Are AI and ML driving more cyber security attacks?

As AI and ML based innovations increase so too are cyber security attacks that exploit their vulnerabilities. McIndoe Risk Advisory investigates.

If you were born before 1980 your teachers probably told you that technology would become so advanced there wouldn’t be enough work to do. Little did they know the opposite would happen and in fact, work would be coming home with us, disrupt our weekends and hijack our holidays. Technology has brought more upsides than down, of course. Advancements in medicine, for one, staying in touch via livestream, especially the last 18 months, to mention but a few. Nothing is perfect, though. Each innovation brings improvements and efficiencies, but the question is always ‘at what cost?’

The last 24 months have seen considerable advancements in AI and ML that influence a variety of areas. Each has its pros and cons, yet regulation of these areas is way behind. That means these solutions are entering the marketplace with a multitude of chinks in their armor and the cyber security threats  each one poses could have serious impact.

A recent report by Adversa, which monitors AI security, has found that vulnerabilities embedded in pictures, audio files, text and other data that guides ML models makes it more difficult to filter, handle, and detect malicious inputs and interactions. This means it’s easier to exploit AI to any end.

While the evolution of technology can’t be stopped, least of all by fits and starts in policy, cyber professionals and their cohorts would do well to get familiar with what’s to come not just in the realms that touch their professional disciplines but also in those that are entering the mainstream. It’s never too soon to consider corporate policies and procedures that can adapt as these tools develop. Our pick of these five would be a good place to start.

Autonomous Vehicles

In April, the UK announced it would begin allowing self-driving cars on the road but quickly had to clarify what that meant. There are six generally accepted levels of autonomy ranging from none to full. The low end, zero to one, requires a human to perform the heavy lift. Levels two and three are partial and conditional automation. Most cars born in the last decade are here, requiring the human to drive but assistance capabilities for steering, speed and environment put the driver in the back seat (figuratively, of course). The next levels, four and five, feature high and full automation that handle all aspects of the driving task and require no input from a human. The main difference between these two is restrictions based on geofencing and weather. Level four has constraints but level five does not. Thus level five is the only true “self-driving car,” and none are currently available to the general public.

Nevertheless, levels two and three are flush with capabilities that present risks because of the 100 million lines of code directing them, their electronic control units (ECUs), GPS, sensors and other systems.

PROS: eliminates human errors, the biggest cause of accidents. The cars do require the driver to stay alert at the wheel, but can help with a range of lifestyles factors like minimizing stress and fatigue on long trips or during rush hour. There are also reports that the cars mitigate greenhouse emissions because they are more efficient.

CONS: the systems that interface between vehicles and infrastructure can be hacked either for direct exploit (i.e., create havoc and accidents that cost insurance companies money) or to put cracks in them that hackers can use as entry points for malice later. 

CRISPR

This chemical tool scalpels stretches of DNA and other genetic material to alter genes. In October 2020 two female scientists were awarded a Nobel prize for their Crispr-Cas9 tool but that doesn’t mean it’s perfect, let alone ready for market, even if certain benign Crispr-Cas9 kits are available online for $100.

Crispr technology may be used to repair mutations, such as sickle cell anemia, but the side effects can be calamitous because the application affects reproductive genetics (sperm, eggs, embryos) to have an impact on future generations. Like AI/ML based solutions and other tech, the creators who cut and paste DNA sequencing don’t have full control of the outcome and cannot predict what twists and turns it may take.

PROS: editing texts of DNA to correct hereditary deficiencies, like blindness. 

CONS: there is currently no prophylactic or post-exposure antidote for any possible bio-threats. Those with a basic understanding in the lab can buy DNA and biohack them to create ghastly bacteria and viruses to wreak havoc with global pandemics. Sort of. The barrier of knowledge for wielding Crispr is high for the moment, which curtails the accessibility, but it also means the variables are that much more unpredictable. In 2016, James Clapper, the US’s then-Director of National Intelligence, declared gene-editing technologies a WMD threat. The anxiety was based on the malice that an enemy’s scientists could develop biological weaponry putting a country into a tailspin trying to identify mystery pathogens, develop vaccines and implement effective public health measures, to say nothing of the economic, political and other dangers. Now downsize that to imagine what effect this would have if deployed within a corporate campus or at a conference gathering hundreds of leaders from a single industry.

