The advice comes after a sophisticated state-based actor, which Australian intelligence agencies believe to be China, launched this year a wave of cyber attacks against all levels of government, industry and political organisations.
Fergus Hanson, director of the International Cyber Policy Centre at the Australian Strategy Policy Institute, said Australia needed to increase its investment in human resources as a first step, while government procurement guidelines setting a minimum level of local content might also be needed.
Mr Hanson said the government should also clearly set out which areas of cyber security it wanted to have a sovereign capability, so the business community could invest in those areas.
“If you are going to mandate certain sectors where you’re going to build up sovereign capability, then we should also set up FIRB (Foreign Investment Review Board) guidelines so you don’t build up local companies and then they’re bought out by foreign adversaries,” he said.
The Morrison government has already flagged developing a “sovereign cloud” to hold the data of Australians to protect personal information from overseas governments and companies.
The government announced last month that the nation’s premier cyber defence agency, the Australian Signals Directorate, would also recruit 500 employees and build on its offensive capabilities to take the online fight overseas in a $1.3 billion funding boost.
Mr Hanson said the directorate would have trouble finding people with the required skills to fill the 500 positions, saying the “bottleneck in this whole process is expertise”.
Alex Scandurra, emerging technology expert and chief executive of not-for-profit innovation hub Stone & Chalk, said having a sovereign capability in cyber security would be beneficial to Australia’s national security and its economy.
Mr Scandurra said government procurement policy should be used to drive investment in the local cyber security industry.
“A sovereign industrial capability is not just about being able to fill the skills requirements with Australian nationals – it’s also about being able to engage with suppliers and vendors who are owned and headquartered in Australia, and subject to our laws and oversight,” he said.
“Currently, we’re largely dependent on overseas vendors for our cyber security tools and products, which is not ideal.
“We don’t always know who else is a customer for these vendors, we aren’t totally certain what happens to the data they gather from their interactions with us, and they are headquartered in other countries.
“Even if these countries are allies, it would be vastly preferable to be able to procure cyber security tools from companies that are headquartered in Australia and subject to Australian laws, regulations and oversight.”
Mr Scandurra said Australia already has a significant skills shortage in cyber security and it was likely this will continue for some time, particularly if companies continue to go offshore to find their customers.
A report by AustCyber last year found Australia may need almost 17,000 additional cyber security workers by 2026 for the sector to harness its full growth potential.
Sarah Sloan, from global cyber security company Palo Alto Networks, which is headquartered in the United States, said it was important to promote Australian cyber innovation, but the government shouldn’t rely exclusively on home-grown technologies.
“We would encourage the Australian government to focus on vendors’ ability to demonstrate product integrity practices and how it can promote strong supply chain practices in the technology sector,” she said.
“Australia’s upcoming 2020 Cyber Security Strategy should include guidelines and initiatives to drive good practices in this regard. It also should focus on encouraging greater transparency on how the data of Australians are secured and protected.”
A spokesman for the Department of Home Affairs said the government was continuing to develop the 2020 Cyber Security Strategy and “will consider advice from the Industry Advisory Panel prior to finalisation”.
Get our Morning & Evening Edition newsletters
“Drawing on international best practice and the views of industry and the community, the 2020 Cyber Security Strategy will strengthen Australia’s ability to protect Australians and Australian businesses from evolving cyber threats,” the Home Affairs spokesman said.
Anthony is foreign affairs and national security correspondent for The Sydney Morning Herald and The Age.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.