
Fix the basics first, then worry about AI, advise experts

The freedom of the internet is at risk, and the cyber arms race and the industrialisation of hacking are set to continue as attackers move up the value chain to target trust mechanisms, threat experts predict

Organisations should ensure they are meeting all of the basic security requirements before investing in advanced security systems using artificial intelligence (AI), according to UK cyber threat experts.

“I have quite a blunt view on some of the AI solutions that are being sold in the market, particularly those that are network only,” said Kris McConkey, threat detection and response lead partner at PricewaterhouseCoopers (PwC), during a panel discussion at the CyberUK 2019 conference in Glasgow.

“If you look at it from a mathematical perspective, if you are adding endpoints and you are only looking at network traffic to do AI or ML [machine learning] on it, you have got an exponential complexity problem. If you are actually doing the AI or ML at the endpoint, you have a complexity problem that is much easier to deal with.

“But aside from the technicalities of how the solutions work, there is a definite disparity between the effectiveness of the AI solutions and the marketing budgets of those selling them. And if you still haven’t got a lot of the [basic] stuff fixed like two-factor authentication on Office 365, those are huge priorities relative to something like an AI-based anomaly detection box sitting on the network somewhere.

“So don’t waste your time on some of that stuff, if you have better uses of that time,” said McConkey, who prefaced his comments with the view that an era in which attacks and defences are fully automated using AI without human agency is “still a long way off”.

However, he said that within the next 2 to 3 years, security researchers will probably see more exploitation for malicious purposes of some of the good AI and deep learning technologies that defenders are starting to use.

Attackers are increasingly going after whatever personal and financial data they can, but being able to use that data at scale, said McConkey, is not possible using manual processes, and attackers are increasingly likely to use things such as AI-based natural language processing technologies for analysis.

Matt, head of industry operations at NCSC, said: “Prognostication in the cyber realm is a very dangerous sport because cyber moves so quickly, making it hard to define what it is going to look like in 5 years’ time. But for me, looking forward 5 to 10 years, a lot of what it is going to be shaped by is the industrialisation of hacking capabilities.

“So the more that we see AI being used for defensive purposes, as well as potentially offensive purposes, and we have greater ability to use that for either espionage or for disruptive and destructive purposes, that will effectively scale the [threat] actors’ ability to scan the vulnerable elements of the internet, and then get access to take anything they want for data mining purposes.”

According to the NCSC, future cyber attacks are less likely to be targeted and more likely to involve threat actors targeting as much as they can, using that to get a foothold and then investigating what they can do with the data they have collected.

Focusing on the positive use of AI and ML, Jeremy Watson, professor of engineering systems at University College London (UCL), said both these technologies will be increasingly deployed in defences at the edge of the internet in the future.

“These will be devices that understand their function and understand if they are being commanded to do the wrong things or being asked to send data to the wrong places,” he said, predicting that there will be a lot more autonomous functionality.

As a result, Watson expects to see “socio-technical challenges because people will have to think what agency they are prepared to grant to autonomous systems – how much decision making can they give to a machine, and what are the indicators for trust in this area.

“So questions will arise around decision auditability of AI and ML, right the way across the patch – whether it’s in the cloud or locally – [about] the provenance of the evidence on which those systems actually make their decisions and there are legal liabilities to look at carefully,” he said.

West’s internet ‘under pressure’

In terms of general cyber threats, Eleanor, head of assessment at NCSC, said that the Western model of the internet is increasingly coming under pressure.

“We feel that the internet is becoming ‘less free’ with authoritarian states clamping down on free speech online, monitoring their citizens’ daily lives online, and using their cyber abilities to control and monitor what their citizens are doing, thereby restricting and censoring the internet,” she said.

At the same time, these authoritarian states are meddling in the free sections of the internet in the West, she said, and turning online freedoms against themselves by spreading disinformation, using troll factories and exploiting free speech for malicious purposes.

“There also seems to be a disconnect between the alarm in the media and regulatory regimes about the theft of data, and the threat that data breaches represent and the targeting of data, whereas the average citizen is more blasé than the coverage suggests they ought to be,” she said.

