Caveat 11.20.25
Ep 286 | 11.20.25

AI arms race meets nation-state mayhem.

Transcript

Dave Bittner: Hello, everyone, and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner and joining me is my cohost Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.

Ben Yelin: Hello, Dave.

 

Dave Bittner: On today's show Ben and I are once again joined by Ethan Cook, editor of the "Caveat" newsletter. He's sharing his experience from attending the Ignite the Public Conference. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover please contact your attorney. All right. Ethan, welcome.

 

Ethan Cook: Hey, guys. How are you doing?

 

Dave Bittner: Doing well. Thanks. Doing well. So give us some setup here. Tell us about this conference that you attended. Who ran it and why it matters.

 

Ethan Cook: Yeah. So the conference was held at the end of October and it was hosted by Palo Alto Networks and it was called the Ignite the Public Sector Conference. And with this conference they were bringing in both industry tech people who provide, you know, various services as well as public sector people. The FBI was there for example. And it was talking about and the whole theme was about how do we prepare ourselves for this new reality that is somewhat already here as well as is coming in the next, you know, 5 to 10 years. And how can we best prepare ourselves, understand what the threat landscape is, and pivot to that threat landscape? There was a series of panels that covered a variety of different topics. All of them were very, very well put together.

 

Dave Bittner: Well, let's start with some of your work there. You interviewed one of the experts from Palo Alto Networks?

 

Ethan Cook: Yeah. So throughout this interview, you know, we were covering a variety of different topics, some of it being on, you know, what threat actors are doing it, some of it being on how the current U.S is functioning and how some changes are going on. I think, you know, from the interview there were two really great insights and the first was being how threat actors are currently operating. You know, we just talked about in our last deep dive how North Korea has, you know, evolved over the years, and how the IT worker scam has become one of its predominant tools. That was something that they echoed. I think another great focus or conversation point was how Russia has kind of been acting recently. Obviously they are still heavily focused on Ukraine. That's to be expected with their cyber groups. But there's been a notable down ticking at least from what they've been able to see at Palo Alto as they figure out where they stand with the Trump administration. And figure out, you know, kind of -- not necessarily a full on, you know, culling of, you know, complete end of everything, but more so on a let's calm the waters, let's have a even playing field, and I think that was particularly relevant in that early months of the Trump administration where they were trying to seek a peace deal between Ukraine and Russia. But, you know, that still is kind of a theme right now where they're focusing heavily on Ukraine and not so much on trying to mess things up in the U.S. Rather the people trying to do that they named was China who was very, very active. And they, you know -- they are very, very aggressive in how they've been targeting critical infrastructure.

 

Ben Yelin: Is this Russia thing, do you see it as some type of like temporary detente because at least it seems publicly like the Trump administration has feuded more with Russia recently. I mean there's been saber rattling about nuclear weapons. So do you think this is something, Russia's relative inactivity, relative to the past, that could last a while or do you get the impression that this is just very temporary?

 

Ethan Cook: I get the impression that it's a temporary aspect of "Let's see how hot the water is before we, you know, just start rattling things up." I think there was an element of "Let's see if we can get the peace deal done with Ukraine and if that means we have to calm things down." I mean we saw that on the U.S' side. I think there was an announcing that during those negotiations the secretary of defense Hegseth put a temporary pause on all Russian operations. So I think on both sides there was a calming of "Let cooler heads prevail for a little bit." I don't think that's something that's going to last, especially, you know, just given to your point how aggressive things are becoming again as well as, you know, now that the peace deal I think has kind of been any hopes of it have been quashed for the near future I think that that's kind of opened -- will likely open the door again to "Okay. Let's resume what we were doing a year ago."

 

Dave Bittner: Now forgive me, Ethan. Who was it that you spoke to from Palo Alto Networks?

 

Ethan Cook: Yeah. So I had the opportunity to sit down with Daniel Kroese, the VP of public policy and government affairs, and Pete Renals I believe it's pronounced, the director of their national security program at Unit 42, both at Palo Alto.

