Cyber-security: We must and can do better!

Security, especially of embedded/cyber-physical systems, including cars, aeroplanes, communication devices, and industrial control, has become a hot topic this year. For example, a  report on the state of IT security recently published by the German BSI (Federal Office for IT Security) lists, among others, a targeted attack on a German steel mill that led to massive damage of the facility (p 31 of the report).

Such attacks are only going to become more frequent, and people are looking for solutions. Increasingly, people are starting to realise that the existing cyber-security “solutions”, such as software patches and malware scanners, are just doctoring with symptoms. (Very lucrative business for the “solution” providers: they know that there are lots of bad guys out there who find new compromises all the time, forcing their customers to keep buying the latest security “solution”.) The “catch, patch, match” approach advertised by the Australian Signals Directorate (ASD) is in line with this approach, and scary in its naïveté! (The description of threats is reasonable, but the proposed “solution” is amazing. And they mean it: I attended a talk given by an ASD general at a cyber-security conference, and the message was essentially “catch, patch, match and you’ll be fine”!)

In contrast, ASD’s colleagues at the BSI take a more active role, including working with industry to provide secure core technologies (Sect 4 of the above report). They note that there is a fair bit of indigenous cyber-security capability, which needs to be coordinated and supported to provide more comprehensive security solutions for German industry.

It would be nice if there was a similar realisation in the Australian government. With the seL4 microkernel we have developed at NICTA, we have unique expertise in the world’s most secure operating-system kernel and the associated verification technology. There is a significant number of NICTA alumni out there who are familiar with the technology, including some who are running their own businesses (e.g. Cog Systems). Together with them we’d be in the perfect position to develop really strong cyber-security solutions, and build a local, export-focussed cyber-security ecosystem.

But it seems others may beat us to it. For example, DARPA has just issued a SBIR call (SIBRs are research grants for small business) aiming at developing a security ecosystem around seL4. Other governments may follow (eg Germany is a prime candidate.) Much of this development will be open-source, and thus re-usable locally. But without government support for the local ecosystem, we’ll lose the massive head start we’re enjoying at the moment.