Call for uniform platform to boost cyber security

"But we have to step back and understand the environment: the defence industry is not normal commerce. If you're in a defence industry supply chain, your adversaries are well resourced and highly motivated state actors, and their one job is to get inside your systems and access your data. It's not a fair fight."

The Commonwealth is committed to using Australian industry and research to support Defence, including a $230 million Centre for Defence Industry Capability (CDIC), the $640 million Defence Innovation Hub (DIH) and $730 million for the Next Generation Technologies Fund (NGTF).

However, Australia's defence industry includes up to 3000 SMEs, most of which do not specialise in cyber security.

"Many SMEs who could be active in defence industry are experts in a niche," says Wilson. "They design things, they cut and weld things. When they're getting into defence industry, they often don't know where their data is stored or who has access to it."

Australia is in the 'Five Eyes' intelligence-sharing arrangement with the US, Canada, New Zealand and Britain. While it confers strategic benefits on Australia, it raises Australia's profile as a source of defence secrets which attracts serious intelligence adversaries. To accommodate this, the Commonwealth's ICT security arrangements are very tough – in many cases tougher than SMEs can bear.

"The tender stage for most Defence contracts has a Restricted classification," says Wilson, meaning SMEs cannot receive tender documents or respond to them without relevant clearance from Defence. "A tender might have to be responded to within two months, but it takes the company three months to get the clearance."

When tenders progress, or a company wins a tender, they usually find themselves in the next security layer – a layer that few SMEs attain without assistance from government or a prime systems integrator.

"The stakes are very high in defence industry. If our adversaries access specifications from our procurement programs, they can reverse engineer the specs and find the weak points in, say, one of our land vehicles. As soon as an SME is part of a tender, they are a potential target."

He says the current system either places the onus of cyber security on the SME, or shifts responsibility to the Prime running the program. In many cases the Prime's data security demands are as onerous as the Commonwealth's.

He says three ICT companies have been accredited by the Australian Signals Directorate (ASD) to develop 'protected cloud infrastructure' for use by defence industry participants and Defence has a process that gives SMEs limited access to protected systems, driven by membership of the Defence Industry Security Program (DISP), compliance with the Defence Security Manual (DSM) and access to the Defence Online Services Domain (DOSD).

DISP members carry the responsibility for securing, monitoring and reporting on their ICT systems, and in many cases the Australian SME cannot afford the consulting costs.

"There's so much talent and innovation in Australian industry, and the defence industry will be better for their participation," says Wilson. "But we are probably at the point where we need a uniform cyber security platform, designed and operated by a government agency – probably CDIC [Centre for Defence Industry Capability]."

With a single cyber security platform, the ICT costs for each SME would come down, the integrity of the supply chain would be more assured and Defence security on-boarding would become streamlined. He says it also gives the government the ability to engage in the "full force" of cyber counter measures, which include "eyes on" and real-time monitoring of the platform – something most SME defence suppliers can not afford.

"Our AltoCrypt technology is about access for clients who already have a security platform. But to protect SMEs and the supply chains they operate in, we need a single platform through which SMEs use secure servers, secure mail, secure apps and secure storage."

Cyber security has taken on an importance beyond the intrusive and expensive scourge of hacking and ransomware, says the global head of cyber at JLT Group, Sarah Stephens.

"The British government is committing around £5 billion to a cyber security program around government, intelligence, essential services and defence. It's an investment in making government more secure, making businesses more secure and enhancing training, and deception technologies."

Stephens – who is London-based – says the conscious effort to create a sovereign defence industry in Australia brings the cyber vulnerabilities of the business world into the realm of government and defence security.

"Australia's government, intelligence and defence systems are well locked down. But when you bring so many companies into your defence industry supply chain, there is going to be variation in the quality of cyber security systems and processes."

She says in the past two years Australian businesses have matured in their approach to cyber security, most notably in their attitude to what it actually is.

"I no longer hear people from the C-suite dismissing cyber security as 'a problem for the IT department'," says Stephens.

She says the Notifiable Data Breach laws – provisions in the Privacy Act which require companies to notify the Office of the Australian Information Commissioner if there's been a data breach – are a good step for Australia.

When companies seek to become defence industry suppliers, the stakes are very high, says Stephens, and there is no 'magic box' that renders their systems secure from motivated state actors. Cyber-security still relies on human behaviour.

"We know that 15 to 20 per cent of people in an organisation will click on a link in an email that they think could be a phishing email, because their curiosity is too great," says Stephens. "We also know that when organisations introduce two-factor authentication or encryption to their email systems, users try to get around those safe-guards because of the convenience factor.

"Those two things – curiosity and convenience – are human factors. Training and collaboration are the best way to deal with it."

One initiative attempting to enhance our defence industry cyber security – and develop cyber security products and processes for export – is AustCyber, the Australian Cyber Security Growth Network.

Chief executive officer of AustCyber – and former security chief of Atlassian – Craig Davies says the Network has a focus on defence industry which addresses both the cyber security of the defence industry supply chain, and the development of the domestic ICT security industry.

"We see the defence industry opportunity across the country as a way to rapidly mature the companies, and to encourage our cyber security companies to be a part of that supply chain.

"The technology advances that can be driven out of defence bleed into finance and health and digital government strategies. The ultimate mission is to protect people, protect data, protect ideas."

He says the current crop of local cyber security companies – such as Penten and Airlock Digital – are proving themselves capable of operating in a defence industry supply chain, which is also global. However these smart companies aim at a "point", whereas defence industry needs a "plan".

Davies says within the Five Eyes community, Australia is known for fresh ideas and smart, nimble thinkers. The Network AustCyber recently partnered with Austrade to mount the G'day Defence showcase, in which 57 Australian companies will travel to the US in a trip that starts in Washington and culminates in San Francisco at the RSA Conference.

"The Americans are really excited with some of the ideas coming out of Australia, and the impressive people they are meeting. There's already Australian firms being inducted into the American security system."

Davies says AustCyber has supported a national cyber security curriculum into TAFE, where enrolments are very strong, and has run 'Cyber Security Challenges' to test the skills of cyber warriors and see who should be operating inside Australia's defence security structures.

Davies is particularly focused on the sovereign capability aspect of the government's defence industry plan. He says a nation with a sovereign defence industry needs sovereign cyber security.

"It's a burning issue right now – we have to get it right or we'll miss an enormous opportunity to develop and implement our own security capability in Australian defence."