The race to build up an arsenal of cyberweapons is fueling a market for skilled experts who can hunt for vulnerabilities and create exploits to target them, according to the CIA’s former chief technologist.
Calling the practice "the first frictionless arms race that we've ever had in the world," Gus Hunt, the former chief technology officer at the CIA, said many governments are spending heavily on discovering vulnerabilities in products and not disclosing them to the vendor to get fixed. They are kept for use for future cyberespionage or cyberattack activity, he said. Meanwhile, cybercriminals are getting better at spotting significant flaws and devising ways to capitalize on them, he added.
"It's a massive business out there, and there's a lot of money to be made in this massive business," said Hunt, who spent 28 years at the intelligence agency.
Referring to Stuxnet, the cyberweapon unleashed against a nuclear enrichment facility in Iran, Hunt noted that the offensive malware wasn't contained. It had an impact on manufacturers and critical infrastructure systems globally and is being studied by criminals aiming to unleash malware with similar characteristics.
The growing movement to develop cyberweapons is indirectly impacting the private sector, where it's getting significantly more difficult to figure out where to spend on security technology and is sustaining an IT security skill shortage that is forcing some companies to seek turn to managed security services, Hunt said, speaking Thursday at the Bloomberg Enterprise Summit in New York.
"Previous weapons systems took a lot of time and a lot of science," Hunt said. "This is instantaneous."
Hunt said he's seeing C-suite exhaustion due to compounding regulatory pressures, growing threats and the need to secure data in increasingly complex and interconnected systems. Those pressures are helping fuel growth in managed security services designed to remotely monitor security appliances for alerts and system logs for potential threats, he said. Companies that can't afford big IT teams are increasingly outsourcing management and monitoring functions, Hunt said.
Pure managed security services providers and solution providers that are building out ongoing services capabilities tell CRN that they are being increasingly called on to provide assistance with threats. Rob Kraus, director of security research at Solutionary, the managed security services subsidiary of NTT Group, said Solutionary has been studying ways to grow the incident response business by understanding where businesses need help the most. The company's analysis of its 2013 engagements found 31 percent of businesses are caught off-guard by denial-of-service attacks that bring down important Web applications. Others need help containing and removing an infection, he said.
"We're not just talking about incident response for small mom-and-pop banks, we're talking about Fortune 100 companies," Kraus said. "The incident response becomes that next step in support, because across the spectrum firms don't have an incident response plan at all."
Hunt said many businesses fail to identify their most valuable data and determine where it is stored, relying on an outdated strategy of putting security mechanisms around systems containing sensitive data but failing to address the security of the data itself. Hunt runs his own consultancy and also is chief cyberstrategist at Teradact, which specializes in controlling sensitive documents and redacting sensitive information in them.
"Resilience is what it is all about," he said. "You want to be able to rapidly detect and rapidly remediate, but it is the data they are after."
NEXT: The CIA's Use Of Amazon Web Services