We have to live with the legacy flaws #2017ACSC


Opening the keynote session in Canberra for the Australian Cyber Security Centre Conference 2017, Dr Deborah Frincke of the NSA Research Directorate highlighted, “the ‘new’ cybersecurity domain is a battlefield. Yet the playground for our children, platform for commerce, network for our infrastructure, source of government intelligence operations and where the majority of the community lives and plays.”

The NSA Research Directorate is a place of research amongst operations and capabilities, being one of 16 federal government agencies in the USA, each with challenging and, at times, opposing responsibilities and domains. This is seen as a positive framework to avoid too much control and centralisation by one agency and provide the necessary checks and balances. The NSA Research Directorate, explained Dr Deborah Frincke, is focused on information assurance, foreign intelligence and computer network operations in support of the White House and State Department, military targeting support and collaboration with Government, academia and industry.

The research is designed to achieve a scientific advantage. Dr. Frincke said, “Any human endeavour invites a new frontier and new approaches. The cyber problem is about cyber assurance and leveraging between offensive and defensive. We are trying to be more open and transparent.”

What is hard about cybersecurity is you never quite know what’s going to happen. Using the analogy of rock climbing, making a change can go awry, or a risk can emerge that wasn’t assessed, or the landscape itself can change. There are increasingly sophisticated cyber threats and the consequences never go down. In the cyber domain, anything that has gone wrong never stops going wrong because of legacy systems. Old flaws are always with us. Dr. Frincke recalled, “We thought we had a problem when we couldn’t list all of a system’s vulnerabilities on one page. Now we have to categorise them. The days of having a clean slate are gone. We have to live with the legacy flaws. We have to team strongly and globally to keep up.”

The scientific principles subject to ongoing research include ‘cyber deception’ and getting a better understanding of the adversary through rigorous scientific study of human cyber behaviour. Defensive deception seeks to re-balance the asymmetric nature of network defence by leveraging an attacker’s cognitive bias, and is designed to frustrate them. Similar in concept to a ‘honeypot’, the desire is to have these concepts designed in from the start. Another principle under research is the use of ‘cyber moving targets’: introducing dynamic variation to counter attack vectors, increase attacker workload, and create delay and frustration.

Dr. Frincke also moved into the area of ‘adversarial machine learning’, which is looking to use techniques of data poisoning, evasion and astroturfing. It is a path reasonably likely to continue where an adversary is able to control or corrupt data pools, and as new big data projects are started, the compromise could be there from the start and stay there. This results in an inbuilt bias and inherent influencer – meaning the ‘compromised normal’ becomes the ‘normal’.

In closing, a key message from Dr Frincke was the need to anticipate that expectations on us will change. If we don’t design our systems to respond to changes, we could be designing a whole new Y2K problem. It is an important issue in terms of big data sets, privacy, civil liberties and privacy assessments.

Chris Cubbage, Editor