However, the NCSC expects the gap to close in the coming months and years as people get a better understanding of why their data is important and what malicious actors can do with it.

“Our key hostile state adversaries like China, Russia, Iran and North Korea will continue to launch malicious cyber activity against the UK and its allies, and we will continue to engage in that arms race and defensive activity that we will have to do because it is not likely to stop any time soon,” said Eleanor.

However, she said that state-sponsored malicious cyber activity is not limited to just four states. “We are seeing other states coming out of the woodwork, with other nation states learning from the big four and copying each other, such as some states in the Gulf area and South America.

“This means the [cyber] arms race won’t be exclusively dominated by the big four in perpetuity, so we do need to keep an eye out for some smaller players coming to the fore.”

Attackers move up value chain

Speaking more generally about future cyber threats, PwC’s McConkey said one of the key trends already in evidence is the fact that attackers are moving up the value chain and will continue to do so.

“If you look at financial services, we are going from commodity banking malware to nation states that are effectively in central banks and others, and being potentially able to target data feeds that financial services rely on, enabling [threat actors] to manipulate market activity,” he added.

In aggregate, he said, this means that, either intentionally or unintentionally, threat actors are targeting the trust mechanisms that the digital ecosystem is built on.

“We have seen in the supply chain from a process perspective with MSPs [managed service providers] being targeted. We have other China-based actors running rampant in over a dozen global telcos from a telecommunications perspective, and we have possible targeting of hardware and software supply chains,” he said.

“So across the entire ecosystem of stuff that we rely on for process outsourcing, communications, software and hardware, we have got a growing number of very good and persistent attackers focusing on getting into those at some sort of level.

“As a result, we have to learn to figure out how to deal with that at a much bigger scale than we are currently dealing with, but it will be interesting to see what the objectives are within the next five years, because I think they will change.”

Industrialisation of cyber crime

Providing a law enforcement perspective, Andrea S, cyber threat intelligence lead at the National Crime Agency (NCA), said that the proliferation of data in society is providing criminals with increasing opportunity to tap into that data and monetise it.

“The key threats are whatever is hitting us right now, but what is persistent is the individuals behind it, and our ability to tackle those [cyber criminals] collaboratively with partners [is what is important]. The gap between our capabilities and theirs is what is really going to describe the threat going forward,” said Andrea.

The persistent criminals that have been around for a long time have built complex networks and have the capabilities they need in-house. “Over the past few years, we have seen that become a marketplace, opening up through forums to provide cyber criminal services,” said Andrea.

“More recently, we have seen in the dark web space that become more prevalent. So what we are talking about is an industrialisation of cyber crime, right from low-level actors right up to the very hard-to-catch criminals. They are entrepreneurs and they will drive the criminality and the threats because they are very adaptive and forward-looking.”

Because attacks are likely to be a mix of targeted, opportunistic and even unintended – as some have argued in the case of WannaCry, which is widely believed to have been unleashed by mistake or without understanding of what the effect would be – Matt of the NCSC said defences need to focus on key underlying systems.

“We need to ensure that the defences we have in place are good enough to protect those basic systems, not only critically important systems inside critically important networks, but also the basic systems we rely on daily so they are resilient enough to protect us against any wayward attack that may not be directed at us as well as specifically targeted attacks,” said Matt.

In closing, UCL’s Watson said organisations should be thinking about attack surfaces. “There are many attack surfaces beyond the traditional ones like industrial control systems, autonomous vehicles and building management systems. It behoves us to do a careful analysis with partners across those attack surfaces and take precautions that are appropriate to the severity of the outcome.”

McConkey urged more attention to be paid to issues such as orphan kit rather than focusing on rewarding innovation. “I have lost count of the breaches we see because something literally got forgotten about, nobody was looking after it, the person responsible left the organisation and as a result it wasn’t maintained, so it became the root cause of the breach,” he said.

Another key goal, he said, that organisations should be aiming for is implementing all the good security guidance that is available. “All of that has an impact if it is done, and focusing on making small incremental improvements has a disproportionate impact in deflecting a lot of bad stuff,” said McConkey, underlining the importance of getting the security basics done properly.
