Thursday, May 23, 2024

Artificial intelligence and cybercrime


In a recent issue of his regular Global Macro Update newsletters, Ed d'Agostino of Mauldin Economics interviewed Karim Hijazi, a cybercrime expert, about the current state of that field and the growing involvement of AI.  It's a long, multipage newsletter, so I won't even try to go into all it says.  Here's an excerpt to whet your appetite.

Ed D'Agostino:  What is AI's role in all of this? Has it impacted effectiveness of bad actors at all?

Karim Hijazi:  It has. I hate to say it. AI has probably been most embraced in terms of its creativity and its use by nefarious actors or threat actors because as usual, unfortunately, because it affords them the ability to force multiply themselves. That's the number one reason. What they would otherwise need a bunch of people to do they can do... one person can do a whole lot of work with an AI tool that generates an incredible amount of not only the narratives for a phishing email that we talked about, but also the malware itself. It'll actually write the code for the malware that is generally pretty well written. And there's a few tweaks here and there, but what would take weeks or months is done in days.

Ed D'Agostino:  Can you talk a little bit, Karim, about what's at stake here? I mean, we talk about me sitting here in my remote solo office, I get a phishing email. I'm not hooked up to a big company network. Maybe I lose a little bit of data. I think that's how people think of it. Really what we're talking about is the country's critical infrastructure is at risk. What does that look like and how is it at risk?

Karim Hijazi:  Exactly. The everyday person doesn't feel like it can affect them. A lot of where individuals are worried about when it comes to hackers and threats is their identities, maybe their credit card information, their social security number, back to identity. But what's interesting is that in the world we're in now, the interconnectivity between even your computer and mine, by definition, there is one, right? You're looking into your screen and I'm looking into my screen, my camera's picking up my image and sending it to you. There's effectively a link between us. So if you want to think of it from that perspective, right now we're connected. And so if there is, in theory, something on my machine, God forbid, and it wanted to sort of figure out, "Who's Ed?," and it goes into my email and it lurks around and it goes, "Ooh, Ed's got a lot of connections on LinkedIn," or, "He's got a really great follower base on YouTube. He's a good target for me to proliferate myself even further to his audience." So you think about it, that's the first step in terms of its reconnaissance risk. When you start thinking about yourself as a non-player when it comes to why you'd be interesting to a threat actor, you'd be surprised.

The second thing that's really interesting is this is just a micro version of the macro problem, which is supply chain. Supply-chain and third-party ecosystems are the number one challenge that we're having today because a small company leads to bigger company. A bigger company leads to government or critical infrastructure. The pathway, the daisy chain, if you will, is small company, bigger company, critical infrastructure. And from that small company… it could be a work-from-home individual that never left home after COVID because that was the policy of the company but because there's no security protocols at home, they're the easiest targets in the world to get into. The VPN is simply a hypodermic needle into the corporation. The corporation is now access to many other organizations and so on. That's just the super small taxonomy or treeing out of essentially the connections out all the way from the individual to government or critical infrastructure, unfortunately.

Ed D'Agostino:  I think you'd mentioned that some really big cutting-edge technology has been bled out of corporations through this sort of process. Quantuum was one that we talked about yesterday. I thought that we were... I was sitting here looking at IBM thinking, "If IBM gets Quantuum right, this stock is going to go into the moon, maybe we should be looking at it. They seem to be the leaders." And then I spoke with you and you're like, "Well, China's already got all that."

Karim Hijazi:  Unfortunately, China as a nation-state actor has focused heavily on intellectual property theft for years. That's definitely not a new agenda of theirs. It's been their focus for a very long time. I think we all know that from headline news. The problem is they've done it in a multipronged approach. They did it with implants of people, long-term "coverts" through academia that they've had planted for very long periods of time. They've augmented it with things like software and access to environments, through harvesting information electronically. And they've conned people into sharing information as well. That's the other part of this is that they've done a really good job with that. The other thing that's interesting is what people fail to recognize is that nation-state adversaries aren't islands unto themselves. They tend to cooperate. If a Russian or North Korean or Iranian nation-state actor has an initial access into something, they'll broker it to another country for a price. There may be one group in a nationstate adversary that has much better access to something than the other group does, but the other group can pay them for it, and they'll get in.

