Notes from the ACSC 2017 Conference

The Australian Cyber Security Centre’s annual conference, held last week in Canberra’s National Convention Centre, was so much more than the usual conference vendor-fest. I’m filled with hope now that Australia is on a trajectory, set by the launch of the Cyber Security Strategy in April 2016, that will finally oil the political machinery that will allow industry, start-ups and government to work together for a brighter future.

World Class Speaker Line-up

What I thought was incredible about this conference was the vast array of speakers from both Australia and overseas, who openly brought their intellect, research and ideas into this semi-public forum. No other conference on the Australian circuit has such an array of talent and expertise under one roof, and they are all approachable and ready to discuss what they are doing, irrespective of whether you are a vendor, a service provider or a consumer. For the first time in a long time, it was so nice to be at a conference that was not all about the vendors. ACSC has managed to pull off what I thought was impossible, making the conference all about the delegates and the industry.

Opening up was Dr Deborah Frincke, an amazing lady who leads the Research Directorate of the National Security Agency/Central Security Service (NSA/CSS), which is claimed to be the largest in-house research organisation in the U.S. Intelligence Community. Her keynote set the tone for the rest of the conference, where she explained that the Internet (i.e. cyberspace) is now both a battlefield and playground for our children – somewhere where we live, work and play while opposing forces conduct intelligence and counterintelligence operations to prepare for conflict. In all reality, cyberspace is these and more – it’s an extension of our lives in almost every facet. Therefore, security in cyberspace is something that affects us all and is something that we must all learn about and understand better.

Cyberspace Trends

Figure 1: Trends in Cyberspace (courtesy of NSA)

Dr Frincke went on to explain that the legacy technology debt ensures that what’s previously gone wrong in cyber security will continue to go wrong long into the future. How often do we see headlines suggesting a breach occurred because the organisation had unpatched legacy Windows XP systems? Instead of ignoring the problem, hoping it goes away, she suggested that we embrace this legacy issue and better understand the consequences of managing this debt while acting to mitigate the risks of attacks against these legacy systems through better detection mechanisms (such as log collection and event correlation). “Our goals must be mission oriented,” she proclaimed. We need a systemic approach which allows us to profile and understand the enemy – from the attacker’s perspective – considering their motivations and means, from espionage to crime, which will help us decide how to detect it. Cyber crime is now a social issue affecting all of us, where no person or business is safe.

Cyber Moving Targets

Dr Frincke went on to explore some of the new approaches the NSA is taking to cyber defence, where their research is focusing on making it harder (or even too hard) to hack them as targets. They are building continually changing configurations into their infrastructure, meaning the first step of the attack is nearly impossible: profiling and reconnaissance. Imagine your adversary scanning your systems for vulnerabilities and getting a different response each time. What would they attack?

Figure 2: Building Cyber Moving Targets – Deception at its Best (courtesy of the NSA)

They would be wasting their time building exploits for something that doesn’t even exist, causing immense irritation. Her goal: frustrating these adversaries to the point where they give up or go and attack someone else. It sounds good, right, but the technologies that allow the infrastructure to morph and change are hard to manage – thus automation will be critical, and this requires a lot of research.

The Australian Cyber Security Growth Centre

No blog post about the ACSC 2017 conference would be complete without mentioning the ACSGN. Craig Davies provided an update and overview of what the ACSGN had achieved since its inception last year. The government funds it, but as he said, it’s not a government service. Its reason for existence is to support industry. The ACSGN has a broad remit to build a successful cyber security start-up community, as you might expect. However, it’s also there to assist businesses that are scaling up their cyber security offerings to service a bigger and more complex market, as well as businesses who are overseas and want to invest in Australia. But he also explained that one of our greatest failings is that a few of the world’s best cyber security companies were born in Australia but have been forced to move overseas to gain funding and traction in the global market. He wants to entice these companies home and provide the platform for them to reach the global and local markets that previously only Silicon Valley could have provided. It’s ambitious, but it’s also exciting. The Australian Cyber Security Growth Network is an extraordinary contribution to the Australian cyber security economy, and I must applaud the government for investing in this capability. Hopefully, now that the Digital Marketplace is up and running, we’ll see businesses of all sizes playing in the market that was once dominated by multi-nationals. Undoubtedly, the ACSGN will drive competitiveness beyond anything we’ve seen previously in Australia and will allow the underdog start-up with one fantastic offering to compete for the same business opportunities that were once only open to the likes of CSC, IBM and Lockheed Martin.

Change is Coming…

The ACSC 2017 conference was excellent. It’s certainly shown us that the government is serious about making Australia an economic force to be reckoned with, with cyber security as one of the pillars of our future success. There was a tremendous buzz at the conference and everyone we spoke to was enthusiastic and excited about the future. Let’s keep the conversation flowing, the innovation bubbling and start investing locally in Australian expertise. I’m looking forward to next year’s conference already, especially regarding the conversations around mandatory breach notification which invariably will start later this year.