SCP - Chapter 2 - The potential: Australia could become world-leading in cyber security

Key points in this chapter

  • Cyber security in Australia employs around 19,500 people
  • Total expenditure was A$4.6 billion in 2017
  • More than three-quarters of the market is dominated by foreign companies, mostly with local bases employing Australians
  • Many local companies are not harnessing their full export potential
  • Australia can compete most effectively in software (in areas of distinctive research capability) and services (in the protection stack and underlying processes)
  • A$3.6 billion spent on external cyber security in 2017
  • A$960 million spent by organisations on their internal cyber security functions in 2017
  • Small but fast-growing sector
  • Strong cyber security will enhance Australia's global reputation as a trusted and secure place to do business
  • Foundation for future success of all industries in national economy

2.1 Overview

Cyber security in Australia is a small but fast-growing sector. It is estimated to employ approximately 19,500 people, either as part of an organisation's internal cyber security workforce or through external cyber security providers. Total expenditure on cyber security in Australia in 2017 amounted to approximately A$4.6 billion. Australian demand and employment are dominated by outsourced cyber security services, and more than three-quarters of this market is controlled by foreign companies - though mostly operating from local bases and employing Australians. Software and hardware markets are dominated by direct imports.

Despite this, there are already a number of home-grown cyber security success stories. Australian cyber security providers have developed strong offerings in software and service niches. Several Australian software companies have also joined global value chains and established worldwide reputations for their products. Developments over the last year are particularly promising. Interviews conducted for this updated Sector Competitiveness Plan indicate that procurement officers are increasingly aware of the growing number of Australian cyber security providers with compelling products and services. AustCyber's new initiative GovPitch has contributed to this growing awareness by offering a space for domestic cyber security startups to pitch their solutions to public sector officials and stand a chance to secure a government contract. The cyber security workforce has grown strongly, despite a persistent talent shortage in Australia.

Australia's internationally successful cyber companies have continued to expand, including Cog Systems, Nuix, FunCaptcha and Dtex Systems. Many are building on their international success as a lever to drive further expansion at home. Such 'boomerang' companies (see Box 11) include UpGuard, which was founded in 2012 and has since grown to more than 80 employees in the US and Australia.

However, many Australian cyber security service companies are still failing to harness their full export potential. This is at odds with evidence that Australia is considered a services hub, with Australian businesses generally earning much more revenue (relative to national GDP) from services than their peers elsewhere in the world. Cyber security companies could do more to make use of this fundamental country-specific advantage.

Given the small scale of the domestic market, Australia will struggle to become globally competitive in all segments of the cyber security sector. Instead, limited resources should be targeted to parts of the cyber security sector that are both attractive and where Australia can compete most effectively. Analysis suggests this includes:

  • software - in areas of distinctive research capability
  • services - in the protection stack and underlying processes.

While these segments will be the initial focus of industry development, many government and AustCyber actions will also support the competitiveness of the industry as a whole.

Australia should also consider the opportunity in cyber security to build on other national sector strengths, such as resources and financial services. By building products and services that address the specific cyber security needs of these sectors, Australian companies can develop distinctive, competitive offerings for the global marketplace.

2.2 Strong local demand for cyber security services

Increasing risk awareness has led companies to invest more heavily in the safety of their networks and IT systems. According to a recent Telstra survey, 62 per cent of Australian companies are planning to increase their overall security spending (cyber and electronic) over the next 12 to 24 months. Only 2 per cent of respondents are planning to decrease their security budgets.1

In 2017, total external spending on cyber security in Australia reached A$3.6 billion (see Figure 9) and is expected to remain strong. Over the next decade, external cyber security spending in Australia is likely to increase more than twice as fast (7.8 per cent annual growth) as broader IT spending (3.5 per cent), which was almost A$87 billion in 2017.2 It is estimated that Australian organisations spent a further A$960 million on their internal cyber security functions in 2017.

