Article Details
Scrape Timestamp (UTC): 2025-10-27 11:47:37.243
Source: https://www.theregister.com/2025/10/27/jen_easterly_ai_cybersecurity/
Original Article Text
Ex-CISA head thinks AI might fix code so fast we won't need security teams

Jen Easterly says most breaches stem from bad software, and smarter tech could finally clean it up.

Ex-CISA head Jen Easterly claims AI could spell the end of the cybersecurity industry, as the sloppy software and vulnerabilities that criminals rely on will be tracked down faster than ever.

Speaking at AuditBoard's user conference in San Diego, Easterly said the threat landscape has never stopped evolving. The proliferation of data, platforms, and devices meant "we've expanded the attack surface for cyber threat actors like China and Russia and Iran and North Korea and gangs of cybercriminals." Easterly said that if cybercrime were a country, it would be the third biggest in the world, just behind the US and China.

But ultimately, this is all the result of bad software, riddled with vulnerabilities. "We don't have a cybersecurity problem. We have a software quality problem," she said. The main reason for this was software vendors' prioritization of speed to market and reducing cost over safety.

AI is making attackers more capable, helping them create stealthier malware and "hyper-personalized phishing," and also to spot and surface vulnerabilities and flaws more quickly. CISA has responded with its own AI action plan, and "I believe if we get this right, we will actually be able to tip the balance to the defenders and protectors." That includes detection, countermeasures, and learning from attacks, but also identifying vulnerabilities and ensuring software is secure by design.

Ultimately, she said, "if we're able to build and deploy and govern these incredibly powerful technologies in a secure way, I believe it will lead to the end of cybersecurity." By which she meant that a security breach would be an anomaly, not a cost of doing business.

It was important to demystify hackers, Easterly added, and stop giving them portentous or glamorous names such as Fancy Bear or Scattered Spider. More appropriate titles would be "scrawny nuisance" or "weak weasel." Equally, it is important to be clear about the real extent of their technical capabilities. Phraseology like "advanced persistent threat" obscured the fact that attackers are overwhelmingly exploiting the same categories of vulnerabilities that have plagued the industry for years. The People's Liberation Army is not relying on exotic cyber weapons, she said, but simply on flaws in routers and other network devices to lay the ground for a full-scale attack in the event of war against Taiwan.

Moreover, Easterly said, this distracted attention from the victims. Too often the emphasis is wrongly on mistakes companies make. While user behavior could act as the start of an investigation, it shouldn't be the conclusion. Rather, the real focus should be on the fact that the common factors uncovered by MITRE nearly 20 years ago – cross-site scripting, memory-unsafe coding, SQL injection, directory traversal – remain part and parcel of shipped software. "It's not jaw-dropping innovation… They were the golden oldies."

This is because software companies insisted customers bear all risk and convinced government and regulators that this was acceptable. AI offers a way to address this, she claimed, as it is far better at tracking and identifying flaws in code. And it would be possible to tackle the mountain of technical debt left by a "rickety mess of overly patched, flawed infrastructure."

Easterly, who stepped down from her CISA role as Trump returned to the White House, and later had a role at West Point rescinded, also backed the current administration's approach to AI regulation. "I think the great news is the current administration is continuing to champion the idea of secure by design for software broadly." But she said "the kicker" was that the recently released White House AI Action Plan talks specifically about cybersecurity and the need for AI systems that are created, designed, developed, tested, and delivered with security as the top priority.

In a Q&A with Easterly, AuditBoard CISO Richard Marcus said the company found secure-by-design principles valuable for dealing with suppliers. But, he added, "we actually turn the mirror back on our internal teams too, and say this is what we're expecting in marketplace, but let's make sure our products are also upholding the same design principles."

Asked by Marcus what was top of mind for next year, Easterly said the key to reducing software risk is demanding more from software vendors. "That's where the risk gets introduced, and that's where we have the power and the capability through everything that you all do, to be able to drive down that risk in a very material way."
Daily Brief Summary
Former CISA Director Jen Easterly suggests AI could drastically reduce cybersecurity threats by swiftly identifying and fixing software vulnerabilities, potentially diminishing the need for traditional security teams.
Easterly emphasizes the root issue is not cybersecurity itself but the poor quality of software, often prioritized for speed and cost over security, leading to widespread vulnerabilities.
AI advancements empower both attackers and defenders, enabling more sophisticated malware but also offering tools for rapid vulnerability detection and mitigation.
CISA's AI action plan aims to leverage AI for enhanced detection, countermeasures, and ensuring software is secure by design, potentially shifting the advantage to defenders.
Easterly advocates for demystifying hackers, suggesting that common vulnerabilities remain the primary tools for cyber threats, rather than advanced cyber weapons.
The White House AI Action Plan supports secure-by-design principles, emphasizing security as a priority in AI system development, aligning with Easterly's views on software risk reduction.
Businesses are encouraged to demand higher security standards from software vendors, leveraging secure-by-design principles internally and with suppliers to mitigate risks.