I have to beg a revision to this analysis of AI as a solution to the InfoSec industry skills shortage. Point of fact, the skills shortage in cybersecurity is no longer about a lack of bodies performing any of the automated data mining and intrusion detection functions AI is currently able to do, and may advance further in years to come, but actually about human beings with the right skillset to do what AI can never do. We are looking at human beings who can not only intelligently leverage "tools" like AI, pentesting toolkits like Kali Linux, and the myriad hacking/cracking soft and hardware tools out there, but also to think like and counter Black Hat human threats with similar skillsets.
The Canadian Security Intelligence Service published an insightful paper "2018 Security Outlook - Potential Risks and Threats". In this paper they acknowledge that the skills shortage in cybersecurity will continue to be unsolved. In fact, they predict such a growth in automated tools with decision-making and other AI attributes and there is an embedded warning in this outlook that we can not blindly trust everything these systems produce. We need human beings as hackers, as analysts, as overseers of the AI armies predicted for 2017-2018 or we will lose control of the cyberwars we are currently managing.
To sell current and predicted AI tech as a solution to the security skills shortage is to suggest the problem is something other than it is. And if we suggest that, when AI is improved and proliferated, there will be a mistaken sense of comfort among some in the industry, and especially among those who are not "in the know" that will actually do more to threaten InfoSec as an industry, and the actual safety and security of our systems, in that it will create a vulnerability in the widening of the security skills hole - the human factor.
We love our tools, we love AI and we love technology. It will never be a solution to the ever-growing shortage in qualified human hackers desperately needed to fill seats in InfoSec roles across the needy customer base. All new tech needs human monitoring and if the AI as anticipated here comes to pass, you will need yet another large body of human assets to make it successful.
Perhaps it's because I am involved in the security industry, but I struggled to find any substance or "thought-leadership" in this article. Your comment, on the other hand, was far more interesting and substantial—so thanks for that!
Having worked in tech for as long as I have, and being able to apply some of that human element of foresight based on "gut feeling" to what I read, I see a lot of the same sentiment echoed out there among the InfoSec talents who are in the trenches. I'm not the only one who sees the InfoSec talent shortage as being about people. Add more tools, add more people.
Please prove me wrong, but I fear that "AI security" means that if your behavior/usage pattern is different than anybody else's, you are automatically marked as suspect.
Yeah, this is something I've been thinking about more and more...
At what point will AI get "good enough" where the work to accommodate edge cases in human behavior is considered too expensive to implement?
Will it simply be more economically viable to expect those people to conform to the "standard" or else be selected out?
We already see this to some extent where so much energy for improving peoples lives and "changing the world" is built on the assumption that everyone has an Android/iOS smart phone with Wifi/4G/LTE data access and a Facebook/Google account.
Not only that, but attackers will learn to mimic behavior/usage as necessary to complete the task. Data analysis will continue to be a useful tool, but few firms understand 'AI' enough to properly employ it in the first place and I doubt there are any which are prepared for adversarial input and other attacks that go after their 'AI' as the first step in embeddding.
Yes, that, and also the exact opposite - we will use web browsers and voice agents that are aware of our sensitive data and can protect its accidental leakage. That means stopping me when I am about to divulge my email on a public forum like reddit or reply to that Nigerian prince.
People don't excel at protecting themselves, there is a huge need for a secure and private web browser, one that actively blocks tracking and information leakage. There is research into how to keep our data anonymous, we just need it packed into a nice web browser.
That's why AI should augment human endeavours rather than replace them.
If your behaviour is different you are by definition an anomaly, but there shouldn't be an immediate intellectual leap to "suspect" or any form of malice.
Anomalies are interesting, with most scientific discoveries coming from "that's odd..." moments,
I think AI should automate the laborious majority and leave us humans free to investigate the anomalies
9 comments
[ 4.8 ms ] story [ 286 ms ] threadThe Canadian Security Intelligence Service published an insightful paper "2018 Security Outlook - Potential Risks and Threats". In this paper they acknowledge that the skills shortage in cybersecurity will continue to be unsolved. In fact, they predict such a growth in automated tools with decision-making and other AI attributes and there is an embedded warning in this outlook that we can not blindly trust everything these systems produce. We need human beings as hackers, as analysts, as overseers of the AI armies predicted for 2017-2018 or we will lose control of the cyberwars we are currently managing.
To sell current and predicted AI tech as a solution to the security skills shortage is to suggest the problem is something other than it is. And if we suggest that, when AI is improved and proliferated, there will be a mistaken sense of comfort among some in the industry, and especially among those who are not "in the know" that will actually do more to threaten InfoSec as an industry, and the actual safety and security of our systems, in that it will create a vulnerability in the widening of the security skills hole - the human factor.
We love our tools, we love AI and we love technology. It will never be a solution to the ever-growing shortage in qualified human hackers desperately needed to fill seats in InfoSec roles across the needy customer base. All new tech needs human monitoring and if the AI as anticipated here comes to pass, you will need yet another large body of human assets to make it successful.
At what point will AI get "good enough" where the work to accommodate edge cases in human behavior is considered too expensive to implement?
Will it simply be more economically viable to expect those people to conform to the "standard" or else be selected out?
We already see this to some extent where so much energy for improving peoples lives and "changing the world" is built on the assumption that everyone has an Android/iOS smart phone with Wifi/4G/LTE data access and a Facebook/Google account.
People don't excel at protecting themselves, there is a huge need for a secure and private web browser, one that actively blocks tracking and information leakage. There is research into how to keep our data anonymous, we just need it packed into a nice web browser.
If your behaviour is different you are by definition an anomaly, but there shouldn't be an immediate intellectual leap to "suspect" or any form of malice.
Anomalies are interesting, with most scientific discoveries coming from "that's odd..." moments,
I think AI should automate the laborious majority and leave us humans free to investigate the anomalies