OPINION

Thought for the week: Cyber risk moves at AI speed

AI is finding and exploiting software bugs almost instantly, causing companies to rethink patching, response plans and vendor risk.


Contributors:

Brian Hengesbaugh

CIPP/US

Global Chair, Data and Cyber

Baker McKenzie

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.

To begin your week, I recommend listening to this recent Wall Street Journal podcast: Cybersecurity Braces for AI "Bugmageddon." The short summary is that an unreleased frontier artificial intelligence model, announced last month, is capable of autonomously finding and exploiting bugs and other security vulnerabilities at superhuman speed. The developer indicates the model has already found thousands of vulnerabilities across every major operating system and browser.

And it's not just the volume of bugs the AI can find efficiently; it's the speed at which a vulnerability can be exploited once found that compounds the problem. The WSJ asserts that eight years ago the average time between a vulnerability being disclosed and its exploitation in a cyberattack was 847 days. Now, it's within one day. Geeks apparently call this the AI vulnerability Armageddon, but the WSJ calls it "Bugmageddon."

The developer indicated this frontier model is so powerful that it is being released only to a limited pool of companies that make up much of the backbone of the technology world. In reality, however, the mere existence of such a model raises concerns: the same capability can be rebuilt by others, and a limited release does not stay limited forever. Also, apart from this latest development, I think we have already seen a growing volume of attacks and exploits that appear to be fueled by AI-enhanced threat actor activity, so this is best characterized as a step change in an issue that already exists, not a new one.

So, what does this mean for companies? A few thoughts come to mind.

It's a good time to get faster at patching

Security teams will need more resources to triage and deploy patches materially faster than before. If exploitation follows disclosure within a day, patch cycles measured in weeks or monthly maintenance windows no longer match the threat; patching will need to become more of a continuous, 24/7 activity, with tighter vulnerability intelligence feeds, prioritization based on whether a flaw is actually being exploited and whether the affected system is exposed, and maintenance protocols that allow emergency changes outside the normal schedule.

Update and streamline incident response plans

With the increased volume of cyberattacks, it is a good time to revisit and streamline incident response plans. In particular, to the extent possible based on lessons learned from prior incidents and experience, map out strategies for how the company will manage a potential increase in the volume of incidents that affect company data. Key threads include how to handle repeats of familiar patterns of data incidents, and how to strengthen the plan's risk-based decision process for addressing global privacy, critical infrastructure, PCI and other notification requirements.

Revisit third-party contracting

Consider how to respond to an expected increase in the volume of cyberattacks from a third-party contracting perspective. When you think about it strategically, the right answers might not be obvious. Do you really want to receive a breach notice right away every time a vendor experiences an incident that touches business contact data? On the customer contracting side, should you be doing more to build in some flexibility, such as time to ascertain whether an incident is real, before you are obligated to notify?

Refresh on tabletops and update senior leadership

It will be important to refresh tabletop exercises and otherwise update senior leadership on developments in the ecosystem and on the ways in which the company is responding. This can help secure adequate resources for information security and incident response teams. It can also prepare senior leadership so that they have context if they start to hear about a higher volume of incidents.



Tags: AI and machine learning, Risk management, AI governance
