CeBIT bills itself as "the digital economy's most important international event", so did its Cyber Security conference deliver on that promise this week?
It certainly helped perpetuate the cyber fear doing the rounds of late, with a few subtle reminders that infosec is being militarised — including an attempt by Australia's Defence Signals Directorate (DSD) to ban the media from its opening keynote.
The ban didn't work. At least four journalists managed to join around 100 uncleared conference attendees and their internet-connected smartphones to report that DSD assistant secretary for cyber-security John Franzi said... well, nothing particularly exciting and certainly nothing secret.
The key take-home messages were that the number of attacks against government networks is still rising, and that DSD's Top 4 mitigation strategies will still protect you from most of them.
The military theme was strongest in the two presentations that contained the newest information: Richard Stiennon's keynote on what he called the Age of Weaponised Malware, and Dr Jodi Steel's presentation on NICTA's collaboration with the US Defense Advanced Research Projects Agency (DARPA) to develop bug-free program code for military drones.
Stiennon, chief research analyst with IT Harvest, noted that the first weaponised malware was Stuxnet, discovered in 2012. But he marks the Age as beginning on 1 June 2012, when The New York Times published its account of how President Obama had ordered the Stuxnet attacks against Iran.
To counter such weapons, as well as other highly-targeted threats, Stiennon says organisations need to create a "cyber defence team", like the one set up by defence contractor Lockheed Martin, to deliver a coordinated response. And to do that, they need to understand the nature of the threats against them.
The team includes cyber defence analysts — more puzzle-solvers than infosec practitioners — who use data mining and analysis tools from vendors such as Palantir to discover connections and develop that understanding. They report to management via a weekly chart that lists the ongoing campaigns being conducted against them, what's known about the attackers' motives, and how far they've managed to penetrate the organisation.
There's also a Red Team for attack and penetration testing and internal audit — but their focus is on business process hacking rather than infrastructure.
To differentiate this new organisational model, Lockheed Martin created a new job title. The cyber defence team is led not by the chief information security officer (CISO), but by a "Cyber Commander", who is also responsible for liaison with law enforcement agencies.
Stiennon concedes that this job title may be too militaristic for anyone except defence contractors.
Meanwhile, NICTA's work with DARPA is tackling a key source of security vulnerabilities: program code. Steel, who's director of NICTA's Security and Environment Business, notes that much infosec work consists of patching software vulnerabilities. "We need to be building systems more reliably in the first place," she said.
Traditional software checking and audits are only 85 percent effective, Steel said, and in embedded systems such as those controlling military drones, DARPA's target application, that's not good enough.
"Formal verification" can prove that code is bug-free, but it's been expensive and time-consuming. NICTA has been developing automated tools and methodologies to speed up the process, and aims to produce verified software at only twice the cost of developing standard software. NICTA is "close" to achieving that, Steel said.
Formal verification will become more important as "the internet of things" massively increases the number of internet-connected devices, all of which will need securing.
As an example, Steel noted that a modern car has between 30 and 100 processors. Researchers have already worked out how to create malicious music which, when played on the car's stereo, causes a buffer overrun, inserts malware and takes over the car — including engine controls and the brakes.