Sep 14 2023

Hackers Armed with Generative AI Pose a Greater Challenge to Businesses

Three leading CISOs discuss the future of cyberdefense in the artificially intelligent future.

Generative AI isn’t new, but releases by artificial intelligence developers such as OpenAI and Stable Diffusion in 2022 represent real leaps forward in the availability and usability of generative AI applications — advances so significant that the internet is filled with predictions of doom.

Humanity hasn’t ceased to exist in the months since chatbots became super-powered, however, and cooler heads are pondering the implications of these technologies, industry by industry.

In order to understand the cybersecurity impact, BizTech convened a roundtable of security leaders — Equifax CISO Jamil Farshchi, Mastercard Chief Security Officer Ron Green and Patricia Titus, CISO of the insurance company Markel — and asked them for their takes on the challenges and opportunities they see on the horizon.

Ron Green
We want our people to experiment with it, try it, but we’re not going to let them run wild and throw it into production.”

Ron Green CISO, MasterCard

BIZTECH: What was your initial reaction to the news of breakthroughs around generative AI such as ChatGPT?

Farshchi: My first thought was, “Man, this is really cool! There’s a lot of opportunity here.” But as a security guy, my next thought was that it’s going to generate some risks for us Social engineering is going to get really bad, and I think there will be a whole host of additional risks that will manifest themselves over time.

Titus: To be honest with you, it struck fear in my heart. The threat actors have gotten more sophisticated and better at what they’re doing. This is going to take them to a new level. Our industry has gotten a lot better about reacting very quickly to changes in the behavior of threat actors. So, I’m interested to see what will come out of the cybersecurity startup community.

Green: The generative AI stuff pops up and it’s like, “Oh, man! We’ve got to work on that, but the financial services sector can’t take as long to think about it as we did with cloud.”

The speed of availability to everybody, that was a surprise. And then, “Wow, we’ve got to get in front of this so that we can use it appropriately.” There’s a lot of goodness that comes with it, but then there’s also the opportunity for badness.

Ron Green Designed Quote

REAM MORE: How cybercriminals use AI in their attacks, and why you should use it for defense.

BIZTECH:  What threats does AI pose to your company’s network security?

Green: First, how will bad actors intentionally use it for evil? We’re seeing the bad guys use it, not in ways that are like their machines attacking our machines, but in ways that make it even more difficult for humans to discern, for example, phishing. A lot of the things that we point out — grammar errors, spelling errors, urgency — generative AI smooths all that out for bad actors.

Second, as we take advantage of the opportunity, what might we do to cause inadvertent lapses or weaknesses in our security?

When you first adopt stuff, you don’t know quite what you’re doing. And then, because of that, you’ve created a big old hole. There are a number of rules that we put in place. We want our people to experiment with it, try it, but we’re not going to let them run wild and throw it into production.

You need to be smart about it but not too slow. In the next 12 months, I think you’ll see the financial services sector come up with the guardrails that we’ll need to enable practical business uses around generative AI.

Patricia Titus
The threat actors have gotten more sophisticated and better at what they’re doing. This is going to take them to a new level.”

Patricia Titus CISO Markel

Titus: I think we recognized that with the advent of cloud and Software as a Service applications that there is no border anymore. There’s a lot of gray space where our data and our people might be working; the traditional concept of perimeter security is gone. For every bit of good we do, someone figures out how to get around it, so I’m sure the threat actors will be fast following.

It’s my tagline: “Security is a journey, not a destination.” It’s a constant cat-and-mouse game. Deepfakes will create a new level of social engineering that we haven’t seen before. When you get into the ability to make a voice sound identical to someone’s, that’s going to be a problem.

Farshchi: I think that it’s a short- and long-term kind of discussion. In the short term, I don’t know that there’s a whole lot that I’m thinking about changing. When you look at what it offers today, what does it do? It potentially increases the volume of attacks because it reduces the barrier to entry in the space.

Most of us are dealing with tens of thousands if not millions of attacks a day anyway, so what’s a few more? In the short term, that’s not a huge deal. It’s the long-term picture where this whole thing starts to really change.

I think the winners are going to use generative AI for the greater good of their organizations. By doing that, we’re going to be able to offset — in fact, I think we’re going to be able to largely eliminate — a lot of the risks that generative AI creates, by virtue of using generative AI itself.

LEARN MORE: How to make artificial intelligence work for you.

BIZTECH:  How are your security solutions using AI now? How would you like them to apply the technology in the future?

Green: We’re using orchestration and machine learning to help in our security operations. Some of the technologies can learn from the way that our operators review. That becomes an iterative task, and the machine can now handle that. That leaves the people to then think about the harder things that require more attention.

Farshchi: I am trying to figure out ways that we can incorporate this new technology into our security stack. When I look at AI, its strengths fundamentally lie in models and in data. And when I look at it from an internal perspective, I’m thinking to myself, who knows more about the way my environment works or the models themselves than me? Nobody does. Who has more data about my organization from a security standpoint than me? Nobody does. With the right AI toolkit, I’m able to put all that to work and see a meaningful differentiation against the attackers that would be using generative AI against me.

DISCOVER: How can businesses leverage artificial intelligence for their own cyberdefense?

Titus: We’ve had ML and AI in our tools for some time, either through behavior detection or user behavior analytics. The capability is there and it’s good and it’s working. But I do think we need capabilities to inventory generative AI, to find what we don’t know. Some of the regulations, like the European Union’s AI Act, are going to be asking us to inventory AI. We’re going to need capabilities that automatically look for where someone might be using AI and we may not know.

Jamil Farshchi, CISO, Equifax
Most of us are dealing with tens of thousands if not millions of attacks a day anyway, so what’s a few more?”

Jamil Farshchi CISO, Equifax

BIZTECH:  Overall, are you an optimist or a pessimist when it comes to the impact of generative AI on cybersecurity?

Titus: I’m an optimist and I do think this is going to become a game changer. It’s going to be a competitive edge for some companies. We’re going to have to figure out how to balance the compliance and regulatory piece: How do we help educate our regulators about what it is and what it is not?

And then making sure people are implementing very strong data loss prevention capabilities to keep our sensitive data within our control.

Farshchi: In terms of sort of the dynamics of why AI is so powerful and what makes it powerful, I think that the scales are tipped in our favor. If we lean into it, it provides us a ton of upside opportunity, far more than it does for the bad guys. So, I am an optimist there. I believe, from a pure security standpoint, that generative AI will be a meaningful net positive.

Green: I’m an optimist. There’s more good than bad that will come of it. The thing is, the bad is going to grab the headlines.

Greg Mably/Theispot

Be Ransomware Ready

Is your organization prepared for a cyberattack? Learn how to step up your ransomware protection.