By Bobbie Stempfley, Vice President, Cyber Security Dell Technologies (formerly Deputy Assistant Secretary Cyber Security and Communications, Department of Homeland Security)
Cybersecurity has evolved from a conversation among technologists in server rooms to a substantial dialog between industry leaders and policy makers on the international stage. There is an almost universal recognition of the importance of managing risks associated with doing business in the digital age of the 21st century, and three decades of not adapting to modern technical and security capabilities to overcome.
As we face this history, technological innovations continue and the promise of artificial intelligence (AI) has reemerged as new capabilities have captured the imagination. “AI is one of the most powerful technologies of our time, with broad applications. . . in order to seize the opportunities AI presents, we must first manage its risks.”[1] An active debate is occurring on how AI, which has been described as being as important an innovation as electricity and the wheel, will impact the delivery of citizen services, public safety, economic development, and national security. In cybersecurity today we are facing workforce shortages, millions of devices connected around the globe each requiring regular updates to address vulnerabilities, and threats like ransomware. Enterprises attempt to rationalize a growing set of security technologies designed to provide detection and protection, while adversaries learn and adapt with agility. Should we be optimistic that the advancements in AI will change these dynamics?
We must start with approaching how we build and integrate this technology; the concept of ‘built-in' security in new and updated systems has never been more relevant. Highly secure, privacy-enhancing solutions must be the norm, not the exception. Given the pace of advancement in this space, this reality is not assured. It will take leadership, research, investment, and the development of solutions for unanswered questions, including:
The perennial question of ‘how much security is enough’ must evolve into more robust risk management discussions that guide security and government leaders. These discussions should focus on how to make risk trade-offs between safety and security on the one hand, and to achieving other essential imperatives such as interpretability and fairness on the other. Effective guidelines and best practices for how to make these decisions must be built in partnership between the public and private sectors. These guidelines and best practices must then be considered as a part of the responsible use of AI.
There is reason to be optimistic. The recent rapid advancements in Generative AI and its broad applications present tremendous opportunities to change the cybersecurity ecosystem, perhaps for the better. The opportunity areas are rich and include:
This optimistic view must be balanced by a realistic assessment that these technologies will also shift the dynamics of cybersecurity in less positive ways. The exact solutions that will enable better threat detection and support more efficient operations of security teams can and will be leveraged by adversaries to improve target selection and enhance their efficiency in exploitation. GenerativeAI’s ability to create more personalized content is being used to draft even more effective phishing emails and deepfakes. The volume of threats is likely to increase, and security teams will have to manage this increase. These impacts are among the obvious ones, but they are an incomplete representation. Other realities must be faced:
Despite the general understanding of the importance of cyber security, not all organizations are in the position to implement what is necessary to address the threats faced by today’senterprises. Whether it is a lack of access to resources, talent or influence, these organizations can present risks to their customers and partners. Given their reality, these organizations may be further left behind as the speed and volume of attacks increase, and their ability to access security solutions remains challenged. How we leverage this moment of innovation to reduce this divide will be key to our efforts to advantage the protectors and defenders.
As with any advancement, malicious actors with fewer concerns about ethics, privacy, and responsible use will seek to use it to their advantage. Each advancement on the defender's side will be met with innovations by the adversary. This cat-and-mouse game has historically advantaged the adversarial threat actors. Now is our opportunity to change that. The core question is how to effectively leverage the innovations that will be driven by the use of AI, to provide a more significant advantage for the protectors and defenders than for the threat actors. And, in doing so, ensure that policies and capabilities benefit all, reducing the divide between well-resourced organizations and the cyber-underserved -- creating advantages for all.
[1] FACT SHEET: Biden-Harris Administration Takes New Steps to Advance Responsible Artificial Intelligence Research, Development, and Deployment
[2] WSJ article 26 sept 2023 Why Do Employees Keep Ignoring Workplace Cybersecurity Rules? By Anthony Vance and Zeynep Sahin Sept. 26, 2023 at 12:00 pm