The demand for cyber security products and services in Australia is comparable to global demand trends, but with a larger emphasis on services. Figure 9 shows that around 73 per cent of the local sector’s external demand is for cyber security services, compared with around 60 per cent globally. Demand is particularly strong for services that strengthen the operational security of a business or other organisation. The dominance of the services segment in Australia may be partly explained by the particular structure of the local economy, where small and medium-sized enterprises make up around 95 per cent of all Australian businesses. These businesses may lack the scale and resources to run in-house cyber security management teams.

Over the next decade, the current demand pattern is set to intensify as organisations are expected to make even greater use of outsourced services to manage growing security needs and a proliferation of security breaches. It means that cyber security services will likely experience a much stronger growth in demand than cyber security hardware and software. This basic trend applies to both Australia and the world, but in Australia the additional demand is expected to bolster a broad spectrum of different security services - from the protection stack to underlying processes - whereas globally demand is expected to strengthen most notably for security operations services.

Figure 9 – Breakdown of Australian external cyber security spend

2.3 Much of local demand is met by foreign companies

Foreign providers meet much of the existing domestic demand for cyber security products and services. For example, currently there are no local companies among the 15 largest software providers by value in the Australian cyber security market. The combined market share of Australian companies is estimated to be less than 5 per cent. It is a similar picture in hardware, with no major Australian hardware providers. The representation of Australian companies is stronger in services. Noting that the market data is not strong, interviews and other sources suggest the market share of Australian home-grown services companies is about 25 per cent, while around half of the market is served by foreign-owned companies with core personnel in Australia (this excludes foreign companies with only a sales presence in Australia).3

Putting these findings together provides a view of Australia’s cyber security sector revenue - defined as the revenue from the sale of cyber security products and services by businesses with a core team in Australia.4

Figure 10 shows that Australia’s cyber security sector generated around A$2.4 billion in revenue in 2017 (see Appendix B for details of the methodology and assumptions).5

Figure 10 – Breakdown of Australian external cyber security spend

Much of the current employment in the Australian cyber security sector depends on the degree to which imports are used in a market segment. For example, hardware and software are typically directly imported to Australia and create very little permanent local employment (as seen in Figure 11). Together, these two market segments are estimated to support less than 1,000 jobs in Australia. Local companies are much more engaged in cyber security services, which are generally more labour-intensive and so create more jobs. It is estimated that local cyber security services companies are supporting around 3,500 jobs in Australia.

Foreign service providers with local operations remain the largest employer in Australia's external cyber security market. Multinational corporations currently employ around 6,500 cyber security workers. Since many services are difficult to import directly (for reasons discussed in the previous chapter) and need to be provided through local operations, these companies make a very significant contribution to the overall workforce. They are only exceeded by internal employment of cyber security teams, which is estimated to be around 9,000 workers.

Figure 11 – Breakdown of cyber security employment in Australia by the type of firm*

2.4 Local cyber security companies are competitive in software and services

Australian companies have been successful in areas of both software and services, in both domestic and international markets.

Software

In software, there is a strong 'beachhead' of Australian companies in the area of security operations. Companies such as Covata, StratoKey, Airlock Digital, Kasada and Huntsman have developed successful software products and established market presence both in Australia and in international markets. Another example is Nuix, the Australian data analytics and security company chosen by the International Consortium of Investigative Journalists to analyse the files in the Panama Papers (see Box 2).

Box 2

Nuix: Making sense of the data explosion

The world is amassing data like never before. Yet vast amounts of the growing stockpile of information crowding server centres across the globe has long lost its immediate business value. Such 'dark data', as it is commonly known, comprises a jumble of information that has become irrelevant over time, such as expired customer files, records of previous employees, old emails, notes and presentations, historic financial statements or outdated accounts.

Continuing to store large amounts of obsolete data poses a security risk, especially if it contains sensitive information. As a result, many organisations have begun to tidy up their electronic storage rooms to deter cyber criminals, and Australian IT company Nuix is helping with this task.

