Prevention is better than cure, or so the well-known adage goes. At cybersecurity events over the past decade, this seemed to be less and less the aim of vendors. More and more investment went towards detection and response, and prevention became more or less an afterthought. AI can change this again, argues Roger Sels of BlackBerry.
We speak to Sels, VP Solutions EMEA at BlackBerry, primarily in the context of the upcoming election in the Netherlands, even though the discussion will eventually go in an entirely different direction. We’d like to know his take on cyber threats around voting. As we still vote with pencil and paper here, precisely because it’s deemed more secure, there are no voting booths that can be hacked or otherwise tampered with. However, somewhere along the line systems come into play that process election data. So there is a potential risk there. Manipulation of those systems is possible if malicious parties gain access to them.
Whether this is realistic is debatable. There are plenty of other ways to push votes in a certain direction without breaking into these systems, as we have seen in the past. Consider, for example, the Facebook/Cambridge Analytica scandal. As such, the risk of a cyber attack on systems processing election data isn’t huge, Sels believes. Manipulating voting behaviour can be done in other ways, such as via fake news. “The risk in the Netherlands of manipulating actual voting is relatively small, because you cannot vote digitally from a remote location,” he indicates. This does not mean that it is impossible, only that it is very unlikely.
So, the systems that calculate and determine election results and the distribution of seats may not be the first target of actors seeking to manipulate election results. Nevertheless, it is worth bearing in mind one of the distinguishing features of these systems. One of the conditions for using the OSV2020-U software used in the Netherlands is that the systems it runs on are not connected to any other network. This is explicitly stated on the website of the Kiesraad (the Electoral Council).
Having no network connectivity has specific consequences for the security of systems. At first glance, of course, this only seems like a good thing. After all, many threats enter via the internet. The other side of the coin, however, is that these systems cannot automatically receive new signatures, patches, and other updates. If someone gains access to such a system, what is happening on it is not visible from the outside, and the system cannot download any patches or new signatures. While the Electoral Council gives the clear advice that municipalities using OSV2020 must set it up “without physical or logical access for unauthorized persons to the server,” this does not mean that such access is impossible. It will largely revolve – as it so often does – around eliminating human error.
AI for prevention of cyber attacks
As far as Sels is concerned, systems such as those discussed above, which process votes and calculate seats, are a good example of environments in which AI can prove its added value in terms of prevention. Not entirely coincidentally, this is also a spearhead of BlackBerry’s strategy. A few years ago, the company acquired Cylance, the largest acquisition in the company’s history ($1.4 billion). At the time, that company was already a market leader in AI-driven security. In the years since, BlackBerry has carried this on. “If you zoom in on AI for cybersecurity, today we are achieving 100+ patents per year,” Sels states. There are few other players in their industry, he says, who can claim this. Meanwhile, with BlackBerry Cyber, a fully AI-driven security solution for endpoints is available, which includes the Cylance AI engine.
The big advantage of using AI for cybersecurity purposes is that you don’t use signatures. With signatures you are always on the back foot: a threat must first be detected before a signature can be created for it. That means you have to update and supplement the signatures of your security solution frequently, and for this you usually need a network connection. That network connection, however, is an important attack route for the very threats you want to keep out.
An AI-driven solution – if properly trained, of course – can operate completely independently. You don’t need to feed it new signatures and it doesn’t even need a network connection. It operates on the basis of static analysis of applications and files. That is, it analyzes their features even before an application or file is executed. Per application, it looks at up to 1.6 million features and also takes into account the context. Based on the results of this analysis, it determines whether something is malware or not.
From detection to prevention 2.0
You could say that with the help of AI it is possible to look beyond detection and response again, towards prevention. That is, files and applications that don’t pass analysis simply won’t run, because the security solution has marked them as malware. With more traditional security solutions, detection at best takes place only when a piece of malware becomes active. By then it is actually too late, even though you can, of course, design the subsequent response in detail and still react to it reasonably adequately.
Mind you, AI-driven endpoint security is still not prevention as we know it from firewalls. It is still possible to get malware on systems. The prevention piece is in preventing malware from actually becoming active. So looked at this way, this new way of detection is actually the new prevention. “Why detect without prevention, if you have the opportunity possible,” Sels reasons.
Finally, to illustrate the power of the platform using the Cylance AI Engine, Sels cites WannaCry. This ransomware attack took place in May 2017. To test the predictive qualities of the AI in the platform, they looked at which version of the engine, and thus which year, first detected WannaCry. That turned out to be as early as 2015, Sels indicates.
Our conversation with Sels thus started at the Dutch elections, to finally arrive at AI-driven endpoint security in general. A somewhat curious route to take perhaps, but the link between them is actually very interesting as far as we are concerned. A fully autonomous security platform based on AI can effectively protect even completely isolated environments, should the need arise. More importantly, the AI-driven approach ensures that we can think more in the direction of prevention again. Because prevention is still better than cure. It would be nice if we could get back to that.
The big question is what the criminals do with AI to get around this relatively recent development. In other words, are we really no longer one step behind these actors? Typically, an innovation like this provides a temporary level playing field. After some time, ‘the other side’ comes up with something new again, to which the security market then has to respond. Cybercriminals are also automating and have more and more bandwidth available (partly due to the advent of 5G) to be able to exploit, for example, large data leaks quickly. Is AI-driven security different? Will cybercriminals who deploy AI themselves get another step ahead? We’ll keep an eye on it, but it’s already a good sign that BlackBerry’s platform was able to recognize the 2017 WannaCry malware for what it was back in 2015, even though the malware didn’t even exist at the time.