I have had several clients, friends, and family ask me about artificial intelligence, generative AI, and AI-based cybersecurity over the last several months. This topic seems to be popping up everywhere. In preparation for several client meetings, and as I prepare to speak at a banking conference later this spring on this subject, I have taken the time to prepare the following outline / narrative on the subject of AI, AI types, AI and IT Security, and AI and financial institutions. This post is only a start, but it presents a decent overview of the subject as we continue to navigate these new and ever-changing waters.
Artificial intelligence (AI) is the theory and development of computer systems able to perform tasks that normally require human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.
Over the past 18 months, the I.T. industry has experienced a fundamental change in focus due to the explosive growth of generative AI technologies and the questions and concerns that come along with this evolution in artificial intelligence. Prior to November 30, 2022, artificial intelligence was largely viewed as a future technology, with current iterations limited to basic personal assistants like Apple’s Siri or Amazon’s Alexa or novel chess-playing super computers like IBM’s Deep Blue. AI was the future, but then we all met OpenAI’s ChatGPT. ChatGPT’s ability to learn and adapt and generate human equivalent (or better) content in mere seconds with the click of a mouse has turned the IT industry upside down and has left everyone scrambling to react, adapt, and join the new AI revolution.
Fast forward to today and every significant application, tool, website, and technology company has a feature or component that is “AI powered”. Some of these new offerings are simply rebranded existing tools or features leveraging basic machine learning functions or other established AI-like mechanisms, while others are based on new, more powerful generative AI models and resources that have the potential to bring significant change. And for every legitimate corporation attempting to join this AI revolution there is a malicious resource on the Dark Web attempting to leverage these new technologies for selfish and evil goals. It is between these two factions – legitimate business resources versus malicious Dark Web hackers – that most of the world finds itself, trying to make smart decisions on what AI-based technologies to adopt and how to defend against these new and ever more advanced AI-based cyber threats.
In order to successfully navigate this ever-changing new world of artificial intelligence, it is important define some fundamental concepts in AI and build an understanding of from where this technology came and where it is heading.
Fundamental Types of AI
Reactive Machines
Reactive Machines are basic AI systems that operate on a predefined data set and execute specific tasks without gaining knowledge from past experiences. While useful in certain applications, reactive machines have limitations. They don’t allow for learning or adaptation; they can only recognize and respond to a certain, defined amount of data. Therefore, their functionality is limited in comparison to those AI technologies that can learn and improve. Moreover, reactive machines are unable to build upon previous knowledge, limiting the ability to perform complex tasks through adaptation. Examples include:
IBM Big Blue as a chess master
Basic email spam filters
Ad recommendations based on your search history
Movie recommendations on Netflix based on your viewing history
Limited Memory AI
Limited Memory AI systems, as the name suggests, utilize past data to make informed decisions and enhance their performance over time. This type of AI technology evolves over time as it is taught through the introduction of more data, making it more advanced than reactive machines. Examples include:
Certain website chatbots
Virtual assistants like Apple’s Siri or Amazon’s Alexa
Other natural language processing technologies
Theory of Mind AI
Theory of Mind AI is an advanced category of AI systems that focus on comprehending and interpreting the human mind, including emotions, beliefs, and intentions. These systems are designed to understand, remember, and adjust to the needs of other intelligent entities with the goal of enabling these AI systems to better understand and interact with humans and other agents. These systems are also typically tied to large language models and ever-growing data sets. This is the AI home of generative AI and related technologies. Examples include:
OpenAI ChatGPT
Google Bard and Google Gemini
Self-Aware or Super-intelligent AI
Super AI, or Artificial Superintelligence (ASI), is the theoretical level of AI wherein its capabilities exceed that of human intelligence, and it attains self-awareness. These hypothetical AI systems possess the potential to become the most proficient form of intelligence on the planet, outstripping human intelligence and being markedly better at all tasks we undertake. Examples include:
Terminator’s Skynet
2001’s HAL
(kidding of course – or am I?)
Other AI Related Applications and Terms
Natural Language Processing (NLP)
Natural language processing is an interdisciplinary subfield of computer science and information retrieval – a subset of AI. It is primarily concerned with giving computers the ability to support and manipulate human language. This technology falls under the Limited Memory AI model. Examples of this technology include:
Apple’s Siri
Google Assistant
Phone system interactive voice response solutions
Computer Vision
Computer Vision is an AI system that enables machines to interpret and analyze visual information from the world, such as images and videos. It utilizes pattern recognition algorithms to educate computers to interpret and comprehend the visual world, analogous to how the human brain comprehends visual information. Examples of this technology in production include:
Facial recognition systems
Object detection and tracking in video surveillance
Autonomous / self-driving vehicles
Machine Learning
Machine learning is a field of software engineering that analyzes data to find patterns, then uses those patterns to assist humans in decision-making based on enormous volumes of similar new and existing data. In essence, machine learning algorithms look at past decisions or cause-and-effect patterns and then seek to predictively replicate those same decisions to assist users or businesses. This technology falls under the AI category of Reactive Machines.