 

Dave Bittner: One of the things that caught my eye from your reporting on that was you talked a bit about CISA and where things stand with them.

 

Ethan Cook: Yeah. So obviously it's no secret that the current administration has a different approach to how they want CISA to operate. We've actually, you know, we talked about it on one of our deep dives about there's been a pulling back of CISA. You know, I asked them about what they feel about this and how that's going to impact states. You know, they were more optimistic about this change. I think there was an element of firsts that while there may have been some -- there may be some states that have or need some time to pivot, that states are significantly further along than where they were when CISA was created in terms of just general IT understanding, cyber understanding, and have this infrastructure. They cited North Dakota as being one of, you know, the stand outs of being able to in recent years of developing this program as well as states have been available to scale out their information sharing programs to actually cross state lines which, you know, we talk about typically being a federal role. And that states have been developing these kind of interesting coalitions to be able to better defend themselves especially when you have, you know, infrastructure that crosses multiple state lines. I also think there was a -- they phrased the pivot of CISA less so of a "Oh, we want to, you know, axe it," but rather a refocusing or maybe a doubling down on what the federal government they really want the CISA to act as. And that's the security agency for the federal government and act as a central cyber hygiene agency. And I think one thing that they noted was that right now within the federal government you have so many agencies all with their own structures for defense and that just is making things increasingly harder to organize, defend, you know stay on top of. And they want CISA to be a little bit more of a proactive manager in that role.

 

Dave Bittner: That's interesting. I wonder I suppose it's making lemonade out of lemons in my mind with the significant cuts we've seen at CISA. That would be the half full assessment. Ben, do you have any thoughts on that?

 

Ben Yelin: Yeah. I mean I was -- this is very timely because we got very temporary reauthorization. I know it's a different CISA, but they're all related. CISA 2015 which is kind of the cousin of CISA the agency was reauthorized through January now that we have a deal to end the government shut down.

 

Dave Bittner: Yeah.

 

Ben Yelin: So CISA as an entity and CISA the information sharing network are hanging on by a thread.

 

Dave Bittner: Yeah. All right. Well, there were some panels there at the event as well which you found interesting. Take us through that experience.

 

Ethan Cook: Yeah. So they had four panels throughout that I was able to attend, the first being on quantum, the second being all about zero trust, the third being about the AI arms race so to speak, and the last being a expert kind of a fireside chat. Let's start with the quantum one. I think that was one of -- my two favorites were the quantum and the AI arms race. So I'll start with quantum. I think, you know, the scale, you know, everyone jokes that, you know, quantum has been promised for 10 years for 20 years. Right?

 

Ben Yelin: It's 10 years away. It's just 10 years away.

 

Dave Bittner: It's like nuclear fission. It will be here in 20 years no matter when you ask.

 

Ethan Cook: Exactly. I think, you know, this feels a little different given the regulatory standards that are being mandated or, you know, expectations and timeline sun setting that are being kind of being put out by government agencies that are, you know, now kind of being put forward by NIST, etcetera, that we didn't really see previously. And I think that kind of puts forward this thing that, okay, maybe it's actually not 10 years away for the 15th time. It's, you know, maybe actually under like five to eight. And the expectation is that, you know, with quantum we're going to have this modern encryption that we know would today be absolutely shattered. Right? And we are going to have to currently upgrade our existing infrastructure to have better encryption that can actually or maybe I don't know if the technical word is encryption, but better security systems that can prevent quantum -- threat actors from using quantum to just break existing encrypted data.

 

Dave Bittner: Yeah.

 

Ben Yelin: So do you think we have a chance to win the quantum arms race?

