This paper considers the question of whether it is desirable and viable to preserve national interests in cyberspace through a focus on sovereign capability. Desirability is addressed through an examination of the relevance of, and risks associated with, cyberspace. Viability is examined in terms of the potential of Australia's cyber industry and the prospect of protecting sovereignty in cyberspace through industry policies such as Defence's Sovereign Industry Capability Priorities.
The Australian cybersecurity sector has matured significantly over the past five years. Yet there is an over-reliance in Australia on the use of non-Australian services companies for cybersecurity needs. Two-thirds of Australian cyber companies are less than 10 years old and lack the market maturity to compete with established global cyber firms. In line with global trends, compared with hardware and software spending, cybersecurity services consume nearly 45 per cent of the protection stack, over 73 per cent of security operations and nearly 80 per cent of underlying processes, including governance, risk and compliance.
In Australia in 2018, external spending on cybersecurity products grew by 8 per cent to $AUD3.9 billion, compared to 6 per cent growth in 2017. Within the space of four years, over 50 new cybersecurity companies were created in Australia, with over 26,500 workers employed in the sector, which is an increase of nearly a third. Of these companies, 43 per cent are exporting globally, generating $AUD3 billion from the domestic market and $AUD600 million internationally. In Australia, the cybersecurity sector has witnessed an average growth rate of 9 per cent per annum from 2016 to 2020.
With substantial growth in the market over the past five years, there is potential for the Australian cyber industry to grow further. Australia's cyber industry is reliant upon human capital; thus, expansion of the industry is reliant upon increasing the skills pipeline. Since 2018 there has been a dramatic increase in cybersecurity training programs across Australia. Australian universities and TAFEs have mobilised to address the skills gap, with more than 50 per cent of cyber providers surveyed being more confident about the talent pipeline than they were five years ago.
More than 20 Australian universities now offer cybersecurity as a dedicated degree or as a major in IT or Computer Science. The shortage at more senior levels of the experience curve has been met with the supply of dedicated postgraduate programs. In the vocational education and training (VET) segment of the market, enrolments increased from fewer than 500 in 2014 to approximately 3,800 in 2019. Private training providers have also entered the market in greater numbers to offer skill-based qualifications. Although this increase in education and training is helping to deliver the current workforce, arguably it may need to be expanded further to meet the demands of a growing cyber industry.
Although the cybersecurity market is on an upward trajectory, some key sectors continue to remain exposed to adverse risk. Defence, in particular, is at a medium risk level, fuelled by very high threat levels as well as its regulatory environment, which disincentivises companies from entering the defence sector. Development of Australia's competitive edge in products and services such as threat intelligence, cloud security and analytics could become areas for defence and other critical infrastructure activities such as telecommunications and space.
With government's recognition of cyber threats, the need to protect critical infrastructure, and the implications of COVID-19 on Australia's resilience, there is likely to be a substantial call on Australian industry to deliver more cybersecurity capability. Although Australian industry cannot be expected to deliver all cybersecurity, there will be a greater emphasis on sovereign and trusted elements of supply chains supporting critical infrastructure. Australian industry may feature more prominently, depending upon the nature of risks and the relative strength of our national cyber industry.
In the examination of supply chains supporting our national cyber environment, it is likely that many defence systems will be classified as critical infrastructure and even as 'systems of national significance'. As part of its $270 billion Integrated Investment Program, Defence will invest up to $20 billion over the next decade on IT and cyber capabilities. Although this will include overseas solutions, the growing risk arguments together with the government's announcement of increased Australian industry content in defence acquisitions should be reflected in increased local cyber procurements.
The case for sovereign cyber industry capability is driven primarily by the need for resilience of national and defence systems within Australia, but there is a secondary, economic argument for fostering Australian cyber industry. In 2020, the Western Australia AustCyber Innovation Hub modelled the business risks and costs of cyberattacks to small businesses in Western Australia. While the model gave a range of outcomes, the conservative figure used to show the value of cybersecurity was a 4.7 to 1 return on investment. This figure highlights the fact that if any major industry deemed as critical infrastructure were to invest in Australian cybersecurity products and services to protect them, they would circulate the large majority of $4.70 within Australia for every dollar spent on hardware, software and services. The data model could also apply to Defence, in that cost avoidance (when an attack does not occur due to strategically apportioned spend to critical operations) equates to the preservation of the ability to operate, monitor and defeat attempted intrusions and attacks.
Published online: 3 December 2021
Last updated: 12 August 2022
Australian Government Style Manual
A Dowse, T Marceddo and I Martinus, ‘Cybersecurity and sovereignty’, Australian Journal of Defence and Strategic Studies, 2021, 3(2): 201-219. https://doi.org/10.51174/AJDSS.0302/VJIQ5734
Dowse A, Marceddo T and Martinus I (2021) ‘Cybersecurity and sovereignty’, Australian Journal of Defence and Strategic Studies, 3(1): 201-219. https://doi.org/10.51174/AJDSS.0302/VJIQ5734
Chicago Manual of Style - Notes and Bibliography
Dowse, Andrew, Tony Marceddo and Ian Martinus. “Cybersecurity and Sovereignty.” Australian Journal of Defence and Strategic Studies 3, no. 2 (2021): 201-219. https://doi.org/10.51174/AJDSS.0302/VJIQ5734.