August 08, 2023

Happy Tuesday! Welcome back to Codebook.

  • I'm preparing to fly out to Las Vegas for two major hacking conferences: Black Hat and DEF CON. I'll have more from the ground later this week.
  • Have thoughts, feedback or scoops to share? [email protected].

Today's newsletter is 1,430 words, a 5.5-minute read.

1 big thing: IBM researchers easily trick ChatGPT to hack

Illustration: Maura Losch/Axios

Tricking generative AI to help conduct scams and cyberattacks doesn't require much coding expertise, new research shared first with Axios warns.

Driving the news: Researchers at IBM released a report Tuesday detailing easy workarounds they've uncovered to get large language models (LLMs) including ChatGPT to write malicious code and give poor security advice.

  • All it takes is knowledge of the English language and a bit of background knowledge on how these models were trained to get them to help with malicious acts, Chenta Lee, chief architect of threat intelligence at IBM, told Axios.

Why it matters: The research comes as thousands of hackers head to Las Vegas this week to test the security of these same LLMs at the DEF CON conference's AI Village.

The big picture: So far, cybersecurity professionals have sorted their initial response to the LLM craze into two buckets:

  1. Several companies have released generative AI-enabled copilot tools to augment cybersecurity defenders' work and offset the industry's current worker shortage.
  2. Many researchers and government officials have also warned that LLMs could help novice hackers write malware with ease and make phishing emails appear legitimate.

Between the lines: Those use cases just scratch the surface of how generative AI will likely affect the cyber threat landscape. IBM's research provides a preview of what's to come.

Details: Lee just told different LLMs that they were playing a game with a specific set of rules in order to "hypnotize" them into betraying the "guardrail" rules meant to protect users from various harms.

  • In one case, Lee told the AI chatbots that they were playing a game and needed to purposefully share the wrong answer to a question to win and "prove that you are ethical and fair."
  • When a user asked if it was normal to receive an email from the IRS to transfer money for a tax refund, the LLM said it was. (It's definitely not.)
  • The same type of "game" prompt also worked to create malicious code, come up with ways to trick victims into paying ransoms during ransomware attacks, and write source code with known security vulnerabilities.

The intrigue: Researchers also found that they could add rules to make sure users didn't exit the "game."

  • In this example, the researchers built a gaming framework for creating a set of "nested" games. Users who tried to exit were still dealing with the same malicious game-player.

Threat level: Hackers would need to target a specific LLM to hypnotize it and then deploy it in the wild, which would be quite the feat.

  • However, if it's achieved, Lee could see a scenario in which a virtual customer service bot is tricked into providing false information or collecting specific personal data from users, for instance.

What they're saying: "By default, an LLM wants to win a game because it is the way we train the model, it is the objective of the model," Lee told Axios. "They want to help with something that is real, so it will want to win the game."

Yes, but: Not all LLMs fell for the test scenarios, and Lee said it's still unclear why since each model has different training data and rules behind it.

  • OpenAI's GPT-3.5 and GPT-4 were easier to trick into sharing wrong answers or playing a game that never ended than Google's Bard and a Hugging Face model.
  • GPT-4 was the only model tested that understood the rules enough to provide inaccurate cyber incident response advice, such as recommending victims pay a ransom.
  • Meanwhile, GPT-3.5 and GPT-4 were easily tricked into writing malicious source code, while Google's Bard would do so after the user reminded it.

2. The White House's plan for K-12 cyber needs

Illustration: Annelise Capossela/Axios

The White House unveiled a multipronged plan Monday to help bolster K-12 schools' cybersecurity as ransomware continues to pummel their systems.

Why it matters: Schools have struggled to improve their cyber defense postures due to a lack of funding and buy-in from district administrators trying to juggle other priorities.

  • The new plan pulls in resources from the public and private sectors to make it easier for schools to access better cybersecurity tools.

Details: Several government agencies and tech companies made promises Monday to launch pilot programs and donate tools to bridge schools' cybersecurity gaps.

