“Cyberattacks are perceived as the global risk of highest concern to business leaders in advanced economies” – this from the WEF just a week before the recently concluded WEF at Davos. #Wow. Imagine even just a decade ago, it is unlikely that cybersecurity would have even made an agenda item and now it has headlined the event. How and Why did this transformation happen?
It isn’t that hard to comprehend. We live in an uber-connected (weak pun?) world, from consumers to cloud to devices in our homes, offices, hospitals, manufacturing plants, solar probes … and a weakness in one affects the rest of the ecosystem (Google Meltdown and Spectre to name a recent large impact vulnerability). The public-private sector divide is fueled by varying government mandates throughout the world and the private corporations needing to fuel their own agendas while still playing ball (or not in certain cases) to win business. And the sophistication of the attackers who use the very same cloud platforms, Internet and data to launch attacks makes this a dramatically difficult fight to sustain individually by any one entity. Therefore, there needs to be close and constant cooperation between the pioneering private organizations and the forward thinking governments. Simple right? Easier said than done.
To be fair, the WEF has gone a step further and identified 14 areas of focus for contextualizing security policy for public-private collaboration. These are ‘zero days’, ‘vulnerability liability’, ‘attribution’, research, data and intelligence sharing’, ‘botnet disruption’, ‘monitoring’, ‘assigned national information security roles’, ‘encryption’, ‘cross-border data flows’, ‘notification requirements’, ‘duty of assistance’, ‘active defence’, ‘liability thresholds’, ‘cyber-insurance’. This reference architecture is great and is pretty comprehensive but we need to do more. Specifically – AI!
The AI monster is all around us. And while the fake Twitter accounts (65k+ at last count according to Twitter) affecting over half a million of US voters makes headlines, these very same Twitter (and Facebook and Google …) accounts can be used to infiltrate the minds of not just voters but security professionals, IT admins and consumers in a subtle yet powerful fashion. Heck, spare capacity on your laptop or enterprises with reserved capacity on AWS EC2 is being hijacked for crypto currency mining. Bottom-line – we need to go far beyond the 14 if we want to get really serious about cooperative security. The WEF may be over but our fight is not.
So what needs to be done? Not so simple. The same public-private organizations need to come together to discuss what AI framework do we need to put in place to combat this new age threat vector. The days of deploying bots to fight bots is not far off. Maybe that is the only way forward. We can’t wait for the next WEF to bring these gnarly topics to light.