At times, RSA Conference 2023 felt more like watching the development of a science fiction plot than a gathering of the world’s top cybersecurity professionals. Much of the conversation among the more than 40,000 attendees focused on what advancements in artificial intelligence mean for cybersecurity professionals and how new AI technologies will be used by threat actors and defenders alike.
On these fronts, there is good and bad news:
For those wary of AI’s potential, the movie WarGames may come to mind. In this 1980s sci-fi drama, a high school student inadvertently awakens an AI that nearly starts a global thermonuclear war. One of the movie's central themes was maintaining human input into computer decision-making. At RSA, many similar concerns were raised about the consequences of autonomous AI decision-making without human oversight.
During many of the keynotes and sessions, the promises associated with AI ran high. For example, machine learning can help enterprises better defend their systems through more rapid threat detection, improved data breach predictability, and faster response when breaches occur. Overall, AI can help organizations keep pace with evolving threat actor techniques, lower costs through automation, and improve the effectiveness of security analysts.
With the near-singular focus on AI during the conference, it was no surprise that the winner of this year's RSAC Innovation Sandbox contest was a startup focused on protecting AI models. According to a decision by a panel of judges, HiddenLayer’s ability to help enterprises protect their machine learning models within their products proved to be the most innovative technology this year. The AI application security company, focusing on detecting adversarial machine learning attack techniques, is based in Austin, Texas.
Participating in the Innovation Sandbox contest is a big deal for security startups. According to RSA Conference, since the contest first started, the top 10 finalists each year have cumulatively experienced over 75 acquisitions and raised more than $12.5 billion in investments. Winners from prior years include Apiiro, Imperva, Phantom, Securiti.ai, and last year’s winner: Talon Cyber Security.
Without AI, zero trust has zero chance
Of course, what would the RSA Conference be if today’s buzzphrase wasn’t minimizing yesterday’s buzzphrases? That’s precisely what Rohit Ghai, chief executive officer of RSA Security, did when he said: “Without good AI, zero trust has zero chance.” Ghai sees AI aiding in improving security technologies such as identity management and security automation.
Adversarial AI: A long-term risk
Regarding the risks security practitioners face today, not everyone is as pessimistic regarding the security impact of AI. “Generative AI doesn't fundamentally change the landscape in any way,” said Nick Biasini, head of outreach at Cisco Talos. Biasini noted that generative AI does enable adversaries to create very convincing spear-phishing emails but that those effective lures aren’t enough to make a successful campaign.
“You still have to build the infrastructure,” he said. “You still have to get [the phishing email] in front of the user, and you still have to weaponize the access. [Generative AI] doesn't help you with any of that. And we already have sophisticated lures and very good spear-phishing techniques today,” he said.
While generative AI does provide more access and ability to more users, it doesn’t fundamentally change the nature of the threat, Biasini added. “[There is] the ability to train artificial intelligence on your own data set and make use of it. If one were to take an AI and train it heavily on vulnerability and exploit data, one potentially could have a very powerful tool. But that is not something that everyone is going to have access to. This is only going to be state-sponsored enterprises with very deep pockets. This stuff is extraordinarily expensive to use,” Biasini said.
By George V. Hulme