Can Artificial Intelligence Fix Security Issues?

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

There are several schools of thought regarding artificial intelligence. Leaning to the positive or negative, but without a fuller perspective, one may imagine the attitudes break along generational lines, by they also break along lines of experience in information technology.

There is great enthusiasm about what AI can do to promote better living conditions, evoking wisdom, providing business intelligence through deep analysis of behavior and habits, by signaling trends and anticipating demand. But there are other considerations as well. A critical one is cybersecurity.

Writing this past spring in Security Week, Joshua Goldfarb clarified some unaddressed issues learned as he went back to work on the enterprise side of information security. He spent more than five years on the vendor side. As easily imagined, the vendor side engenders a slanted view. The territory of buyers looks clean and enormously similar from one enterprise to another, often with large numbers of people moving in a single direction.

Contrary to this view, however, Joshua argues that enterprises today are remarkably complex. He lists several considerations that underscore the limits of AI that extend into an effect on cybersecurity. I repeat from the May 30, 2019 issue below:

1. Addressing gaps in the security program is less about technology and more about people and process;
2. The security vendor space is extremely noisy and increasingly out of touch with the needs of the enterprise;
3. Advice and guidance tend to be too abstract and difficult to operationalize;
4. Reporting, metrics, and communicating the value that the security team provides remain a significant challenge;
5. The regulatory environment is increasingly complex, pulling resources away from other important security functions.

On the vendor space, Goldfarb clearly understands the crowded field. Research in the topic confirms this. Each new producer believes itself to be the latest and most upgraded state of play. While this may be true on a discrete level, it does not remain true for very long. Hackers and other sociopaths who violate cyberspace are up-to-the-minute on developments and quick to catch on. They attack both the nuances and credibility of the product, eliminating the status and reputation of the latest product. As he points out further, "their solutions just aren't that unique anymore …. The focus needs to be first and foremost on understanding the existing complexity of the enterprise and subsequently on snapping into it."

In addition to dealing with the mounting regulatory considerations each year, Goldfarb notes that good advice breaks down at the intersection of theory and practice. My own experience confirms this. I find that there often is no intersection at all. Security vendors with a good basic package that can be customized in the firm-to-firm consulting environment will have an easier time attaching to an enterprise, but it will be no mass market. It will be a one-by-one steady uphill sell, with the hope that enterprises may fall into silos as do many target audiences. The vendor can master a space of similar groups. In this way each new enterprise differs less from the one before and reduces the time to provide a product. Still, upgrades are always necessary and, as these also reflect differences in demand, they will need to be customized. And ease of use also becomes critical, as cybersecurity is rarely the primary space of enterprise users responsible for and to customers.

AI and Cybersecurity

With all the consideration given to lauding the potency of artificial intelligence in solving deep analytical problems without error, cybersecurity remains a concern. There has been a body of literature devoted to the topic of remote destruction of automobile operations, for example. Already legendary is remote hacking of listening or viewing devices such as the Alexa AI or Ring Home Security devices, and there are warnings to users of products and equipment in the Internet of Things (IoT). These are often ignored by those who are unaware or in denial about such problems. Yet innumerable questions remain.

Addressing the prowess of AI in protecting against attacks in cyberspace, Torsten George wrote nearly three years ago in Security Week and noted that it may take weeks or months to detect intrusions and AI has been touted as a potential cure for plugging vulnerabilities. Big data sets, along with complex differences among enterprises, make companies both large and small particularly challenged in their approach to enterprise security. Hackers are focused on vulnerabilities, and as soon as they become aware of these, they make the leap. While Torsten cited a Verizon Data Report that, "more than 70[%] of attacks exploit known vulnerabilities with available patches," knowledge of these weaknesses is in advance of the application of a patch. There is an untold number in the 30% left out of this equation. Further, he points out, organizations must now protect a much-expanded attack surface as the IoT broadens annually.

In working on this issue with a vendor in 2014-15, we observed that data protection allowed greater protection than network security because networks could not be made secure. Endpoint security has focused on the broader array of devices being used and provided some advanced defense, but the hope for being comprehensive remains at some distance. New programs still operate on a client-server model. Just as it did in 2014, this model was dependent on verifying the user. Today, we use multiple checks for verification and even verify equipment. This is burdensome for the user who frequently uses a workplace device, a mobile computer, but possibly also a tablet and smartphone. The user expects synchrony and passivity on the part of log-in methods, but often experiences burdensome delays in accomplishing tasks due to log-in complications.

Further complicating the landscape are the new reports that "China and Russia along account for 47% of cyber-attacks throughout 2019," according to Kevin Townsend in the Nov. 22, 2019 issue of Security Week, citing the growing evidence that these nations are competing in Cyberspace. "Ongoing geopolitical tensions involving China, Russia, North Korea, and Iran are leading to Cyberattacks," he writes.

How Can AI Help Overcome This Seemingly Limitless Morass?

Chaos impedes security in every respect. A secure space is one of balance. Political chaos is very public and addressing the crime has taken precedence over merely seeking solutions to the vulnerabilities. Even progress in AI is thwarted by criminals who simply destroy the environment and "selectively deploy[] fileless malware against a handful of targets." This far outreaches the capability of data security systems that authenticate users, once the state of the art. "For executives," Townsend reports, "the worst-case scenario is no longer the theft of data; it is island hopping," wherein a corporation's brand is used to attack customers. And these customers may themselves be an increased source of the risk.

Wherever a gap is left or, more frequently, created‎, it becomes harder to detect the latest challenge. The so-called third-party environment grows to putting mire data on the cloud, even without knowing it, if they use newer systems such as Microsoft 365 or one of a number of collaboration systems. Alastair Paterson, the CEO and co-founder of Digital Shadows, observes that business e-mail compromise still reigns; even where desirable and with willing third parties, the preoccupation with security would have to surpass the effect on peoples' jobs and the product or service of the organization. In May 2019, areas now with acronyms of their own, such as BEC (Business Email Compromise) and EAC (Email Account Compromise) account for more than one-third of finance losses of the $3B reported. Among losses adjusted for these areas along, it is almost a half.

Writing about methods of protection within Endpoint Protection in TechTarget‎ in April this year, Linda Rosencrance addresses 12 essential features of advanced endpoint security tools, listing cloud-based machine learning to help address security concerns. Her colleague, Trevor Jones, authored an issue of TechTarget on this topic a month earlier. Machine learning is a preeminent feature of AI.

In the May issue of Pentest Magazine, Chrissa Constantine refers to machine learning as an algorithm that can create abstractions (models) by training on a dataset and is a method of training an algorithm to accomplish a task. Training involves providing large data sets to the algorithm so the algorithm can adjust and improve. Machine learning modifies itself when exposed to more data. The learning part of machine learning refers to ML algorithms optimizing along a dimension, such as trying to minimize error or enhance the likelihood of predictions becoming true. But machine learning also assumes that some data are thrown out or unusable. There is now no way to tell what relevance these unusable data possess. We are guided by the mystery in AI, where a great deal of confidence is given to an environment with many unknowns. This is a major problem with the slow progress of AI in cybersecurity.

Nina Cunningham, Ph.D., is a member of the Board of Editors of Cybersecurity Law & Strategy, an affiliate of Altman Weil, Inc., and president and CEO of Quidlibet Research Inc., a global strategic planning and cost management firm founded in 1983.