 

Ethan Cook: I think so. So one of the most interesting things they put out was, you know, the global spending that has been being put in to quantum across the world at the moment. And right now we're at, you know, 57, almost 57, billion U.S dollars globally which is, you know, not the craziest amount when you compare it to let's say AI. Right? But I think it does say something that we're willing to put in, you know, globally over $50 billion in to something that is theoretically maybe 10 years away. And I think that that acceleration and that money is only going to continue to go up especially with how advanced AI's becoming. And I think that has been a key unlocking point that whoever will master AI and be able to harness that effectively will be poised to win the quantum computing race.

 

Ben Yelin: Do you think as opposed to AI like quantum is somewhat of a safer investment because there's less of a chance this is all going to end up being a bubble?

 

Ethan Cook: Yeah. I think --

 

Ben Yelin: Granted that's a hard question.

 

Ethan Cook: No. I think it's a good question though. I think, you know, we talk about a lot right now with AI bubble and it's you kind of every -- you know, every time anyone sells any AI stock as a major investor it's you see [inaudible 00:10:43] blank sold this, blank, you know, time to pop. I think it is a safer investment especially on the business side of buying quantum computing abilities or investing in that especially for agencies that or groups that are handling sensitive information. You know, it's kind of been talked around a lot that threat actors have been stealing and harvesting encrypted data that they know they cannot break now, but they know in 5 to 10 years that quantum will become more readily available and they can break it later. And, you know, things like PII and PHI will likely still be relevant. Maybe not as up to date per se, but it is still, you know, medical records aren't going to suddenly change over 10 years. Maybe new stuff is added, but if you had a medical treatment that went on to your history, you know, that's still going to be there. Or if you have an [inaudible 00:11:34].

 

Dave Bittner: Espionage.

 

Ethan Cook: Exactly. And so I think that that aspect of quantum is different from AI. Right? Like there is an element of AI right now where it's this, you know, the wild west of it could help you accelerate your business. It could. You could inadvertently destroy your own business because you misconfigure and it goes and does a bunch of stuff. Or threat actors expose you, etcetera. But on the quantum side I think it's more of a approach of organizations need to get ahead of this now because it is going to become a reality. And while it may not have the overnight impacts that were -- or transformational impacts that AI is having, it will have substantial impacts for your security.

 

Dave Bittner: Yeah. I mean we talk about this a lot over on the CyberWire that there's this push to be using what they call quantum ready encryption. So it's available already, encryption methods that they know are secure even against a quantum threat. So the push is for organizations that you have something that you know needs to be protected now and in to the future now's the time to look in to quantum ready encryption. Is that -- does that echo what they were talking about on the panel there, Ethan?

 

Ethan Cook: Yeah. I think there is this mindset that you need to get quantum ready encryption sooner rather than later and, you know, they mention that this is not something that you need to do tomorrow. Right? This is not something that is like, "Oh my god. We need it." Like everybody was trying to spin up AI right now. This is not something that if you do not get this done by tomorrow or within the year, you know, you're going to have a problem. It's more so this is something that's going to happen by the end of the decade slash somewhat in to next decade. If you aren't trying to figure out how to implement this now over the next year or two you are probably going to fall behind and not be prepared to actually effectively do it.

 

Dave Bittner: Interesting. Well, let's move on to zero trust. What was discussed there?

 

Ethan Cook: Yeah. So this zero trust was a -- you know, the panel was more of a use case for how the Indian Health Agency was able to implement a zero trust policy. And I think one of the great things that came out of this discussion was the value of not compromising the core mission. Right? And I think what I mean by that, and what the panel was discussing, was in cybersecurity we often like to think in this binary thing of you are either secure or you're not. Right? And the reality is that, one, you're always not secure fully. You're never going to fully protect yourself. And I think the other -- the other flip side of that is you -- if you're so secure that you no longer can operate as a business it doesn't matter. And, you know, the panel discussed how yes their job is to secure a hospital. Right? Or a hospital network in this case. But if they implement so many security measures that the hospital can't treat patients anymore because there's just too much in the way then it doesn't matter anymore because then the whole point of the hospital doesn't work. Right? The number one goal is protecting and securing patients from a health perspective and then also protecting them from a data perspective. And being able to balance those two while still making good changes, and at times changes that probably healthcare professionals are not going to like because it slows them down, are important, but it's not okay to absolutely debilitate them by making them jump through so many holes from a security perspective.

