“The Future of Information Security”

A Conversation with Gus Hunt, CTO, CIA; hosted by Robert Anderson, Director, Technology Transfer, Illinois Institute of Technology

GH: As money moves out of being in your pocket, organized crime is going after money where it is — online.

BA: What do we need to do to bring awareness to commercial sector?

GH: It’s hard to take seriously until it happens to you. But I see a coalition of needed emerging. A body of law is emerging on other side, everything from HIPA to disclosure laws. We have capabilities that exist, we just haven’t had to deploy them yet.

In one month, our writers produce more code than an entire year. 5.5 billion attacks were stopped worldwide, up almost 100% from the year before. 120,000 new variants of malware emerged per year. It’s frightening.

One of the big emerging trends is a focus on how to leverage technologies to detect emergence of threat, isolate that threat, and allow the rest of our systems to operate.

Govt is very concerned about what’s happening in private sector, because they’re fundamentally important to national security. There’s a lot of effort being put towards engaging better with universities, private sector, etc.

No formal major alliance globally at governmental level. Much of what you’ll see emerging will start in areas like banking, but as threats mature and nation-state actors become more mature, you will begin to see more response.

How can government stay apace with technological advances and developments. Govt is notoriously inefficient at dealing with innovation, yet innovation velocity is continuing to accelerate.

Social-mobile cloud paradigm has taken friction out of creating infrastructure, allowing new ideas to take off very quickly. Mobile space has taken friction out of people’s ability to broadcast at work and at play.

Talent and talent management is one of the key things they worry about. Where will they get the necessary talent and skills to do what they want. Aren’t able to compete with Silicon Valley for talent, but have some attractive goals. STEM education failure is a huge problem for the CIA.

Absolute security is absolutely impossible. Therefore, you have to think completely differently about your systems. Phishing attacks from the top, more and more sophisticated. From the bottom too. How do you minimize the loss that will occur when your system gets penetrated.

Have to think about how to protect data very well, separate applications from your data.

BA: Is government doing enough?

GH: Very hard for government to figure out what is enough. From a govt perspective, we’re doing a lot. Long-term focus on cuber problem, not just as national security but as crime problem, DSHS.Very committed and in this for the long haul, but it will take a lot of active engagement by private sector, universities, etc.

BA: What can others do for you?

GH: Getting active on this. Don’t ignore the problem, assuming it will be fixed for you or that you’ll have a competitive age. Adopt new models of computing, figure out ways to make things more secure.