WASHINGTON — For years, Pentagon leaders have said that cyber security, like missile defense, was a natural place to start using artificial intelligence: high speed, high stakes, with too much data coming in too quickly for a human mind to comprehend. But, amid the current AI boom, have algorithms emerged that can contribute to cybersecurity today?
“For the moment, not really,” lamented David McKeown, the Pentagon’s chief information security officer and deputy CIO for cybersecurity, when the issue was raised at the AFCEA TechNet Emergence conference on Monday. “I’m disappointed.”
“I’ve been looking for use cases where AI is used to perform cybersecurity tasks and, so far, I don’t see many,” McKeown continued.
The absence is palpable in industry, he said. “I took a group of CISOs to AWS (Amazon Web Services) on Friday, (and) they haven’t developed anything that I can say.”
The absence is also palpable at the Pentagon.
“Inside the building, we have (a) CDAO that is in charge of our data and the future of our AI,” he continued, referring to the Department of Defense’s Chief Digital and Artificial Intelligence Office, created in 2021. “They focus on improving higher-level decision-quality data, they focus on combat missions where they leverage AI, it is used to optimize maintenance cycles of bombers and we’ve saved billions of dollars – but I’m looking for ways to leverage AI on the cybersecurity front.”
So, McKeown told the AFCEA audience, which included many entrepreneurs, “If you know of any products that leverage AI to do things in cybersecurity, I’d like to talk to you. This is a key element of our zero trust strategy.”
On the sidelines of the conference, McKeown wanted to clarify that his public remarks were a “call for data” asking industry to offer AI options, not a dismissal of the technology. “Don’t tell people I’m not getting into AI, (because) I love AI. I want a lot of AI,” he told Breaking Defense.
With such a strong demand signal from the Pentagon and with cyberattacks growing in number, frequency and sophistication, why has no one built a sufficiently capable AI defense? In short: because it’s hard.
Industry is trying, said Kyle Fox, chief technology officer at SOSi, which helps defend the Pentagon’s multinational mission partner environment. He said his team already uses AI tools for at least some aspects of cybersecurity.
“It’s early days and there aren’t a lot of turnkey commercial solutions out there,” he told the AFCEA panel, “but I really encourage everyone to experiment in this domain.”
Why is cybersecurity AI so far behind other fields like large language models and image analysis? It turns out that the kind of machine learning algorithms that can analyze consumer data and scrape public websites to generate scarily accurate product recommendations, human-sounding (albeit tasteless) text, or photorealistic people with too many fingers have a much harder time mastering the complexities and intricacies of cyber defense.
For one thing, cyber defense is no longer just about defending cyberspace, because software is increasingly used to operate physical systems. And while algorithms are great at digesting digital data, AI still has trouble understanding the messy, analog world of physical objects, machines and infrastructure and how they interact – for example, in the complex interconnections of a weapons system or a civilian electrical grid.
“We tend to think of software as something that can be analyzed by itself,” said Emilie Frye, a cyber expert at the MITRE think tank, speaking on the AFCEA panel alongside McKeown. “Software and hardware are often – not always – inextricably linked.”
“Software…is present in every piece of critical infrastructure operated by the United States,” added Fox, who spent 12 years as a software engineer in the US Air Force. This means that all sorts of mundane but vital machines can be hacked. “This problem is getting harder, not easier, (and) we’re not winning…In fact, we’re kind of losing right now.”
Small, specialized software programs, called firmware, have long been built into industrial and consumer devices, from pipeline controls to baby monitors. The movement to computerize ordinary objects and network them wirelessly into a vast “Internet of Things” puts software in hardware of all kinds – and that software may come with unintentional bugs or, worse, intentional backdoors.
Finding all these subtle flaws, hidden in countless lines of code, is precisely the kind of huge, painstaking, head-scratching task that AI optimists say their algorithms can help human analysts handle. But, as McKeown and his fellow panelists warned, AI still has a long way to go.
The call comes from inside the house
Teaching AI to do cybersecurity is becoming harder because best practices have changed dramatically, for both defense and offense. Cybersecurity used to mean perimeter defense: firewalls, passwords, and automated virus filters. But it soon proved impossible to stop every attacker at the firewall, which meant that smart cyber defenders had to assume a smart adversary was already lurking somewhere inside their networks and that every user had to be monitored for signs that their account was compromised – what the cybersecurity industry calls a zero trust defense.
Attackers, meanwhile, increasingly steal real user credentials – often obtained through phishing emails and other “social engineering” tricks that exploit human error rather than defeating a machine – and then “live off the land” by using the software already present on the target network, rather than uploading their own code. Instead of looking for easily identifiable malware and other foreign code, defenders now have to look for anomalous behavior by seemingly legitimate users running legitimate software.
“They’re going to access your networks, and in many cases, when they get there, they look like legitimate users. They often don’t upload any payloads with signatures that our tools will see,” McKeown warned. “(So) we have to get really good at knowing what an anomaly looks like. …What is within the realm of possibility for the detection of abnormal behavior?”
Pattern and anomaly detection is generally well suited to AI, but it requires a lot of data to train on, and that data is often unavailable. Few networks are fully “instrumented” to monitor and record legitimate user behavior, experts note. Even where they are, the data only shows what is normal on the specific network it was collected from: a different group of users running identical software may behave very differently, so a security AI trained on someone else’s “normal” may end up blocking legitimate operations.
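The two points above (anomalous behavior by legitimate users with legitimate tools, and a baseline that is only valid for the network it was learned on) can be shown with a very small behavioral baseline. The code below is an added example, not anything from the article or from the vendors it names; the log lines, the field layout (timestamp, network, user, role, tool, target) and the two networks are all constructed for illustration.

```python
"""
Added example: a minimal per-role behavioral baseline for spotting
"living off the land" activity, and a demonstration that a baseline
learned on one network flags ordinary work on another.
All telemetry below is constructed; the field layout is an assumption,
not any real product's log format.
"""
from typing import Dict, List

# Constructed sample telemetry: legitimate activity on two networks that
# run the same admin tooling but work on different schedules and habits.
SAMPLE_LOGS = """\
2024-03-11T09:02:11Z net=A user=alice role=admin tool=powershell target=srv-01
2024-03-11T10:15:40Z net=A user=alice role=admin tool=wmic target=srv-02
2024-03-11T14:30:05Z net=A user=bob role=analyst tool=excel target=share-01
2024-03-11T15:47:22Z net=A user=bob role=analyst tool=browser target=intranet
2024-03-11T22:05:09Z net=B user=carol role=admin tool=psexec target=srv-09
2024-03-11T23:41:37Z net=B user=carol role=admin tool=powershell target=srv-10
2024-03-12T02:12:50Z net=B user=dave role=analyst tool=certutil target=share-02
2024-03-12T03:05:14Z net=B user=dave role=analyst tool=excel target=share-02
"""

# Constructed event on network B that does not fit B's own habits:
# an analyst account suddenly using a remote-execution tool.
SUSPECT = "2024-03-12T03:20:00Z net=B user=dave role=analyst tool=psexec target=srv-09"


def parse(lines: str) -> List[dict]:
    """Turn 'timestamp key=value ...' lines into dicts; hour-of-day is derived from the ISO timestamp."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        ev = dict(pair.split("=", 1) for pair in kv)
        ev["hour"] = int(ts[11:13])
        events.append(ev)
    return events


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per-role set of tools and active hours observed in the training window.
    Deliberately coarse: a real baseline would use distributions, not sets."""
    base: Dict[str, dict] = {}
    for ev in events:
        entry = base.setdefault(ev["role"], {"tools": set(), "hours": set()})
        entry["tools"].add(ev["tool"])
        entry["hours"].add(ev["hour"])
    return base


def score(ev: dict, baseline: Dict[str, dict]) -> List[str]:
    """Return the reasons an event deviates from the baseline (empty list = looks normal)."""
    entry = baseline.get(ev["role"])
    if entry is None:
        return ["unknown role"]
    reasons = []
    if ev["tool"] not in entry["tools"]:
        reasons.append(f"tool {ev['tool']} never seen for role {ev['role']}")
    if ev["hour"] not in entry["hours"]:
        reasons.append(f"activity at hour {ev['hour']:02d} outside learned window")
    return reasons


def flagged_fraction(events: List[dict], baseline: Dict[str, dict]) -> float:
    """Share of events the baseline would raise an alert on."""
    return sum(1 for ev in events if score(ev, baseline)) / len(events)


def demo() -> dict:
    events = parse(SAMPLE_LOGS)
    net_a = [e for e in events if e["net"] == "A"]
    net_b = [e for e in events if e["net"] == "B"]
    base_a, base_b = build_baseline(net_a), build_baseline(net_b)
    return {
        # B's own baseline: B's legitimate work looks normal.
        "b_with_own_baseline": flagged_fraction(net_b, base_b),
        # A's baseline applied to B: every legitimate B event is an "anomaly".
        "b_with_a_baseline": flagged_fraction(net_b, base_a),
        # B's own baseline still catches the out-of-pattern event.
        "suspect_reasons": score(parse(SUSPECT)[0], base_b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lesson is in the second number: nothing about network B is malicious, yet a model trained on network A's "normal" alerts on all of it, which is the operational cost the panel describes. The suspect event shows the same baseline doing its job when it is learned on the right network.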
Additionally, the applications on a modern organization’s network are numerous and constantly changing, with old software regularly updated (often to fix cybersecurity vulnerabilities) and new software added all the time. Increasingly, the threat no longer comes from outsiders downloading obvious malware, but from insiders building backdoors into software your own IT department buys. Even if the prime contractor is trustworthy, can it vouch for the subcontractors and sub-subcontractors who write specific pieces of code that go into the final application?
This cybersecurity “supply chain” problem may be insurmountable, warned VTG’s Zac Burke, former head of a Pentagon supply chain program called Iron Bank. “You really don’t understand the problem until you have it on your knees,” he told the AFCEA audience. “The quantity of (software) artifacts that only the DoD uses, there are hundreds of thousands.”
Executive Order 14028 tried to address this problem in 2021 by, among other things, establishing standards for a “Software Bill of Materials” (S-BOM), essentially the digital equivalent of a nutrition label that tells users what ingredients are inside. But the quality of an S-BOM depends on the integrity and competence of whoever wrote it – or rewrote it. “It’s as simple as opening a text editor and editing the S-BOM,” Burke said. “Our assessment is that the only way you can trust an S-BOM is to build the software yourself.”
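Burke’s point is that an S-BOM is a plain document with no built-in proof that it still describes what was delivered. Two checks a consumer can run are shown below, as an added example that is not from the article, from VTG or from Iron Bank: an integrity tag over the canonical S-BOM text, so post-hoc edits are detectable, and a recomputation of every component hash against the delivered files. The S-BOM layout is a simplified CycloneDX-style JSON (an assumption, not a full implementation of that specification), and the artifact bytes, component names and key are constructed for the example.

```python
"""
Added example: two cheap consumer-side checks on an S-BOM.
  1. attestation over the canonical document -> detects edits to the S-BOM text
  2. recomputed component hashes -> detects delivered files that do not match it
The S-BOM shape is a simplified CycloneDX-style JSON (assumption); all
artifacts, names and the key are constructed for illustration.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed build artifacts: (component name, version, file name, file bytes).
ARTIFACTS: List[Tuple[str, str, str, bytes]] = [
    ("libparse", "1.4.2", "libparse-1.4.2.so", b"\x7fELF constructed bytes for libparse 1.4.2"),
    ("netutil", "0.9.1", "netutil-0.9.1.whl", b"PK constructed bytes for netutil 0.9.1"),
]
FILES: Dict[str, bytes] = {fn: data for _, _, fn, data in ARTIFACTS}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sbom(artifacts) -> dict:
    """Producer side: record one SHA-256 per component at build time."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {
                "name": name,
                "version": version,
                "purl": f"pkg:generic/{name}@{version}",
                "properties": [{"name": "file", "value": fn}],
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
            }
            for name, version, fn, data in artifacts
        ],
    }


def canonical(sbom: dict) -> bytes:
    """Deterministic serialization so the same content always yields the same bytes."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def attest(sbom: dict, key: bytes) -> str:
    """Producer side: MAC over the canonical S-BOM. A real pipeline would use a
    digital signature from the build system; HMAC with a key shared with the
    consumer keeps this example inside the standard library."""
    return hmac.new(key, canonical(sbom), hashlib.sha256).hexdigest()


def attestation_ok(sbom: dict, key: bytes, tag: str) -> bool:
    """Consumer side: does the S-BOM we received still match the tag the producer issued?"""
    return hmac.compare_digest(attest(sbom, key), tag)


def hash_mismatches(sbom: dict, files: Dict[str, bytes]) -> List[str]:
    """Consumer side: recompute each component's hash from the delivered file."""
    problems = []
    for comp in sbom["components"]:
        fn = next(p["value"] for p in comp["properties"] if p["name"] == "file")
        declared = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if fn not in files:
            problems.append(f"{comp['name']}: file {fn} missing from delivery")
        elif sha256_hex(files[fn]) != declared:
            problems.append(f"{comp['name']}: hash of {fn} does not match S-BOM")
    return problems


def demo() -> dict:
    key = b"constructed-shared-key"          # constructed; never hard-code a real one
    sbom = make_sbom(ARTIFACTS)
    tag = attest(sbom, key)

    # Case 1: untouched S-BOM and matching files pass both checks.
    clean = attestation_ok(sbom, key, tag) and not hash_mismatches(sbom, FILES)

    # Case 2: the "text editor" edit Burke describes, here a bumped version string.
    edited = copy.deepcopy(sbom)
    edited["components"][0]["version"] = "1.4.3"
    edited_detected = not attestation_ok(edited, key, tag)

    # Case 3: honest S-BOM, but the delivered binary is not the one it describes.
    swapped = dict(FILES, **{"libparse-1.4.2.so": b"different constructed bytes"})
    swap_problems = hash_mismatches(sbom, swapped)

    return {"clean": clean, "edited_detected": edited_detected, "swap_problems": swap_problems}


if __name__ == "__main__":
    print(demo())
```

Neither check answers the deeper objection: both trust whoever produced the hashes and the tag in the first place, which is exactly why Burke’s conclusion is to build the software yourself. What they do buy is the ability to tell an S-BOM that was edited after issuance, or a binary swapped after the S-BOM was written, from one that is merely wrong at the source.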
What about reviewing a vendor’s source code before installing its software on your system? Even if the buyer has the expertise to make that assessment, the panel experts said, government contracts rarely give the buyer the right to do so. Given software companies’ sensitivity to intellectual property leaks or to third parties disclosing an unpatched vulnerability, they are unlikely to sign contracts exposing their proprietary code in the future.
“They’ll never share their real code, (but) I don’t think I necessarily need to see the code,” McKeown said. “I just need to know that they are growing in a safe environment.”
Alternatively, Burke suggested, you could try buying open source code. In that case, instead of protecting the code by keeping it secret, the developers let everyone see it for free, hoping that the good guys looking for vulnerabilities to fix will work faster than the bad guys looking for vulnerabilities to exploit. But that is not viable for many military missions.
Sometimes the only option is to take the finished software apart and try to reconstruct the original source code, that is, to analyze the binaries before installing them.
“We can reverse engineer binaries all the way back to source code – we think, theoretically, at scale,” Burke said. “We’re doing some experiments.”
“I’ve never heard much about that,” McKeown commented. “I understand why you do this, (but) it’s a little scary: If we can do it, the opponents can do it to us too.”
UPDATED 3/15/24 at 9:30 a.m. ET to correct Kyle Fox’s title at SOSi.