[Photo: David Jones]

The summit reflected a strengthened direction and resolve in Government efforts to deal with a rise in cyber attacks. However, the challenges were becoming more frequent and more complex, according to the speakers.

Of particular interest was an important update on the development of the Government’s Australian Cyber Security Centre. Major General Stephen Day, Deputy Director for Cyber and Information Security at the Australian Signals Directorate (ASD, formerly the Defence Signals Directorate), will be the first coordinator of the Government’s new Australian Cyber Security Centre (ACSC).

Day said details were still being discussed and ASD would continue with its central role.

“ASD will provide the majority of the new centre’s staff, about 73 per cent, and the majority of the centre’s capability,” he said.

MAJGEN Day conceded there was still confusion in industry and in some Government areas about who in Government was responsible for what in cyber security.

“My intention is that the ACSC will become a one-stop shop for cyber security. Behind the shop front, we are going to have to work out who is best positioned to deal with the issue at hand,” he said.

While there was no new funding, in the current budgetary environment flat is up, he said.

MAJGEN Day also unveiled the latest cyber attack statistics from the current Cyber Security Operations Centre (CSOC) over the last three years. Some 1,259 attacks were recorded in 2011, 1,790 in 2012 and some 789 incidents in the first five months of 2013. Of these, CSOC responded directly to 313 in 2011, 685 in 2012 and 398 up to May 2013.

In the most recent investigations, MAJGEN Day said that, of the incidents where an actor was attributed, 80 per cent were classified as state-sponsored, 14 per cent as cyber-crime and six per cent were attributed to individuals or “hacktivists”. MAJGEN Day also commented on the recent intelligence collection operations of the US National Security Agency and the leaked Prism operation.

“All intelligence activities carried out by ASD are conducted in strict accordance with Australian law,” he said.

Other notable presentations revisited the issue of what a future cyber war would require and the importance of China and its perspectives in Australia’s approach.

Cyber attacks required a major shift in how we should think about defence, argued Scott Borg, Director and Chief Economist of the US Cyber Consequences Unit.

He cited the example of the profound and sustained harm that could occur when a major electricity generator could be tampered with digitally. While a few days without power was sustainable, more than a week of no power could cripple an economy. He noted that these generators were built and shipped from China and India and could take anywhere from months to years to build.

The role of traditional Defence responses in this context was not an easy fit. What smashing or “taking out” the enemy would mean was unclear, particularly when attribution was uncertain. The likelihood was that the attacker could disguise its source and continue its attack through advanced persistent malware attacks from a remote area that could be even tougher to find.

On the other hand, he said cyber warfare was less focused on destroying an enemy’s economy. Instead the aim was to force a country to do “certain things” it would not otherwise do. Avoiding the use of nuclear weapons was a major consideration.

Contrary to popular wisdom, future cyber warriors would be closer to a small group of software developers who would have a good understanding of the vulnerabilities of critical infrastructure. These would tend to be middle-aged for this reason, he argued.

Also, one elite person will not equate to 100 mediocre recruits, he noted. This undermined current concepts of how future armies are developed and sustained, he added.

Perhaps most challenging of all to the summit was the trenchant coverage of Chinese culture and Australia’s new cyber rules of engagement by former marine Col (Ret) William Hagestad II.

With an ability to speak and read Chinese, Hagestad argued that Australia’s recent Defence white paper would confuse the Chinese. On the one hand, it suggested China was not an enemy. On the other, Australia’s actions to bar State-owned Chinese company Huawei from bidding for the construction of the national broadband network sent another signal. So is China an enemy or a friend, he asked.

He said China had a poor capability with indigenous innovation and was more inclined to use malware to attack the intellectual property of Australia and its allies.

He concluded that Chinese-written malware can be well disguised and hard to locate. It was close to “the ultimate form of cryptography”, he said. The proxy wars had begun and threats by China were bad and would get worse, according to Hagestad, who urged Australian agencies to develop cyber offensive capabilities.

Former DSD deputy director Mike Burgess returned to the summit as Telstra’s new Chief Information Security Officer. His key message was that information security was a leadership issue, and he despaired that less than 30 per cent of Australian company boards understood the risks of losing control of their systems or data. He wanted to see more security awareness training among staff to reverse the increase in compromised business systems that he was coming across.

A similar perspective was aired by David Owen, Director, Strategy & Major Client Groups for BAE Systems Detica. Owen’s experience was that malware attacks were becoming “professionalised” in the sense that serious attacks occurred during working days and business hours. In a “Watering Hole” attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the “trusted” watering hole site and becomes compromised. Formerly popular tools such as intrusion detection systems (IDS) and security operations centres (SOC) were not making the inroads on incursions that companies had hoped for.

The size of the data, false positives, and the expense of maintaining them meant many companies were turning off or ignoring their IDS alerts. Seeing the big picture without behavioural analytics was challenging. Only a small proportion of companies and government agencies were approaching a maturity and capability to cope with the rise in attacks, he noted.

Other speakers, such as Radware’s General Manager Mick Stephens, outlined the latest techniques for coping with denial of service incidents.

The alarming rise in the number of untested lines of software code in tools such as the latest F35 fighter aircraft made cyber security complicated to manage, said Major Gen (ret) Robert Behler, the COO of Carnegie Mellon University’s Software Engineering Institute. Bragging rights used to be how many “G”s a jet pilot could sustain. Now it was how many million lines of software code the pilot’s craft depended on, he said.

Defence policy planners needed to understand that the risks of increased software complexity opened a new vulnerability door. Sometimes the cost of improved functions and convenience may be too high. He urged Defence procurers to look for systems that had security designed in from the outset rather than tacked on later at a much greater expense.