Nuix is one of Australia's leading cyber security companies. Founded in 2000 by a team of computer scientists, Nuix has developed powerful forensic software to collect, process and analyse huge amounts of digital data. Its ability to sift through terabytes of large and complex files at high speed has made it the go-to software for leading organisations around the world who need fast and accurate answers - including the United Nations, the US Secret Service, Interpol and the Department of Defence.

Nuix's software helps clean up unknown, messy and risky data hidden in forgotten corners of corporate networks. It helps detect and respond to cybercrime, manage insider threats and rapidly find evidence in a lawsuit or audit. Most recently, a global group of investigative journalists used Nuix's optical-character recognition technology to review the so-called Panama Papers, the 11.5 million documents leaked from a Panama-based law company.

The investigation, in which Nuix's electronic discovery software was able to digest 2.6 terabytes of data in just 1.5 days, unveiled a web of hidden offshore accounts linked to several countries' leaders and other high-profile public personalities. Today, Nuix remains headquartered in Sydney, with additional offices in the US, England, Ireland and Germany.

Australian cyber security software companies are also exporting their products in the protection stack area (for example, Mailguard) and in the area of underlying processes (for example, Secure Code Warrior).

Hardware

The representation of local companies in hardware is weaker, although the innovative work of Penten (see Box 3) and QuintessenceLabs (see Box 13) demonstrates that Australian companies can still play a strong role in niche areas of hardware.

Box 3

Penten: High-grade encryption for the field

For Penten, a Canberra-based cyber startup, the last 12 months have been about delivery, growth and more innovation, including:

  • signing major projects, including with Defence
  • exporting orders to the UK and Canada
  • doubling staff numbers from 20 to 40
  • experiencing a 100 per cent revenue increase
  • launching the Deception.ai business unit.

At the release of AustCyber's first Sector Competitiveness Plan in 2017, Penten also launched AltoCrypt Stik, its flagship secure mobility product for Defence and other government agencies. Penten's AltoCrypt Stik is a secure, small and discreet USB device that enables government users to access highly classified networks wirelessly, both in the office and remotely. AltoCrypt Stik has been described as the game changer for access to classified information, and Penten has secured significant government contracts to deliver the capability, including to Defence via the Defence Innovation Hub.

The 2018 launch of Deception.ai establishes a new business unit, which employs machine learning to help customers automate the production of realistic decoy content to detect and track cyber attackers. Its first product, Trapdocs, is an enterprise virtual appliance that uses the Deception.ai machine learning engine to survey a document repository and create and place realistic decoy files designed to entice a data thief. With no reason for anyone to touch them, interaction with the decoy files creates a highly reliable indication of a data breach.

AustCyber has provided customer introductions, mentoring and market awareness opportunities to Penten. 'AustCyber has encouraged us to work with other Australian cyber businesses to create more complete and compelling offerings. Our partnership with QuintessenceLabs was born out of collaboration opportunities created by AustCyber,' said Penten's CEO, Matthew Wilson.

Penten continues to grow its security cleared and highly experienced team, adding project managers, logistics and finance professionals, along with significantly growing its hardware, software, networking and security engineering capabilities. Penten has focused heavily on building the team, processes and artefacts to build Australian solutions ready for export. The outcomes enable customers to solve their challenges with world leading capability that can be simply transitioned into service.

Services

The services segment of Australia's cyber security sector contains a large number of local companies. In the protection stack, Australian companies such as archTIS and Shearwater Solutions provide services in security architecture and penetration testing. Security operations are dominated by service providers managed by large multinationals, but do include some smaller Australian companies including Telstra.

Australia is strongest in the third security need area of underlying processes. Local companies in this segment include Hivint, Cogito Group and Enosys. In addition, Australia's universities and TAFEs are increasingly participating in the services segment by providing cyber security courses designed to train students for work in the sector (see Box 8 and Box 9 for details).

