CyberCX 2022 Budget Analysis: What the federal Budget means for cyber

Cyber and critical technology have been big agenda items for the 46^th Australian Parliament. They’ve also been big ticket spending items for Budget 2022-23, as Australia heads into a federal election. In this post we set out the major spending measures, and what they could mean for Australian organisations and our broader threat landscape.

In the last twelve months, the federal government has released half a dozen reviews or draft laws designed to uplift Australia’s cyber resilience. Many of these changes will increase expectations on large Australian organisations to put cyber security front and centre of their risk management strategies.

Budget 2022 was an opportunity for the government to ensure its own investment in national cyber defences match its expectations of industry.

So how did the government go? The Budget will significantly bolster the offensive and defensive capabilities of the Australian Signals Directorate (ASD). It also contains measures intended to address our national cyber workforce shortage, grow and protect critical technologies, and to uplift cyber security—in federal government itself and among small businesses.

Budget 22-23: Cyber security measures at a glance

Intelligence and offensive cyber capabilities

The Australian Signals Directorate (ASD) will double in size over the next decade, adding 1,900 new staff. This is part of the creatively titled $9.9 billion “REDSPICE” package (standing for Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers).¹

REDSPICE is intended to:

• Triple ASD’s offensive cyber capabilities
• Double ASD’s cyber hunt and response activities.

This investment – the largest single cyber spend in Australia’s history – reflects our deteriorating strategic environment and cyber threat landscape. Earlier this month, Defence Minister Peter Dutton warned about China’s rapid investment in offensive cyber capabilities. According to the budget papers, REDSPICE will let Australia keep track of adversary capabilities, deter attacks, protect our critical systems and “counter attack” if necessary.

REDSPICE also backs in the government’s intent to step up cooperation with Australia’s Five Eyes intelligence partners, including under the AUKUS capability agreement with the US and UK.

Most prominently, REDSPICE reflects the central role this Government sees for ASD in Australia’s cyber defence. In 2021, ASD played a significant—and unprecedented—role in Australian public policy debate on amendments to the Security of Critical Infrastructure Act. It’s also just gained new ‘step in powers’ that will empower ASD to direct certain Australian critical infrastructure owners and operators in the event of a future cyber crisis.

Tackling cyber workforce shortages and diversity issues

The Budget recognises that Australia has a cyber and broader technology talent pipeline problem, and contains important measures for workforce growth and diversity:

• REDSPICE talent: One of the biggest challenges for REDSPICE will be meeting the demand for 1,900 new ASD staff, when Australian governments and industry are already facing a critical cyber workforce shortage. Part of the funding announced includes partnerships with educational institutions to train data scientists, artificial intelligence and cyber security professionals, and ICT engineers. This is welcome.

• Regional Australia: The Budget allocates $18.6 million over 3 years for a pilot program to provide digital and data training and employment opportunities for regional Australians. This is another welcome measure, given CyberCX’s latest Intelligence Insights Report – as well as multiple state government audits – identifies skills shortages as a key risk for our regional and rural communities.
• Women: The government is extending existing programs to raise the profile of women in STEM, like the Superstars of STEM and Women in STEM Ambassador. It’s also allocating $3.9 million over 2 years to support women into digitally-skilled roles. Importantly, this measure doesn’t just focus on school leavers and universities, but will have more immediate effect, offering industry partnerships and pathways to help mid-career women transition into the tech workforce. Building a cyber pipeline that’s diverse and sustainable is a national imperative, especially when women today barely make up 20% of Australia’s cyber workforce.
• Talent attraction: The government will continue the Global Australia Taskforce for another 2 years to attract talented individuals and investment to Australia.

One thing this Budget doesn’t address is how the Australian Government plans to leverage the cyber security industry to support threat hunting and incident response activities. The REDSPICE investments will affect only the smallest tip of the cyber defence iceberg, especially as the size and complexity of our critical infrastructure sectors grow over the coming decade.

Australia’s incident response capability primarily exists in industry—inside incident response companies, ASX100 and critical infrastructure operators themselves. In a national cyber crisis, it would be these workers keeping Australians safe. There is still significant work to be done on how ASD and the Australian Cyber Security Centre link up with the private sector.

Budget 22-23: Cyber measures by the numbers

Uplifting national cyber security

Support for small businesses

Small businesses play an important role in Australia’s economy and supply chains for our essential services and critical infrastructure (we are only as secure as the weakest link in our supply chains).  But small businesses often they lack the budgets and staff to uplift their cyber security to levels commensurate with the threat.

From Budget Night, over 3.6 million small businesses will have extra tax incentives for investments in cyber security and other digital assets and services. Businesses with annual turnover under $50 million can now deduct 120%of these ‘digitalisation’ expenses, up to $100,000 per year until June 2023.

This measure is, however, broad. It can be used for major investments like transitioning to the cloud and uplifting cyber security, through to e-invoicing, accounting software and even web design. The challenge for small businesses (and larger enterprises in their supply chains) will be balancing the opportunities of digitalisation with the necessity of cyber security investment.

Under a separate budget measure, small businesses will also be able to deduct 120% of the expenses of staff training courses delivered by Australian entities, a measure we hope helps small businesses to uplift cyber skills and awareness.

Securing government networks

The Budget also continues to invest in the federal government’s own cyber security maturity journey. Notably, it doubles down on the ‘Cyber Hubs’ pilot first announced in last year’s Budget. Recognising that Commonwealth departments hold incredibly sensitive information (especially citizens’ personal information), Cyber Hubs are intended to be centralised nodes of expertise for cyber threat monitoring, detection and response.

Last year, the government announced Cyber Hubs would be set up in the Department of Defence, Home Affairs and Services Australia. Now, a further $30.2 million will be spent to support these Hubs and to establish a fourth pilot in the Australian Taxation Office.

Critical technology

Since 2021, the government has expanded its policy lexicon from “cyber” to the expanded term “cyber and critical technology”.  This is an important recognition that security starts in hardware, technical standards and supply chains, and that investment in next-gen telecommunications, advanced computing and biotech (among other areas) is essential to Australia’s economic prosperity and national security.

In the last twelve months, the Australian government has inked multiple cyber and critical technology agreements with allies and partners, including India, Japan, the United States and United Kingdom.

The Budget doubles down on the importance of critical technology. Measures include:

• $18.6 million over 4 years to shape global critical and emerging technology standards
• Investment in a sovereign quantum computing industry (amount unspecified for national security reasons)
• A US$1.33 billion financing package to Telstra for its acquisition of Digicel Pacific, the South Pacific’s leading telco operator
• Lifting the staff cap in the Department of Defence to support the trilateral AUKUS partnership (a significant part of which involves collaboration on cyber capabilities and critical technologies).

In the lead up to Budget Night, the Prime Minister also announced a new “Cyber and Critical Technology Centre” to be stood up in the Office of National Intelligence, Australia’s peak intelligence body. This new office will provide vital intelligence-coordination, as well as important cyber and tech analysis to the next Australian Government as it shapes up its policy priorities and investments.