The New South Wales government has announced an investment in the state’s cybersecurity capabilities, hoping to use AU$60 million to create an “army” of cyber experts.
With the funding to be spread over three years, Minister for Customer Service Victor Dominello said the creation of a cyber army would see the scope of Cyber Security NSW broadened to incorporate small agencies and councils.
Cyber Security NSW was stood up in mid-2019 to consolidate and lift the cyber capability of state entities.
“The AU$60 million is not only a four-fold increase in spending on cybersecurity but allows Cyber Security NSW to quadruple the size of its team in the battle against cyber-crime,” Dominello said.
“Cyber Security NSW will train the next generation of cybersecurity experts and ensure there is a cross-government coordinated response, including advance threat intelligence sharing, cybersecurity training, and capability development.”
The funding was made available through a AU$240 million commitment made in June to improve NSW’s cybersecurity capabilities, which included investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce.
Under that commitment, Dominello previously announced standing up a cybersecurity vulnerability management centre in Bathurst, 200km west of Sydney.
To be operated by Cyber Security NSW, the centre will be responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies.
In June, Dominello also called for submissions to help shape the state government’s 2020 NSW Cyber Security Strategy. The plan will be aimed at developing a “comprehensive, sector-wide cybersecurity strategy”, one that supersedes the existing 20-page strategy that was published in late 2018.
“The new strategy will be delivered through an integrated approach to prevent and respond to cyber security threats and safeguard our information, assets, services, businesses, and citizens,” Dominello said at the time.
The federal government earlier this month published its own cybersecurity strategy, which included the Commonwealth vowing to: develop legislation that would impose cyber standards on operators of critical infrastructure and systems of national significance; consider what laws need to be changed to have a minimum cyber baseline across the economy; and create powers that allow the federal government to get on the offensive and actively defend networks and critical infrastructure.
The strategy followed the announcement of the Cyber Enhanced Situational Awareness and Response (CESAR) package that will see the federal government spend AU$1.35 billion over a decade on the nation’s security agencies. Around AU$470 million will be used to create 500 cyber-related jobs within the Australian Signals Directorate (ASD).
Beyond CESAR, the federal government has put forward another AU$320 million in funding under the strategy.
During a recent hearing into the cyber resilience of Commonwealth entities, ASD was asked if any of the cyber funding, including from the 2020 Defence Strategic Update, would be put towards ensuring such entities are compliant with the Top Four mitigation strategies.
ASD said in response to questions taken on notice that it would continue to conduct cyber uplift initiatives similar to those it has previously run as part of the AU$1.35 billion investment in cybersecurity.
“As announced through the Defence 2020 Force Structure Plan, AU$15 billion will be invested by the Defence Portfolio (including the Australian Signals Directorate) for cyber and information warfare capabilities over the next decade,” it said.
“This includes the recently announced investment of AU$1.35 billion over 10 years from 2020-21 to enhance and continue initiatives focussed on national situational awareness of cyber threats, disrupting cyber criminals offshore, and building partnerships with industry and government which enhance national cyber resilience.”
Also provided on notice by the ASD was the admission that it hasn’t conducted any bug bounty programs in Australia, despite such initiatives resulting in more than 10,000 vulnerabilities being discovered since 2016 in the United States.
“ASD operates in line with the Responsible Release Principles for Cyber Security Vulnerabilities, which are available at asd.gov.au,” it said in response to a question asking if the government considered the adoption of bug bounty programs for Commonwealth government agencies.
“In line with these principles, ASD engages actively with the information technology research community and industry who disclose vulnerabilities to ASD.”