Our final post on CyberCon Melbourne 2023 is about where the industry is headed, what that means and how we can best secure it.

Before that, though, we went back to the raw basics of physical security at the lock-picking station, where we tried our hand at picking locks and learned how the pins in locks have evolved to make picking harder. As it turns out, we lack the dexterity and feel needed to make good burglars, which is probably for the best!

Despite this, it was a fantastic way to understand how lock pickers take advantage of manufacturing tolerances and design weaknesses, using the same mindset as modern-day hackers.


Australia at the forefront of global cyber security

Australia has been taking a role in the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, as a non-NATO Contributing Participant, and has been represented there by the expertise of Lt Graham Price for the past 15 months.

The CCDCOE was set up by NATO members interested in protecting themselves and other nations from cyber-attack, following the 2007 state-sponsored cyber-attacks on Estonia. It focuses on collaborative research to establish best practice that other nations can use and adapt to their own specific needs and circumstances.

Cyber defence is the part of cyber security that falls to each nation's defence forces. The CCDCOE, however, provides unique opportunities: 39 nations are represented by cyber experts in law, technology, operations and training, who can gain insight from, collaborate with and learn from each other to build international cyber resilience.

This effort provides advice and guidance to all parts of government, not only the military, on building cyber security technology, process and people capabilities.

Each year the CCDCOE runs two major exercises:

  • Locked Shields – a two-day exercise with around 3,000 participants focused on the defensive side of cyber security, and the largest live-fire cyber exercise in the world; Australia has taken part. It plays out by having blue teams defend a fictional nation's networks against attacks from red teams.
  • Crossed Swords – an offensively focused exercise in which teams practise infiltrating a fictitious country and its infrastructure.

Large Language Models, including ChatGPT

There were numerous sessions and discussions around the hot topic of large language models (LLMs) and artificial intelligence. Everyone was aware of the risk of divulging sensitive and private information to the large companies producing the models, which currently limits what some companies are willing to use them for.

Staff and companies are eager to experiment with these tools to see what productivity gains they can make. While the technology is still early in its lifecycle, the models are already very good at writing marketing content and other text, and also software code. However, if you as an employee choose to "outsource" a task, or part of one, to an AI model, you are still responsible for what you produce, whether or not you wrote it yourself. So anything produced by a model should be thoroughly checked for accuracy and coverage before publication.

Another example was the use of ChatGPT to produce software code. ChatGPT has been trained on every programmer's favourite (or previous favourite) resource, stackoverflow.com, so you might think that when asked to produce code it would produce good-quality, secure code. Unfortunately, this was not the case: it produced only a minimum viable product.

For example, prompting it to:

“Produce a method to generate a database query to retrieve customer records using ‘name’ or ‘city’ parameters passed to the method”

will produce a single line generating the SQL. No good practices, such as error checking, null checking or protection against SQL injection, were included. To get them, you had to add the following to your prompt:

“considering good practice and security concerns”,

and lo and behold, the checks would be included. The lesson is that safe defaults have to be asked for explicitly, and the result still has to be reviewed by someone who knows what the checks should look like.
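To make the difference concrete, here is an added example (not code from the post, and not ChatGPT's output) in Python with SQLite. It shows the one-line, string-concatenated query that a "minimum viable" answer gives you for the prompt above, beside a version that applies the checks the second prompt asked for: argument validation, a parameterised query, and error handling. The customers table, its rows and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample data for the example: a tiny customers table.
CUSTOMERS = [
    (1, "Alice", "Melbourne"),
    (2, "Bob", "Sydney"),
    (3, "Carol", "Melbourne"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def find_customers_unsafe(conn, name=None, city=None):
    """The 'minimum viable' answer: glue the caller's value straight into SQL.

    No null check, no error handling, and the value is part of the query text,
    so a name such as  ' OR '1'='1  turns the lookup into 'return every row'.
    """
    if name is not None:
        sql = f"SELECT id, name, city FROM customers WHERE name = '{name}' ORDER BY id"
    else:
        sql = f"SELECT id, name, city FROM customers WHERE city = '{city}' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_customers_safe(conn, name=None, city=None):
    """Hardened version: validate arguments, bind the value, handle errors."""
    # Null/argument checking: exactly one of the two filters must be supplied.
    if (name is None) == (city is None):
        raise ValueError("exactly one of 'name' or 'city' must be given")
    column, value = ("name", name) if name is not None else ("city", city)
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"'{column}' must be a non-empty string")
    # The column name comes from our own allow-list above, never from the
    # caller. The value travels as a bound parameter, so quotes inside it are
    # data, not SQL: the injection string is simply a name nobody has.
    sql = f"SELECT id, name, city FROM customers WHERE {column} = ? ORDER BY id"
    try:
        return conn.execute(sql, (value,)).fetchall()
    except sqlite3.Error as exc:
        raise RuntimeError(f"customer lookup failed: {exc}") from exc


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_customers_unsafe(db, name=payload))  # every row leaks
    print("safe:  ", find_customers_safe(db, name=payload))    # no rows
    print("safe:  ", find_customers_safe(db, city="Melbourne"))
```

The point of the pair is that the safe version is not much longer, but none of its three safeguards appears unless you ask for them, and a reviewer has to recognise that the first version is missing them.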

Given that at DQS we are management system auditors, auditing a large language model is also a consideration. The team at decoded.ai had a wonderful session on how to approach auditing a model: using one should be treated as a "willingness to cede a decision" to an automated process, and there are two different stages at which a model can be corrupted, during training, where it can be fed incorrect information, and at query time, when the input to a query is being executed.

Quantum Computing

The next huge breakthrough in computing will come when quantum computing hardware becomes advanced and affordable enough for mainstream adoption. This will be such a seismic shift that, while we are not there yet, we are certainly at the point where thinking about and planning for the risks that will inevitably arise is necessary.

Quantum computing will mean that things currently considered secure, including cryptographic controls, become obsolete: a sufficiently large quantum computer running Shor's algorithm breaks the public-key algorithms in use today (RSA, Diffie-Hellman and elliptic-curve cryptography), while symmetric ciphers and hash functions are weakened enough that larger key and output sizes are needed. We will need to plan and consider how the transition is handled. How do we handle the period, probably a decade or so, in which some people still use existing classical systems while early adopters have migrated? This will involve moving to post-quantum (quantum-resistant) algorithms and, during the transition, running hybrid schemes that combine a classical key exchange with a post-quantum one, so a session stays secure as long as either holds. There is also a reason not to wait: traffic captured and stored today can be decrypted once a capable machine exists, so data that must stay confidential for years should migrate first.

The largest, and in equal parts most exciting and scary, part is what will happen when artificially intelligent models have been enhanced and evolved further and can use quantum computers to learn, answer queries and potentially even think for themselves.

This could offer solutions to current global issues such as world hunger, but also introduce more threats and completely new issues, like the "rise of the machines".

Check out our other learnings from CyberCon

Author
Brad Fabiny

DQS Product Manager - Cyber Security, and auditor for ISO 9001, ISO 27001 and information security management systems (ISMS), with extensive experience in software development.