 

Dave Bittner: Yeah. You know, I've heard that story multiple times about how particularly in healthcare, right, the number one priority is patient care. And if you tell a doctor, let's say a surgeon, that this bit of cybersecurity is going to slow down their ability to provide care, critical care, the surgeon's going to say, "No. It's not." Right? And so it's an interesting kind of forced collaboration, necessary collaboration where you have a set of priorities. And to me it's a good reminder that the number one job of any organization is usually the business. Right? Not cybersecurity.

 

Ethan Cook: And I think, you know, another point that came from that panel was the value of getting over the perception that security will inhibit these business goals. Right? And that the best way to counter this mindset is through, you know, really effective communication and education not just with non cyber folk, but also within your cyber team. You know, I think letting them know that, hey, we're here to serve that purpose of this organization, whether that be healthcare, whether that be, you know, maybe law enforcement, whether that be in financial sector, etcetera. You know the job here is to serve the organization, not create the perfect system.

 

Dave Bittner: All right. Well, let's talk about the AI arms race then. You said this one was particularly interesting.

 

Ethan Cook: Yeah. So this one was fascinating. I really, really enjoyed this panel. I actually think it was my favorite panel out of all of them. The FBI was in attendance on this one and the whole conversation was surrounding how AI is being used to -- by threat actors. And how it is already beginning to significantly impact agencies and defense organizations and, you know, businesses around the world. And I think the most important thing that I came away with was previously before the advent of AI it - the rough estimation from when a threat actor was able to first infiltrate an organization to data exfiltration, that whole process, took roughly around nine days. And with AI that has now been accelerated to under 2 days with 1 in 5 attacks being done in under an hour. And that was very glaring.

 

Ben Yelin: So has kind of an equivalent progression happened on the defensive side or are the threat actors outrunning our ability to defend against them?

 

Ethan Cook: I think right now they're outrunning, and I think that that's because, you know, a theme that came up is -- and maybe not so much in private, but certainly in the public sector that the private sector is not burdened by a lot of the rules and regulations that the government is. Right? So they can adopt AI and implement these things. But there's still a cautious approach of, "Okay. Well, let's not introduce anything that's going to absolutely shatter our security system." Right? Test it. Thoroughly vet it. You know, make sure it's good. Let's be careful before we just buy the latest widget. And I think even on -- and then 10 times that for the government. Right? Because now you don't just have to do all that whole process. You've got to get approval. There's a whole bidding process. They have laws. You know, there's directives, policies, etcetera, that just extend that process while attackers they don't care. Right? They will launch their attacks. They don't care about regulations. They don't care about securing themselves. Exactly. So I think that the defense is certainly behind on -- than the offense.

 

Dave Bittner: And is this affecting the threat actors at all levels or is the -- are the high end actors, the nation state actors, are we seeing them being first to adopt these things? Or is it trickling down to those lower level actors as well?

 

Ethan Cook: I think the answer to that is yes. I think, you know, nation state actors are certainly using it. In the panel they specifically noted how the PRC, the People's Republic of China, is specifically investing very heavily in to these efforts. And already using them to exploit targets within the U.S. And that AI's allowing them to scale their operations significantly. And then this theme can also be applied to mid tier actors who are using AI, and I think this was very enlightening, to scale their operations to what would be traditionally considered nation state level capabilities.

 

Dave Bittner: We'll be right back. [ Music ] I know we've seen a lot of -- how do I say this? Improvement when it comes to things like phishing. Like AI has taken away the broken English. You know, it's just made it harder to detect. Is that -- did they cover that sort of thing as well?