However, very few of the local companies are currently exporting their services. Among those that do have a significant presence abroad is Bugcrowd (see Box 15). The company was founded in Australia in 2012, but has since shifted its headquarters to San Francisco, partly for better access to venture capital. Telecommunications company Telstra has ventured into Southeast Asia, through a partnership with Telkom Indonesia, comprising a jointly managed data network and security services. Other examples of cyber service providers with large international operations include risk-analysis company UpGuard and endpoint-protection company Dtex Systems. Both were founded in Australia but, similar to Bugcrowd, are now headquartered in the US. Some Australian universities also 'export' education by offering cyber security courses to international students.

Revealed competitive advantage

The concept of revealed comparative advantage (RCA) can help identify country-specific strengths by measuring an economy's current supply of a product or service against the backdrop of global supply. It measures how much more or less successful that country is than the world average when supplying a particular good or service. An RCA index value above 1 signals that a country enjoys a comparative advantage in the supply of a certain product or service. In contrast, an index value below 1 indicates a disadvantage relative to other suppliers globally.

The analysis in Figure 12 reveals that Australian companies and foreign companies with core operations in Australia already earn much higher revenue (relative to national GDP) in services than their average peers worldwide. This highlights a substantial comparative advantage in the services segment of the cyber security sector. The situation, however, is reversed in the hardware and software segments, where the current revenues (relative to national GDP) of Australian companies and foreign companies with core operations in Australia are significantly lower than the equivalent world average, signalling a comparative disadvantage.

Figure 12 – Revenue and advantage

2.5 Australia's opportunity: focus initially on a limited number of segments

Australian cyber security companies have proven to be successful abroad, even in highly competitive markets such as the US and Europe. To emulate the success of these local 'pioneer' companies across the wider Australian cyber security sector, Australia needs to identify and focus on its country-specific competitive advantages. The talent base and resources also need to be developed to turn Australia's strengths into a competitive edge. While the role of AustCyber is to promote and improve the competitiveness of the entire cyber security industry, it will also support the development of several initial focus segments.

In developing this updated Sector Competitiveness Plan, a rigorous framework of analysis was used to identify several segments within the Australian cyber security sector that promise the largest opportunities for the Australian economy over the next decade. Seven segments appear most noteworthy - three software segments and three services segments meeting the three basic security needs (protection stack, security operations and underlying processes), and one segment for hardware. To understand which of these segments warrant the greatest initial focus, they were analysed according to their:

Attractiveness - This is based on the segment's size and growth internationally and in Australia, its exportability, its potential to create jobs and the quality of those jobs, and its fit with technological trends.

Competitiveness - This is based on Australia's ability to compete, considering existing presence, any revealed comparative advantage, and the segment's match with Australia's skill profile.

As a result of this analysis and tested through extensive interviews with industry participants, three focus segments stand out: software (prioritising areas of existing research strength), services in the protection stack, and services in underlying processes.

Figure 13 – Cyber security sector segments assessed on attractiveness and Australia's ability to compete

Software

Software is an attractive segment in both security operations and the protection stack. It has a strong existing presence in the protection stack and the largest forecast increase in demand for security operations. Software products are highly exportable and generate high-quality jobs. The convergence of IT and OT, mobile internet and the Internet of Things will also have a positive effect, multiplying the complexity of networks and security operations. Automation is also likely to emphasise software at the expense of services, as developments in AI and advanced machine learning lead to more sophisticated software-based solutions.

Given the appeal of both these areas for software, the best approach for Australia is to consider software as one broad segment and then identify specific areas of research capability to build on for a strong software ecosystem. Two possible areas of focus are cryptography (which is typically applied in the protection stack) and data analytics (in security operations). However, these will need to be further refined through more detailed assessment of Australia's comparative research strengths.

Though software is an attractive segment, the evidence for Australia's ability to compete effectively in it is not as strong. Australia's current revenue in software is very low, which implies a lack of comparative advantage. However, several companies have succeeded both domestically and in export markets. These include Nuix, which has become internationally renowned for its forensic capabilities (see Box 2), Huntsman and StratoKey. These 'beachhead' companies can provide a model for the development of a stronger Australian software segment.

