Ex-CISA chief says AI could mean the end of cybersecurity - The Register

Ex-CISA head Jen Easterly claims AI could spell the end of the cybersecurity industry, as the sloppy software and vulnerabilities that criminals rely on will be tracked down faster than ever.

Speaking at AuditBoard's user conference in San Diego, Easterly said the threat landscape has never stopped evolving.

The proliferation of data, platforms and devices meant "we've expanded the attack surface for cyber threat actors like China and Russia and Iran and North Korea and gangs of cybercriminals." Easterly said that if cybercrime was a country, it would be the third biggest in the world, just behind the US and China.

But ultimately, this is all the result of bad software ridden with vulnerabilities.

"We don't have a cybersecurity problem. We have a software quality problem," she said. The main reason for this was software vendors' prioritization of speed to market and reducing cost over safety.

AI is making attackers more capable, helping them create stealthier malware and hyper-personalized phishing, and also to spot and surface vulnerabilities and flaws more quickly.

CISA has responded with its own AI action plan, and "I believe if we get this right, we will actually be able to tip the balance to the defenders and protectors."

That includes through detection, countermeasures and learning from attacks, but also identifying vulnerabilities and ensuring software is secure by design.

Ultimately, she said, "if we're able to build and deploy and govern these incredibly powerful technologies in a secure way, I believe it will lead to the end of cybersecurity."

By which she meant that a security breach would be an anomaly, not a cost of doing business.

It was important to demystify hackers, Easterly added, and stop giving them portentous or glamorous names such as Fancy Bear or Scattered Spider. More appropriate titles would be "scrawny nuisance" or "weak weasel".

Equally, it is important to be clear about the real extent of their technical capabilities. Phraseology like "advanced persistent threat" obscured the fact that attackers are overwhelmingly exploiting the same categories of vulnerabilities that have plagued the industry for years. The People's Liberation Army is not relying on exotic cyber weapons, she said, but simply flaws in routers and other network devices to lay the ground for a full-scale attack in the event of war against Taiwan.

Moreover, Easterly said, this distracted attention from the victims. Too often the emphasis is wrongly on mistakes companies make. While user behavior could act as the start of an investigation, it shouldn't be the conclusion.

Rather, the real focus should be on the fact that the common factors uncovered by MITRE nearly 20 years ago (cross-site scripting, memory-unsafe coding, SQL injection, directory traversal) remain part and parcel of shipped software. "It's not jaw-dropping innovation. They were the golden oldies."

This is because software companies insisted customers bear all risk, and convinced government and regulators that this was acceptable.

AI offers a way to address this, she claimed, as it is far better at tracking and identifying flaws in code. And it would be possible to tackle the mountain of technical debt left by a rickety mess of overly patched, flawed infrastructure.

Easterly, who stepped down from her CISA role as Trump returned to the White House and later had a role at West Point rescinded, also backed the current administration's approach to AI regulation.

"I think the great news is the current administration is continuing to champion the idea of secure by design for software broadly." But, she said, the kicker was that the recently released White House AI Action Plan talks specifically about cybersecurity and the need for AI systems that are "created, designed, developed, tested and delivered with security as the top priority."

In a Q&A with Easterly, AuditBoard CISO Richard Marcus said the company found secure-by-design principles valuable for dealing with suppliers. But, he added, "we actually turn the mirror back on our internal teams too and say, this is what we're expecting in the marketplace, but let's make sure our products are also upholding the same design principles."

Asked by Marcus what was top of mind for next year, Easterly said the key to reducing software risk is demanding more from software vendors. "That's where the risk gets introduced, and that's where we have the power and the capability, through everything that you all do, to be able to drive down that risk in a very material way."