CyberWire Daily - Making security decisions around AI use. [CSO Perspectives]
Episode Date: October 7, 2024
Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, has a free-wheeling conversation with Merritt Baer, Reco AI’s CISO, about how infosec professionals should think about AI, Machine Learning, and Large Language Models (LLMs).
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everybody.
Welcome back to Season 15 of the CSO Perspectives podcast.
This is Episode 4, where we turn the microphone over to our regulars
who visit us here at the N2K
CyberWire hash table. You all know that I have a stable of friends and colleagues who graciously
come on the show to provide us some clarity about the issues we're trying to understand.
That's the official reason we have them on the show. In truth, though, I bring them on to hip
check me back into reality when I go on some of my more crazier rants. We've been doing it that
way for almost four years now. And it occurred to me that these regular visitors to the hash table
were some of the smartest and well-respected thought leaders in the business. And in a podcast
called CSO Perspectives, wouldn't it be interesting and thought-provoking to turn the mic over to them
for an entire show? We might call it other CSO perspectives.
So that's what we did.
Over the break, the interns have been helping these hash table contributors
get their thoughts together for an entire episode of this podcast.
So, hold on to your butts.
Hold on to your butts.
This is going to be fun.
My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios located underwater somewhere along
the Patapsco River near Baltimore Harbor, Maryland in the good old U.S. of A. And you're
listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies
that senior security executives wrestle with on a daily basis.
Merritt Baer is a very good friend of mine. She is a Harvard lawyer by training,
became a legislative fellow working for Senator Michael Bennet, the current Democrat from Colorado, transitioned to the Senior Cybersecurity Counsel for the U.S. Department of Homeland Security,
and then later the lead cyber advisor to the Federal Communications Commission.
She spent five years as the Deputy CISO for Amazon Web Services and is now the CISO for Reco AI.
We met when our paths crossed on the cybersecurity conference circuit. We were on a panel together before COVID and before ChatGPT was a thing,
discussing AI and machine learning and butting heads with opposing views.
And we became fast friends.
She is wicked smart and the perfect person to discuss the cybersecurity profession's potential decisions regarding how to use AI.
So here's my conversation with my friend Merritt Baer.
So Merritt, when I was soliciting hash table volunteers to do their own episode, you immediately jumped in to claim one of the eight slots for the season.
And you eventually settled in on this topic we're talking about today, which is making security decisions around AI use.
But then you immediately ran into a big stumbling block. So what happened?
Yeah, you know, it's funny because in theory, writing 1,500 words is not a hard thing to do,
but I found that this topic in particular, while I think is really timely because we talk about AI in lots of sort of notional ways about the future or about, you know, ethics or things that are very kind of aspirational. I don't see a lot out there that's
more tangible, like for folks actively making practical decisions around, you know, using AI,
how to know what AI is in their environments, and so on. And as a
practicing CISO myself, I thought that would be a really good topic. But when it came to putting
something on paper, it was really hard to just constrain it. I, you know, was tempted to go in
the direction of talking about, you know, the dangers of building your own LLM. I was tempted
to go down the path of, you know, talking about how to know,
you know, how to discover shadow AI in your environment, co-pilots or other manifestations.
I was tempted to go down the rabbit hole of, you know, ethical considerations or, you know,
or of attacks, right? Like poisoning and bias and drift and some of the ways that folks might
actively skew your AI results.
And it just kind of felt like anything that I chose would be both too much and too little.
And so I ran into this block, called you, and we said, let's make it a conversation instead.
So that's, thanks for indulging me and doing that instead.
And with that disclaimer, you know, we will not cover the whole universe of practical AI considerations, but hopefully we will talk through some of them.
I get that a lot from the stuff I do because, you know, Rick, you should, you know, limit
it.
Okay.
Stop talking about the world.
Maybe you're talking about one specific thing.
So it is a common problem.
We both need editors.
Right. We both need editors, right? And it kind of also felt like if I constrained it, it would feel
artificial, but you have to constrain it. So, um, yeah. And to be honest, like, I also was tempted
to go back in historic time to, like, you know, because in a lot of ways, AI is, in present form, really machine learning.
And that is nothing new, has been around for decades. So anyway, yes, it's a...
Well, let's talk about that because you and I are both sticklers about, you know, throwing these
terms around. I know when you and I first met, we were on an AI panel, I think, in Colorado, and we were educating the audience about the differences between, let's say, AI and machine learning and LLMs.
You want to give that a crack while we're here?
I have sort of given up that type to some extent because I'm using, even like in the intro here,
I'm using AI in the term that,
like in the definitional sense
that it's currently being tossed around,
which is the idea that, you know,
folks are using capabilities
that are basically, you know,
analytics over large pieces of data.
So what I'm talking about, I think, is ML in a traditional sense.
We're not talking about this kind of generative AI idea,
which I think is still debatably not real.