Services - protection stack

The protection stack includes a range of services that protect organisational networks, applications and endpoints from malicious attackers (see Box 4 for an example). Specific services include network security architecture, firewall configuration and management, penetration testing, vulnerability assessment, and patch and configuration management. Services in the protection stack currently comprise the second largest segment in the Australian industry - after services in security operations - and this area is forecast to experience continued strong demand growth.

While harder to export than software, protection stack services are still relatively exportable because they need in-country technical teams less than security operations services do. The segment requires a strong supply of medium- to high-skill workers, which matches well with the skill profile of the Australian cyber security workforce. The convergence of IT and OT along with the Internet of Things are two trends that increase the number of network endpoints and the need to protect them. Automation may have some negative impact on employment in the protection stack services market, but the strong outlook for demand growth means the negative effect should remain limited.

Australia already has a strong competitive advantage in cyber security protection stack services. In interviews, many CISOs and CIOs say services such as penetration testing and network security architecture are currently Australia's most outstanding segments in the cyber security sector. Australian companies are already successfully exporting these services. Mailguard, for example, has developed an email and cloud security service that is now sold in 27 countries worldwide. Mailguard's solution builds on a platform of 'Software as a Service' (SaaS) to create what is effectively a niche-managed service providing email filtering.

Box 4

ResponSight: Securing endpoints through behavioural analytics

ResponSight is an Australian data science company that uses anonymous behavioural analytics to provide an innovative approach to detecting malicious cyber actors and security breaches.

While traditional systems actively search for threats, ResponSight focuses on monitoring a person's typical online behaviour by collecting numerical, mathematical and statistical data with the help of cloud-based analytics engines. ResponSight consolidates and analyses millions of activities to understand a user's 'behavioural fingerprint', that is, the unique, nuanced way in which a person uses their computer. The analytics software raises an alarm whenever a user's behaviour differs from this fingerprint, indicating a potential security breach.

ResponSight says its approach is more comprehensive than other user and entity behavioural analytics technologies that keep track of user behaviour by monitoring log data or centralised Security Incident and Event Management repositories. ResponSight says endpoint analytics allow it to create a more detailed behavioural fingerprint.

Founded in 2015, ResponSight has plans to expand its customer base into the US and was part of a trade mission to San Francisco in 2017, jointly organised by AustCyber and Austrade.

Services - underlying processes

Organisations seeking to increase the security of underlying processes can choose from various services, including the development of cyber security strategies, risk and compliance policies, employee training, and measures to raise the general awareness of cyber security risks (see Box 5 for one example). Services to improve underlying processes represent about 16 per cent, or A$421 million, of the total external spending on cyber security services in Australia (see Figure 5).

The exportability of services varies considerably. Governance, risk and compliance, for example, is challenging to deliver without having a strong technical team on the ground that understands a country’s regulatory environment. In contrast, awareness, training and oversight services can be delivered remotely. Cyber security training appears particularly well suited for exporting, as it can be offered online or through international student enrolments.6

The quality of Australian education is highly regarded abroad, particularly in the Indo-Pacific region. As continued strong global growth in cyber security creates demand for skilled professionals (see Chapter 4 for details on skills shortages), Australia’s experience in export of education means the nation’s universities and vocational training institutions are well positioned to exploit this opportunity. Several universities and training institutions are already active in this segment and report a high number of international students in cyber security programs, especially in Masters study programs.

Similarly, Australia already has a strong ecosystem of local companies offering cyber security governance, risk and compliance services. While most have not yet attempted to export these services, some are currently exploring more scalable service delivery models that may enable exportability. Cyber security company Hivint, for example, has established an innovative service platform, Security Colony, which it is now launching in the US through the Australian Landing Pad Program.

Box 5

Airlock Digital: keeping cyber intruders at bay

Australian company Airlock Digital, founded in 2013, helps keep cyber intruders out of an organisation's network by creating so-called application whitelists. Application whitelisting involves specifying which applications (such as programs, software libraries, scripts and installers) are permitted and can be executed on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications. The Australian Signals Directorate considers the method to be one of the most effective to mitigate targeted cyber intrusions.

