Cybersecurity versus cyberattacks: How emerging technologies have complicated the ‘cyber war’
Katina Michael is a professor of innovation systems at the School for the Future of Innovation in Society and School of Computing and Augmented Intelligence at Arizona State University (ASU).
Her decades of work include investigating the complexity of the cybersecurity ecosystem, the multiple stakeholders and their entanglements, the human factors and the social implications of cybersecurity.
“We need everybody considering cybersecurity and learning about it so that we build better capacity among individuals, better capabilities in organizations, and at the governmental level and intergovernmental level, a better road map in how we respond as a society,” she said.
In the Q&A below, Michael expands on this thought, diving into what she describes as a “tit for tat” between hackers and cybersecurity defense mechanisms.
Question: October is Cybersecurity Awareness Month. What is top of mind for you in the current state of cybersecurity?
Answer: I’m going to say three things. The first thing is the number of scams continues to skyrocket. The second thing is the number of data breaches are getting larger and larger, some as big as countries. We're talking not only in the hundreds of millions, but even a billion passwords stolen across nation states. And then the third thing is: What about AI? What if we unleash the power of AI into attack mechanisms? We've got this AI constantly morphing and generating new methods of attack against sitting ducks. That's really my top three for this month.
Q: Has our collective understanding of the importance of cybersecurity outpaced the evolution of cyberattacks?
A: It's a resounding no. Surely education can come a long way, but we will never be ahead of the attacks. We will always be playing catch up.
We've got to increase budgets in organizations. We've got to increase human resources that are using tools like artificial intelligence to defend and protect networks and systems and services and online platforms. We're not doing enough. Security and privacy, for example, haven’t been taken seriously because they are often thought of as non-functional requirements. My hope is through my work on social implications that I raise awareness about this and that we do actually provide the commensurate resources at every layer.
Hackers have the whole day to look at how they can penetrate systems. And when money is the main motivator to the penetration of a system, they'll keep going. Of course, we can try and increase our cyber defenses through technology, but technology alone is not the silver bullet solution.
Q: Will artificial intelligence serve as both a defense mechanism against cyberattacks and a tool for hackers to instigate attacks?
A: That's very accurate. It's pretty much a dual-use technology. I can use it in defense. I can use it for offense.
The stakes are also increasing, either through sensitive information being stolen or things that people rely on every day, like pharmaceuticals. Hackers are focused on critical infrastructure, on supply chains, but it's getting more and more personal. First they hack networks and organizations, then they hack the cloud and major platform providers. Then they're going to start hacking our edge devices. And next we're going to see hacks of humans.
This has a life-threatening context. It's one degree more than, ‘I can't get my pharmaceuticals.’ It's, ‘I can't switch myself on this morning,’ or ‘I could be subject to a heart attack because my device has been killed.’ We are starting to see vulnerabilities, not just in the network, not just in the organizations, not just at the edge, but in us.
Q: How does biometric data enhance cybersecurity? How could it potentially complicate it?
A: We are using our face prints and our fingerprints to unlock our phones, or some of us use our fingerprints to do that. There's no problem with that because the biometric data is stored on the phone. For example, in the iPhone, it’s stored in a ‘secure enclave.’ It’s not in the cloud somewhere.
Increasingly, we are seeing sensitive data being stored on the cloud, some of which is unencrypted, and that's a problem. It means if it's on the cloud, it can be taken, and if it can be unencrypted or decrypted, there's an issue.
The greater worry is that (hackers) are going to flood the internet with fake images through generative AI, known as deep fakes. They will penetrate systems using presentation attacks, imposter attacks, photo morphing attacks, even evolving compound attacks – introducing noise into algorithms so that we spoil the image or it can go undetected.
Q: How do we better protect biometric data?
A: Through more robust policy frameworks, through compliance with international standards. We've got to benchmark this stuff. We've got to test it. You want to introduce a new technology? You've got to do commensurate testing on large populations. You've got to have people participate in the process of development and deployment.
We have to think in an innovative way because we will never be ahead of this game. Security will not be foolproof. It's never foolproof. Security is just a mechanism by which we can have some kind of sanity in the cyber-physical-social world in which we live.