Innovation Oz Style: Take a world-leading secure kernel and kick it to the kerb

CSIRO believes a secure kernel has less national benefit than going all in on artificial intelligence.


CSIRO chief Dr Larry Marshall trying to explain basic science to a climate science-denying Senator

Image: APH

As with many things, timing is everything, and in the weeks after word drifted out that Australia's Commonwealth Scientific and Industrial Research Organisation's (CSIRO) Data61 was binning its secure microkernel research, the world of cyber attacks manifested in the real world in new ways.

From oil pipelines, to meat works, to a more traditional Russian-backed phishing campaign, the cyberdial has been turned up and the frequency of attacks, particularly in the ransomware space, has hit deluge-like levels.

And yet, while the torrent of malware is far from unexpected, people lining up with jerry cans and fighting with each other because someone might have clicked on a dodgy email certainly is.

The need to develop a better foundation, and more secure ways of computing, would appear to be more necessary than ever -- but not at the CSIRO, where artificial intelligence is the order of the day.

"We think Australia needs artificial intelligence for industry 4.0, for our sovereign capability, for digital agriculture, and to deal with environmental hazards," CSIRO CEO Dr Larry Marshall told Senate Estimates on Thursday night.

"Really putting digital at the heart of Australia's resilience and recovery as we build back."

One of the problems with the seL4 microkernel and the Trustworthy Systems team that developed it, according to Marshall, was that it supposedly did not provide enough "national benefit".

"So it's difficult to see an opportunity to build an industry in Australia, or to derive a national benefit from that technology, and given priorities are artificial intelligence, we chose to pursue that and focus our resources where we thought we could drive greater national benefit," Marshall said.

"The challenge with that technology ... it's very mature and it is open source."

During the hearing, Marshall waved articles listing CSIRO's high ranking among global research organisations, but seL4 has been similarly regarded as first-class research. One has to walk a long way to find a mathematically proven secure kernel.

"This is an instance of Aus policy directly leading to undermining Australian cybersecurity," security researcher Vanessa Teague said in reaction to CSIRO's decision.

"It's hard to think of better world-leading Aus cybersecurity research than [seL4 Foundation]."

Chair of the seL4 Foundation Gernot Heiser rebutted CSIRO claims that seL4 was mature technology in a blog post.

"The group is not accidentally called 'Trustworthy Systems' (and not, say, the 'seL4 Research Group'). seL4 is only the starting point for achieving trustworthiness in computer systems. It's as if over 100 years ago people said combustion engines are a solved problem once it was shown they could power a car," he wrote.

"Fact is that, while seL4 is mature enough to be deployed in the real world, there's plenty of fundamental research work left on seL4 itself, and there is far more research left on how to achieve real-world trustworthy computer systems. It's not that just sprinkling a bit of seL4 fairy dust over a system will make it trustworthy."

Heiser laid out the work to be done on temporal isolation of processes, especially on systems where critical real-time workloads run at the same time, but he added the research was under threat as the CSIRO had handed back some money from the US Air Force.

The University of New South Wales has backed Trustworthy Systems until the end of 2021, with Heiser stating it gives some breathing space to "line up more pathways".

In recent years, the push has been on in Australia to commercialise the country's research, and this seems to be the rock that Trustworthy Systems has tripped on.

"Unfortunately that technology was licensed [to Qualcomm] for a one-time fee," Marshall said. "And when I say unfortunately, that technology has gone through two billion mobile devices, but unfortunately, there's no ongoing royalty arrangement with that deal that was done back in at that time."

Keep in mind that the CSIRO loves royalty payments and will sue to ensure it gets its cut. The organisation boasts it got AU$430 million in settlements over its Wi-Fi patents. The open-source nature of seL4 does not lend itself to this type of outcome.

Marshall said it would be great if a company was spun out around the work and if it could figure out how to make money.

"Our conclusion was that's not really feasible in Australia, which is why we chose to discontinue the work," he said.

Given the current environment, where Australian politicians are calling on ASD to use its classified powers to blast away ransomware groups, and who knows what the political response from Moscow, Pyongyang, and Beijing would be to that; local law enforcement continue to say dumb stuff about encryption; and Australia's strategic rivals are using current weaknesses to be downright awful to parts of their population, a little research on the defensive side of computing would be useful.

The seL4 kernel isn't going to be powering any desktop or server near you anytime soon, but it could go some way to making IoT devices look less like Swiss cheese to bad actors. It could even end up being the underpinning of CSIRO's "artificial intelligence for industry 4.0" systems -- whatever they are -- or help inform the new OSes that are being developed.

In a worst-case scenario for CSIRO where it kept seL4 but it didn't yield rivers of gold, it could still push research in vital areas of cybersecurity, increase Australia's research reputation, and show that the nation isn't completely full of the cyber ignorant. But alas, the world of secure kernels is not as sexy and pitch-friendly as the buzzword-laden AI realm, and Trustworthy Systems has been forced to shift from a national research organisation that has been subject to funding cuts, into a university sector that has seen far more drastic cuts.

For our national benefit, hopefully the upcoming AI research yields more than a better chatbot.

ZDNET'S MONDAY MORNING OPENER 

The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America. 
