All companies have digital transformation among their main strategic initiatives and at the top of their priorities - justifiably. Digitizing all the analog information and digitalizing current processes is no small feat, and it has proven to provide substantial tangible benefits, like the ability to access data across organizations faster and cheaper than ever before and to measure and monitor all operations, sometimes even in real time.
But looking at the scale of fraud and cybercrime, it's hard not to see that the same thing that provides many tangible benefits to an organization simultaneously opens new attack vectors for people with nefarious intentions. Information in digital form can be accessed or moved/stolen in volumes no one could manage with its physical form. Such data can be sold to the highest bidder and, in worst-case scenarios, its loss could even lead to bankruptcy.
All people exposed to fraud and cybercrime or those who "handle" them across diverse organizations understand that digital technology is a huge fraud enabler, whereas the countering technology to eliminate the current fraud and cybercrime trends is just trying to catch up and provides only partial mitigation capabilities. Moreover, terms like democratization in technology areas mean that more and more non-technical people or even a layperson can use the technology without the need for extensive training or appropriate education.
It is similar in education. Here we formally still follow the same conventional paradigm - passing through grades with a standardized curriculum - while in the digital space, this concept is quickly becoming obsolete. Knowledge is no longer restricted to those attending schools. It is available, and most of it is free. And similarly, as in the paragraphs above - while it provides many benefits (in providing education to children and people in general, especially in areas where the given knowledge wouldn't otherwise be available), we can't ignore the negative aspects that come with it hand in hand. Knowledge always was, is, and will be power. And not always the power to do good.
Very few (myself included) believed that AI could easily step into the domain of art and creative professions, as they require "human creativity," which can't be easily translated into algorithms, and yet one of the first instances of AI we saw in this area was the set of use cases linked to images and graphics. Web-based AI tools that would erase unwanted parts of a picture, upscale low-quality photos of your grandparents, or even expand/outpaint a picture or create a seamless transition between two different images were just the early applications. Today you can ask the algorithm to generate an image based on your descriptive text input in a desired graphical style and combine it with your own pictures or photos (like the one at the top of this article - a hand with six fingers - created by Midjourney AI).
A few weeks back, we saw the world-changing (at least judging by the media attention and the hype on social networks) event of the release of ChatGPT. And even when understanding its practical boundaries, which stem from the underlying technology, it is obvious that it will reshape many industries.
You might be asking - how does this relate to fraud and cybercrime? I believe the digital transformation and democratization of tools, technology, and knowledge will follow the same pattern as described above. AI assistants will be integrated into our various tools, like email clients, time management apps, MS Teams, etc. New specialized assistants will be created for specific use cases like healthcare, finance, and many others. Within a few weeks, we have seen adoption and modifications to scale down or optimize ChatGPT-like assistants to fit into the memory of a standard PC or even wearables and IoT devices.
We might already have had a feeling before that the advancements were coming too fast and that we had difficulty keeping up with all the changes. These last few weeks have been a precursor to what is yet to come. I'm sure most people are already looking forward to this future - a future where knowledge couldn't be any closer to any individual. Some will immediately explore how this new future can be exploited to their benefit.
Imagine an AI integrated into a cyber-security platform with complete oversight of what is happening (SIEM, IDS, EDR, EDX, and others). An assistant you can task with consolidating the available data and generating a report of incidents and their resolution. An assistant who can notify you of new vulnerabilities and their impact on your organization. I'm sure you have many more applications in mind, but have you thought about the possibility that such an assistant can be asked what the best way to breach the current security perimeter would be, which attack vector would be least visible, or which way to exfiltrate sensitive data, knowing your internal IT landscape, IT assets, and deployed technology? Or which user in the finance department failed the most phishing tests or generated the most antivirus alerts?
Imagine an assistant who can optimize the company's logistics and operations based on current inventory data and usage/expenditure of components, parts, and raw materials in production along with the production plan. And now, imagine someone asking the same assistant how to perform the most efficient supply chain attack.
And finally, imagine having an assistant trained on the best-performing companies' data to support the critical decisions of top-level managers. We don't even have to look to the future: since last August, there has already been an AI-based CEO - Mrs. Tang Yu.
The above examples might make you think that not adopting the technology internally might mitigate the risk sufficiently - at least in these early days. But it doesn't end there.
Imagine that there are groups (independent APT groups or even state-sponsored ones) that can train a cyber-specific model. Such a model can focus on collecting and consolidating information from publicly available sources (OSINT). How authentic will a new spear-phishing email look when the model generates it based on the social network profiles of the head of the finance department? How authentic will it look when the model considers public information and partnership announcements to write a Business Email Compromise email, leveraging a database of leaked mail credentials or mobile numbers?
How efficient would such an assistant be in advising hackers on the best possible targets for spear phishing, or even on the shortest path to exploitation, considering all the publicly available information about the organization - the technologies in use and their associated known vulnerabilities?
As Stan Lee wrote in 1962 in the Spider-Man comics, through the character of Uncle Ben - "With great power comes great responsibility."
There will be many challenges and risks with this new technology and its adoption into various aspects of business and our lives. There will be voices against its wide adoption without a proper risk assessment (as is already happening), but, as Bloomberg states - it might be too late now, as the technology is out there. Governments, companies, and academics will further formulate the guiding principles to mitigate the abuse of this technology. However, fraudsters and cyber criminals will get their hands on it and exploit it without any hesitation or moral limits. Immediately.
For us - the people fighting against these criminals - the task is to prepare ourselves, primarily through self-education and upskilling, to ensure our capabilities and prowess are on par with theirs, if not above.