Professor Chris Leckie and his colleagues rarely find themselves struggling for inspiration when it comes to research projects. “I often joke that cybersecurity is a great area to do research in because the Russian mafia is coming up with your next research problem,” he says. “It’s an area where the threats are continuously growing and evolving.”
Leckie is director of the University of Melbourne’s Academic Centre of Cyber Security Excellence, one of two such centres in Australia set up by the federal government in 2017. Now funded by the university, the centre focuses on research and training and is helping to develop a skills pipeline to tackle Australia’s cybersecurity threats.
Those threats are coming from multiple sources, Leckie says, from criminals committing fraud in the form of, say, a ransomware attack against a hospital to political activists hacking websites or disabling systems. “Then there’s the threat of other nation-states or other external entities trying to extract information about government operations or people within the government or within Australia more generally,” he says.
Michelle Price is CEO of AustCyber, an independent, not-for-profit organisation funded by the federal government that aims to develop Australia’s cybersecurity ecosystem. She says Australia has moved up the rankings of strategic targets.
“The number of countries targeting Australia has definitely grown and we can see that happening in more and more sophisticated ways,” Price says. “Government and law-enforcement agencies are at the front line of being impacted by that higher level of sophistication.”
On the front line
Protecting Australia against these attacks is a coalition of forces. The Australian Cyber Security Centre leads the government’s cyber defences and collaborates with the Australian Federal Police, state and territory law enforcement agencies, businesses and academia. Consulting firms play their part, as do all remote workers sitting on their laptops at kitchen tables nationwide.
When it comes to cybersecurity expertise, Leckie says a range of skills is required to tackle the ever-evolving threat. These include the technical skills to work on system design and testing, but go far beyond that.
“You might get people with a background in computer-human interaction to look at the security of how people work with the system,” he says. “From the organisational information systems perspective, you’ve got people who look at how organisations use computers in different roles. How do they assess the risk of different threats?”
We need experts with the skill to communicate complex technical issues to laypeople, Leckie says. (“We have to teach some of our technical people to talk to the human species,” he jokes.) We also need people who are across the legal implications of cybersecurity, experts with training in psychology who understand how fraudsters manipulate people, educators who can ensure workers understand how to be cyber safe and specialists in the field of online financial transactions.
“People tend to think in terms of just the old-fashioned way of looking at it – around just the technical side – but actually cybersecurity is quite a multidisciplinary area.”
Meeting the skills shortage
There is a cybersecurity skills shortage worldwide, Leckie says, and Australia is no exception. But plenty of work is being done to address this, notably through the federal government’s 2016 and 2020 Cyber Security Strategies. As part of a bid to make Australia cyber safe, they aim to increase collaboration between governments, academia and businesses to build the nation’s cyber-skills pipeline.
“There’s been a lot of investment by government, at state and federal level, there’s been a lot of effort put in by the universities to set up cybersecurity courses and programs, and there’s been a lot of engagement with industry,” Leckie says. “And I think that’s certainly improved our standing. Trouble is, it’s not a static game.”
Price points out that the skills challenge isn’t just about cybersecurity professionals. Every person in Australia needs to be made more cyber aware, she says – every job in the future economy will require some level of cybersecurity skills, and an increasing number of roles will require some technical prowess.
We will also need more cyber professionals. According to AustCyber’s 2020 Australia’s Cyber Security Sector Competitiveness Plan, more than 26,500 cyber-security workers are employed across the sector. About 7000 more will be needed across all industries nationwide by 2024.
Many collaborations – from a Melbourne University partnership with Telstra to an AustCyber link-up with Microsoft – seek to bolster the workforce and attract applicants from diverse backgrounds.
However, one area of collaboration that Price believes could improve is workplace secondments between industry and government – something she says Australia doesn’t do well compared with the US, despite recent government efforts. “We need to trust ourselves on that and break down some long-held misperceptions around how government operates and how industry operates, and never the two shall meet.”
The future is only going to get more challenging. Artificial intelligence (AI) will play an increasingly important role in our cyber defences, but Leckie says this presents ethical issues and vulnerabilities. It’s also not just a tool for the good guys.
“What happens as the attackers start to use AI to automate their attacks, to make their attacks more stealthy, to imitate human behaviour better?” he asks. “What can we do to prepare for that, and prevent that or defend against that in the future? That’s one of the longer-term challenges that we’re working on.”
For Price, the imminent convergence of quantum technology and true AI will offer a next-level cybersecurity challenge that will force us to lift our game. “We do have a system, thankfully, within Australia that has evolved over the past five years to generate the skilled people to respond to that need,” she says.
But sticking with the plan, and making continued investment in the infrastructures already built, will be crucial. “If we see a fragmentation occur over the next couple of years, that will really set us back,” Price says. “But if we keep on the path that we’re on, I’m very confident that we’re going to be a world leader in the production of skilled cybersecurity professionals.”