You know, like the idea that an AI would have sentience
or would be able to produce some original material.
I even hesitate to say the word thought, right?
Because I don't know, but I believe that a machine can think.
I think most of us think, you and I, I think, when we think of AI,
when we think in terms of, you know, movies like
The Terminator and maybe, uh, the movie Her, when the artificial intelligence wakes up,
becomes aware of itself and, you know, becomes a, some sort of being. In the sci-fi world that's
called, um, the, what's it called when that happens in the world? I forget. The singularity. That's what
I was looking for. Right. The singularity. Right. Um, so when I, yeah, so debatable as a,
you know, I think it is a, a thought exercise to, um, use terms like that. I don't think that we're, at least in my view, we are not necessarily on a
course where that ends in that. Well, and I agree that, you know, in future forecasters,
they've been saying the Singularity has always been 10 to 20 years away, you know, 50 years ago,
right? So it's always somewhere out in the future. But I will say that there are some experts in the field
that could say that it could happen as early as 2050.
We'll see, okay?
You think it won't happen is what I hear you saying.
Yeah, I think that if you look at the evolution of our tech wall, it has been punctuated by really radical transformations, so like the internet or mobile computing, cloud computing. These are really functionalities more than they are computers taking over human capabilities. And I think that there is something inherently human. Computers essentially do what you program them to. So even if that is to build upon analytics that, uh, get sort of abstracted away from the underlying task. And so I think you can get many layers deep in that kind of, you know, computer reasoning, uh, process, but it is always a process. It is never like an original thought or a, you know, like, I don't think that a computer can fall in love or have its feelings hurt or come up with something truly novel, you know, as a, in the sense that humans can.
So a subset then of AI is machine learning, which in the security realm, it's been around since, I don't know, 2015.
I mean, it's really good at very specific tasks.
Do you want to take a crack but I consider machine learning to be sort of like the convergence of the fact that we have a ton of data now, and then we can reason upon it in a more holistic and more timely way. So I really think that the rise of machine learning is due to a couple of factors, including
the growth in processing power and the strength of compute that has formed over the last few
years, which of course has underpinnings in hardware and chips.
There's a lot of unsexy parts of this that have allowed for the parts that we see at the surface.
But also kind of the increasing reliance
on sort of like data-driven answers to guide us
in how we think about problem sets.
Right.
You know, so I think...
So it uses statistical models to make predictions about, you know, problems we're trying to solve.
And like I said, security vendors have been using that as an example very successfully with, you know, identifying malware.
They can take a file that nobody has ever seen before and predict whether or not it's malware with like a 97% accuracy.
So like you said, machine learning has been around for a while and it's very useful in very individual cases.
Yeah, exactly.
And I think there is, you know,
obviously there are use cases in the security world
for doing security work.
There's also use cases that are not security related,
but that need to be secured.
You know, like there's levels of relevance for a CISO
who's considering how to kind of take these technologies
and use them responsibly.
As you mentioned, you know, in threat intelligence,
in malware analysis, in, you know,
the areas like anti-DDoS that are inherently reliant on scaled processing,
I think it's especially helpful and influential,
but it's also something where I think
most sophisticated shops are also really concerned
about the possibility of, you know,
the poison and drift that happens
when folks do targeted attacks on your own though,
but also just the fact that these models
have a tendency to get it wrong sometimes.
Yeah.
And the more we've built upon them,
the harder it is to interrogate them.
So that brings us to large language models that kind of popped up in our imagination in 2022 when ChatGPT was released, okay, which we all looked at and said, oh my god, the world has changed. And, you know, these large language models are, you know, they're natural language processing, okay? It's, um, it's an application of AI and machine learning to generate human-like text.
And the leap that we found, you know, back then was, we were all gobsmacked at how wonderful it was or how, you know, impactful it looked like it was going to be.
Yeah, you know, I resisted the urge to have ChatGPT
write my essay for this piece.
But, yeah, you know, as with all forms of current quote unquote AI,
ChatGPT has a lot of really good use cases.
And then it also hits barriers, right?
I was seeing this morning,
some folks are posting that they actually asked ChatGPT to unlock protected documents.
And that's our show.
Well, part of it.
There's actually a whole lot more, and if I say so myself, it's all pretty great.
One last thing, here at N2K, we have a
wonderful team of talented people doing insanely great things to make me and the show sound good.
And I think it's only appropriate you know who they are. I'm Liz Stokes. I'm N2K's CyberWire's
Associate Producer. I'm Trey Hester, Audio Editor and sound engineer. I'm Elliot Peltzman, executive director of Sound and Vision.
I'm Jennifer Iben, executive producer.
I'm Brandon Karf, executive editor.
I'm Simone Petrella, the president of N2K.
I'm Peter Kilpie, the CEO and publisher at N2K.
And I'm Rick Howard. Thanks for your support, everybody.
And thanks for listening.