Two much-discussed areas of technology offer the prospect of reshaping cybersecurity. Experts at the inaugural Global Cyber Innovation Summit offered some perspective.
Cybersecurity in a quantum computing world.
On May 1st a panel of experts discussed how emerging quantum technology will affect cybersecurity. The session was moderated by George Hoyem (Managing Partner at In-Q-Tel) and consisted of Aaron J. Ferguson (Senior Executive Technical Director, US Department of Defense), Soren Telfer (Director, AT&T Palo Alto Foundry), Bob Gleichauf (Executive Vice President, Global Technology, In-Q-Tel), and Seth Caliga (Research Scientist, SRI International).
Gleichauf offered some opening perspective. We care, he said, about quantum repeaters (which relay a quantum entanglement) because they shift the attack surface. China, he noted, has "doubled down" on quantum computing, investing probably $11 to $12 billion in the field. But money doesn't always solve problems. Both Australia and the UK stand out for having well-structured, very productive and innovative quantum programs with far more modest investments. He characterized the quantum repeater as a complex device that takes "a string of pearls" to realize. Caliga believed such realization is about five years away.
To Hoyem's question about why CISOs should care about this field, Telfer offered a complex answer. "We care," he said, "because we don't want to create the [false] impression that this is a crisis." We're also interested in workforce development, and this emerging technology will require a sophisticated and capable workforce. "If we wait ten years, we'll never have the workforce to deal with it."
Ferguson was throughout a voice of caution and well-informed skepticism about the larger claims being made for quantum computing. The science of this is viable, he said, but not in the near term. One challenge any realistic applications of that science will inevitably face is the need to verify security and interoperability with allies. "The research is excellent, but the reality is a ways off. We don't endorse it for national security systems." NSA and GCHQ agree that they see no near-term utility in quantum technology for the intelligence services.
Any country, Ferguson said, is looking for an information advantage, and we need to keep an eye on quantum technology. "In principle it represents a threat to classical systems. But it's not happening in the near term."
With artificial intelligence and machine learning, offense wins.
Is there enough urgency about artificial intelligence and machine learning? One's initial reaction to this question might be a dismissive "of course there is." Are there any topics more widely discussed in cybersecurity? But Shawn Turskey, NSA's Senior Executive Representative to the Department of Homeland Security, thinks otherwise. Artificial intelligence and the related technologies of machine learning may already be having a tremendous impact on our lives, but we continue to underestimate how extensive that impact is, and will be. His presentation was cautionary, designed to be alarming.
Turskey began with a working definition of artificial intelligence: "AI is any device that perceives its environment and takes actions to maximize its chances of achieving its goals." Consider how this might figure into cybersecurity. Getting into a network isn't all that difficult. Knowing where you are in that network is a good bit more challenging, and figuring that out typically takes a human operator. But "what if I could put thousands of robots, with AI, into your networks?" If AI is applied by attackers, "exploits are going to go through the roof." To be sure, you can also automate patching, but when Turskey asked if you would take an automatically generated patch and apply it in your enterprise, he saw no takers in the audience, and he answered his own question: "No."
Proliferation of AI and machine learning will dramatically increase the number of capable threat actors, decrease defenders' ability to detect those threats, and will therefore increase the threat actors willingness to attack. These technologies also offer considerable potential for more effective social engineering.
"I think offense wins," he concluded.