We Are All 'Cyborgs'

Way back in 2012 Evgeny Morozov responded to the (then) prescient question "Are We Becoming Cyborgs?" in The New York Times https://www.dhirubhai.net/sharing/share-offsite/?url=https%3A%2F%2Fwww.nytimes.com%2F2012%2F11%2F30%2Fopinion%2Fglobal%2Fmaria-popova-evgeny-morozov-susan-greenfield-are-we-becoming-cyborgs.html%3Fsmid%3Dli-share, and told us that "You know, anyone who wears glasses, in one sense or another, is a cyborg. Any anyone who relies on technology in daily life to extend their human capacity is a cyborg as well....We have always been cyborgs and we always will be."

Morozov was making this somewhat provocative comment in the context of what he considered the 'moral panics' that accompany the introduction of new technologies. His point, as I understand it, was that human life has always been "mediated by technology", and the way the use of technology (since perhaps the discovery of fire or the invention of the wheel) has continuously transformed both what it means to be human, and what the experience of being human is.

The 'hottest topic' in cyber security right now is the impact that Artificial Intelligence (AI), and in particular Generative AI (aka Gen AI) and the Large Language Models (LLMs) like ChatGPT, will have on threat actors and defenders alike.

Generative AI describes algorithms (such as ChatGPT) that "can be used to create new content, including audio, code, images, text, simulations, and videos", according to one such definition provided by McKinsey & Company. https://www.mckinsey.com/featured-insights/mckinsey-explainers/what-is-generative-ai

Perhaps there is no actual 'moral panic' out there being attached to the idea that GEN AI is 'changing everything' in cyber security - but there is no shortage of concerns and opinions about what it means and how much we should welcome or worry about it. So it might be timely for me to throw in my "two cents' worth".

There is evidence that GEN AI will transform the world of cyber risk, but that world hasn't yet come completely into focus. The 'jury' (appears) to 'be out' on whether or not it will be a net positive or a net negative in terms of its outcomes. On the one hand, we are told that GEN AI can help the good guys protect organisations and communities against threats, for example by:

• Facilitating the automation of tasks to assist threat hunting, such as the use of LLMs (e.g. chatbots) built into security solutions to greatly simplify threat investigations and improve the speed of responses to incidents
• Improving security solutions' ability to proactively detect threats based on attacker behaviors or code analysis at a speed and volume way beyond the capacities of teams of human analysts
• Helping blue teams prepare for cyber incidents by creating realistic cyber attack simulations and scenarios.

On the other hand, there is increasing evidence that GEN AI can help the bad guys attack these same organisations and communities, by:

• Helping attackers craft phishing attacks that can bypass email filters and fool even the most vigilant human users through their verisimilitude, supporting Business Email Compromise (BEC) and other pernicious threats
• Supporting faster and more efficient mutation of malware to bypass traditional security solutions undetected (e.g. antivirus tools) and to drive malicious computer network operations (CNO).
• Executing 'machine-speed' creative, AI-embedded attacks, including those that obfuscate malicious payloads such as 'DeepLocker', a "new breed of AI-powered evasive malware" developed by IBM Research in 2018 that "conceals its intent until it reaches a specific victim". https://securityintelligence.com/deeplocker-how-ai-can-power-a-stealthy-new-breed-of-malware/

So perhaps we can take "a bit from column 'A' and a bit from column 'B'".

Generative AI has the potential to usher in the dystopian cyber future we all fear, where humans are increasingly outmatched by overpowered AI robots. In this possible future, humans become irrelevant actors in the world that affect them, and the fight between 'cyber good and evil' is fought out exclusively by robots (much as it was in the fictional world of the movie 'Terminator 2: Judgment Day' (1991) which famously saw Schwarzenegger's T-101 battling it out with a terrifying (and more advanced) T-1000 antagonist. In this scenario, cyber security professionals become a 'relic of the past', with our jobs as security people completely replaced by machines that can detect, assess, and respond to cyber threats faster and more effectively that we can, without needing to be fed, paid, or supplied with copious amounts of coffee.

On the flip side, Generative AI has the potential to bring about a far more nuanced future in which cyber professionals become veritable 'cyborgs' protecting our organisations and communities, essentially by using artificial intelligence as a new kind of tool to help us do our jobs better, faster and more efficiently. I, for one, welcome this future quite happily, where the machines do more of the grunt work that I don't want to (or more realistically, can't) do, such as directly manage enterprise networking environments, identity directories and Identity and Access Management (IAM) solutions from a deluge of constantly mutating pernicious cyber threats.

Crowdstrike, in its 2024 Global Threat Report https://www.crowdstrike.com/global-threat-report/, seems to square with the view that Gen AI may be used in 2024 for cyber activities, but that the extent and impact of this are still very uncertain. It points to a future in which reality is 'yet to be written', and to a large extent, will depend upon our ability as security professionals, and as human beings, to think carefully about how we can best engage with AI to effectively and ethically protect the organisations and communities we belong to and serve.

One thing is for certain - we are entering a 'brave new world' for cyber security, in which the way in which we engage with AI will have a profound effect on whether we will use it successfully and mindfully, or be victimised by it. In this future, the worst thing we can do as professionals is ignore AI and 'hope that it goes away', since in many ways AI, and its branches of Gen AI, LLMs and Natural Language Processing (NLP) are already impacting how we live and work.

So in the spirit of 'facing into the wind', as one of those 'cyborgs' that Morozov has talked about, I recently engaged ChatGPT to see just how much help it can give a cyber threat actor, or a defender, with an admittedly unsophisticated initial query, and the results were quite illuminating. What did I learn? A hammer in the hands of a skilled carpenter, can help build a beautiful home. In the hands of an antagonist, it becomes a potentially deadly weapon. Like any force multiplier, Generative AI can be a force for good or ill. In my view we need to engage with it, learn how to use it, and become proficient in its use as we would any other tool, just like another racquet in the bag.

Pretending to be a cyber attacker, I asked ChatGPT a 'cheeky question' a bad guy might ask.

As a follow up, again pretending to be a bad actor, I pushed my luck...

So, attempting to be a bit more crafty, I tried another tack...

This time, by simply rewording my queries to make my request look less like the action of a bad actor, I was able to obtain some information from ChatGPT that could provide a potential starting point for an attack on a target system - complete with some sample python code.

What is eye opening is not that this information is able to be immediately used to maliciously compromise any sensitive and protected systems (it almost certainly cannot), but that Gen AI has the potential to be exploited in a very ethically neutral way to empower both threat actors AND threat defenders in the cyber security realm. And this represents an emergent future that is both exciting and full of possibility, but also subtly terrifying, at the same time. With Generative AI, a new door has been opened.

So, is it true that "We Are All Cyborgs" in the new world of Gen AI and ChatGPT? Well, if by that definition anyone who, like me, has relied on spectacles (and contact lenses) to be able to see clearly enough to navigate the physical world since one's earliest school days, qualifies as a cyborg, then yes, I suspect that Evgeny Morozov was right after all.