 

Ethan Cook: Yeah. So that was an aspect. Phishing has certainly not only can we just make our phishing attempts better from -- in that aspect of, you know, removing the broken English. And not only can we launch more of them, but I think we can make them, you know -- threat actors are making them more personalized. Right? So if I know that I'm going to send a phishing email out let's say it's a general one, right, out to the financial sector, I can craft one that specifically feels like it's going after the financial sector in general. And then if you have a spear phishing attempt where you know very intimate information about someone, maybe, you know, their address or, you know, their routines, etcetera --

 

Ben Yelin: Their boss's name is a big one. Yeah.

 

Ethan Cook: Now I can create one that it sounds -- it's not just me attempting to guess how your boss communicates. If I have your emails I can upload them to AI, learn your communication patterns, and then churn that out as a very, very effective spear phishing.

 

Ben Yelin: Just when I thought I was getting good at identifying spear phishing attempts.

 

Ethan Cook: Yeah.

 

Ben Yelin: I mean my university does the testing that any good organization would do where they send us fake phishing emails to see if we can sus them out. And, you know, maybe with AI my 100% record will be broken.

 

Ethan Cook: I like that 100% record boast though. That's pretty good.

 

Ben Yelin: Yeah. No. That's a flex for me. That's a definite flex.

 

Ethan Cook: It's okay. I think I'm batting under 100 because a couple years ago, you know, I was clicking too fast and I was clicking through emails and I wasn't even trying to click on it. I just misclicked on it. I was like, "Oh. No." I knew this one. I knew it wasn't real. I just I was moving too quickly.

 

Dave Bittner: Yeah. I'm at 100% but for different technical reasons. I figured out -- we use testing services well and I figured out where they consistently send things from. So I can send to its own little folder.

 

Ben Yelin: You never have to check. Yeah.

 

Ethan Cook: Dave's spear phishing folder. Or just phishing I guess.

 

Dave Bittner: Fight fire with fire. Right? Like --

 

Ben Yelin: Yeah. Absolutely. Well that, I mean that kind of gets to the heart of this whole thing. Right? Is all right. AI is now getting better at drafting phishing emails. That means we have to adapt and use AI to get better at sussing out phishing emails. Exactly. Like it's just it is a true arms race.

 

Ethan Cook: Yeah. I thought one of the other interesting things that came away in terms of, you know, AI advancing was specifically on patching and the vulnerability that has emerged from patching culture. Right? We talk about now how, you know, the best thing we can do is patch our systems. Patch. Patch. Patch. Patch. Right? However the AI industry is allowing us to flip that patching culture on itself by automatically, you know, tracking CVEs when they're uploaded and finding them, creating an attack, and launching that attack before defenders can even know that the CVE has been published which I thought was particularly enlightening with how CVEs, you know, have been traditionally viewed as this secure, you know, great way to communicate and get information out. It's now being turned against itself.

 

Dave Bittner: Right. So the velocity has increased.

Ethan Cook: Yeah.

Dave Bittner: Yeah. So what was the bottom line from the FBI here? Did they have any recommendations for where we need to go?

 

Ethan Cook: Yeah. So I think that first thing they mentioned was this need for a, you know, I think the quote was "all of industry approach" when defending the U.S. Right? That and specifically they looked back at, you know, what are the most recent horrible attacks we've experienced which was Salt Typhoon. And obviously that did not affect just the U.S. That affected many other nations. But the FBI representative talked about how after Salt Typhoon became published you had a lot of companies come forward voluntarily to disclose that they were attacked. And obviously they were helped in the recovery process. So, you know, they got something in return. But that information they gave on how they were attacked allowed the FBI to find and discover other groups and other sectors that had been attacked as well as other nations and minimize the damage substantially. I think that was one of the biggest take aways. And then I think the second one was the value again with this AI arms race which is that, yes, attackers are going to exploit this. It is the nature of attackers. But the federal government, you know, they talked about -- the FBI representative talked about how, you know, they have the ability to punch back so to speak. Right? At actors. They can leverage many different ways to do so. Private industry doesn't necessarily have those capabilities or legal standing. Right? And --

 

Dave Bittner: Not yet.

