As ChatGPT attracted widespread use and attention, many B.C. businesses and organizations looked to adopt and benefit from artificial intelligence (AI) tools and technologies.
Doing so, however, may make businesses more vulnerable to cybersecurity risks, especially as technology adoption continues to facilitate remote work, experts warn.
“There are many attacks that are possible in AI-based systems, even more than classic software systems, once you bring in AI and machine learning,” said Karthik Pattabiraman, cybersecurity professor at the University of British Columbia (UBC).
“For example, revision attacks where an attacker can make small changes in input. An example would be saving stickers on stop signs to fool self-driving cars into thinking the stop sign is a different sign.”
“And more recently, generative AI with large language models, such as ChatGPT, are also subject to similar cybersecurity attacks where hackers can break the “data guard” built into existing language models to change … or steal the data.”
Remote work, now more common than it was pre-pandemic, has provided more opportunities for attackers, added Pattabiraman.
“For example, if I’m an employee and I’m logging in remotely, maybe my credentials get stolen, and even my voice and writing style can be impersonated, so the person on the other end has no clue that they’re talking to a scammer.”
He said there haven’t been any large-scale cases with data security attacks using AI, but that he expects this to ramp up over the next two to three years.
“[Businesses] should think very carefully about whether or not they want to deploy AI-based systems because a lot of times, you can get away with simpler detection-based systems than using complex AI, which opens up new threats and attacks with a much larger attack surface,” said Pattabiraman.
“They should carefully think through the risks of deploying AI and whether it makes sense for their business and whether the rewards outweigh the risks.”
Use of AI for cybersecurity also grows
Despite the potential risks it creates, AI has also been used to detect and address cyberattacks, and it’s becoming an important tool to combat increasingly sophisticated attacks.
“[AI] is a double-edged sword. It can be extremely helpful for us but cybercriminals now have access to the same tool,” said Omer Segoly, founder and CEO of 91Ô´´-based cybersecurity company Cyber Unit. “To battle AI, you’re going to need AI on your side as well.”
“For example, phishing emails in the past were very easy to detect and prevent, but now with ChatGPT available to any amateur hacker criminals, they are able to craft very well-worded and effective phishing emails that will help maximize their chances of going through and inflicting damage.”
Darn IT, another cybersecurity company that has an office in 91Ô´´, has also been using AI to detect and stop suspicious activities and threats from spreading and causing more harm to businesses and organizations.
“One of our vendors has a platform that uses an AI engine, which sits on every single endpoint and their network and looks for anything that would fall into certain categories, and then it would stop it, isolate it, and shut it down and stop the spread of infection,” said Darnley Greson, founder and CEO of Darn IT.
“When there are new variants and new strains that try to masquerade as a different program or a different file, traditional antivirus software may think that’s fine but some AI antivirus software does a lot more thinking and says, ‘hey, this doesn’t make sense, this is not logical.’”
Industry expands as demand rises
The global cyber security market is growing exponentially, with the industry predicted to hit US$10.5 trillion by 2025, according to an estimate by research firm Cybersecurity Ventures.
This growth has also been seen on the local level – Segoly said until two to three years ago, it would take a lot more education for businesses to understand why they need to be thinking about cybersecurity and taking action proactively.
“A lot of organizations are starting to hear more from the news and from other organizations and businesses that are exposed to cybercrimes and they’re taking more proactive measures to help make sure that they are prepared,” said Segoly.
Post-secondary institutions such as UBC and British Columbia Institute of Technology have been investing more in cybersecurity programs to meet a rising demand for talent.
Greson added that more IT companies are shifting focus to offer cybersecurity solutions, and that more IT professionals are getting certified as cybersecurity experts.
“It was already in demand pre-COVID, but during COVID, it showed a lot of businesses their finger was not on the security button, then they realized they needed to start investing some money or looking into it,” he said.
Greson added that a lot of corporate cybercrime victims are small businesses that don’t necessarily have the resources to invest in security training and solutions. Such firms, he said, may want to explore free tools, such as Ottawa’s CyberSecure Canada program, as a starting point.