Appendix A: Industry Knowledge Priorities
Approach to developing knowledge priorities
Knowledge priorities have been developed in line with the current and foreseeable needs and opportunities for industry research and commercialisation in the Australian cyber security sector. They will be used to inform AustCyber's activities as it works with industry and the research community to improve research focus, collaboration and commercialisation performance. This includes engaging with stakeholders in existing cyber security focus areas to develop cyber security capabilities in Data61 and the Defence Science and Technology Group, as well as in universities across Australia. AustCyber will use its nationwide networking expertise to work towards maturing Australia's cyber security ecosystem, and also rely on Data61's existing arrangements with Australian universities on research and commercialisation.
These knowledge priorities for the Australian cyber security have been developed based on a literature review of existing research focuses and consultations with stakeholders as part of the development of this Sector Competitiveness Plan. The major documentary sources are the Australian Government's Science and Research Priorities and the CSIRO's report Enabling Australia's Digital Future: cyber security trends and implications.1
- Emerging prevention, detection and response technologies
- Prevention: New ways of supporting the nation's cyber security by discovery and understanding of threats, vulnerabilities and opportunities
- Being dynamic and proactive with approaches to identifying vulnerabilities, including tools to better predict malicious actor drivers and behaviour
- Prioritising risks in order maximise the value and impact of prevention efforts
- Classifying these vulnerabilities
- Exploitation by malicious actors
- Non-malicious events such as natural disasters, equipment failure and human error
- From this, developing national resilience, including
- Encryption of data
- Distributed storage systems that mitigate the impact of a breach
- Improved user behaviour
- Detection: Discovering and assessing intrusions
- Determining which technologies can be used to discover intrusions, and developing methods to differentiate this activity from normal human/machine behaviour
- Developing methods to detect a breach even if nothing has been affected yet
- Developing technology to increase the frequency of audits without hampering business activities or incurring significant costs
- Response: Recovering from a breach
- Determining what technologies can be used to remove all known infected systems, applications and devices from the network
- Understanding ways to embed lessons learned for human behaviour and workplace culture
- Increasing the speed at which cyber security breach info is shared across the community
- Ensuring systems continuity, including through self-healing systems
- Prevention: New ways of supporting the nation's cyber security by discovery and understanding of threats, vulnerabilities and opportunities
- Identity, authentication and authorisation in the cyber domain
- Finding new strategies and techniques for systems, applications and individuals to verify, identify and establish trust, including understanding the implications of the abuse of trust
- Identifying ways to manage the increasing digital access points (and therefore threat vectors) because of trends toward integrated platforms and mobility
- Identifying the best use of advanced sensors/intelligent devices to verify trust
- Ensuring security, privacy, trust and ethical use of emerging technologies and services such as
- Cloud computing
- Cyber-physical systems, including the Internet of Things, robotics, self-driving cars etc.
- Machine learning
- Big data and data analytics
- Mobile applications
- Approaches to deal with the increasingly 'shared' responsibility of cyber security
- Developing a better understanding of user behaviour at the macro level (including norms of behaviour in cyberspace and user interaction with integrated platforms) and its impact on cyber security
- Ensuring the evolution in cyber security policies and skills closely match changes in technology, our adoption and then dependence
- Creating a culture with a deeper understanding of cyber security challenges and breaches, including the importance of information sharing, recognising the interdependence of cyber security with national security, national interest and economic prosperity
Appendix B: Methodologies and assumptions
At present there are significant measurement challenges in estimating cyber security revenues in Australia. Cyber security is not captured by Australian Bureau of Statistics industry definitions. It is therefore necessary to use external market research estimates (a range of divergent estimates exists) and assumptions to form a view on the amount of revenue that accrues to cyber security providers in Australia. The demand and revenue figures presented in this report should be interpreted as estimates only and a wide confidence interval should be applied when using them to inform decision-making.
To estimate industry revenue by segment and the share of demand currently met by Australian companies, a proprietary model was built based on a range of data sources, including Gartner and IDC.2 The assumptions for market shares (that is, share of Australian spend) and export shares (proportion of revenues that are derived from exports) for Australian companies are shown in Figure B1, as well as the source of those assumptions.
