Former CIA Tech Chief: Inside Look At Cyberarms Race, Snowden Leaks, Amazon Cloud Contract
The race to build up an arsenal of cyberweapons is fueling a market for skilled experts who can hunt for vulnerabilities and create exploits to target them, according to the CIA’s former chief technologist.
Calling the practice "the first frictionless arms race that we've ever had in the world," Gus Hunt, the former chief technology officer at the CIA, said many governments are spending heavily on discovering vulnerabilities in products and not disclosing them to the vendor to get fixed. They are kept for use for future cyberespionage or cyberattack activity, he said. Meanwhile, cybercriminals are getting better at spotting significant flaws and devising ways to capitalize on them, he added.
"It's a massive business out there, and there's a lot of money to be made in this massive business," said Hunt, who spent 28 years at the intelligence agency.
[Related: Former NSA Director Keith Alexander: The NSA Will Not Retreat ]
Referring to Stuxnet, the cyberweapon unleashed against a nuclear enrichment facility in Iran, Hunt noted that the offensive malware wasn't contained. It had an impact on manufacturers and critical infrastructure systems globally and is being studied by criminals aiming to unleash malware with similar characteristics.
The growing movement to develop cyberweapons is indirectly impacting the private sector, where it's getting significantly more difficult to figure out where to spend on security technology and is sustaining an IT security skill shortage that is forcing some companies to seek turn to managed security services, Hunt said, speaking Thursday at the Bloomberg Enterprise Summit in New York.
"Previous weapons systems took a lot of time and a lot of science," Hunt said. "This is instantaneous."
Hunt said he's seeing C-suite exhaustion due to compounding regulatory pressures, growing threats and the need to secure data in increasingly complex and interconnected systems. Those pressures are helping fuel growth in managed security services designed to remotely monitor security appliances for alerts and system logs for potential threats, he said. Companies that can't afford big IT teams are increasingly outsourcing management and monitoring functions, Hunt said.
Pure managed security services providers and solution providers that are building out ongoing services capabilities tell CRN that they are being increasingly called on to provide assistance with threats. Rob Kraus, director of security research at Solutionary, the managed security services subsidiary of NTT Group, said Solutionary has been studying ways to grow the incident response business by understanding where businesses need help the most. The company's analysis of its 2013 engagements found 31 percent of businesses are caught off-guard by denial-of-service attacks that bring down important Web applications. Others need help containing and removing an infection, he said.
"We're not just talking about incident response for small mom-and-pop banks, we're talking about Fortune 100 companies," Kraus said. "The incident response becomes that next step in support, because across the spectrum firms don't have an incident response plan at all."
Hunt said many businesses fail to identify their most valuable data and determine where it is stored, relying on an outdated strategy of putting security mechanisms around systems containing sensitive data but failing to address the security of the data itself. Hunt runs his own consultancy and also is chief cyberstrategist at Teradact, which specializes in controlling sensitive documents and redacting sensitive information in them.
"Resilience is what it is all about," he said. "You want to be able to rapidly detect and rapidly remediate, but it is the data they are after."
NEXT: The CIA's Use Of Amazon Web Services
When asked about the government's surveillance activities in the wake of the Edward Snowden leaks, Hunt said the intelligence community "has the authority of the law behind them." The activity is much like businesses using analytics to study customer buying behavior to better position products, he said. The goal is to look for basic patterns of behavior in people trying to undertake another terrorist attack, he said. Privacy is not dead, Hunt said, because people can "make decisions in their digital life about how much of your identity you are going to give up."
In the wide-ranging discussion at the conference, Hunt also briefly talked about the CIA's inability to keep pace with the private sector on innovation and its decision to award a $600 million contract to Amazon Web Services.
Hunt said the agency had been considering cloud technology in 2009 when it recognized that it wasn't able to match the buying power in the traditional marketplace, causing it to lag behind on technology initiatives. Building out its own enterprise cloud would have been costly and put it continually behind the private sector, Hunt said.
"The hard part was figuring out how to solve the problem," Hunt said.
Hunt said after a competitive bidding process, the decision was made to create a copy of Amazon's cloud within its own data center to maintain high security.
"It is not Amazon as in the Amazon commercial cloud, it's a copy of the Amazon cloud behind our fence line with our guards," he said. "Securing your own workloads remains a critical thing that everyone has to do."
PUBLISHED APRIL 25, 2014