Artificial Intelligence and IT Security
The field of IT security has been working diligently for many years to take advantage of the algorithms and data analytical advantages presented by artificial intelligence to strengthen cybersecurity defenses and become more proactive in terms of threat detection and remediation. Unfortunately, the world of cyber criminals and Dark Web hackers have been equally diligent in researching and developing new attack vectors and social engineering schemes that can take advantage of the processing power and automation AI presents. The battle lines have been drawn and continue to get redrawn as advances in AI change the battlefield landscape in modern cyber warfare. The following are some Pros and Cons to take into consideration.
Pros – The Good Guys and How AI makes the World a Safer Place:
Threat detection through data analysis and pattern recognition
Automated alerting and remediation
Fraud detection through content review and analytics
Intelligent automated network scanning and vulnerability detection
Lowering the bar to entry into the world of cybersecurity through easier code development and tools management
Interesting ways these technologies have been implemented:
Bomb detection through visual pattern detection, environmental changes, and other mass data analysis.
Disease research and detection through mass data analytics and predictive algorithms.
Military reconnaissance through automated drones and other camera enabled resources.
Lie detection through active mind reading.
Cons – The Bad Guys and How AI can make the World a Scary Place:
Video and audio deep fakes / human impersonation
Advanced and automated social engineering attacks
Malware automated code generation and adaptation
Intelligent automated network scanning and vulnerability detection
Language assimilation and impersonation
Data poisoning
Synthetic identity generation and management
Lowering the bar to entry into the world of cybercrime through easier code development and tools management
Cyber criminals are also directly attacking artificial intelligence environments and tools using several creative attack vectors including:
Data poisoning – injecting false or manipulative data into the AI knowledge base to alter outcomes.
Data leakage analysis – collecting leaked data from an AI model and analyzing to determine intent and function.
Detection evasion through AI model corruption – Feeding corrupt inputs to an AI model to generate opportunities to evade detection and remediation.
AI model extraction and replication – Due to the relatively low cost of hardware and compute resources, some criminals are stealing and extracting AI models, building their own platforms, and analyzing outputs to gleam new information and generate advantages.
Specific Guidance to Financial Institutions Regarding Artificial Intelligence
The U.S. Department of the Treasury has released a guidance document to help financial institutions navigate AI-related cybersecurity risk – Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector. This document is quite informative and provides guidance in several different areas. The following is an outline of its key points.
AI Risk Management and Developing an AI Risk Management Framework – Artificial intelligence should be integrated into and evaluated as a standard component of every organization’s risk management process. Financial institutions should develop and/or adopt an AI risk management framework to track and evaluate all organizational AI tools and systems as well as all external AI-based risks to the financial institution.
Evolution of the Chief Data Officer and Organizational Data Mapping – Every organization should assign resources to map and manage data throughout the institution. Data should be properly identified, categorized, and tracked by system and by authorized user. Data flows should be established and maintained to ensure the receipt and transmission of data is properly managed and secured.
Vendor Management and AI – The management and use of AI-related technologies and systems by or through vendors should be a component of the overall enterprise vendor management process. Like risk management, vendor management should incorporate AI as a factor when considering and evaluating new and existing vendors.
Integration of Appropriate AI into the Institution’s Cybersecurity Framework – Every organization should be proactively evaluating and implementing appropriate, well-vetted AI-based or augmented security tools and controls into the overall cybersecurity technology stack. These new tools and resources will allow financial institutions to respond to and mitigate threats quicker and more effectively, especially in situations in which the cyber criminals are bringing AI-based resources to bear in their attacks.
Tiered Multifactor Authentication – Multifactor authentication (MFA) remains one of the most effective controls against credential compromises and other related attack vectors. As AI-based social engineering attacks continue to evolve and get stronger and more effective, MFA will be a vital control in defending against credential compromises, user impersonation, and user account theft.
To supplement this timely and appropriate advice by the U.S. Department of the Treasury, all organizations have access to the newly revised NIST AI Risk Management Framework. This is an excellent guidebook to the development and implementation of a sound AI-integrated risk management process. It can also be a strong source when revising existing policies and procedures. It is based on the industry standard risk management principles of Govern | Map | Measure | Manage.
*Disclaimer – all of the content in this narrative was human generated and not the product of a generative AI tool or resource.