Unfortunately, there's been an onslaught onto our country in such a way that makes it very difficult for us to sort of manage all those beachheads. And so the asymmetry is very challenging, and it ties back to your AI conversation, which is how has that added to it? Just that, it's added this extra level of pressurization onto the systems that we believe were protecting us, and they are indeed failing. Sorry to be doom and gloom, but...

There's much more at the link.  The entire newsletter is well worth reading if you're interested in computer and information systems security.

It's startling to realize how widespread and prevalent cybercrime has become.  It's far more than just "phishing" e-mails or attempts to listen in on communications channels.  It's now become an exercise in how to kinetically affect an entire nation or sector of a national economy.  In another part of the interview, Karim Hijazi notes:

There's things like water treatment facilities that can have water levels… the pH change or the potability change just ever so slightly that'll cause a mass dysentery effect. Then you've got a flood onto the pressurization of a hospital environment in a specific location. And then as we've seen over the course of the pandemic, you conduct a ransomware attack and put the hospitals in a pressurization state where they can't function unless they pay a ransom, and you can really cause a cascading effect. And that's the doom and gloom scenario, of course. But you're completely right, the big concern is if there's that much access to these environments, what can they effectively do? And how much have we given to technology to take over?

And unfortunately, I know I said AI for the third time in this conversation, but here again is where our reliance on it and our over-excitedness to deliver the responsibility over to it, may be a little foolhardy at this point because once it's in the hands of something that really doesn't have any kind of emotionality or ability to identify... For example, in my company, I do employ a lot of automation and AI, but I also use human intuition and experience and talent to identify these problems that simply, at this point, can't be done through technology. And unfortunately for cost savings and a variety of other reasons, people are choosing to go in the direction where it's all automated. And automation's fantastic when there's nothing coming at it to use it maliciously, but when it can be leveraged against you, you’ve got an issue.

Worrying thoughts.  Again, if you want to learn more about this field and how it might affect any or all of us, I highly recommend reading the full interview for yourself.  I also suggest you subscribe to the newsletter (it's free).  Mr. d'Agostino comes up with some very interesting and useful insights.



Maniac said...

Whenever I think of AI, I envision eighteen-wheelers with green troll heads on the front of them.

Anonymous said...

It doesn't require AI attackers to ruin a water treatment facility. Ordinary human water plant workers in Flint, MI did that with depraved indifference. Then, ordinary elected officials, and voters, didn't hold them accountable. AI is not the problem here, and we don't need "AI control" laws.

JWM said...

I have three different blogspot sites up right now. I regularly check the stats, as I'm sure most bloggers do. Every day I see hundreds of hits on sites that don't draw much real traffic. I seriously doubt that anyone in Singapore, or China has any interest at all in this stuff. These are bots crawling for data, and now swiping pics for their AI databases. So we're faced with a choice. If your blog is available to anyone, it's going to be available to everyone, like it or not. If you post a pic of your artwork, it's going to get swallowed up in an AI crawl, and you have no say in the matter. The only option is to not post the pic. Suddenly this whole internet business has more serious consequences than we first imagined.

Dan said...

Evil always embraces and uses new technology to it's advantage forcing good to play catch up. AI will be no different. The bad guys are almost always ahead of the curve.

Old NFO said...

Bots are 'still' the biggest issue we face. They scrape data from everywhere, and their masters use that to penetrate our most secure sites... sigh

Rick T said...

AI is a three-edged sword, not just an unmitigated evil. The articles are partially clic-bait and disaster porn so they focus on the offensive capabilities, but for every offense a defense arises.

My employer has a very active Information Systems Security practice and we use AI tools to continuously improve our penetration testing tools too. And, machine learning and AI responses are built in to corporate-level IT services like Arctic Wolf.