Writing this blog, even just this first sentence, took creativity, insight, and even a bit of inspiration. Conveying just a small slice of my lifelong knowledge base here, for a particular audience, in an appropriate tone, and in logical order took an enormous amount of ‘backstory knowledge’ combined with a series of if/then questions, asked and answered in my head, as to how to best catch my reader’s attention (you), and then keep you interested so that you’ll hopefully read through to the end to my logical conclusion. Sounds pretty complex, right? Think a computer could do it?
Hacking a computer network follows a similar process; the differences might be:
- Instead of catching a reader’s attention, a hacker is trying to find a way into a network.
- Keeping you interested would equate to lateral movement.
- And the logical conclusion would be the exfiltration of data (or any other nefarious goal).
To be successful, all of the above requires an enormous knowledge base, creativity, insight, and even a bit of inspiration. Sound familiar?
As a former founder and executive of an AI-based start-up, I am continually surprised by the desire of the cyber security industry to completely eliminate humans from the defense equation. My most recent surprise came from a blog, titled “Can Security Analytics Replace Humans?,” wherein the author states that after writing a series of blogs on Security Analytics (an excellent series, by the way) they received numerous questions asking, “Can we remove humans from the decision chain?” Perhaps this shouldn’t have been too surprising, but what was truly surprising to me was that the author thought it was possible. I have some technical quibbles with his solution (more on that in a future blog), but my conceptual objection is as follows:
Why do we, as humans, think that we can eliminate human creativity, insight and inspiration from the process of defending a network from attacking human creativity, insight and inspiration? Cyber security is a contest between human intelligence, not computers — all malware was written, and changed, or programmed to change, by a human. Frankly, it takes even more creativity, insight and inspiration to defend a modern, almost infinite attack surface network than it does to penetrate it. I think we all believe that the attackers have more resources than defenders (especially when considering state actors going after corporations). So even if we were able to create some sort of super smart AI that could defend a network, wouldn’t the attackers be able to create a super duper smart AI to penetrate it? Logically, this points back to the contest that defines cyber-security: an ongoing one-upmanship game between creative, insightful and inspired humans.
Even in Ray Kurzweil’s inspired book, ‘The Singularity is Near‘, wherein he posits that by 2029, computers will pass the Turing Test, and by the early 2030’s they’ll exceed the “capacity of all living biological human intelligence” he provides no logical argument (that I could see in an otherwise incredibly well argued thesis) that these computers will show an ounce of true creativity or inspiration. Well … yes, brute force iterations using infinite computing resource might overcome the power of human intelligence eventually. (Does that mean they’re truly creative? That’s a philosophical debate for a different blog series.) But until that occurs, and at least until 2029 if you believe Kurzweil – a life time in the tech industry – I think CISOs, security architects, cyber analysts, incident responders, and network hunters will be quite safe.