But what sounds simple in theory can be challenging to put into practice for small and large organisations alike. That is where Airlock can make a difference. It offers application-whitelisting solutions that it says are cheaper, less complex and require fewer resources to perform successfully.

Unlike signature-based file blocking (blacklisting) such as antivirus software, Airlock's solution proactively sets up barriers to ensure attackers cannot execute malicious and unknown code on an organisation's networks. Each Airlock deployment results in a unique whitelist according to customer needs. Airlock then verifies, monitors and records all file executions across the organisation, permitting only authorised files to load. This makes Airlock extremely effective at preventing both opportunistic and sophisticated attacks, including ransomware and other targeted attacks, allowing the customer to react faster to cyber threats.

Airlock Digital's solution has proven effective in many industries. Clients include government agencies, large enterprises and small companies in Australia. More recently, Airlock has also started growing its international customer base.

These three segments - software, services in the protection stack, and services in underlying processes - will be the initial focus of efforts to develop a globally competitive Australian cyber security sector. However, many of the strategies and actions proposed for AustCyber and others in support of these segments will also benefit the wider cyber security industry. AustCyber will regularly review the set of focus segments to respond to changes in the industry structure and technology trends that have not been anticipated.

2.6 Playing to Australia’s strengths

Australia’s most promising opportunities in cyber security, while driven primarily by the attractiveness and feasibility of the different product types and security needs, should also consider opportunities emerging from the varying needs of different industries that use cyber security.

While all industries have the same basic security needs, the specific cyber security threats they face - for example, protecting large quantities of confidential user data or hardening the resilience of operational technology - inform the specific mix of products and services required. This means there are potential sources of comparative advantage for Australian companies in the industry composition of Australian cyber security demand, the industry mix of the broader economy, and in the nation’s export performance.

The Cyber Security roadmap, jointly developed by CSIRO and AustCyber, specifically identifies growth opportunities at the intersection of cyber security and Australia’s five other priority growth sectors: medical technologies and pharmaceuticals; mining equipment, technology and services; advanced manufacturing; oil and gas; and food and agribusiness.

One other example of such industry strengths is financial services. Australia’s financial services companies are the largest users of cyber security in the country. They account for almost one-third of the nationwide security demand, which means they are a much more relevant customer group for cyber security providers in Australia than financial services companies are elsewhere in the world, as illustrated in Figure 14. Financial services organisations face some of the most challenging threats to their cyber security, as the convenience of modern consumer banking - featuring ATMs, point-of-sale systems and mobile banking - has vastly increased the number of endpoints that need to be protected. Banks are also responsible for some of the most sensitive consumer and corporate data, and risk serious reputational damage in case of a breach.

Cyber security companies could harness Australia’s strength as a regional banking and finance hub by tailoring their products and services to the specific security needs of financial services companies. This would allow them to quickly build scale and reach international markets. Interviews with successful Australian cyber security companies revealed several have pursued this strategy effectively. The financial services sector can also play a valuable role through investment in, and becoming an anchor customer for, Australia’s cyber security startups. Westpac, for example, has invested in both QuintessenceLabs (Box 13) and Kasada (Box 6) over the past two years.7 The most recent investment in Kasada demonstrates a large market opportunity for the financial services sector to help scale cyber security products that their customer base can then also adopt.

Figure 14 – Cyber security external spending by industry scaled for size of economy


2.7 Size of the prize: Australia’s cyber revenue could more than double by 2026

Australia could harness substantial benefits from developing a globally competitive cyber security sector - even beyond the strong forecast growth in the industry over the next decade. ‘Business-as-usual’ forecasts imply revenues in the Australian cyber security sector could more than double from A$2.2 billion in 2016 to $4.7 billion in 2026, as shown in Figure 15.

