Organisations should ensure they meet all basic security requirements before investing in advanced security systems that use artificial intelligence (AI), according to a UK cyber threat expert.
“I'm pretty skeptical about the AI solutions being sold on the market, particularly those that are network-only,” Chris McConkey, lead partner for threat detection and response at PricewaterhouseCoopers (PwC), said during a panel discussion at the Cyber UK 2019 conference in Glasgow.
“From a mathematical standpoint, if you're adding endpoints and you're only looking at the network traffic to run AI and ML [machine learning], this creates an exponential complexity problem that is much easier to address if you are actually running the AI or ML at the endpoint.
“But aside from the technical aspects of how the solutions work, there is a clear gap between the effectiveness of AI solutions and the marketing budgets of those selling them. And if you’re not yet [doing basic] fixes like two-factor authentication for Office 365, [those] are a much higher priority than, say, an AI-based anomaly detection box sitting somewhere on the network.
“So don't waste your time on that if you can use it more effectively,” McConkey said, adding that he believes the time when attack and defense will be fully automated using AI without human intervention is “a long way off.”
But he said that within the next two to three years, security researchers will increasingly see some of the smart AI and deep learning techniques that defenders are starting to use being further misused for malicious purposes.
Attackers are increasingly going after as much personal and financial data as they can, but using that data at scale isn't possible through manual processes, so attackers are increasingly using techniques such as AI-based natural language processing for analysis, McConkey said.
Matt, NCSC's head of industrial operations, said: “Predictions are a very dangerous sport in the cyber world. Cyber is changing so rapidly that it's hard to define what the situation will be like in five years' time. But for me, looking five to 10 years out, the industrialisation of hacking capabilities will have a major impact.”
“As AI is used not only for defensive purposes but potentially for offensive purposes, it will increase our ability to use AI for espionage and other destructive purposes. The ability of [threat] actors to scan the internet for vulnerable elements and retrieve anything for data mining purposes.”
The NCSC said future cyber attacks are less likely to be targeted and more likely to see threat actors targeting as wide an area as possible, using this to gain a foothold and explore what they can do with the data they collect.
Jeremy Watson, professor of engineering systems at University College London (UCL), highlighted the aggressive use of AI and ML, saying that going forward, these two technologies will be increasingly deployed in defenses at the edge of the internet.
“These will be devices that understand their own functions and understand if they're being commanded to do the wrong thing or if they're being asked to send data to the wrong place,” he said, predicting more autonomous capabilities.
As a result, Watson predicts that “socio-technical challenges will arise, as people will have to think about what authority they are willing to give to autonomous systems, how much decision-making power they are willing to give to machines, and what the indicators of trust are in this space.”
“So that raises questions about the auditability of AI and ML decisions across patches, whether in the cloud or locally. There are sources of evidence on which these systems actually make decisions and legal liabilities that need to be carefully considered,” he said.
Western internet 'under pressure'
NCSC's head of evaluation, Eleanor, said the Western internet model was coming under increasing pressure when it came to cyber threats in general.
“They feel the internet is becoming 'less free' as authoritarian states suppress free speech online, monitor their citizens' daily online lives, use their cyber capabilities to control and monitor their citizens' actions, and restrict and censor the internet,” she said.
At the same time, she said, these authoritarian states are turning online freedoms against themselves by interfering with free parts of the internet in Western countries, spreading disinformation, using trolls and exploiting free speech for nefarious purposes.
“There appears to be a disconnect between the alarm in the media and regulatory regimes about data theft and the threat that data breaches pose and the targeting of data, with the public being more apathetic than the reports suggest,” she said.
However, the NCSC expects this gap to close in the coming months and years as people gain a better understanding of why their data is important and what bad actors can do with it.
“Our major adversaries – China, Russia, Iran and North Korea – will continue to launch malicious cyber activity against the UK and our allies, and we will continue our arms race and defence efforts because it's not going to stop anytime soon,” Eleanor said.
But state-sponsored malicious cyber activity is not limited to just the four countries, she said: “We are seeing other countries popping up, like some in the Gulf region and some in South America, learning from the big four and imitating each other.”
“This [cyber] arms race will not be dominated by the Big Four forever, so we need to be aware of the rise of smaller nations.”
Attackers move up the value chain
Speaking more generally about future cyber threats, PwC's McConkey said one key trend that is already emerging is the fact that attackers are moving up the value chain and will continue to do so.
“When you look at financial services, we're moving from commoditized banking malware to, effectively, central banks and other nation states being able to target the data feeds that financial services rely on, potentially [for threat actors] to manipulate market movements,” he added.
Overall, he said, this means that threat actors, whether intentionally or not, are targeting the trust mechanisms on which digital ecosystems are built.
“We have looked at the supply chain from the perspective of MSP [managed service providers] processes. They are being targeted. From a telecommunications industry perspective, there are other China-based attackers operating across more than a dozen global telecommunications companies, potentially targeting the hardware and software supply chain,” he said.
“So across the ecosystems that we rely on, whether that be process outsourcing, communications, software, hardware, we’re seeing an increasing number of very skilled and persistent attackers focused on penetrating them at some level.
“As a result, we have to think about how to address it on a much larger scale than we are today, but it will be interesting to see what the goals are in the next five years, because I think they will change.”
The Industrialization of Cybercrime
Andrea S, head of cyber threat intelligence at the National Crime Agency (NCA), said that from a law enforcement perspective, the proliferation of data in society creates more opportunities for criminals to exploit that data for monetary gain.
“The main threat is whatever is coming at us now, but what persists is the individuals behind them and our ability to deal with them [cyber criminals] in collaboration with our partners [is what is important]. The difference between our capabilities and theirs will be the true indication of the threat going forward,” Andrea said.
Long-time and persistent criminals have built complex networks and the necessary capabilities in-house. “Over the last few years, we've seen a market emerge through forums offering cybercrime services,” said Andrea.
“More recently, we've seen it become more prevalent in the dark web space. So what we're talking about is the industrialization of cybercrime. From low-level actors to very hard-to-catch criminals, they're going to drive crime and threats because they're entrepreneurs, they're very adaptable and they're forward-thinking.”
Because attacks are likely to be a mix of targeted, opportunistic and even unintentional – WannaCry, for example, is widely believed to have been carried out by mistake or without understanding what the impact would be – the NCSC's Matt said defences needed to focus on key infrastructure systems.
“We need to make sure that the defenses that we have in place are sufficient to protect not just the critical systems in our critical networks, but also the basic systems that we rely on every day, so that they're resilient enough to protect us from any unintended attacks or specific targeted attacks that might not be directed at us,” Matt said.
Finally, UCL's Watson said organisations need to think about their attack surfaces: “There are many attack surfaces beyond the traditional ones – industrial control systems, autonomous vehicles, building management systems – we need to do careful analysis with our partners across these attack surfaces and take precautions proportionate to the severity of the consequences.”
Rather than focusing on encouraging innovation, McConkey urged more attention to issues such as orphaned kit. “There are countless breaches that have occurred because something was literally forgotten, nobody maintained it, it wasn't maintained because the person responsible left the organization, and that was the root cause of the breach,” he said.
Another key goal that organizations should strive for, he said, is to implement all the good security guidance available. “These all make a difference, and focusing on small, incremental improvements can go a long way in avoiding a lot of the negative impacts,” McConkey said, emphasizing the importance of doing the security basics well.
