It’s ‘AI on steroids’, and there’s no master plan to defend against it – Thomas Hammel, CISO, Allianz USA

Thomas Hammel

Try as one might, no organisation can guarantee 100 per cent security. But most are firmly intent on at least closing the gap that their cyber enemies can exploit.

Thomas Hammel, Allianz USA’s Chief Information Security Officer (CISO), fears this gap could be crowbarred open with the combined forces of two fast-emerging technologies.

Drawing on more than 35 years’ experience in IT security, governance, infrastructure and architecture (spanning an array of tech-forward organisations including IBM, the European Space Agency and Eumetsat), Hammel recently spoke with us about the key components of a healthy cyber culture, the rapid evolution of social engineering schemes and the (hopeful) resistance against ‘deepfake’ technologies, and why we must act now to stand any chance against the quantum threat.


FST Media: It’s often said that culture eats strategy for lunch, and this is no less true in the dynamic world of cyber defence. So, how can global financial services organisations build more cyber-resilient cultures?

Hammel: Leadership commitment is a key component of resiliency. Without this commitment, this concept will die on the vine, as this not only requires solid financial backing but also a strong CISO commitment.

There are many components to this that encompass several disciplines. Policies are the backbone of this culture. Define your policies, operationalise, and communicate them, and consistently review and update them with the current threat landscape in mind.

Situational awareness is also key. Encourage a culture of collaboration, information sharing, and reporting of security concerns or incidents within the organisation; employees should feel comfortable reporting potential threats. Security must be flexible to adapt to the fast pace of the ever-changing threat landscape. Adapt your policies to protect against current risks, adjust your tool set to fit what is relevant today, and avoid spending on legacy threats that have tapered off by transitioning to relevant threat protection solutions (as they say, out with the old, in with the new).

Some leaders fixate on older threats. Although they may be proved right, it’s critical to assess the risk, establish likelihood, and make a decision. This would certainly improve your overall resilience and target financial support where needed.

Additionally, maintaining a strong governance, risk and compliance (GRC) program is a key component of this as well. GRC is critical to ensuring your organisation maintains its resilience as well as continually improves its security posture.

FST Media: GRC goals can often prove noble but lofty in scope. How do you distil this down to a practical level?

Hammel: Understanding that your organisation is never really 100 per cent secure and knowing that compliance does not necessarily equate to security are key factors, as is the mindset that complacency will eventually come back to bite you.

Never assume that you are secure – no one, really, is ever fully secure.

To paraphrase an Einstein quote, “To get to the speed of light, you need infinite energy.” For me, “To get to 100 per cent security, you need infinite funding!”.

Balance is key. Finance what is required and do not finance more than the value of your assets.

FST Media: Take us through the evolving threat landscape. What to you stands out as the prevailing cyber threat to industry today?

Hammel: The threat landscape will always evolve as it has since the Creeper program in 1971, which was widely recognised as the world’s first computer worm. The emergence of Creeper, effectively, spawned the creation of the cybersecurity discipline. Since then, cybersecurity has evolved to meet the threat head-to-head and continuously – not always at the same pace, and with some wins and many losses over five decades. This will continue to be a battle, one I often refer to as ‘cyber warfare’, as the consistent innovation by bad actors continues and, in some cases, surpasses our own ability to detect, protect, and defend against them.

While it’s challenging to isolate a single threat as the greatest concern, many of the currently known multifaceted threat types can cripple an organisation depending on specific conditions, such as the data value or worth to a bad actor, as well as the organisation’s fortune status or political influence, which ultimately determines the likelihood and severity of an attack. Let’s not lose sight of these.

If I had to make a choice, I believe the greatest upcoming threat, something we should all be concerned about, is the advent of artificial intelligence (AI) in the creation of malware and its corporate use in the creation of commercial off-the-shelf software. This will create a myriad of potential zero-day exploits that we can then only manage by invoking AI into the battlefield. These technologies can be used to automate attacks, evade detection, and scale malicious activities.

When combined with quantum computing, it has the potential to perform attacks where even I have difficulties envisioning the creation of a master plan or how to defend against it at this point in time.

AI can be applied to all known forms of malware used today, let alone the prospect of ‘AI on steroids’ – that is, coupling machine learning technologies with quantum computing. It is too early to predict the type of impact this will have on the direction of cybersecurity or the possible outcomes.

What is known is that, if we wait to defend against it instead of innovating now, it will be too late; well-funded, state-sponsored bad actors will be the first to strike.

FST Media: When can we expect this perceived threat to become a practical one?

Hammel: In our current global geopolitical crisis, the risk is very high that we will see the first strike of this type before the end of 2024 – likely on a government or military organisation. If you’re not fast, you are food.

In this rapidly evolving threat landscape, it’s critical for organisations to take a proactive approach to cybersecurity in mitigating the risks posed by evolving cyber threats.

FST Media: Social engineering remains one of the principal vectors for corporate cyber breaches, targeting what is widely seen as the weakest point in any security perimeter: human credulity. How do you feel social engineering schemes have evolved or will evolve in the future?

Hammel: Modern social engineering schemes have become increasingly sophisticated. But among the most concerning to me are deepfakes.

AI is a powerful tool that allows a bad actor to convince you to trust them. The use of deepfakes by bad actors poses a growing and concerning threat across cybersecurity, privacy, politics, and misinformation. They are already being used today to great effect. These malicious actors employ deep learning and AI technologies to create convincingly realistic but entirely fabricated audio and video content, often with the intention of gaining one’s trust for the purposes of deceiving, manipulating, or defrauding individuals or organisations. Deepfakes can be used for disinformation campaigns, identity theft, or to impersonate board members, politicians, and prominent persons, leading to false statements, fake news, and damaged reputations.

As a result, we face an increasing challenge in distinguishing between authentic and manipulated content, which demands heightened vigilance, advanced detection tools, and legal frameworks to combat this emerging threat.

Using AI combined with quantum computing, it may be possible within microseconds to perform data mining of thousands of specific individuals within any organisation, conduct thorough research on their targets, often leveraging publicly available information from online sources, and with great efficiency to deploy ultra-high quality spear-phishing campaigns targeting C-Level individuals with frighteningly convincing emails encouraging them to pay invoices, transfer money, provide privileged access, relinquish privileged information and much more. Although we have only seen this level of sophistication in a limited distribution, I am certain it will increase exponentially. It will be possible in the very near future based on current AI growth trends.

FST Media: What hope is there to resist such a threat?

Hammel: The only defence we can currently leverage is to educate staff of this threat, make them aware and teach them how to identify it.

Encourage a ‘trust but verify’ mindset. Even when communication appears to be from a trusted source, individuals should independently verify the request or information. Be cautious and limit the information shared online and use privacy settings to limit public access to personal details. Be on the lookout for startups that specialise in this space and invest wisely – many make unrealistic claims.

FST Media: Endpoints are the inevitable weak link in any security perimeter. What, ultimately, should a good endpoint security strategy look like?

Hammel: To answer this question, one must first define the endpoints at risk in your organisation. Mobile phones, for example, are frequently forgotten as they are in many cases not owned by the organisation.

To define a good endpoint security strategy, it is critical that you understand your data and the data classification that is or could be on any endpoint, including the likelihood of exploitation. Once defined, implement a risk-based approach by deploying an endpoint detection and response (EDR) solution for high-risk assets and perhaps an antivirus or anti-malware solution on devices that have a lower risk to be cost-effective. The implementation or utilisation of vulnerability scanning, combined with a well-defined patch management process with actual SLAs, is also highly effective and inexpensive when compared to some more costly enterprise solutions. Defend, protect, and detect in your on-prem and cloud environments by using firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) – this ensures a comprehensive and proactive approach to protecting an organisation’s individual endpoints.

Also, too many organisations do not encrypt their data as it increases cost and impacts performance; consider, then, defining an encryption strategy that also uses a risk-based approach based on data classification. Encrypt data on devices that can be lost or stolen, or encrypt only confidential and strictly confidential data, or at least in motion or perhaps also at rest. Also, consider increasing the number of devices you encrypt based on what budget you have available. Not everyone can go full monty on encryption.

How much you encrypt and where you encrypt is a decision that requires a risk assessment and knowledge of your threat landscape, and to perform a cost analysis based on the organisation’s requirements.

There are many more ways to secure your environment just by invoking the correct policies that align with your overall requirements and, for some, that may be enough.

In summary, the correct answer to this question is: “It depends”.

FST Media: You noted earlier the threat posed by the combined forces of quantum and AI. However, the original fears around the emergence of quantum have stemmed from its encryption-busting potential. Do you rate quantum as a serious threat, a potential ‘fifth column’, to longstanding and trusted methods of cybersecurity?

Hammel: Quantum computing scares me. It has the computing power to break encryption in a very short amount of time. Theoretically, a fully functioning quantum computer could break an asymmetric key in a matter of minutes. Public keys are especially vulnerable because many of them are based on the factorisation problem: i.e. it is hard for digital computers to find two prime numbers from their product, as defined by the International Monetary Fund. This concern has gained increasing attention in the field of cybersecurity.

Many encryption methods, such as RSA and ECC, rely on the obstacle of factoring large numbers or solving complex mathematical problems. Quantum computers could theoretically solve these problems with ease using, say, Shor’s algorithm, cracking open widely used encryption algorithms based on factoring large numbers or solving discrete logarithm problems. Public-key encryption methods, which are widely used to secure data transmission and communications, are predominantly vulnerable to these attacks, impacting secure connections leveraging HTTPS, S/MIME & SMTPS, and countless other applications.

The implication of this would mean that global internet banking could no longer be viable.

It has the potential to shut down global commerce.

FST Media: How far are we off from the theoretical quantum threat becoming a real one?

Hammel: There is the belief by some that this scenario is still far off into the future. What we do know is that technological growth is exponential. Add AI into the mix, which is currently experiencing explosive growth, and you have a big problem.

Given that it has taken many organisations more than a decade and millions of dollars to modify their entire data centres from using TLS 1.0 to 1.2, I don’t have much faith that many enterprise organisations could, with any agility, react to massive cryptography breaches in time.

Transport Layer Security (TLS), a cryptographic protocol that protects Internet communications, has been at risk since 2014 when POODLE (Padding Oracle on Downgraded Legacy Encryption) was discovered as a vulnerability. Many organisations just accepted the risk, as the cost to upgrade it would have required the replacement of millions of software applications. Imagine, what would the cost be to upgrade your entire crypto suite?

The current prediction for the maturity of quantum computing is still widely stated as being years or decades away. That is too close for my comfort. There is, however, some good news on the horizon. Research is ongoing into the development of quantum-resistant algorithms, and there is still time to make progress on this. China and Russia have also been investing significantly in quantum technology, including quantum computing – which is food for thought at least.

What is being done in the rest of the world is mostly commercially sponsored, with both IBM and Microsoft maintaining active programs. Japan, Canada, the EU, and Australia are also researching this.
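Editor’s worked example (added here; this is not code from the interview, from Hammel or from Allianz). Hammel’s point in the quantum section is that RSA public keys are only safe because nobody can factor the modulus: whoever can factor n can rebuild the private exponent from the public key alone. The script below makes that dependency concrete with a textbook RSA key on constructed toy parameters (32-bit primes), then recovers the private key from (n, e) using classical Pollard rho factorisation and decrypts a constructed ciphertext with it. Pollard rho only works here because the modulus is tiny; on a real 2048-bit modulus it is hopeless, and Shor’s algorithm on a large quantum computer is the step that would make the same recovery feasible. All function names are this example’s own.

```python
import math
import random

# Constructed toy parameters: 32-bit primes give a ~64-bit modulus that a
# laptop factors in milliseconds. Real RSA moduli are 2048 bits or more; no
# classical method factors those, which is exactly the assumption Shor's
# algorithm on a large quantum computer would remove.


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test; good enough for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with the top bit set so the modulus has the intended size."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 32, e: int = 65537):
    """Textbook RSA key generation. Returns ((n, e), (n, d)). Toy sizes only."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def pollard_rho(n: int) -> int:
    """Classical Pollard rho: returns a non-trivial factor of composite n.
    Feasible only for small n; it stands in for the quantum factoring step."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise
            y = (y * y + c) % n
            y = (y * y + c) % n          # hare moves twice as fast
            d = math.gcd(abs(x - y), n)
        if d != n:                       # d == n means the walk failed; retry
            return d


def recover_private_key(n: int, e: int) -> int:
    """What an attacker who can factor n does: rebuild d from the public key only."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def demo(bits: int = 32) -> bool:
    """Generate a toy key, encrypt, recover d from (n, e) alone, and decrypt."""
    (n, e), (_, d_real) = generate_keypair(bits)
    m = 0xC0FFEE                          # constructed plaintext, must be < n
    c = pow(m, e, n)                      # encrypt with the public key
    d_recovered = recover_private_key(n, e)
    assert pow(c, d_recovered, n) == m    # the recovered key decrypts
    return d_recovered == d_real


if __name__ == "__main__":
    print("private key recovered from public key:", demo())
```

The same reasoning applies to ECC and Diffie-Hellman, where the hard problem is the discrete logarithm rather than factoring; Shor’s algorithm covers both, which is why the answer above lists HTTPS, S/MIME and SMTPS together. Symmetric ciphers such as AES are not broken by factoring and are the reason the quantum migration is about replacing public-key algorithms, not all cryptography.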