However, the growth potential is even bigger if Australia undertakes concerted actions to support the three initial focus segments - software, services in the protection stack, and services in underlying processes. In this case, revenues in the domestic cyber security sector could increase to A$6.0 billion in 2026, which equates to an annual growth rate of almost 11 per cent over the decade.


Figure 15 – Forecast cyber security external revenue growth between 2016 and 2026*


This revenue growth would generate new jobs in the Australian cyber security sector. ‘Business-as-usual’ forecasts, illustrated in Figure 15, suggest employment could increase by 7,500 jobs - from 19,000 in 2016 to 26,500 in 2026.

However, the job potential is significantly greater (see Figure 16). If Australia takes decisive action to develop the three focus segments in the cyber security market, in which it already has a competitive advantage, a further 5,100 cyber security jobs could be created. To reach this workforce growth goal of 12,600 more jobs, workers lost from the sector through natural retirement and workers moving overseas will also need to be replaced. The workforce could grow even further if Australia can address the current skills shortage, as discussed in more detail in Chapter 4.

Figure 16 – Forecast cyber security workforce growth between 2016 and 2026*


This growth potential is substantial but may still be relatively conservative, as it is based on ‘business-as-usual’ forecasts and assumes modest improvements in the three focus segments. The performance of leading countries globally in cyber security sector development shows that, if aspiring to global leadership in cyber, Australia could target a much larger sector and workforce by 2026. If Australia could match the performance of global leaders such as the US and Israel, the cyber workforce would expand to almost 60,000 with industry revenue of $11 billion in 2026.8

Cyber investment also has large spillover benefits

Developing a globally competitive cyber security sector in Australia will have significant spillover benefits to the wider economy. Strong cyber security will enhance Australia’s global reputation as a trusted and secure place to do business, increasing demand for other Australian goods and services exports. This is because cyber security is not only a ‘vertical’ sector in the economy, but a critical ‘horizontal’ enabler of activity across other sectors. Without strong cyber security, organisations cannot safely and effectively digitise their operations and realise the significant growth benefits that flow from investments in ICT.


Analysis of the global benefits and costs of different cyber scenarios provides some sense of the potential impact of cyber security on Australia’s broader economy. Research for the Atlantic Council found that cyber security expenditure, while a significant annual cost to the global economy for many years to come, supports investments in ICT that yield massive cumulative benefits over the long term. In Australia, the difference between strong cyber leading to a positive future, and weak cyber leading to lack of trust and investment, could be more than 1 per cent higher GDP by 2026. In the worst-case scenario, where cyber attacks generate constant and widespread disruption to ICT usage, Australia’s GDP could be more than 5 per cent lower in 2026 than the base case. This modelling, while based on global rather than national scenarios, demonstrates that cyber security is a critical driver of growth.

However, the role of cyber security in enabling growth is still not well accepted. A 2016 Cisco survey of senior executives across 10 countries, including Australia, found that only one-third believed the primary purpose of cyber security is to enable growth.9 The remaining two-thirds still viewed cyber security as principally for risk reduction. Less than half perceived cyber security as a source of competitive advantage for their organisation. Further research to understand the impact of cyber security on the growth outlook of the Australian economy could help to change this mindset and support appropriate investments in cyber capability by Australian organisations.

Box 6

Kasada: The 22-year-old startup founder who stops malicious web bots


Sam Crowther, founder of Australian cyber security startup Kasada, has developed a 'road spike' tool to stop fast moving cyber attacks. The tool foils malicious internet bots by bombarding them with irritating tasks until they give up.

Bots are pieces of code that cyber criminals use to dupe online customers. Wherever people sell something desirable online, bots are usually not far away. For example, they enter the websites of ticketing agencies, e-commerce shops and hotel chains to manipulate their content, pretending concert tickets, limited-edition sneakers or luxury rooms are sold out. Then they offer the same product on eBay and other marketplaces for a higher price, cashing in on the difference. Anyone doing online transactions is susceptible to bots and malicious automation.

