The Australian Signals Directorate has hundreds of experts ready to go, the security agency’s director-general says as she dismisses skills-gap concerns.

Australia’s federal election is now set for 21 May, but bipartisan support for budget commitments such as the government’s $9.9 billion cybersecurity investment has already allowed the Australian Signals Directorate (ASD) to plan for a nationwide expansion and big changes in how it executes its cybersecurity mission.

What Redspice will do for Australian cybersecurity

The newly announced Redspice (Resilience, Effects, Defence, Space, Intelligence, Cyber, and Enablers) initiative, which will see $9.9 billion invested in bolstering Australia’s national cybersecurity capabilities over the next decade, will double the ASD’s size with the addition of 1,900 new jobs.

Its expansion is expected to triple Australia’s current offensive cyber capability, double its persistent cyber-hunting capabilities, and quadruple its global footprint, as well as drive investments in new technologies including advanced AI, machine learning, and cloud-based technologies.

Redspice—whose overall plan is contained within a formal Redspice blueprint—has been welcomed as a game-changer for Australia’s cybersecurity capabilities, with Minister for Defence Peter Dutton saying that the investment “will substantially increase ASD’s offensive cyber capabilities, its ability to detect and respond to cyberattacks, and introduce new intelligence capabilities.” The investment is designed to ensure Australia’s cybersecurity capabilities keep up with the “rapid growth of cybersecurity capabilities of potential adversaries,” Dutton said, noting that “deteriorating strategic circumstances in our region” had made it clear that “the nature of conflict has changed, with cyberattacks now commonly preceding other forms of military intervention”.

With cybersecurity now consistently mentioned in the same breath as investments in
conventional defence—and analysis confirming that nearly all the announced funding has been redirected from other parts of the defence budget—Redspice represents a strong commitment to turning that conceptual link into real action. The project “signals positive intent and a significant step in the right direction”, said Dave Shephard, APAC vice president at security firm Illumio, noting that “cyberattacks on government organisations and critical infrastructure providers are increasing and the current global geopolitical landscape has raised tensions further.”

Building a new ASD workforce

Despite supporting Redspice’s intent, Shephard—like many in the industry—is concerned that the initiative may struggle to overcome ongoing challenges posed by Australia’s cybersecurity skills shortage.

“An extra 1,900 ASD jobs over the next 10 years will help ensure we have the resources to keep the nation secure,” he said, “but, acknowledging the skills shortage, where the 1,900 employees will come from isn’t yet clear. Leadership requires more than resources; what can we actually do—better, or differently than before—that will move the needle?”

Speaking in a recent Senate Estimates session after the Redspice announcement, ASD Director-General Rachel Noble offered some guidance about how her agency plans to use the funding to build its capabilities in an Australian jobs market that has long wrestled with a “pervasive and ominous” cybersecurity skills gap.

The ASD received 9,000 applications for jobs in 2021, Noble said, noting that the “very confident” agency already has a multidisciplinary waitlist of 700 people with ASD-relevant skills ready to join the organisation once appropriate positions become available.
“It is not ASD,” she said, “that seems to have an issue in the way that other experts have so described in attracting people with the right skills to join our organisation.”

Not all of the 1,900 jobs will be in cybersecurity, Noble added, noting that the agency is “a team sport” and that new hires would also include “a vast array of different skills” including data scientists, engineers, linguists, analysts, and ICT people, policymakers, HR staff, psychologists, lawyers, and experts in security, compliance, and communications. Reflecting the staggered delivery of the Redspice funding—one analysis found that just $588.7 million in new money will be allocated in the first four years of the program—the ASD will add about 400 staff during FY2022-23, 600 more in FY2023-24, and then an additional 700 staff over the two following years.

Significantly, Noble said, the agency will be able to employ specialists in planned new facilities in Brisbane, Melbourne, and Perth that will house 40% of the agency’s staff—removing the long-held requirement that working with the ASD required relocating to Canberra.

Like the new ASD facility opened last month at Majura Park—which will colocate ASD staff with experts from the Australian Defence Force, Australian Federal Police, Australian Criminal Intelligence Commission, Home Affairs, and key industry partners—planned buildings in the three other cities will be designed to support the growing number of ASD roles that do not require top-secret security clearance.

That change represents a significant departure from the 75-year-old agency’s historical roots in signals intelligence, with cybersecurity engagements in particular driving the need to accommodate lower-clearance workspaces. Noble was also questioned about the agency’s attrition rate, which was reported as 9.2% in its FY2020-21 annual report—leading committee members to question whether the money was well directed towards developing skills that were then lost.
Even with many ASD staff leaving the agency for jobs in private-sector organisations and other government agencies, Noble responded, Redspice investments in the ASD workforce would still support the “national interest”. “We put a lot of money and effort into training people and investing in them to develop the skills that we need,” she said. “If we’re growing and developing people with those high-level skills that we need at ASD, and they leave us, then that helps the nation overall.”