AI and Cyber-security

The Artificial Intelligence (AI) hype train seems to be everywhere nowadays with numerous commercial solutions in the market boasting the “powered by AI” logo. From Netflix movie recommendations to Apple’s Siri and the upcoming Metaverse, AI has spread to every facet of our digital lives. Cyber-security professionals are also jumping onto the bandwagon by implementing solutions that use AI to further enhance their protection and detection capabilities. One area that gets missed out often, however is where Artificial Intelligence and Cyber-security overlap.

As someone who has taught, written and spoken on AI cyber-security risks quite a bit, I thought it would be a good idea to just summarize a few changes to the status quo that Artificial Intelligence will bring to Cyber-security.

This list should help you regardless if you are a CISO or a cyber-security newbie.

🚀 Change 1 – Artificial Intelligence and Cyber Security

AI technologies have been a game changer for cyber-security tooling with companies like Crowd Strike , DarkTrace etc. pumping millions of dollars into using AI based technologies. AI and machine learning is able to ingest and analyze billions of metadata points and make intelligent decisions to protect attacks which traditional controls will miss. Unfortunately for most cyber-security teams, these types of tools have been the extent of their interaction with AI.

If as a CISO your cyber-security teams are unaware of the fundamental concepts of AI and machine learning then upskilling them is the need of the hour.

CISOs are already aware that businesses across the world are pumping millions into AI to gain a competitive advantage in the marketplace. As risk experts, CISOs are required to identity and mitigate cyber-attacks on these applications and this is where the problems start. Cyber-security teams are simply unaware of the new types of attacks targeting AI based systems. with techniques like Data Poisoning, Model Extraction and Membership inferences poised to become as common as SQL injection and XSS attacks in the coming years

Are your security pent-testing teams able to look for such new attacks in business applications ? Or is it going to be blind-spot in your security posture ?

Check out the below for how pen-testing changes for AI systems:

🚀 Change 2 – Artificial Intelligence and Cyber-crime

If cyber-security teams and CISOs are not taking AI seriously, then rest assured cyber-criminals are not. They have already start leveraging the powerful features of AI to enhance the technical and social engineering attacks they can carry out.

We have already started seeing attackers leverage the power of DeepFakes to take social engineering to the next level by impersonating IT personnel and gaining access to sensitive PII databases and back-end systems. This attack was serious enough for FBI to issue an advisory on the same which can be read here.

Watch the video below to see how the attack unfolds:

🚀 Change 3 – AI and risk assessments

When faced with a business application to assess, most cyber-security pros will treat it like any other application and check application level attacks and the surrounding infrastructure to make sure security best practices are followed. While this is good in practice Artificial Intelligence based systems introduce new cyber security threats which need to be identified and mitigated. Attackers can target the training data or the models that drives AI systems and corrupt the entire decision making process. Is the integrity and security of the model and pipeline considered in your risk assessments ?

AI and Machine Learning algorithms rely on their underlying models which analyze huge amounts of data to reach decisions. What if an attacker was not interested in stealing the data but with tampering the decision making process ? Depending on the nature of decisions being made, the potential attack could be far more severe especially with the rising adoption of AI across a variety of high risk sectors. This needs to be incorporated ASAP into cyber security assessments.

🚀 Change 4 – AI and regulatory requirements

AI is going to introduce new regulatory frameworks which companies will be required to comply with if they are using AI systems in a particular setting. The most important regulation by far and the one expected to have the most impact around the world comes from the European Commission which in April 2021 issued a proposal for a new act to regulate AI.  Similar to how it set the stage for global data privacy laws with the General Data protection regulation (GDPR) in 2018, this act is expected to have wide-reaching implications across the world. EU rules usually end up setting the standard for the rest of the world because of all the companies that work in it, so we can expect this act to become a blueprint for other countries to derive their own AI laws.

As the world’s first concrete proposal for regulating artificial intelligence (AI), the EU’s draft AI Regulation is going to have a huge impact on the debate on AI and how companies are going to adopt AI in the future. The regulation takes a risk based approach and focuses on high-risk AI systems which have to comply with a deep set of technical, monitoring and compliance requirements

AI and regulations

  How the AI act categorizes requirements based on risk

🔥 The future of Artificial Intelligence and Cyber-security

CISOs and cyber security teams need to see the far reaching impacts that AI is going to have on the security and threat landscape. AI is going to be a great tool AND a risk for businesses going forward unless they are prepared. Without proper checks and supervision in place, CISOs will find AI to be a blind spot in their security defenses which will leave them exposed to new types of attack. Similarly by properly embracing AI, it can prove to be a game change in the fight against cyber-crime in the coming years.

NOTE: if the topic of AI and Cyber-security is interesting to you then do check out my course on AI Governance and Cybersecurity OR my recently published book available on Amazon