IT Essentials: Shock horror – no AI shock horror
AI’s threat to cyber security may have been exaggerated
It was a promising start.
A select (I like to think) group of tech journalists was led into a WiFi-less cellar under Tobacco Docks in East London where a senior CISO at Google and the managing director of cybersecurity firm Mandiant Consulting EMEA awaited us, seated at a bare table. The vault door was closed firmly behind us. A light may have flickered.
Were we about to be briefed about an imminent cyberattack by massed ranks of intelligent malicious bots, against which our puny human defences would be worthless?
Actually no.
"We're not really seeing attackers use AI in any way better than a skilled operator," said Stuart McKenzie of Mandiant, in a disappointingly offhand manner.
Of course, he went on, AI can be a handy tool, particularly in target selection where a gang is searching for potential victims in new territories. It can also be quite useful for debugging your malware to increase the chance it will work as planned, but no more than having an experienced partner in crime at your side.
But aren't cyber gangs using AI to find and exploit known vulnerabilities in organisations' codebases?
Well, theoretically they could do that, conceded McKenzie. But it's not going to be easy unless they really understand what the rest of the enterprise software stack looks like and how it's run.
But surely criminals are using AI to craft hyper-convincing phishing emails?
To an extent that's true, he said. Translation certainly helps, but Google Translate has been around for well over a decade. And even with GenAI it's hard to write something convincing that a Japanese exec is going to click on unless you are very familiar with the linguistic and cultural nuances of the country.
Anyway, he continued, phishing is a numbers game where victims self-select, and AI doesn't offer much help with spearphishing.
This was getting desperate. But won't it ultimately be a case of attackers' AIs and defenders' AIs battling it out, as in the later Terminator movies?
That seems very unlikely, he said.
Hmm. The hotly anticipated shock horror headlines weren't exactly writing themselves, but worse was to come.
Apparently AI/ML may be more useful to defenders than attackers, adept as it is at crunching through massive amounts of data and revealing patterns. What's more, it is likely to lead to a much-needed democratisation of defensive capabilities, and better governance and security practices, making it harder for threat actors to succeed.
The vault door was opened and we exited into the fresh air, bereft of headline material but perhaps a little relieved that things might not be quite as bad as they are often painted.
Recommended Reads:
In the second part of her interview with Amadeus CTO Sylvain Roy, Penny Horwood found out how the travel platform is endeavouring to use AI sustainably. In the first part of the interview Roy spoke about how Amadeus is building personalised travel experiences via a cloud native platform.
I attended the Google Cloud Summit where all the talk was about intelligent agents. There were mixed views about what constitutes agentic AI and when it will really make itself felt, but it's an area buzzing with activity.
And Neha Batra, head of business technology at Domino's, explains what she is looking forward to most at the Women and Diversity in Tech Festival on 5th November.