The federal agencies responsible for cyber security say their joined-up approach is starting to pay dividends, but challenges remain around building relationships with industry, and retaining staff with sought-after specialist skills.
Senior officials from the inter-agency Australian Cyber Security Centre recognise the worldwide skills shortage in the field is its biggest challenge. The agencies represented in the ACSC run a small number of cadetships that can lead to tertiary studies and sometimes a job with the centre, and contribute to promoting science, technology, engineering and maths careers — collectively known as STEM — in high schools.
ACSC co-ordinator Clive Lines, a deputy director of the Australian Signals Directorate, said recruitment was still an issue for the government agencies because they can’t compete against private sector salaries for staff with more advanced skills.
“We actually do very well with initial recruitment levels; we have far more applicants than we could hope to actually bring in and train in a way that’s meaningful,” Lines told delegates at the ACSC conference last week.
“It’s actually at the sort of five-to-10 year experience levels where, to be honest, we bleed to industry.
“And while there are things we do around individual agreements, and we are certainly in Defence having a big conversation around what looks like a ‘class arrangement’ for particular skills, the reality is that we are often outbid by industry.”
Skills and thrills
Cybersecurity is just one of several specialist fields where the rigid public service classification structure makes it hard to recruit the requisite technical expertise. Yesterday, the government acknowledged this was a problem for the Australian Securities and Investments Commission and announced, as a solution, that the corporate regulator’s employees would no longer be employed under the Public Service Act.
At the ACSC conference, Lines put a positive spin on the situation, saying that at least the government’s investment in staff who moved into more lucrative private sector roles was boosting the nation’s overall cybersecurity skills base.
“So while sometimes I get a bit cranky about being treated as a training organisation, at the end of the day it’s actually about national capability,” he said. “… it’s actually not a zero-sum game, because it’s about national capability.”
The ASD official said he didn’t see the rapidly growing sector as a competition, and his fellow ACSC representatives from the Computer Emergency Response Team, Australian Federal Police, Australian Crime Commission and Attorney-General’s Department agreed.
All were speaking on a leaders panel at the second annual ACSC conference, a cost-neutral event which is part of the ongoing process of building relationships with cybersecurity professionals in the private sector.
“If you think about this in a sense as a national capability, the fact that whether those skills are in industry versus in government actually doesn’t matter, because I don’t see this as a job purely for the ACSC,” said Lines.
“Part of the reason we host this conference is we actually want industry in this space, we want industry providing services to industry and to government and to private individuals, and while it is a problem, particularly at the moment, given the lack of STEM graduates and the lack of STEM studies at high schools and universities, it’s actually not, in a sense, a zero-sum game, because it’s about national capability.”
Lines confirmed there are “conversations about pay scales in government for these specialist skills” going on behind the scenes, and about how experts could “move between industry and government” in cybersecurity, as with ASIC.
“It is a difficult conundrum at the present time because of the overall skills shortage … but it’s not an impossible situation,” he added.
The national cybersecurity strategy, released yesterday, details some measures in response to the skills shortage. Lines told the conference ASD is also “seriously considering” moving to a new business model that would allow lower security clearance requirements for some roles and locations outside Canberra.
Restructure to support
The AFP’s representative, David McClean, said moving the cyber crime team from the High Tech Crime area into “the heart” of the organisation, Serious and Organised Crime, made it a more popular career option for police.
“We wanted to make it more accessible conceptually and professionally to the large body of men and women in the organisation who may choose to have a career in cyber crime,” McClean said, joking about its previous position on the agency’s periphery.
“It was potentially remote from them, hidden away in the basement of the building being practised by some highly expert people. We weren’t really sure what they were doing, but they were obviously doing something very clever and it was reaping great rewards for the organisation.
“So we’ve moved it now … and we are building a tiered cyber crime training curriculum to better enable the entire organisation to help us meet our responsibilities from this year to the next.”
The new training framework is a “major piece of work in progress” but the AFP will still need to recruit external experts to investigate cyber crime, he added.
Building the trust bank
Since last year’s conference, the ACSC has signed seven formal agreements and has 13 more still being finalised.
“At a high level it’s easy to forget that … we’re literally only 12 months old as a single centre,” Lines told the delegates.
“That sounds pretty simple but actually it’s been a significant learning curve for all of us taking what had previously been largely an ASD organisation with small embeds from the other agencies, to actually co-locating all the expertise and all the people.”
The Australian Crime Commission’s Tim Wellsmore said the information flow from industry that is vital to the ACSC’s work had increased but that building more of those relationships was still a key challenge.
From some of the questions that were thrown at the panel, there is clearly a lot more engagement work ahead. The question that attracted the highest number of votes from delegates via a conference website was:
“Currently it appears that the ACSC is serving a purely government and self serving agenda. Despite publicly stating that you work with industry, in reality the involvement with industry just isn’t there. When will private sector start to see benefit from ACSC?”
Wellsmore responded that some companies were “already starting to see benefit” — some represented at the conference — but that it was not obvious due to the confidentiality of their agreements with the ACSC.
“This is just the beginning,” he promised, saying the inter-agency team would continue to provide more value to industry as it signed more partnerships, and suggesting the “onus” was on businesses to provide intelligence if they could.
Friendly, approachable, open for business
The ASD hopes that lowering the classification levels of a lot of its work and publishing more of its advice will make it easier to partner with private sector information security teams.
The AFP’s work raising cybersecurity awareness in the community might not involve directly talking with Australian businesses, McClean said, but it was indirectly benefiting them even if they didn’t realise it.
“We do have some work and some ground to make up in terms of engaging you and getting your attention and confidence, and your willingness to support us when we have those situations where we have a criminal offence on foot,” he conceded.
“There’s a lot of instances where industry will report matters to CERT but not have necessarily the confidence or the desire to work with the AFP in terms of a prosecution.
“We all understand the reasons for that, and they are many, but we will need to push further into that reluctance if we are to try and peg a few scalps to our mast and make some strong statements … that this is very, very hostile ground if people want to come to Australia and offend.”
When asked for a short final statement, all five members of the ACSC leaders panel were as one in urging their private sector counterparts to share information and work collaboratively with the joined-up government agencies.
As well as being physically located together now, Lines said the member agencies were successfully strengthening international partnerships and have implemented a “triage model” to avoid turf battles and tripping each other over.
“We actually used to spend a lot of time working out and arguing amongst ourselves about who had lead,” he said. “That’s all gone away and that’s all made all of our lives much, much easier and it actually means that in terms of who we’re assisting, [they’re] getting a much better and much faster response.”
On the relationship-building front, the conference has been a big success for the ACSC. “Because cybersecurity’s a team sport, we really have to get all of the players into the locker room,” a spokesperson told The Mandarin between sessions.
The event attracted just over 800 delegates in 2015, less than six months after the ACSC opened for business, and that number swelled to over 1000 this year.
While not sapping any funds from the cybersecurity budget, the event goes a long way to support the centre’s aims through heavily discounted training courses, networking opportunities and a carefully chosen program of speakers.
The inevitable over-the-top IT industry trade show was in full effect with the opportunity to keep up on the latest products that might — or might not — help keep information safe, in between the arcade games, massages, espressos and lavish prize draws.
“I think a lot of people were surprised we managed to pull it together the first time after opening in November, and that we put a lot of effort into the program,” the spokesperson said. “Content is king at our conference; we’re not here to make a buck. We wanted to make a conference that we would want to attend.”