 

Ethan Cook: Exactly.

 

Ben Yelin: True.

 

Ethan Cook: And they mentioned how there was a, you know -- one of the best things that they appreciate is how this -- and this has evolved more and more over the years which is private sector groups can, you know, gather intelligence and oftentimes analyze it in a way even if it's very similar intelligence to the way the federal government cannot because of legal rules, and then be able to provide, hey, we have a similar data set that we're seeing this pattern. You know, this emerging. And be able to use that as a central, you know, correlation device for law enforcement to go after a threat actor in ways that the federal government simply just can't because it's not allowed to.

 

Dave Bittner: So the different groups each have their own set of metaphorical handcuffs on them in terms of what they can do, but by sharing information with each other they can --

 

Ben Yelin: We will unshackle us all.

 

Ethan Cook: Exactly. Break the chains.

 

Dave Bittner: That's poetic, Ben. That's fascinating. Yeah. Yeah. Well, let's pivot then to the expert panel. What was covered there?

 

Ethan Cook: Yeah. So this was a panel of just various, you know, tech industry representatives. I believe AWS was on this panel, etcetera. And, you know, they were specifically looking at AI. You know, it's the hot fun topic, you know. This one was a little bit different because this wasn't about oh how are -- you know, how will threat actors be using it from a government perspective and how, you know, governments are defending, etcetera, and evolving. It's more so how can a business adapt. What can businesses do to better protect themselves? And I think one of the first things they mentioned was this emergence of shadow AI. You know, we've all heard of shadow IT. Shadow AI is the new thing. And the reality that is regardless of whether you like it or not your employees are going to be using AI. If you don't put it in, they will put it in. And the worst thing you can do is have an AI system that is in the network that you have no ability to be put on that potentially has so many vulnerabilities whether that -- and not even from threat actors compromising it. Let's say compliance issues. If you're sharing sensitive information with an AI system that's harvesting it. Right? Or, you know, you are potential data poisoning going on.

 

Ben Yelin: Or even taking somebody's intellectual property.

 

Ethan Cook: Exactly.

 

Ben Yelin: Yeah. Yeah.

 

Ethan Cook: And that being a huge blind spot for organizations right now and the value of getting ahead of AI and kind of just the acceptance that it is here whether you like it or not. Instead of trying to say, "Oh. We're not going to do it" or "We're going to, you know -- we're going to have a very limited system," embrace it. Figure out how to properly implement it and manage it. And ensure that you aren't being the one who is having a bunch of AI systems happening around behind your back. You have no idea what's going on. And someone who's just trying to be more efficient at their job is by accidentally compromising and, you know, maybe opening you up to a substantial compliance lawsuit.

 

Dave Bittner: So the notion here is your employees are going to use AI so you should have an AI available for them to use that you know complies with all of the regulations and so on and so forth that your organization has to comply with.

 

Ben Yelin: And I will credit my university for this. Not to make this about me as I always do. But yeah. I mean I think they recognized exactly what you're talking about and now they have an AI system that's walled. So you have to have university credentials to get in and they monitor it closely to make sure that it's complying with all the laws and regulations and that there are ways to protect sensitive information. And it seems like that's the future here.

 

Dave Bittner: Yeah. I mean it is irresistible. You know, it can be such a time saver for employees that I think to tell them that they can't use this, you know, would -- what is perceived as magical technology, I think that's just unrealistic.

 

Ben Yelin: Yeah. I mean it's like telling somebody, you know, 15 years ago, 20 years ago, that you can't use the internet. Like it's just yeah. And we're also in a period where you can tell the movers on this, like the people who are really taking advantage and the companies that are really taking advantage of this getting off the ground and improving their outputs and making products better than those who aren't. Like it's becoming more noticeable I think in every sector.

 

Dave Bittner: Yeah. What other things did they talk about, Ethan?

