I was recently in Canberra to attend the Defence + Industry Conference and provided a US Department of Defense Cyber Maturity Model Certification (CMMC) program briefing to Lockheed Martin supply chain SMEs the following day.
The Defence + Industry Conference was excellent, very well delivered, and remarkably informative regarding the Defence Strategic Review, AUKUS (Pillar 2), and the impact these will have on Defence procurement and industry development in the coming years. And Deputy Secretary, CASG, Chris Deeble’s acknowledgment of country was one of the most impressive, moving things I have heard at such an event.
What was a constant throughout the event was the importance that the Department of Defence placed on cyber security. As mentioned in all sessions, cyber security is critical for the defence industry to take seriously, and cyber uplift, resilience and hardening were reinforced as key requirements when working with Defence projects.
I noticed a mixed sense of optimism and scepticism within the industry of increasing opportunities created by AUKUS Pillar 2’s focus on information sharing and technology transfers and greater integration of the Defence Industrial Base of Australia and US.
Richard Marles MP Minister for Defence and Pat Conroy MP, Minister for Defence Industry, both mentioned the “seamless integration” of Canada’s industry with its neighbour the US, as an example Australia can look to.
And it seems inevitable that increasing information sharing, technology transfers and a relaxation of export controls will lead to increased opportunities for Australian Industry.
But is the Australian industry ready for the increased compliance requirements to take advantage of these opportunities?
From what I have experienced, neither Industry nor Government are prepared.
Industry often sees cyber as a cost with no measurable ROI and a hindrance to doing business. The government often doesn’t understand SMEs’ constraints, introducing friction points such as delays in assessing DISP applications and upgrades and processing security clearances.
But something needs to change. The US is itself getting serious about cyber security and the expectations it is placing on industry to protect sensitive information. The introduction of the US Department of Defense, Cybersecurity Maturity Model Certification (CMMC) programs is evidence of this.
CMMC is poorly understood and often misrepresented in terms of its importance to industry. This is based on past events but does not reflect what going to be expected of industry in the near future. CMMC will formalise, enforce and assess the industry’s cyber maturity against a standard more advanced than currently implemented by most organisations.
To put the importance the US is placing on cyber for the industry in perspective, we can quote John Sherman, CIO US Department of Defence “I recognise full well that CMMC is a controversial topic, but it’s a necessary one. We’re not gonna let China and Russia, rob us anymore of our blueprints; our plans; or other things that are going to put our service members at risk… “.
Canada has already recognised the need to uplift cyber and continue their seamless integration with US industry by recently announcing the development of a Canadian CMMC equivalent program with reciprocal recognition of compliance. Our Canadian friends are just getting on with it.
Australia needs to do the same. We need to streamline DISP and security clearance processes (not weaken them), incorporate a CMMC equivalent program into IRAP and provide advice and resources to the defence industry to facilitate the uplift of their cyber. This can be done within existing structures and frameworks so we are not reinventing the wheel. Frameworks, standards and resources are already there. They just need to be aligned. Isn’t that what AUKUS is about?
Tomorrow, another CMMC briefing. This time in Sydney for the BAE Global Access Program. Despite the challenges, it is a real bonus to meet with the Defence industry and learn about the amazing innovative work undertaken in Australia.
Like our defence industry clients, Secure State is busy innovating and developing a cyber security platform to enable organisations to take advantage of the opportunities that the closer integration AUKUS will create. Stay tuned.
Head of Strategy