Figure B1 – Assumptions used in estimating Australian cyber security revenue
Workforce supply shortage and economic costs
In this Sector Competitiveness Plan, a skills shortage is defined as the additional number of workers that would be in the core cyber workforce if the supply of suitable workers were unconstrained (see Figure B2). Suitable workers have both the technical and non-technical (for example, communication skills) skills that employers consider important.
Figure B2 – Modelling demand and supply of cyber security workers
Estimating the current workforce supply gap is difficult. As such, four different approaches based on job market metrics were used: the wage premium; recruitment failure rates; recruitment time; and job market depth (see Figure 22 for details on the four metrics).
Wage premium: IT was used as a relatively unconstrained industry. Assuming a unitary elastic demand curve, the IT salary plus cyber training costs was mapped to the demand curve to derive the unconstrained cyber workforce size. The process is illustrated in Figure B2.
Recruitment failure rate: The number of unfilled cyber jobs was estimated by taking the number of cyber job ads and assuming that the recruitment failure rate for cyber was equal to IT overall and the best performing IT category for recruitment success.
Recruitment time: The number vacancies that could have been advertised if cyber security's time to fill were equal to IT was calculated using the number of cyber job ads and time to fill in cyber and IT. The difference between these estimates represents the workers that would have been in the cyber workforce had supply been unconstrained.
Job market depth: The ratio of the number employed over the number of job ads was calculated for cyber, IT, and the national average across industries. The size of the workforce that would be required in cyber align cyber security's job market depth with the latter two benchmarks was then calculated.
Using the output of these four analyses, the minimum and maximum estimates across the metrics were taken as the supply shortage range. Note that job market data does not account for unadvertised cyber roles (for example, some cyber roles in the Defence Force). This means the supply shortage could be even larger.
Financial impacts of the skills shortage were calculated based on the average revenue or wages per worker in the cyber sector. This is because the skills shortage reduces both the revenue of cyber security providers, and the wages paid to internal cyber security teams within cyber users.
Appendix C: Regulatory reform plan
Digital trade - and efforts to secure it - is a mainstay of the global economy. The point of difference to traditional forms of trade is that it occurs in cyberspace, a conceptually borderless domain of human interaction. Observing other more cyber mature economies, it is clear that disparate national approaches to the regulation and standardisation of cyber security pose significant barriers to efficient trade relationships and effective innovation.
Domestically, Australia is in a nascent stage of regulation on cyber security. Australia's Cyber Security Strategy identified that existing regulations are sufficient to encourage good risk management practices and foster innovation. The Cyber Security Strategy also identified that existing voluntary standards, as a means of self-regulation, are appropriate for Australia's current (comparatively low) level of cyber maturity. The work undertaken to develop the Cyber Security Sector Competitiveness Plan supports the Strategy's position.
However, the following areas for optimisation have been identified as supporting support industry growth and the economy as it embraces cyber security and develops innovative solutions to cyber challenges:
- harmonisation of cyber security regulatory and legislative frameworks both domestically and internationally, industry self-imposed regulations, standards and guidance
- active discussion on issues which may attract regulatory responses and industry impacts of such action
- engagement in strategic discussions with relevant agencies on implications of the applicable multilateral export control regime, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies
- access to skilled labour, specifically through temporary visa arrangements.
Cyber security is a global industry and a globalised endeavour. Australian public and private sector entities as well as academic institutions and non-profits are required to navigate multiple national and international standards and guidance. This affects industry productivity (as well as public sector efficiency), can be cost prohibitive for small entities to engage in some markets, and can inhibit access to global export markets. The harmonisation of domestic and international standards to a single globally acceptable standard is a critical step and one that at the international level, Australia can help progress, leveraging our relative market size to diplomatic and strategic policy standing.
As the Australian economy becomes increasingly mature in its management of cyber risk and embedding cyber resilience, it will be increasingly important to be mindful of regulatory duplication, inconsistencies and inefficient complexity. Proactively working toward regulatory harmonisation, including self-regulation, will support good practices and help encourage innovation and flexibility.
