Experts call for global data sharing to defend against AI-driven cyberattacks
If they haven’t done so already, cyber attackers may soon be arming themselves with artificial intelligence and machine learning (ML) strategies and algorithms. Before long, it may not be a fair fight if defenders remain naive to what AI and ML can do on both sides of the battle. So suggests a new report by IEEE and the Canadian tech consulting firm Syntegrity.
The report — stemming from a three-day intensive meeting last October of cybersecurity experts from government, the military, and industry — aggregates the group’s findings into what it calls the six “dimensions” at the intersection of AI, ML, and cybersecurity.
First, the report advocates ways to keep cybersecurity regulations and laws up to speed with the latest developments in the field. The report says that laws and legal precedents should be altered to encourage, not burden or discourage, continued research toward anticipating and countermanding next-generation cyberattacks.
Specifically, it notes, both copyright and export control standards need to be modified to allow security researchers to investigate cutting-edge cybersecurity questions without worrying about running afoul of outdated laws and regulations.
Brian David Johnson, Futurist in Residence at Arizona State University and contributor to the report, says cyberdefense research is no longer an academic exercise or incidental curio. Increasingly, he says, the severity, sophistication, and frequency of cyberattacks is making cyberdefense crucial to both the commercial and public sphere.
“We are starting to see cybersecurity and defense against cyber and digital attacks mature,” he says. “What we’ve seen over the last five years is increasingly larger, deeper, broader attacks. Not only is it raising this to the attention of people, it’s also becoming bad for business — and bad for the business of government.”
Hacked companies tend to keep to themselves after they’ve been hacked. And victimized companies keep silent to the detriment of all the other companies in their industry, and to the economy as a whole.
Report co-sponsor and professor of electrical engineering at West Point, Col. Barry Shoop, says one of the more significant recommendations from the report involved a widespread problem that has emerged when a company or government agency in any field tries to mount an effective cyberdefense.
“In the for-profit sector, say a financial institution, they are less willing and in some cases not willing at all to share data for the common good of everybody,” he says. “They’re not willing to share what has transpired, what the attacks against them were, what their defense was. Because there’s legal aspects, and there’s perception. They have stockholders, they have investors. So if they share that they were attacked and were unsuccessful, that knowledge could drive their stock price [down], could drive away investors.”
As a result, Shoop says, a cyberattacker can hit multiple companies or government agencies today and be assured that very little knowledge is shared between those targets that could help everyone respond more effectively to the attacker. Hacked companies tend to keep to themselves after they’ve been hacked, in other words. And victimized companies keep silent to the detriment of all the other companies in their industry, and to the economy as a whole.
Of course, the report comes hot on the heels of Facebook’s publicized tangles with Russian hackers — which CEO Mark Zuckerberg said in testimony on Capitol Hill last week is best combatted with AI, even though that technology that may still take another 5 to 10 years to fully mature.
On the other hand, says Johnson, Facebook is hardly alone in providing a case study of the kinds of problems addressed in the report.
“Honestly, if you look at the past couple years, this report would have been released around the announcement of a large attack or breach, because it’s happening every month,” he says.
Yet, he adds, there’s an analogous problem that industry long ago figured out. And it could provide an important guide to tackling the cyberdefense problem too.
“The idea of having a clearinghouse is very popular in technology,” he says. “The place where you see it the most is in standards setting. Like coming up with the Bluetooth standard. Because if [industry] can come up with a Bluetooth standard, then everybody can work together.”
RELATED: Making sure AI is harnessed for good
So, just like competitors and sometimes even fierce rivals set down their differences to hammer out industry standards and technology roadmaps, Johnson says, government agencies or industry clearinghouses could also provide global, up-to-the-minute cyberattack intel for the common cyberdefense.
“[We recommend] setting up a national or international repository of clean data,” Shoop says. “You don’t necessarily know where it comes from, but you’ve seen the attack vectors, you’ve seen the response or lack of response. And so you can tune your system to be able to defend against those kinds of attack vectors.”
Shoop, who in 2016 was president of IEEE, hopes policy makers and industry will recognize the potential of establishing such a cyberdefense clearinghouse, all the more so when AI and ML algorithms demand rivers of data on which to train.
“We’re seeing a rise of artificial intelligence and machine learning, in terms of attacks,” he says. “So the speed at which the attacks change is increasing substantially. So you need artificial intelligence and machine learning to defend against that, to match the speed of those attack vectors.”
Johnson says he’s optimistic that governments and industry can work together, in the ways the new report outlines, to fight cyberattacks.
“I’m an optimist, because I believe that people build the future,” he says. “This paper is all about actually getting people together to say, ‘Look, we’ve all been talking about this. We’ve talked about this at conferences, we’ve talked about this when we work together. Let’s get everybody together and start coming up with some solutions.”
The original version of this article first appeared in IEEE Spectrum. Views expressed in this article do not necessarily reflect those of ITU.