Artificial intelligence a ‘double-edged sword’ in world of cybersecurity: experts

Article content

TORONTO – Denis Villeneuve has worked in cybersecurity for 15 years, but rarely have the threats he faced felt as personal as they do these days.

Employees at his workplace, tech company Kyndryl, were sent fake videos of CEO Martin Schroeter that were designed to lure them into handing over their login credentials to scammers.

Villeneuve also saw a friend who ran a small engineering firm fall prey when a voicemail was left for his wife using what sounded like his voice to falsely convey that he was in trouble and needed her to pay bail money quickly.

“I was like, ‘Oh my God.’ This happened very recently because this is a good friend of mine,” recalls Villeneuve, Kyndryl Canada’s cybersecurity and resiliency practice leader.

These attacks are made possible thanks to artificial intelligence-based software, which has become more affordable, accessible and advanced in recent years.

But despite the cybersecurity threats, Villeneuve – like much of the tech industry – is careful not to paint AI as all bad.

In the fight against cyber attackers, they believe that artificial intelligence can help as much as it harms.

“It’s a double-edged sword,” Villeneuve explained.

As AI improves, experts feel there will always be a bigger or more innovative way to try to penetrate a company’s defenses, but those defenses are getting a boost from technology, too.

“AI, at the end of the day, is something that is much better for defenders than attackers,” said Peter Smetney, regional vice president of engineering at cybersecurity firm Fortinet Canada.

His reasoning lies in the sheer number of attacks some companies face and the resources needed to deal with or ward them off.

A 2023 EY Canada study of 60 Canadian organizations found that four in five experienced at least 25 cybersecurity incidents in the past year. Indigo Books & Music, London Drugs and Giant Tiger have all been victims of high-profile incidents.

Although not all cyberattacks are successful, Smetney said many companies see thousands of attempts to penetrate their systems every day.

Artificial intelligence makes handling them more efficient.

“You may only have four or five people on your team and there are only a few alerts that they can go through manually, but this allows them to focus and tells them which alerts to prioritize,” Smetney said.

Without AI, an analyst would have to manually check whether each attack is linked to an IP address, a unique identifier assigned to each device connected to the Internet, which can help trace the origins of an attack.

The analyst will also examine whether the person behind the address is already known to the company and how offensive it is.

Using AI, the analyst can now query the software using simple language to quickly gather and present everything about the attacker and their IP address, including where they gained entry into the system and what actions they performed.

“It can really save a lot of time and point you in the right direction, so you focus on the important things,” Smetney said.

But attackers have the same tools in their arsenal.

Anyone with malicious intent could turn to AI to help collect data from multiple breaches and piece together a target profile, said Dustin Heywood, chief architect of IBM’s global intelligence agency X-Force.

For example, if data tells them that someone frequently shops at Toys “R” Us or at Walmart for baby products, it might tell an attacker that someone recently had a baby.

Attackers sometimes resort to a practice known as “pig butchering” to fill in any missing information they have.

“You’ll have a robot that starts talking to a person, and starts building a relationship using things like generative AI,” Heywood said. “They will make them feel nice and confident, and then they will start extracting information.”

When attackers obtain financial details, a Social Security number, or enough personal information to access an account, the data can be used to fraudulently apply for a credit card or be sold to other criminals.

The potential harm is further increased when there is material good enough to create a deepfake, which is a clip of someone doing or saying something they did not do. Villeneuve’s example of his friend who appears to have left a message for his wife is an example of this tactic.

For smaller targets, AI does much of the heavy lifting, giving attackers the opportunity to focus their attention on high-value victims.

“You can have the robot operator talk to 20 people at once,” Heywood said. “Before, it was a farm of people in a third country, typing on mobile phones.”

He’s also heard of people using augmented reality glasses that instantly pull up information about a person, including their personal data being sold on the dark web, just by looking at them, and of others working on “jailbreaking” AI-powered chatbots to extract personal information people have entered.

The advances in attacks have convinced him that AI is a “game changer.”

“In the 1990s, teens, kids and college students were hacking websites to smear them,” he said. “Then we recently turned to ransomware where corporate computers are encrypted.”

Now, the focus has shifted to seizing someone’s identity, which is “really big business,” and AI is fueling it even more, Heywood said.

The Canadian Anti-Fraud Centre said the country counted 15,941 fraud victims in the first half of the year, with $284 million lost in those incidents. There were 41,988 victims and $569 million lost the previous year.

Heywood, Smetney and Villeneuve feel that the war against attackers is not futile and that companies are taking it seriously.

Employers conduct exercises for companies, such as banks and large retailers, to simulate what it would be like if their companies were attacked, helping them prepare employees to confront threats and identify and patch software vulnerabilities.

Heywood said it’s not difficult to convince companies to take action, because a cybersecurity breach can cost companies an average of $6 million and lead to falling stocks, lower sales and a breakdown in customer relationships.

Anything they can do to stop an attack is worth it, he added, because “trust is gained in inches but lost almost instantly.”

This report by The Canadian Press was first published Oct. 20, 2024.
