Uplifted Attackers, Human Defenders: The Cyber Offense-Defense Balance for Trailing-Edge Organizations

Uplifted Attackers, Human Defenders: The Cyber Offense-Defense Balance for Trailing-Edge Organizations

 
 
 Benjamin Murphy Twm Stone
 Harvard Law SchoolIndependent 
 
 
 Abstract

 Advances in artificial intelligence are widely understood to have implications for cybersecurity. Articles have emphasized the effect of AI on the cyber offense-defense balance, and credible commentators can be found arguing either that cyber will privilege attackers or defenders. For defenders, arguments are often made that AI will enable solutions like formal verification of all software—and for some well-equipped companies, this may be true. This conversation, however, does not match the reality for most companies. “Trailing-edge organizations,” as we term them, rely heavily on legacy software, poorly staff security roles, and struggle to implement best practices like rapid deployment of security patches. These decisions may be the result of corporate inertia, but may also be the result of a seemingly-rational calculation that attackers may not bother targeting a firm due to lack of economic incentives, and as a result, underinvestment in defense will not be punished.

 This approach to security may have been sufficient prior to the development of AI systems, but it is unlikely to remain viable in the near future. We argue that continuing improvements in AI’s capabilities poses additional risks on two fronts: First, increased usage of AI will alter the economics of the marginal cyberattack and expose these trailing-edge organizations to more attackers, more frequently. Second, AI’s advances will enable attackers to develop exploits and launch attacks earlier than they can today—meaning that it is insufficient for these companies to attain parity with today’s leading defenders, but must instead aim for faster remediation timelines and more resilient software.

 Trailing-edge organizations exist in a grim reality. Their minimal investment in cybersecurity has been premised on an assumption that attackers are insufficiently incentivized to target them. AI’s effects on the economics and technical capacity of cyberattacks will expose these organizations to substantially heightened risk. This may spur additional investment in defense, but likely only after these organizations are subject to substantial damages. Our analysis points to a substantial degree of exposure across the economy, with only limited mitigating factors arising from AI’s improvements to cyberdefense. The situation today portends a dramatically increased number of attacks in the near future, a reality which has not been captured by the existing discussion of AI-enabled cyber risks. Moving forward, we offer a range of solutions for both individual organizations and governments designed to improve the defensive posture of firms which lag behind their peers today.

 Keywords  artificial intelligence   ⋅ \cdot 
cybersecurity   ⋅ \cdot 
cyber readiness

 
 
 
 
 1 Introduction

 
 
 1.1 AI’s Impact on Cyber

... (truncated, 98 KB total)