The AI Threat to Cybersecurity: ‘Attacks are almost certainly going to increase, and their success rate will be higher’

Advancements in artificial intelligence (AI) are transforming science, industry, and everyday life. Unfortunately, criminal enterprises and enemies of national security see the opportunities, too.

Generative artificial intelligence (GenAI or GAI) — a type of AI that creates content such as text or images — is giving cyber criminals powerful new tools for infiltrating and disrupting businesses. Think, for example: ChatGPT but nefarious.

“This is a significant threat because of the impact that GAI usage can have, and the speed at which it is being employed,” warns Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the U.S. Department of Defense.

How to respond? First, understand the changing threat environment, then take needed actions to protect your organization and supply chain. The situation is serious, but not hopeless. Smart businesses never stand still, and neither should approaches to cybersecurity.

In this interview (edited for space), Tanji explains the scope of the AI cybersecurity threat, and offers solid advice for protecting systems, organizations, and individuals from cyber criminals and bad state actors.

Q: How serious is the cybersecurity threat posed by AI to computer systems, manufacturers, and supply chains?

MT: It’s serious. For all the reasons that GAI is a boon to people who can integrate it into their work, those same reasons apply to those who would use GAI for malicious purposes. This acceleration of threats dramatically increases the risks manufacturers and supply chains face because defenses are not keeping pace. This has always been the case when it comes to cybersecurity, but in the past the rate at which defense trailed offense was relatively small.

Q: Is the AI threat mostly about an increase in attacks? An increase in successful attacks? More damage done during an attack?

MT: All of the above. The speed and adequacy of output of GAI models mean that anyone who is already skilled at various types of malicious activity can significantly increase their productivity. If you wrote good phishing emails, you can now write better phishing emails an order of magnitude faster. Likewise, anyone trying to develop new malicious skills, for example writing malware, can use GAI to generate code that might not be highly effective on its first iteration, but with training will improve.

Phishing is already a highly effective avenue of attack for malicious actors; now imagine a scenario where such attacks are so well crafted that even the most highly trained and attentive employee cannot discern the difference between a legitimate email and a fraudulent one. Attacks are almost certainly going to increase, and their success rate will be higher.

Q: The FBI, other government agencies, and experts are warning about both AI-improved phishing/social engineering scams and voice/video cloning scams. What are we likely to see? 

MT: Any sort of threat that is text-based, like phishing, is going to increase in scale, speed, and sophistication. English is not your native language and you’re targeting Americans? GAI can solve that for you. Need to make a couple dozen variations of your malicious message to target different target sets? That takes seconds now, not hours. Voice cloning scams weren’t really possible, or at least were very difficult to do, before. It’s a lot easier now. The same thing with video. Expect problems related to deepfake video to increase and get more distasteful.  

Q: How does AI help hackers write code and improve malware?

MT: I know very few people who write code without some kind of GAI assistance. The same goes for malicious code. If there is a saving grace it is that to really make effective use of GAI in the short term you have to be really good to begin with. Experts will detect errors or AI hallucinations better than those who are less skilled, which means if you’re not already good at it, your GAI output will not be that much better than what you can create yourself. That will change over time.

Q: What about after the attack, when an intruder is successful? Can AI in the hands of a criminal or foreign actor do more damage?

MT: A well-crafted GAI attack could automatically attempt to escalate privileges, which would give an attacker greater control and access faster than they could do it manually. It may also be used to detect defensive mechanisms and develop ways to exfiltrate data that would avoid detection by said mechanisms.

Q: This is starting to sound frightening. What’s the right mindset for cybersecurity in the AI era? 

MT: If you can use GAI to create code, you can use GAI to analyze code to identify vulnerabilities. This should include both source code and code used for websites. A GAI automated process to scan for and identify vulnerabilities would accelerate the reconnaissance process and identify potential targets for exploitation.

Q: What is the appropriate response by individual businesses and supply chains to the AI cyber threat?

MT: The solution is to mitigate or eliminate as much risk and exposure as you can. If a given problem is solved or eliminated, all the GAI in the world isn’t going to help.

Understand the wider world around you from a security perspective. If you’re making components or parts for weapons platforms or other military use, you’re a target, no matter how small you think you are. Bad guys like small businesses because they tend to be less well-protected. Appreciate that you’re facing two major types of threat actors: people who want your money (criminals), and people who want to put you out of business (foreign nations). They’ll use similar tactics, but the timeframes may be very different. Criminals want to get paid now; foreign threat actors might want to be in a position to shut you down at a moment of their choosing.

Q: Final thoughts?

MT: When you understand and appreciate the role you play, you can develop plans to help you maintain that position. You’re not just a widget maker, you’re a part of the national security apparatus. Improving security is an investment and a part of your duty.

Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.