Artificial intelligence is one of the most influential forces in information technology. It can help drive cars, fly unmanned aircraft and protect networks. But artificial intelligence also can be a dark force, one that adversaries use to learn new ways to hack systems, shut down networks and deny access to crucial information.
The challenge is to prepare for a future where autonomous cyber attacks powered by artificial intelligence (AI) will threaten cyberspace and could endanger human life. This prospect is so significant the Japanese cabinet secretariat tasked with developing the country’s national cybersecurity initiatives has created a research and development focus group to craft plans to counter cybersecurity threats, including those designed with AI.
One reason Japan’s National Center for Incident readiness and Strategy for Cybersecurity (NISC) is preparing for such mind-bending, cyber-menacing possibilities is that it will host momentous events in the near future. The country will be the site of the Rugby World Cup in 2019, and just one year later the Summer Olympics. Hosting world-class events such as these shines the spotlight on Japan in many positive ways; however, it also makes them a prime target for cyber attacks.
The center’s primary mission is to develop the nation’s public and governmental cybersecurity policy. It also establishes the standards and operating policies for government and private entities as well as forensic and incident response protocols. In addition, the NISC promotes critical information infrastructure protection. While the NISC makes policy recommendations based on ongoing research, it does not create or impose regulations.
Traditionally, the definition of critical information has been limited to specific government branches, defense forces and certain infrastructure. But the introduction of artificial intelligence into the equation changes the scope of that definition. AI software can provide powerful solutions for autonomously managing critical systems that can create defenses and reprisals against would-be attackers at lightning speed.
However, the converse also is true. Cyber attacks powered by artificial intelligence could be immensely potent and far-reaching. For example, the technology in AI-based autonomous cars could be exploited to cause accidents deliberately or deliver dangerous substances or devices.
NISC Deputy Director Ikuo Misumi, who has been working at the governmental level in cybersecurity for more than a decade, says artificial intelligence is his primary cybersecurity concern today.
Unlike software, AI learns from each experience, improving its strategy, tailoring a nearly irresistible lure for each victim. AI cyber weapons can recruit resources, creating a cyber force that doesn’t sleep and never gets sick or injured. It is arguably the most unrelenting force on the planet, Misumi relates.
Countering these kinds of emerging threats is an ongoing process. The NISC works directly with the private sector on a daily basis, and timely incident reporting to the center is critical to addressing vulnerabilities and, when necessary, notifying the organizations that may be affected.
Misumi understands that industry may be reluctant to share cyber incident information with the Japanese government because of possible regulatory reprisals, public embarrassment or competitor exploitation. However, the center assures companies that data regarding cybersecurity incidents is handled with care. Anonymization or sanitization removes information that could identify specific companies and protects the personal information of individuals.
The introduction of AI to the cybersecurity realm makes reporting cyber attacks all the more important. The deputy director considers the threat from AI-based attacks so significant that he created a research and development cybersecurity strategy focus group to develop initiatives and policies to address cybersecurity threats, including those that originate through AI. The challenge is to prepare for a future where AI-powered cyber attacks will autonomously threaten cyberspace, he says.
Although AI-driven cyber weapons sound like science fiction, they have already been deployed with shocking effectiveness. For example, the SNAP_R Twitter phishing tool is an AI-powered social media algorithm that lures its victims into revealing personal information. When pitted against a human phishing competitor, SNAP_R was nearly seven times faster and lured five times as many victims into sharing their personal information than the human phisher.
AI cyber weapons represent a significant threat to many countries, including Japan. Education and diligence is paramount especially in terms of private sector solutions in software, hardware, implementation and consulting. The number of cybersecurity attacks is on the rise and can be carried out on critical infrastructure, public systems or personal use devices.
Building public awareness about cybersecurity and cyber hygiene in Japan is one of the NISC’s main missions. Because the younger generation in Japan represents the majority of Internet users, one tactic the NISC created is the “Be Vigilant” anime campaign. In March 2017, the NISC held a two-day cybersecurity awareness event in Tokyo’s Akihabara neighborhood as part of the campaign. More than 10,000 young people attended the event.
In addition to raising awareness, the center hopes these approaches will attract the next generation to explore a career in cybersecurity at the NISC.
To address the cyber challenges Tokyo will face while hosting the Summer Olympics in 2020, the NISC cybersecurity standards and operations developed are already being carried out. The center is responsible for assessing the infrastructure that supports the games; the Tokyo Organizing Committee of the Olympic and Paralympic Games will protect systems that directly impact the outcomes of the games, such as time measurement and ticketing systems.
The NISC is working closely with the committee to safely secure the organization of the games. The center just completed a second round of the Plan-Do-Check-Act risk management cycle. It will carryout the cycle six times before the games begin.
A risk management cycle has been created for the infrastructure of each venue. For example, each location is equipped with three power sources. Two of the power sources, one of which operates as the main power source, are external and independent. In case these two power sources fail, each venue has a battery back-up generator to provide on-site power.
In the future, Misumi says the NISC will need to work more extensively with external partners to meet its missions of continuing to develop policy for public and governmental cybersecurity, forensic and incident response, and protecting critical information.
Japan prepares for the latest weapons on the digital battleground
Written by [our very own VP, Plans & Programs] Jonathan Hobbs Ph.D.