Global cyber-security tie-ups critical, says former CIA official

Mr Gus Hunt deals in a dystopian-sounding space of aggressive cyber attacks, simmering geopolitical tensions and damaging hacking scandals. But the former chief technology officer of the United States Central Intelligence Agency (CIA) is surprisingly affable - and optimistic about the future of the cyber-security industry.

Mr Hunt, who retired from the CIA in 2013 and now heads the cyber practice for Accenture Federal Services, spoke to The Straits Times when he was in Singapore for a company event two weeks ago.

His week-long visit coincided with the announcement of Singapore's proposed Cyber Security Bill on July 10, which he praised.

Mr Hunt, a 28-year veteran of the intelligence agency, highlighted that the Bill was important in "setting minimum standards and requirements for compliance".

Citing the high-profile cyber breach of more than 40 million payment cards used at US retailer Target in 2013, which was carried out through one of the retailer's third-party vendors, he emphasised that "everything is interconnected these days, and cyber security is a 'weakest link' issue".

"What I think is really good about the Bill is that it tries to set the minimum standards and minimum compliance that companies must do, and that helps to reduce the weakest-link threat."

When asked about his assessment of Singapore's cyber-security initiatives, Mr Hunt downplayed his knowledge, but said that based on Accenture analysis and the United Nations' global cyber-security index, Singapore is doing a "terrific job". "Globally, one in three cyber attacks is successful and in Singapore, that number is one in four. Just looking at numbers alone, I'd say that Singapore has done a great job and it is a function of the time, energy, focus they want to put on the problem," he said.

However, Mr Hunt noted that "absolute security is absolutely impossible" and painted a gloomy picture of increasingly frequent cyber attacks of a more aggressive nature because it is just "very easy to write a lot of cyber malware".

The good news is that cyber malware is often not coded well, such as in the case of the WannaCry virus, which had an obvious coding error, he said. But the ease of creating new iterations of malware hastens the pace of attacks, and "the cycle is going to get worse over the next few years", he said.

Much of this is because of the "explosion" of the Internet of Things (IoT), which is the network-connected system of physical devices such as vehicles, electronics and sensors, which enable these devices to exchange and collect data.

The growing use of smart and connected devices is the "single biggest issue facing cyber security", said Mr Hunt. The world will go from having about seven billion connected devices such as smartphones and laptops, to multiple times that when more devices like TV sets and conference-room equipment are connected.

"That means there could be a hundred times more ways by which hackers could get at you, and we really have to begin to focus very clearly as nations and businesses about how to secure these things."

His emphasis on IoT prompted the question of whether his singling out of its danger came from lessons learnt at the CIA. In March, a 9,000-page collection of CIA files released by WikiLeaks generated a media storm in the US when it was revealed that the agency was hacking IoT devices, including Samsung smart-TV sets, turning them into silent listening devices.

Mr Hunt would not comment on the issue, but added that he had learnt his lessons "through time", and that "all software and hardware have vulnerabilities".

He was more candid and had a surprising take on a potential Russian-American cyber-security unit, proposed by US President Donald Trump in a tweet on July 9.

The plan has been panned by both Republican and Democrat politicians, including Senator Lindsey Graham who said it was "not the dumbest idea I have ever heard, but it's pretty close".

Mr Hunt had a different view, calling international engagement, even with countries not perceived as allies, "critically important".

"We need to develop international partnerships around cyber security as all of us are affected by it. The worst thing that can happen is that we lose all confidence in our ability to do commerce electronically. Imagine how destructive that would be to national economies."

Citing the "mutually assured destruction (MAD)" threat of the nuclear age, Mr Hunt said "we are heading towards a new form of MAD, which I call mutually assured darkness". "The ability of nation states to take down systems of another state through cyber warfare" is a potential, which calls for talks like the strategic arms limitation talks that encouraged countries to wind down the nuclear missiles in their arsenal, he said.

"Cyber is early in this phase, but these talks will have to emerge for the cyber realm. We have to talk about what constitutes an inappropriate use. The Geneva Convention, for instance, prevented attacks on hospitals. Well, shouldn't the same apply for cyber weaponry, which is that enemies should not destroy hospitals' ability to deliver care to patients?"

He noted that it was easiest for people to start engaging with allies, but "business is global". "These sorts of treaties are going to, and have to, emerge. I'm optimistic that they will emerge because we are all vulnerable together."

A version of this article appeared in the print edition of The Straits Times on July 24, 2017, with the headline Global cyber-security tie-ups critical, says former CIA official.