It usually only takes bots a few seconds to do the damage, as cyber adversaries have now automated their assaults. They let thousands of bots simultaneously attack websites, leaving traditional cyber defences overwhelmed.

'There's so much power in the code, and automation is rampant everywhere,' says Sam Crowther, who as a high school student gained critical work experience with cyber teams at the Department of Defence and Macquarie Group. Then, at just 19 years old, he discovered that blocking malicious code from entering a website is much more effective than trying to destroy it. 'The solutions people have used so far against bots are nothing more than a band-aid,' Crowther says.

Over the past three years, Crowther has built a talented team of engineers at Kasada, and perfected his first cyber security product, Polyform. It's a software platform that detects malicious bots and prompts them to solve tedious problems as an entry hurdle into a website.

'It hits attackers where it hurts them most: the economics of their strategy,' says Crowther, now 22. 'The criminals want an easy win, but we slow them down, so eventually they just move on. It's that simple.'

Kasada's defence strategy proved so successful that it attracted one of Australia's largest betting companies as an early anchor customer, boosting the startup's credibility. Other big customers in Australia and overseas soon followed. Kasada's latest success: securing a A$2.5 million seed investment from leading Australian venture capital company, Our Innovation Fund, and Westpac's venture capital fund, Reinventure Group.

Kasada will use the capital to expand to the US, with plans to hire another six software engineers by the end of the year. Crowther already employs eight people locally and will relocate from Sydney to the US to oversee the global move. He says being able to tap into AustCyber's large network and join AustCyber's trade mission to one of the world's largest IT security conferences in San Francisco last year was a catalyst.

'As a cyber security startup, you need confidence and you need cash, but you also need connections.'

  1. Telstra (2018), Telstra Security Report 2018.
  2. Which-50 (2017), 'Australian IT Spend Nears $87 Billion: Gartner'. Available at: https://which-50.com/australian-spend-hit-87-billion-2017-gartner/.
  3. Services are more likely to be provided locally due to the lower exportability of cyber security services compared with hardware and software.
  4. Estimating sector revenue requires subtracting imports (defined in this context as cyber security products and services provided from abroad, without core personnel in Australia), and adding exports (defined as revenue obtained from serving foreign customers from Australia). This definition captures all the revenues that contribute to Australian cyber security employment.
  5. Estimating gross revenue or value added for the cyber security sector is difficult because of the lack of sector-specific data on cyber security collected by the Australian Bureau of Statistics. Cyber security, for example, does not appear in the Australian and New Zealand Standard Industrial Classification, which is used for the compilation of industry statistics in Australia. One cyber security-related profession, ICT Security Specialist, occurs at the 6-digit level of the Australian and New Zealand Standard Classification of Occupations, but little employment data is collected or reported at this low level.
  6. Austrade (2017), 'Australia's export performance in FY2017'. Available at: https://www.austrade.gov.au/news/economic-analysis/australias-export-performance-in-fy2017.
  7. Australian Financial Review (2017), 'Westpac's Kasada deal points to cyber security as a service'. Available at: http://www.afr.com/business/banking-and-finance/financial-services/westpacs-kasada-deal-points-to-cyber-security-as-a-service-20180324-h0xx9h.
  8. Given the lack of standardised data globally about the size of different countries' cyber security workforces, direct comparisons are difficult. Available data indicates that the US and Israel have around 200 to 250 cyber workers per 100,000 people. In Australia that number is around 80, and the potential 2026 workforce identified in Figure 16 would bring that to around 120 per 100,000. For more information see CyberSeek (2018), Cybersecurity Supply/Demand Heat Map, available at: http://cyberseek.org/heatmap.html and Haaretz (2017), 'Israel at Risk Amid Shortage of Cyber Security Experts', available at: https://www.haaretz.com/israel-news/business/israel-at-risk-amid-shortage-of-cybersecurity-experts-1.5491404.
  9. Cisco (2016), Cybersecurity as a growth advantage. Available at: https://www.cisco.com/c/dam/assets/offers/pdfs/cybersecurity-growth-advantage.pdf.