Defence is key to securing safe digital domains for all
Although Scotland's booming tech sector is set to contribute billions towards the economy and bring numerous societal benefits, the emergence of AI means cyber threats are growing in number and sophistication, discovers Anthony Harrington
SCOTLAND'S technology sector is forecast to contribute some £25 billion to the Scottish economy over the next six years. On top of this, the sector is integral to so much of the country's economy and underpins Scotland's financial services sector.
The tech sector is extremely broad but this introduction will focus on cyber security, an area that contains both tremendous opportunities and also some worrying dangers.
The growth of the digital economy has put the need for cyber resilience front and centre, which is all well and good, but the nature of the threat changes all the time.
Professor Bill Buchanan OBE, who leads Cybersecurity and Applied Cryptography research at Edinburgh
Napier University, warns that cyber security is a fast-moving field.
“If you take Scotland's banks and financial services organisations, and look at this as a contest between attackers and defenders, so far defence has a pretty good record,” he says.
The financial services sector has invested heavily in cyber security over the last decade or so. In so doing, it has created large numbers of well-paid, highly skilled jobs for Scottish graduates coming through departments such as Buchanan's.
“We have seen a 100 per cent success in getting cyber security graduates into graduate levels roles, with many going into the financial services sector. That is very pleasing. However, we are on the threshold of the emergence of new generations of Ai-driven ‘hack-bots' that pose dangers that the cyber security industry could struggle to defeat,” he comments.
He points out that for probably more than two decades now there have been publicly available hacking tools that could be downloaded at will. These tools gave rise to a generation of amateur hackers that were collectively known as ‘script kiddies'.
The script kiddies didn't need a vast amount of specialist coding knowledge. They simply used the available tools to try and crack passwords and systems, with varying degrees of success. Good cyber resilience management and controls generally saw off this kind of attack relatively easily.
If we fast forward a little, it is very easy to see even amateur cyber attackers being gifted with far more dangerous hacking tools.
Buchanan points out that AI hack-bots will benefit from natural language skills.
“We can expect these skills to be as advanced or more so than CHATGPT and the dozens of AI bots that have followed. So, whereas today, so many phishing emails emanating from criminals abroad are easily spotted through their grammatical mistakes and odd use of English, those mistakes just will not be there.”
Not only that, he points out that these AI hack-bots will probably be very specific in who they target, and will have a detailed profile of the potential victim or company.
“Organisations are often only as secure as their extended supply chains,” he points out. One way of hacking into an organisation's IT systems is by first compromising the systems of one of that organisation's suppliers. Any route that gives a bad actor access through an organisation's defences can leave it open to enormous loss or damage.
“We are not at all far from seeing these AI bots sending perfectly crafted, highly targeted emails, voice calls and or text messages, that are going to cause significant harm.”
Buchanan points out that once a smart Ai-driven system gains access to a corporate network, it will probably start looking through the systems to see what data it can gather.
It will have the ability to sift masses of data to determine what is valuable, and what additional vulnerabilities it can find or create across that corporation's ecosystem. While all this sounds disturbing, there is much companies can do to defend the integrity of their systems. This includes using multi-factor authentication that makes passwords obsolete and encrypting all the company's data.
“If the data is encrypted, even if the company's security is breached, the data simply looks like garbage and is valueless to the attacker,” he points out.
“There is no doubt that the cyber security industry is going to have to move up a couple of levels to combat the evolving threat. It is already obvious that attackers will have the power of AI at their fingertips, so we will all need to step up our game,” he concludes. ■