 

Ethan Cook: Yeah. I think they talked about the value that AI brings and, you know, kind of this embrace it mentality which is that it creates this single pane of glass so to speak. When you're looking at your cyber posture, right, you know, previously, and I'm sure we can all remember this, when, you know, a couple years ago where it was there were -- everyone had to have the latest doodad, the latest thing. You know, you had 40 different devices each doing a very different security thing. And while that was really great to have, you know, the hot new thing, it also led to a lot of overhead management, a lot of, you know, having to introduce new risk. And having a single system, you know, obviously yes it creates a single point of failure that is concerning, but having that as a -- being able to consolidate down maybe not in to a single one device, but in to a very small select few that can be able to manage and monitor and actively respond or inform the security team when to respond efficiently with it and correlate data like it's never been able to do before we'll be able to significantly reduce risk for organizations. And attackers are going to be using AI to focus and become more targeted with their attacks. Having an AI system to, you know, what we talked about in defense enables us to do the counter and focus your organization and focus your defensive posture in to a single view or in to a much narrower view will enable you to respond more effectively when incidents are going to happen.

 

Dave Bittner: Yeah. I mean I've heard that point of view over and over again from folks these days to basically let the AI do the things that an AI is really good at sorting through mountains of data, but still have the humans do the things that humans are good at which is things like intuition. You know, some -- this just doesn't feel right. And also you need the humans to double check the AI because, as we all know, AIs, large language models, make tons of mistakes.

 

Ethan Cook: It's never had one hallucination. I've never heard of anything. I'm blowing your mind. And I think, you know, very, very, very fair point. I think, you know, that aspect of having that balance is really important. And understanding that, you know, as with anything, when, you know, the new tech comes out it is there is no perfect solution. You know, I think I always, you know, go back to this belief that we've had crime for 1,000 years plus, 2,000 years plus. Right? Crime's always going to be a thing. We're never getting rid of it. Right?

 

Ben Yelin: Human nature. Yeah.

 

Ethan Cook: Exactly. So there -- if we had the perfect security solution we would have implemented it already. Right? There is no perfect security solution. There -- it's inevitable. Rather than trying to, you know, have this approach that "I'm never going to have a -- you know, I'm going to have this perfect system" rather it's about acknowledging a system's flaws, being able to use other systems to account for it, and I think the value of AI is understanding that it enables you to close more flaws than we've been able to do previously whereas previously in order to minimize, you know, a lot of areas we've had to have so many different security methods. Right? You know whether that be for log analysis, for data correlation, for data gathering. And with AI we can put that together a lot more efficiently than before and that will enable us as a security team to focus our efforts more efficiently and respond faster and, you know, potentially counter things faster than ever before.

 

Dave Bittner: I'm curious kind of to -- as we wind up our conversation here today suppose AI is a bubble. Let's just imagine that. And it's a bubble that's going to burst.

 

Ben Yelin: Bubbles burst? That's news to me, Dave.

 

Ethan Cook: I've heard that happen, but no way.

 

Dave Bittner: Yeah. Those of us who lived through the dot-com era they do. And I guess where I'm -- what I'm getting at is right now we have access to these AI systems that is almost free. You know, $20 a month for ChatGPT. I consider that to be almost free. But how long can that go on? And what happens when you have to pay the AI companies what it actually costs to do the things that we've all now grown accustomed to the AI systems doing? Like how does that shake out? I'm curious. You know, Ben, why don't we start with you? What sort of -- as you ponder that, where do you think that might take us?

 

Ben Yelin: I just hope we get to a point where there's like well-considered adoption of AI sector by sector with appropriate guardrails coming from government officials. And I think we can get there. There are efforts afoot, especially at the state level, to regulate the disturbing uses of AI. The latest issue seems to be the chatbot problem. And trying to correct those problems without destroying the entire industry. So I think I think it's something that's doable. And I've become more of an I guess more of an AI optimist recently even despite the fact that I still think the bubble might burst. I guess I've had a couple very good use cases of it in my own life and it's reminded me of AI's promise and that we all have a stake in it working and improving our lives.