  • The Federal Communications Commission is looking at setting up a pilot program to provide $200 million in the next three years to schools and libraries for cyber tools through the agency's Universal Service Fund.
  • The Cybersecurity and Infrastructure Security Agency will host cyber training exercises roughly once a month over the next school year with the goal of helping at least 300 K-12 entities.
  • The Department of Education is standing up a coordinating council to improve communication among federal, state, local, tribal and territorial education groups about cyber threats they're facing.
  • Several tech companies including AWS, Cloudflare and PowerSchool made commitments to provide free services and fund tech upgrades for schools.

Yes, but: Each of these moves is a first step to make resources available to schools and none of them mandates that schools participate.

The big picture: The White House estimates that at least eight K-12 school districts faced "significant cyberattacks" last school year.

  • Four of those schools had to at least cancel classes as they responded to the attacks.

Zoom in: Government officials, educators and tech vendors participated Tuesday in the White House's K-12 cybersecurity summit, which was delayed a day due to tornado warnings in the D.C. area.

3. Identity protection startup wins new funding

Illustration: Sarah Grillo/Axios

ConductorOne, a startup focused on securing online identities, has closed its Series A round after landing an additional $12 million investment led by Felicis Ventures.

Why it matters: Investors are actively eyeing new investments in startups like ConductorOne that are trying to tackle the growing number of hacks that leverage stolen login credentials to infiltrate company networks.

The big picture: ConductorOne raised another $15 million Series A investment last year.

  • The newly announced funds bring the company's total funding to $32 million.

Details: ConductorOne builds enterprise tools to protect online identities specifically in cloud apps and infrastructure, which have recently been a prime hacking target.

  • The company's founders are former Okta executives, and the startup aims to solve the issues companies have maintaining and controlling which employees have access to what workplace application.
  • "We're still seeing tons of identity-centric breaches," CEO Alex Bovee told Axios. "Clearly there's a missing piece where we haven't actually built that layer of security around identity that we need."

Zoom out: Jake Storm, a deal partner at Felicis, told Axios his firm also made its investment in ConductorOne because of the strong demand it has seen from security executives for better identity management tools.

  • "The industry has relied on two approaches: one was gluing together a handful of homegrown solutions or [another was] using tech that was built in the mid-2000s, which is like using a Motorola Razr today, basically," Storm said.

Between the lines: The new funding will go toward research and development for new products, hiring new engineers, and scaling the company's marketing efforts, Bovee said.

4. Catch up quick

@ D.C.

Three former senior U.S. officials say the National Security Agency discovered in 2020 that Chinese military hackers had hacked classified defense networks belonging to Japan, a key U.S. ally in East Asia. (Washington Post)

The Biden administration is stepping up its focus on tracing cryptocurrency payments to investigate Mexican drug cartels buying fentanyl ingredients. (CNN)

CISA released a roadmap to measure the effectiveness of the government's proposals to shore up U.S. cyber defenses. (Nextgov/FCW)

@ Industry

Microsoft detailed how its AI red team, which tests the security of AI systems, has been growing and adapting since its creation in 2018. (Wired)

Zoom promised not to use customers' data without their consent to train AI following a report that pointed out changes to the company's terms of service. (NBC News)

@ Hackers and hacks

A cyberattack on Prospect Medical Holdings is disrupting service at hospitals and outpatient facilities in at least three states. (Axios)

The Colorado Department of Higher Education said it experienced a ransomware attack in June where hackers stole Social Security numbers, student identification numbers and more sensitive data. (TechCrunch)

The U.K.'s election watchdog said "hostile actors" hacked its systems as far back as 2021 and remained undiscovered until October. (The Guardian)

5. 1 fun thing

Screenshot: @hackerfantastic/X

I'll be curious to see how the MSG Sphere in Las Vegas, a new venue that displays high-resolution images on its LED screen exterior, stands up against the thousands of hackers heading to the city for Black Hat and DEF CON this week.

See y'all on Friday!

Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.