Generative AI is a powerful new technology that differs in a fundamental way from previous versions of AI: it creates new things based on global information. It poses a very serious cybersecurity threat that the West is not currently prepared to deal with. In a way, it could be similar to the early appearance of COVID, and could need a similar response.
A concerted, immediate and cooperative effort is needed from Western governments and innovators in the commercial space (both individuals and corporations), an effort similar to that around the mRNA vaccines, to fund the development of adaptive defense technology that can stop generative AI-created attacks. Cyber attacks come without borders; to be effective, responses must also come without borders.
So, how serious is the threat of generative AI? We have become so inured to rapid technical change that it is difficult to recognize when a truly disruptive technology appears. In fact, we won’t know the damage for sure until after the fact.
Generative AI may be the start of another technology cycle, as significant as the one that started around the time of the appearance of the microprocessor. The danger is that generative AI is growing so rapidly in capability that if we wait to find out, we may not be able to catch it.
Logical analysis says that the threat is severe. Modern quality of life is highly dependent on our digital infrastructure. Before generative AI, cybercrime was the biggest industry in dollar volume on the planet. Generative AI could turbo-charge cybercrime, dramatically degrading our digital infrastructure and thus our quality of life. Some are calling for regulation, but regulation may have little positive effect on the cybersecurity problem and take too long to implement.
The static defense problem
Current cybersecurity defensive tools are like castles: very effective against swords and knives. However, generative AI has given attackers cannons and bombs, and the internet has given them the mobility to find the weakest points to attack. The answer isn’t a better Maginot Line. Now, dynamic and adaptive defense is the only thing that will work.
Current cybersecurity tools are static. That is, they are based on identifying preexisting known patterns and applying preexisting known scripted responses. However, generative AI systems create a very large number of brand-new types of attacks for which there are no preexisting known patterns or scripted responses. These attacks change very rapidly, too rapidly for patterns to be identified and installed in static defensive tools. Also, because the attacks are changing, effective responses can’t be easily anticipated and scripted.
What we need are dynamic defensive tools that can detect new attacks very quickly and stop the attack before serious damage has been done. To do this, the defense must be very close to the subsystem being protected. Some propose using generative AI to defend. This won’t work because the response from such systems will be too slow, in part because of their central-site nature.
Generative AI technology is growing rapidly in capability, and will be able to do even more damage tomorrow. These systems are trained on everything from the web, so even this article will become part of their training. Because of this, I spent a couple of months not talking publicly about this for fear it would make the AI problem worse. But at the recent RSA Conference, the cat came out of the bag. Early on, some argued that controls could be put in place to prevent bad uses. But there are widely reported ways to get around these controls.
The generative AI industry has started calling for regulation. Asking for regulation may be a way for the generative AI companies to move financial liability away from themselves. But in the cybersecurity space, damage is already being done and the word is out. Regulation can’t return things to normal, at least not quickly or effectively enough to control attackers outside of the West. The question that confronts us now is, “How can we quickly develop and deploy cyber defenses that are effective against generative AI-created attacks?”
A global problem requires a global solution
The situation today is similar to that in the US during the 1930s regarding the appearance of the V8 Fords. Bank robbery had been local. The new Fords made it possible for robbers to quickly escape across state lines, thereby avoiding local law enforcement. The only way to defend was to create a national defense; this would become the FBI. Today we face attackers crossing national boundaries. Some are hiding in countries outside the reach of law enforcement in the West and some are actually national actors themselves. Many of the attacks are purely commercial. But some of the commercial attacks on critical infrastructure blend over into defense and intelligence. It may be politically difficult to create an international organization to respond. But, at the least, it requires a coordinated international effort.
We need to quickly develop the dynamic/adaptive technology and methods for migrating from our current static defenses (S2: static attack ID/scripted response) to dynamic defenses (D2: dynamic attack ID/dynamic response). This migration is important because of the extremely large sunk investments in today’s static systems. These combination defenses can be called S2-D2.
There are innovators currently working on these dynamic/adaptive technologies, but they need support to bring their technology to fielded products. In a way, this situation is similar to when we first got news about the appearance of COVID. There were innovators working on mRNA, but they needed support to quickly bring us the products we needed to defend ourselves.
Western governments need to band together with commercial industry innovators to support research and development (R&D) focused on rapid development and deployment of S2-D2 systems. Governments in the US, Europe, Canada, Australia and New Zealand have programs to provide financial support for R&D and entrepreneurship. These programs come from both national defense and national industrial policy parts of the governments. Because of this, they have been concerned with improving narrow national competitive positioning against the rest of the world. However, the threat from generative AI cyber attacks is global. The Western world needs an effective response quickly. This can best be achieved by cooperation between the leading Western governments working closely with innovators in the commercial industry.
Proposal for a defense strategy
The stages listed below need to involve very broad cooperation between innovators in all of these sectors: national governments, commercial organizations, academic organizations, labs and individuals. High-risk projects should be embraced. The lowest risk in terms of project success, as defined by delivery of project deliverables, will always revolve around a small improvement in what already exists. We know that such an approach (a better Maginot Line) will not give us what we need. Accepting high-risk projects will mean that many will fail. But those that succeed will get us where we need to be.
Because the threat is already here and growing, this support has to come very quickly. Decisions made at the national level in all countries must be made on a global basis, not on a narrow national basis.
In Stage 1, cybersecurity proposals responding to current solicitations must be reviewed and granted on a multinational global basis—not on narrow national competitiveness. There has to be trust that as other nations schedule solicitations, or new initiatives come online, there will be reciprocity. Thus, Stage 1 focuses existing solicitation and proposal processes on the immediate need to fund development of dynamic and adaptive defenses.
Stage 2 will start new initiatives focused directly on dynamic/adaptive technology. From the early moments of the COVID pandemic, the US Congress gave IARPA a special allocation for very rapidly deployed R&D funding. The solicitation was posted in May with an early June 2020 response deadline and a 30 to 60 day response turnaround target. Many notable things came out of this program, including the development and fielding of wastewater surveillance programs that proved to be critically important. This same kind of thing can be done to speed the development and fielding of S2-D2.
Stage 3 is longer term. It involves the normal R&D program support planning and release of solicitations. This would work best if there were coordination between the national programs to make sure that all the bases are covered. Here again, speed is important.
Stage 4 will create an international forum for cooperation between those involved in creating, administering and actually doing the R&D in these programs. The effort to create this international forum for cooperation can and should be started now. It can begin operating informally almost immediately. It is listed as Stage 4 here only because it is likely to take time to formalize.
Generative AI is posing a very serious cybersecurity threat that the West is not currently prepared to deal with. A concerted, immediate and cooperative effort is needed from Western governments and innovators in the commercial space (both individuals and corporations). Regulation can have little positive effect on the cybersecurity problem and takes too long to implement. What is needed is a concerted effort to fund the development of dynamic defense technology that can stop generative AI-created attacks. The attacks come without borders, and the response, to be effective, has to come without borders.
[Bella Bible edited this piece.]
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.