July 11, 2023 By Jonathan Reed 4 min read

If you ask Jen Easterly, director of CISA, the current cybersecurity woes are largely the result of misaligned incentives. This occurred as the technology industry prioritized speed to market over security, said Easterly at a recent Hack the Capitol event in McLean, Virginia.

“We don’t have a cyber problem, we have a technology and culture problem,” Easterly said. “Because at the end of the day, we have allowed speed to market and features to really put safety and security in the backseat.” And today, no place in technology demonstrates the obsession with speed to market more than generative AI.

Upon the release of ChatGPT, OpenAI ignited a race to incorporate AI technology into every facet of the enterprise toolchain. Have we learned anything from the current onslaught of cyberattacks? Or will the desire to get to market first continue to drive companies to throw caution to the wind?

Forgotten lessons?

Here’s a chart showing how the number of cyberattacks has exploded over the last several years. Mind you, these are the number of attacks per corporation per week. No wonder security teams feel overworked.

[Chart: number of cyberattacks per corporation per week. Source: Check Point]

Cyber insurance premiums have likewise risen steeply, which means many claims are being paid out. Some insurers won’t even provide coverage for companies that can’t prove they have adequate security.

Even though everyone is aware of the threat, successful attacks keep occurring. Even though companies have security on their mind, there are many gaping holes that must be backfilled.

The Log4j debacle is a prime example. In 2021, the infamous Log4Shell bug was found in the widely used open-source logging library Log4j. This exposed a massive swath of applications and services, from popular consumer and enterprise platforms to critical infrastructure and IoT devices. Log4j vulnerabilities impacted over 35,000 Java packages.

Part of the problem was that security wasn’t fully built into Log4j. But the problem isn’t software vulnerability alone; it’s also the lack of awareness. Many security and IT professionals have no idea whether Log4j is part of their software supply chain, and you can’t patch something you don’t even know exists. Even worse, some may choose to ignore the danger. And that’s why threat actors continue to exploit Log4j, even though it’s easy to fix.

Will the tech industry continue down the same dangerous path with AI applications? Will we fail to build in security, or worse, simply ignore it? What might be the consequences?

The new AI threat

These days, artificial intelligence has captured the world’s imagination. In the security industry, there’s already evidence that criminals are using AI to write malicious code or help adversaries generate advanced phishing campaigns. But there’s another type of danger AI can lead to as well.

At a recent AI for Good webinar, Arndt Von Twickel, technical officer at Germany’s Federal Office for Information Security (BSI), said that to deal with AI-based vulnerabilities, engineers and developers need to evaluate existing security methods, develop new tools and strategies and formulate technical guidelines and standards.

Hacking AI systems

Take “connectionist AI” systems, for example. These technologies enable safety-critical applications like autonomous driving. And the systems have reached far better-than-human performance levels.

However, AI systems are capable of making life-threatening mistakes if given bad input. High-quality data and the training that huge neural networks require are expensive. Therefore, companies often buy existing data and pre-trained models from third parties. Sound familiar? Third-party risk is one of the most important sources of data breaches today.

As per AI for Good, “Malicious training data, introduced through a backdoor attack, can cause AI systems to generate incorrect outputs. In an autonomous driving system, a malicious dataset could incorrectly tag stop signs or speed limits.” Even small amounts of poisoned data could lead to disastrous results, lab experiments show.

Other attacks could feed directly into the operating AI system. For example, meaningless “noise” could be added to all stop signs. This would cause a connectionist AI system to misclassify them. “If an attack causes a system to output a speed limit of 100 instead of a stop sign, this could lead to serious safety issues in autonomous driving,” Von Twickel explained.

It’s precisely the black-box nature of AI systems that leads to the lack of clarity about why or how an outcome was reached. Image processing involves massive input and millions of parameters. This makes it difficult for end users and developers to interpret AI system outputs.

Making AI secure

A first line of AI security would be preventing attackers from accessing the system in the first place. But given the transferable nature of neural networks, adversaries can train AI systems on substitute models that teach malicious examples — even when data is labeled correctly. As per AI for Good, procuring a representative dataset to detect and counter malicious examples can be difficult.

Von Twickel stated that the best strategy involves a combination of methods, including the certification of training data and processes, secure supply chains, continual evaluation, decision logic and standardization.

Taking responsibility for AI

Microsoft, Google and AWS are already setting up cloud data centers and redistributing workloads to accommodate AI computing. And companies like IBM are already helping to deliver real business benefits with AI — ethically and responsibly. Furthermore, vendors are building AI into end-user products, such as Slack and Google’s productivity suite.

For Easterly, the best way to have a sustainable approach to security is to shift the burden onto software providers. “They’re owning the outcomes of security, which means that they’re developing technology that’s secure by design, meaning that they’re tested and developed to reduce vulnerabilities as much as possible,” Easterly said.

This approach has already been advanced by the White House’s new National Cybersecurity Strategy, which proposes new measures aimed at encouraging secure development practices. The idea is to transfer liability for software products and services to large corporations that create and license these products to the federal government.

With the generative AI revolution already upon us, the time is now to think hard about the associated risks — before it opens up another can of security worms.