Deepfakes

Deepfakes are convincing because they hijack existing audio and video files and employ tech to manipulate those units into fresh knock-offs that look real. Where there may not be sufficient native material to work with, ML can create new. This means a video of your CFO singing happy birthday to a grandchild on FaceBook coupled with other clips at speaking engagements are enough to appropriate and clone into an audio file that can be called into an assistant to ask for passwords. Add in the technology used for chatbots and that file can maintain a dialogue with the assistant and respond to questions.

PROS: avatars create familiarity in some environments and especially in the realms of media and entertainment. Also, executives can dispatch video avatars to present to foreign clients in the language of their choice.

CONS: scant legislation specific to deepfakes exists, let alone any worldwide effort. Also, detection technology is limited and soon enough the deepfakes will get too good to catch. There was a story in the April 2019 Wall Street Journal in which the CEO of a UK energy company received a call from his ‘parent company’ requesting an urgent transfer of €220,000 to a Hungarian supplier.

Humanoids

Similar to Crispr, the past 18 months have brought significant advancements in the realm of robots designed to appear human and impersonate our interactions. Unlike Crispr, producers have been scaling up their manufacturing and availability is within reach. According to NowThis News, global sales of professional-grade robots jumped 32% from 2018 to 2019. David Hanson, whose eponymous Hong Kong-based robotics firm is a forerunner of delivering mass-production to the market said, they can become our friends, our true friends, they might become alive.

PROS: humanoids can be deployed to accomplish dangerous or otherwise risky tasks. For instance, during the next pandemic humanoids may support hospital efforts such as testing, intake and other necessary functions to minimize exposure and hours of frontline workers.

CONS: also similar to Crispr, the ‘Dr. Frankensteins’ employing the technology don’t really know how it works or why it works so well, meaning the threats are endless and their impact will be hard to manage, especially if the AI/ML outpaces the counter-measures of the humans trying to stop it.

Virtual Reality

The basis of VR is to trick the mind into believing something by presenting the senses with convincing information simultaneously. The Virtual Reality Society defines VR as an experience that is totally immersive but not necessarily interactive and cites many VR-adjacent developments as significant to the VR timeline, but the real shift came in the 1990s through the gaming industry.

In the immediate future, gaming will be the chief driver and beneficiary of consumer VR, but smart phones, entertainment, education and other areas will benefit from users having a complete sensory experience. Military and other sectors will also achieve training and functional improvements through the use of VR and ultimately AR. The difference between the two being the former is completely virtual and the latter uses real life settings. Another way to look at it is AR users control their presence, like through a smartphone, whereas VR users are controlled by the system, like through a headset.

PROS: wellness apps such as those that help calm and relax users or present stroke rehabilitation, teleconferencing, training for skills improvement, particularly with first responders and in areas such as telecomm, construction and telemedicine.

CONS: addiction to the immersion, cybersickness (nausea associated with extended use) and the fact that its motive is to trick the mind into believing whatever the system presents. This opens the door to bad actors hacking a company’s training program to imbed “learnings” for employees to unwittingly act out nefarious agendas.

Many other AI and ML advancements warrant review but these five areas are seeing significant development and growth in mass market readiness. Whether a company is adopting any of these solutions directly is irrelevant. The fact remains that each bears threats to cyber security born to and from people.

Share

Featured Articles

ICYMI: New Age of the CISO and cybersecurity trends for 2023

A week is a long time in cybersecurity, so here’s a round-up of the Cyber Magazine articles that have been starting conversations around the world

Kingfisher chooses Google Cloud as catalyst for growth

Google Cloud will support Kingfisher's digital ambitions with a range of solutions, from infrastructure to data analytics.

ICYMI: Cyber predictions for 2023 and trouble in paradise

A week is a long time in cybersecurity, so here’s a round-up of the Cyber Magazine articles that have been starting conversations around the world

Osirium shares its cyber predictions for 2023

Cyber Security

ICYMI: Unloved emails and cybersecurity worth $500bn by 2030

Cyber Security

Cyber security market anticipated to reach $500bn by 2030

Cyber Security