Australia took significant strides towards elevating cyber security as a key national interest in the most recent Federal Budget, backing the country’s intelligence and cyber capabilities with $9.9 billion.
Codenamed REDSPICE – Resilience, Effects, Defence, Space, Intelligence, Cyber, Enablers – it’s “the most significant single investment” in the 75 years that the Australian Signals Directorate has existed. It will bolster Australia’s offensive and defensive cyber capabilities, triple its current offensive cyber capability, and double persistent cyber-hunt activities.
The officially stated reason for the multi-billion dollar investment is to address “the deteriorating strategic circumstances in our region, characterised by rapid military expansion, growing coercive behaviour and increased cyber-attacks”.
It’s worth contextualising this, both from a government and geopolitical perspective, as well as how it relates to the business sector and its individual and collective cyber security posture.
Within Australia – and more broadly, the Asia Pacific – it’s becoming clearer that cyber security is a key focal point of our defensive posture in the region. It also has a role to play in our offensive capabilities. This could act as a deterrent to other countries, but it’s also a capability that could be called upon under various treaties that Australia has with other regional and global powers. While focus on Australia’s offensive capabilities tends to be around what the country may be able to operationally execute on its own, it is probably more likely that these capabilities will be seen in more multilateral settings, where cooperation is in the common interest.
But it’s not just geopolitics where increased investment in defensive and offensive capability is useful.
The Government already uses its defensive and offensive security capabilities to protect Australia, and Australian businesses, from threats, before those threats can arrive at the defensive lines of businesses themselves. This is a capability that requires some long-term focus and funding, and now has it.
Most business-oriented defensive and offensive work necessarily occurs outside of public view, and indeed it’s only on rare occasions that we get some insight into the extent of these capabilities. We saw this in recently-passed last resort Government assistance powers, which points to the heightened role of government generally in cyber incident response. We also saw it in network-level blocking of SMS spam, often a precursor or vector for ransomware and other types of malware attacks.
The reality is, what we know and see publicly of government cyber security assistance barely scratches the surface of its capabilities. And that’s to be expected: cyber security isn’t a field where anyone shows their hand.
In the context of the past couple of years, and particularly the heightened threat landscape of today, it makes sense to maintain existing capability levels, but also to invest in new capabilities to allow Australia to maintain its current defensive protections and to respond appropriately as and when the situation calls.
The $9.9 billion backing of cyber security not only shows its significance as a focus of the Australian Government, it also underlines the importance of making cyber security a focal point for your business as well.
While businesses generally have some awareness of cyber security risks, we often see smaller businesses that think of themselves as inconsequential targets compared to larger organisations with more assets and financial wealth.
The reality is that these things aren’t correlated. Small businesses are an as big – if not a bigger – cyber security target because they are perceived by attackers as easier to compromise. While the payoff may not be as big, it’s still large enough to hurt. The average cost of an incident to a small business is about $9000.
The recent Budget recognised this, and offered credits and tax offsets for SMEs to invest particularly in “cyber security systems” and other digital tooling. This is, in turn, recognition that the costs of an incident outweigh the cost of securing businesses against these threats in the first place.
Again, that speaks to the environment of heightened cyber security awareness we find ourselves in today, and of governments understanding the role they can play in protecting Australian businesses from some of the worst the internet has to offer.