The modern battlefield: The role of AI and the state in fighting cyber criminals
If you want to stop worrying about cyber-attacks, it’s best not to know too much. The anecdotes alone will keep you up at night.
Take, for example, the major institution with a broken vacuum cleaner. A staff member who wanted to fix it without making a fuss searched online for a manual for the cleaner, found one and downloaded the PDF onto an office computer.
They had no idea that this particular file came with a few lines of code that, once downloaded within the specific target, would be activated giving an attacker free access to the institution’s network. That intruder threatened to bring the entire business to a halt. The thousands of manuals distributed harmlessly elsewhere cost nothing, only one had to land with the intended victim.
Most of us still imagine a cyber-attack is a bit like an online burglary. We see the attackers doing the virtual equivalent of smashing their way into a house, turning the drawers upside down and taking whatever they can find. Perhaps they encrypt the data and demand a ransom, or just threaten to publish it online.
That happens, and happens often. But the next generation of hackers is much more sophisticated, which poses some serious questions for governments. Without the means to defeat them no nation controls its own fate.
Try another real-life example. Someone calls your IT department asking for your password to be reset. They sound just like you – not only is their voice the same as yours, their speech patterns and choice of words match yours perfectly, because the call is the work of artificial intelligence software. With just a twenty-minute recording of your voice, AI allows someone to perfectly copy your speech, then make you say whatever they want you to say.
And this is just the start. Before long cyber-attacks – launched by nation states and their proxies, or by criminals – will be launched and coordinated by AI, to confront in turn AI cyber defences. The winner will be the side that best understands machine learning. Welcome to the modern battlefield.
If that sounds alarming, the good news is that the world’s leaders are alarmed, of at least aware. We have seen two diplomatic communiqués in two days worrying about the same problem. Both the recent G7 summit in the UK and the NATO summit in Brussels agreed more must be done to tackle ransomware criminals – groups stealing companies’ data and threatening to publish, block access to it or bring businesses to a halt if their demands aren’t met.
These are timely demands. A ransomware attack on the Colonial Pipeline between Texas and New Jersey caused days of fuel shortages. US authorities recovered much of the ransom, but such recoveries are the exception not the rule.
Here, the British Home Secretary Priti Patel and Foreign Secretary Dominic Raab have both made recent speeches on the problem. They get it. But history shows cyber-criminals move faster than legislators and calls for action from international summits often go unanswered. We need to do more.
Just as big companies, with the help of agencies like the National Cyber Security Centre (NCSC), get more sophisticated at protecting themselves, criminals are shifting their sights to much smaller firms. They target travel agents so they can find out where and when you might leave the country, perhaps to visit a location where your phone or PC will be at its most vulnerable. They target medical practices to steal information. The more they know about you, the easier it is for these criminals to pretend to be you, and walk straight through the virtual front door of your company.
Often, these are not smash and grab affairs. The attacker will get into a firm’s system and wait, learning what day to day business looks and sounds like, so they can send the perfect fake email from the chief executive to a junior employee demanding such and such a sensitive document is sent to a strange Dropbox.
This is nothing like someone breaking into your home. It’s much more akin to having an intruder living in your loft, and listening in.
We might think we can police fishing disputes in Jersey with gunboats but in this new world of cyber Mr Putin, Xi and Jong-un’s flotillas are already moored at your router.
So, what should we do about it? Dominic Raab cites the successful floatation of a company I helped to create within Invoke Capital – Darktrace – as evidence of a thriving tech sector, and you’d expect me to sing the praises of private firms. To tackle this problem though, we need the state too. Just as we rely on the military to protect our borders, and the police to guard our day-to-day safety, we rely on government agencies to monitor these serious threats, act on them and issue warnings to the rest of us. No single company, no matter how big, well-resourced or smart can do the job alone.
It is straightforward for the NCSC to set up conversations between trusted partners at the top of the biggest businesses. But it needs to get even better at communicating these risks to the many thousands of firms that are not national strategic assets but are useful to intruders trawling for information about our lives. They should now be placed at the core of its mission.
As for that vision of the UK as a leading tech superpower - with our academic, intelligence and commercial assets that is a realisable goal. But if we don’t deploy those assets well, we will sacrifice both security and sovereignty to the cyber-criminals at our gates.
By Mike Lynch OBE FREng FRS
Entrepreneur and Founder, Invoke Capital