National cyber budgets: same, same but different
16 Jun 2016

Image courtesy of Flickr user Defence Images

The latest report from UNSW’s Australian Centre for Cyber Security (ACCS), ‘Australia’s Response to Advanced Technology Threats,’ claims that Australia doesn’t take cyber threats seriously enough. The report argues that the differences between Australian cyber security rhetoric and spending compared to our allies, namely the US and UK, indicate that Australia is lagging behind in both our understanding of and responses to cyber threats. The report argues correctly that Australia has a long way to go towards developing the strong cyber security posture and workforce it requires. However, when making comparisons between Australia and other countries, it’s helpful to understand a variety of factors that contribute to national differences.

The transnational nature of cyberspace requires national cyber security budgets to address international cyber challenges. Developing conflict prevention frameworks, capacity building efforts, internet governance initiatives and international cybercrime engagement are priorities that demand international cooperation. So a certain proportion of states’ cyber spending is directly comparable and a national budget can act as an indicator of a government’s capacity to address global challenges and contribute to those international projects.

However, it’s important to remember that a proportion of a state’s budget is reflective of its specific national cyber threat landscape. The cyber security risks seen on the ground differ in nature, number and extremity between countries. For example, while the majority of breaches in France are the product of hackers or criminal insiders, such incidents only represent 30% of cyber incidents in Brazil.

Numerically, the threat faced by the US is enormous; IBM’s 2015 Cost of Data Breach Study found that while 60% of global cyber incidents take place in the US, only 6% occur in Australia. Incidents in the US are not only more numerous but also more damaging. For example, an international study by the Ponemon Institute found the average cost of a breach in the US to be US$15 million, US$6.32 million in the UK and only US$3.47 million in Australia. Meanwhile, Australian government figures sit even lower, with the average cost of a breach to an Australian business estimated at AU$276,323.

The divergent frequency and scale of incidents result in varying aggregate damage to each country. McAfee’s 2014 report, Net Losses: Estimating the Global Cost of Cybercrime, undertook an international comparison of the proportion of a country’s GDP lost as a result of malicious activity online. According to the report, Australia lost only 0.08% of its GDP, while the UK and the US lost 0.16% and 0.64% respectively.

Even assuming that each country faced the exact same cyber threat, making budget comparisons in relative terms as a proportion of national GDP, rather than in absolute terms, more accurately reveals cyber security’s position within national priorities. Referring to recent announcements of US plans to invest US$19 billion in cyber security efforts over one year, while the UK has committed £1.9 billion over five, the report claims that Australia is annually being outspent by its allies by 400 and 10 times respectively.

However, when broken down annually and measured as a proportion of GDP (as projected over the relevant funding years), Australia spends 0.003%, the UK 0.020% and the US 0.113% of national GDP on cyber security. The claim that the US is spending hundreds of times more than Australia is based on a direct comparison of absolute budget allotment, without taking into account the size of the economy from which the investment is being made. Such comparisons are therefore misleading in the important discussions on Australia’s funding strategies.

The US and UK are actually spending 35 and 6 times more than Australia in relative terms, respectively. The gap between Australian and US spending isn’t as severe as suggested in the ACCS report, and must be understood in the context of each country’s level of risk. Compared to Australia, the US experiences a 10 times higher rate of cyber incidents, 8 times the cost to GDP and 5 times the cost per average breach. That reality means the existence of some gap in national funding response should in some sense be expected, and doesn’t necessarily represent an Australian disregard of the importance of cybersecurity measures as the report suggests.

Of course, the discrepancy is still significant and there’s room for growth in the Australian budget. The need to invest and plan further for Australia’s cyber workforce, as mentioned in the report, cannot be overstated and is a priority echoed by the ICPC. Increasing Australian investment in cyber education, securing infrastructure and combatting cybercrime, as suggested by the report, is important to address the AU$2 billion cost of malicious cyber activities to the Australian economy each year.

However, there’s an important difference between calling for increasing investment and requesting more dramatic rhetoric. Policy development needs to take place in a reasoned and rational manner, so avoiding misleading and alarmist comparisons is essential. Threat perceptions must be accurate and breach reports honest, but unnecessarily dramatising the threat doesn’t change the results on the ground.

Australia should continue to increase its investment in cyber security to ensure it manages the risks, and can continue to enjoy the benefits of cyberspace. It’s vital that this discussion is based on national realities and informed by an accurate understanding of where Australia sits in relation to its peers in terms of relative risk and response.