 

Dave Bittner: What do you think, Ethan? Coming away from this conference was there optimism?

 

Ethan Cook: I think there certainly was optimism. I think there's this kind of mindset which is the most optimism will come by being proactive. Waiting for it to happen, waiting to see how this tech's going to play out and just kind of staying on the back rows is going to open you up to compliance issues whether that be from a quantum issue, not adapting fast enough, or whether that be from an AI issue, you know, because your employees are going to be using it or just straight vulnerabilities because you're just not secure with the modern tech that attackers will inevitably be using. I think, you know, regarding the AI bubble I think one for sure there is a bubble. I -- you know, there is. I think there is some rightful concerns that there, you know -- there's a little too much faith put into it right now that it's this magic pill that's going to fix everything. And I, you know -- I don't think that's true. But I think there is to Ben's point that AI does hold a promise and there's a promise there for a reason. I think the interesting things that I think, you know, right now, as you mentioned, AI's free for the most part. There's some subscriptions. I will be very curious to see how the for-profit switch for OpenAI impacts this. You know, they still have a nonprofit on that that technically oversees the for-profit arm, but --

 

Ben Yelin: The for-profit one is just going to become too good.

 

Ethan Cook: Yeah. That's I think there is some real concerns about the impacts that that's going to have long term on AI not from a feature standpoint, but just from a how does that impact the market, how does it impact AI's use like across the board? You know, now we're talking for-profit. Is that going to be charged? How does that change things? And I don't think that's fully materialized yet and I don't think it's going to materialize for, you know, several months, but I think that's going to be a pretty big shake-up especially if other, you know, previous nonprofits try to make that switch. And I think the other aspect that I'm very curious to see how this plays out is, you know, right now we have so many AI startups. You have I think it's, you know -- feels like every week there are 40 new ones launched. Right? You know.

 

Dave Bittner: Oh yeah. I mean if you're in cybersecurity and you're a startup you have to have a page on your pitch deck that is all about how you're using AI.

 

Ethan Cook: Exactly. And some of these promises are astronomically wild. You know, about what AI's going to do and how they're going to fix everything. And inevitably some of those will fail. Some of them are proof of concepts, etcetera. And I think, you know, we had the tech, you know -- tech bubble, mini bubble, pop a couple years ago where, you know, suddenly a lot of, you know, funding gets pulled. A lot of, you know -- there's a cooling down on tech and everything that can happen with it. And I would imagine that that will be a similar play out where that's going to happen. And I'm more curious less about -- I think it's going to happen, but I'm more curious about who survives it and why they survive it and what the market looks like after that because I'm fairly confident places like OpenAI and Anthropic like these places are mammoths. They're never going to go away. Right? They're too big at this point. But the smaller ones, the startups, the small scale companies under 500 people, what do they look like after that pop? And --

 

Ben Yelin: And that was the dot -- sorry.

 

Ethan Cook: Yeah. No. No.

 

Ben Yelin: That was the dot-com bust. It was like the big companies survived and the small companies got completely wiped out. As did people's investments.

 

Dave Bittner: Right. Right. Or absorbed. Yeah. All right. Well, interesting stuff. And, Ethan, thank you for joining us and sharing your insights here. Again Ethan Cook is editor of the "Caveat" newsletter. If you are not yet subscribed to that please do so. It is good stuff published on a regular interval so you can find out all about that on our website, thecyberwire.com. And of course our thanks to the folks at Palo Alto Networks for inviting Ethan to the Ignite the Public Sector Conference. We do appreciate being included in that. [ Music ] And that is "Caveat" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Ben Yelin: I'm Ben Yelin.

 

Ethan Cook: And I'm Ethan Cook.

 

Dave Bittner: Thanks for listening. [ Music ]