Where regulation is deemed to be necessary, Australia should work to ensure the focus is on risk based and outcome-focused regulation. This requires strong demonstration of performance but allows for ecosystem development and changing environments.
Standardisation is also recognised as a key factor in the Australian Government's Innovation and Competitiveness Agenda released in 2014, with alignment to international standards set to deliver significant competitiveness, productivity and efficiency gains to the Australian supply chain.
Australia should seek to adopt trusted international standards and review regulations to remove references to local bespoke standards, including differences in standards and guidance between domestic jurisdictions. Regulations may need to bridge any gaps between international standards and standards required for genuinely local conditions. Australian entities should use standards to enhance technical integrity, improve risk management practices, enable cost effective investment in security and encourage innovation. Aligning with international standards also facilitates local industry to compete in global markets and attracts sustained foreign investment
AustCyber will work, in partnership with key stakeholders, to explore opportunities for harmonisation and, where possible, remove bespoke standards and guidance. This will include working with international organisations and consulting broadly across stakeholder groups in the Australian economy. AustCyber will also work with these stakeholders to provide improved, tailored communication on regulatory requirements and guidance, with priority for small to medium entities.
Through its policy advocacy role, AustCyber will support industry discussion on issues, which may attract regulatory responses and the possible industry impacts of such action as well facilitate engagement with governments on such discussions (refer to AustCyber's Business Plan).
Technology-based cyber security solutions are part of a growing set of technologies that can be applied to lawful and unlawful activities, as well as in nation-state escalatory behaviour (pre-war and war). That is, they have 'dual use'. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, of which Australia is a signatory, applies in these circumstances, mainly impacting solutions incorporating cryptographic technologies.
As cyber security solutions and new technologies evolve, it is increasingly important to consider their dual uses and appreciate the possible positive and negative impacts of globally mandated export controls on the innovation process. It is critical industry engagement on these impacts is included in governmental efforts to comply with and evolve the Wassenaar Arrangement and similar international regimes and conventions.
AustCyber will work with relevant agencies within the Australian Government to ensure regular industry consultation on the barriers and benefits to cyber security innovation and commercialisation of export controls and similar international regimes and conventions. AustCyber will also support efforts for the translation of international policy agreements into domestic regulatory and self-regulatory frameworks.
The Sector Competitiveness Plan confirms the position described in Australia's Cyber Security Strategy, that the Australian economy has an extant shortage of skilled cyber security labour, forecast to worsen without intervention. The Sector Competitiveness Plan is one source of action to address this challenge, as is the Cyber Security Strategy, AustCyber's Business Plan and a wide range of other government and corporate action.
As the skills pipeline issues are addressed and the size of the cyber security workforce increases, it will also be important to support labour mobility within Australia and globally, to ensure the ecosystem develops in ways that incorporate the most advanced thinking and solutions development. This will require the sector to engage in, among other policy related activities, debates on the modernisation of Australia's skilled migration policy.
AustCyber will work with industry associations and other peak bodies to ensure industry interests are appropriately represented in discussions on the ways and means to boost the availability of skilled cyber security workers, including on temporary visas and related matters.
- Australian Government (2015), Science and Research Priorities. Available at: http://www.science.gov.au/scienceGov/ScienceAndResearchPriorities/Documents/15-49912%20Fact%20sheet%20for%20with%20National%20Science%20and%20Research%20Priorities_4.pdf. CSIRO (2014), Enabling Australia's Digital Future: cyber security trends and implications. Available at: https://www.csiro.au/~/media/Do-Business/Files/CSIRO-Futures/Enabling-Australias-Digital-Future-2014-pdf264MB.pdf).
- Market size by country obtained from Gartner (2016), Information Security, Worldwide, 2014-2020, 3Q16 Update and combined with similar estimates from IDC and IbisWorld; software market share data obtained from IDC (via custom data requests).
AustCyber’s mission is to grow a vibrant and globally competitive cyber security sector that enhances Australia’s future economic growth.