Are we finally ready to get serious about cybersecurity in AI?
Design from LI's premium bot (MS)

Just when many thought it wouldn't get worse (despite warnings that it would), cybersecurity failures have started to fire off like a chain reaction of explosions across the economy. Let’s review just three major events this year that have systemic properties:

(1) Ransomware attack on UnitedHealth Group’s (UHG) subsidiary, Change.

Change is a provider of healthcare billing and data systems that facilitates payments to doctors and healthcare facilities nationwide. The attack seriously disrupted operations at healthcare centers that serve more than 30 million poor and uninsured patients.

In July, UHG announced that the expected total cost of the response has increased by more than $1 billion to between $2.3 billion and $2.45 billion this year. However, that figure likely only represents a small fraction of the total cost, not including costs to thousands of healthcare professionals, clinics, and patients, much less impact on health.

(2) Ransomware attack on CDK

This was a nightmare for car dealers, who are estimated to have lost nearly $1 billion. Customers couldn’t pick up new cars, dealers were guessing about credit scores for car buyers on loans, and inventory management was a mess. Public reports essentially describe chaos.

CDK is quoted as saying that the company expects no meaningful impact to its financial condition, but it’s been reported that they paid $25 million in ransom, presumably after the second attack in as many days. The company is being sued by car dealers, so time will tell.

(3) CrowdStrike outage

Just five days ago as I write this, on July 19th, 2024, what has been described as the largest IT outage in history took place when a routine update containing faulty code was distributed and installed on Windows PCs and servers, resulting in the ‘blue screen of death’ for 8.5 million devices. This event likely cost lives as it impacted 911 call centers, hospitals, airlines, and banks, among thousands of others.

CrowdStrike is a leading cybersecurity company that has a pretty good reputation for cybersecurity (at least it did until this event). The CEO, George Kurtz, discusses the need to bend the time curve on patching due to the increasing sophistication of state-sponsored hackers and ransomware groups. The need for speed presumably influenced their recent outage as they rush to update code.

I’m not sure whether LLM chatbots were used to help conduct the two ransomware attacks above, but most experts agree chatbots are undoubtedly being employed at scale to assist in all types of illegal activity, including cyber, systemic, and catastrophic activities. As I’ve often said since we made the decision to stop providing information on our Synthetic Genius Machine (SGM) R&D, “Any system that can accelerate discovery can accelerate destruction”.

Increasing systemic risk in the cloud

I’ve been warning about rapidly increasing systemic risk in computing for years, particularly as the big three cloud vendors began to form a tight oligopoly. Between AWS, Azure and GCP, the big three now host a very large portion of the economy and national security, including a significant portion of the U.S. Government intelligence community and DOD, a large portion of the financial sector, industrial companies, major retailers, manufacturers, healthcare providers, and on and on. Now the same three companies are planning to invest over $1 trillion to expand infrastructure to dominate AI.

I consider the risk in Big Tech to be among the top five systemic risks in the world today. It may be number one. The IMF has been warning about systemic cybersecurity risks since 2020, Swiss Re included Big Tech cloud computing and AI in their emerging risk report for 2024, and the BIS has been warning central banks about increasing systemic risk in cloud computing and AI. These few examples are representative of a larger community of world experts on systemic risk who are all warning about increasing risk in Big Tech cloud computing and AI.

Unfortunately, despite warnings from me, CISA, the NSA and many others, very little has been done to reduce risks. One problem is the size and influence of Big Tech companies in the political process, and another is perverse incentives. For example, Microsoft is the largest cybersecurity company by revenue, yet is also the greatest systemic risk in my view due to the characteristics of the company's interconnected footprint. When MS products have security faults, their cybersecurity arm will gladly sell you a solution. To date the financial incentive has been to reward insecure systems.

The big one is coming

(From a recent post here on LI).

CRITICAL CYBERSECURITY WARNING. My quote of the week in a reply to Thomas Brown: An 8 or greater magnitude cyber quake is as inevitable as the quake and tsunami that caused the Fukushima nuclear meltdown.

For those who don't study major catastrophes, the Fukushima nuclear disaster was extremely preventable and was predicted years in advance with near certainty. The water pumps in the nuclear power plant were installed below the level of a tsunami predicted and expected due to a large earthquake. It wasn't a matter of if, but when, as the fault line was well-researched, well-known, and earthquakes and tsunamis occur in that location of that size (8.9 in that case) on a regular basis as the pressure builds up in the shifting Pacific Tectonic Plate. Independent researchers had indeed warned for years that the water pumps were below the level of the expected tsunami, and when the quake and tsunami hit the pumps would fail (causing a nuclear meltdown), but the bureaucracies involved didn't move the water pumps. It was deemed too expensive and inconvenient from a political and cultural perspective. Of course, from an ROI perspective, it would have been the best investment possible. Most major catastrophes have similar patterns.

Systemic major cyber catastrophes are approaching a similar level of probability -- as in almost certain and just a matter of time. Costs of a comparable 8.9 cyber quake would likely be over $10 trillion in the U.S. alone and cost the lives of at least tens of thousands. An LLM major cat could be much worse. Preventing major cyber cats is costly and inconvenient, but it's nothing compared to the cost if we fail to do so.

Our approach to security in the KOS

Unlike seemingly most of our industry, KYield, Inc. has taken security very seriously from inception. I designed-in embedded security in the first version of what eventually became the KOS, and we’ve continued to place security as a very high priority at every stage of R&D and now commercialization.

The KOS currently includes four layers of security, each of a different type for different purposes. Some of the security is open source and some proprietary. Each of the eight major functions in the KOS has additional security tailored to the risks we are targeting to prevent or mitigate.

For security reasons we don’t reveal as much as we’d like about our technology due to a combination of competitive threats in companies that ignored IP, and state actors like China who have shadowed us for nearly 3 decades of R&D. However, I can share that in addition to the system security that is continuously improved, we have a robust R&D program including advanced security from our next-generation system in the SGM. Our plan is to integrate SGM security into the KOS as it becomes available after robust testing.

By automating the process, some types of risks can be thwarted almost instantly, thereby preventing escalation of costly disasters or systemic events. Captured preventions extend far beyond the digital work environment. They also include the physical work environments, including industrial, retail, agriculture, logistics, shipping, healthcare, pharmaceuticals, banking, insurance, transportation and manufacturing.

Given the sharp increase in systemic cybersecurity failures in recent months, combined with the problem of lock-in and dependence on cloud vendors, we’ve sharpened our focus on transferring more of the DANA workload to devices, and hosting more of the KOS on premises, in local area networks (LANs) and wide area networks (WANs).

Several options are available for hosting, redundancy, and physical security. The configuration should be tailored to each organization’s specific operating environment and security needs. Some may want to consider a digital twin of the KOS in hybrid cloud in case of a catastrophic event on premises. In addition, the data in the KOS is interoperable so that, in the unlikely scenario that the KOS goes down, customers would be able to recover quickly. Data always remains under the ownership and control of customers; we just provide the system, certification, and recommendations on how best to configure it.

Bottom line is security is up to every organization. We can’t depend on either government or Big Tech to protect our organizations. It’s up to each of us to protect ourselves and collaborate to ensure safety and resiliency.

Jakub Polec

20+ yrs in Tech & Finance & Quant | ex-Microsoft/Oracle/CERN | IT / Cloud Architecture Leader | AI/ML Data Scientist | SaaS & Fintech

3 months ago

Where is AI in cybersecurity? Or we have to add AI to every sentence we produce to build clickbait?

Thomas Brown

Curious Contrarian with more questions than answers

3 months ago

Awesome article, Mark! Thx for posting.
