February 17, 2023
Happy Friday! Peter here once more before Sam returns to these shores. Thanks for joining me while I do my best to keep Codebook humming along. It's honestly been a lot of fun.
- 🤖 It's also been a dizzying week of AI analysis, and there's more below waiting for you.
Today's newsletter is 1,321 words, a 5-minute read.
1 big thing: AI's dual role in the future of cyber
Cybersecurity experts are cautiously optimistic about the new wave of generative AI innovations like ChatGPT, while malicious actors are already leaping to experiment with them.
Cyber leaders see multiple ways generative AI can help assist organizations' defense: reviewing code for efficiency and potential security vulnerabilities, exploring new tactics that malicious actors might employ, and automating recurring tasks like writing reports.
- "I'm really excited as to what I believe it to be in terms of ChatGPT as being kind of a new interface," Resilience Insurance CISO Justin Shattuck told Axios. "A lot of what we're constantly doing is sifting through noise. And I think using machine learning allows us to get through that noise quicker. And then also notice patterns that we humans aren't typically going to notice."
- "Text-based generative AI systems are great for inspiration," Chris Anley, chief scientist at IT security company NCC Group, told Axios. "We can't trust them on factual matters, and there are some types of questions they are currently very bad at answering, but they are very good at making us better writers — and even better thinkers."
Reality check: The idea of using chatbots to review or write secure code has already been called into question by some experts and researchers.
- A Cornell University study released in November showed that AI assistants led to coders creating more vulnerable code: "Overall, we find that participants who had access to an AI assistant based on OpenAI's codex-davinci-002 model wrote significantly less secure code than those without access," researchers wrote in the study’s overview.
- "Additionally, participants with access to an AI assistant were more likely to believe they wrote secure code than those without access to the AI assistant."
- Anley conducted an experiment last week in which he asked ChatGPT to find vulnerabilities in various levels of flawed security code. He found a number of limitations: "Like a talking dog, it’s not remarkable because it’s good; it’s remarkable because it does it at all."
Using generative AI to review code strikes some experts as particularly dangerous.
- "How the hell are software engineers pasting their code into something they don't own?" Ian McShane, vice president of strategy at security firm Arctic Wolf and a former Gartner analyst, told Axios. "Would you phone up random Steve off the street and say, 'Hey, come and have a look through my financial auditing. Can you tell me if anything's wrong?'"
- McShane does see benefits in the approachable chatbot user interface for lowering the barrier to entry to security. But unknowns around data set information and transparency also make him pause.
- "What mustn't get lost is that this is still machine learning, or machine learning to train from data that's provided," he says. "And you know, there's no better phrase than 'garbage in, garbage out.'"
Meanwhile, hackers and malicious actors, always on the prowl for ways to speed up their operations, have been quick to incorporate generative AI into attacks.
- Researchers at Check Point Research spotted malicious hackers last month using ChatGPT to write malware, create data encryption tools and write code creating new dark web marketplaces.
- "Recent AI systems are excellent at generating plausible-sounding text and can generate variations on a theme quickly and easily, without telltale spelling or grammar errors," Anley said. "This makes them ideal for generating variations of phishing emails."
The bottom line: Shattuck maintains that organizations exploring AI usage should see through the larger hype and "understand the limitations, like truly understand where it's at."
- "It's not a one size fits all," he said. "Don't try to apply it to something it's not …. Don't push it to prod[uction] tomorrow."
2. Florida, South Dakota turn down cyber grants
Both Florida and South Dakota have reportedly declined millions of federal dollars intended to go toward bolstering state and local cybersecurity.
What's happening: The infrastructure bill signed into law in 2021 contained $1 billion for U.S. states and territories to beef up their cybersecurity programs. Applications to receive the first round of funding were due on Nov. 15.
- The Record reported this week that among the 56 eligible states and territories, only Florida and South Dakota declined to submit applications.
- A spokesperson for the Florida Digital Service confirmed to Axios that Florida didn't pursue the federal grant "in favor of our state grant that better suits local governments and has more funds appropriated on an annual basis."
- Neither the Cybersecurity and Infrastructure Security Agency, which is assisting in managing the program, nor South Dakota offered confirmation or comment on the applications.
Catch up quick: The four-year grant program was launched in September to provide state and local governments with both starter funds and the momentum to craft ongoing cybersecurity strategies.
- For the first year, only $185 million of the $1 billion pool will be available, with each state eligible to receive a minimum of $2 million.
The intrigue: Florida’s decision not to apply for federal cyber grants comes a week after Gov. Ron DeSantis released his proposed Framework for Freedom Budget, which requests $149 million from state lawmakers to enhance cybersecurity through "security intelligence, modernization, training and resiliency."
- "As cybersecurity threats continue to become more sophisticated, it is vital that both state and local governments have the tools necessary to protect critical public resources and sensitive information," the budget reads.
- Florida's lieutenant governor, Jeanette Nuñez, announced a $30 million Local Government Cybersecurity Grant Program yesterday, designed to build up and improve local government cyber plans.
Between the lines: Both DeSantis and South Dakota Gov. Kristi Noem have been outspoken critics of the Biden administration and many of its policies.
- Additionally, both governors are considered potential presidential candidates for next year's race.
What they’re saying: "We will certainly invite them to apply again in year two because we believe that across the country, there are needs that need to be addressed, and this is a viable program to ensure that our local communities and our states have resources to address those needs," CISA official Trent Frazier said at an event in January, The Record reported.
3. Catch up quick
🕵️♀️ The FBI says it has contained a malicious cyber incident on its computer network, with two sources saying it involved the FBI New York Field Office. (CNN)
💣 Nuspire’s newly released Q4 2022 and Year in Review Threat Report found 2022 to be the year with the most threat activity in history. (Nuspire)
⚡️ Deputy Attorney General Lisa Monaco announced an interagency partnership between the Department of Justice and the Department of Commerce, called the Disruptive Technology Strike Force, aimed at protecting American technology and data from rival nations. (CBS)
🔓 Data on Atlassian employees and vendor offices was leaked online Wednesday after a breach the software company says it learned about earlier that day. (Cyberscoop)
🤺 Hackers have launched a new financially motivated campaign using a variant of the Xortist commodity ransomware named MortalKombat. (BleepingComputer)
📱 The Cybersecurity and Infrastructure Security Agency encouraged users of various Apple products to update their devices after vulnerabilities were detected, cautioning that an "attacker could exploit these vulnerabilities to take control of an affected device." (CISA)
⚖️ The City of Oakland’s interim city administrator declared a state of emergency Tuesday, one week after a ransomware attack struck local government operations. (The Record)
🦾 GitHub says it has improved its Copilot AI coding assistant and notes it is now being used to generate 46% of new code on its site. (BleepingComputer)
🚗 Automakers Hyundai and Kia are offering a free software update to millions of vehicles after a viral TikTok challenge inspired a wave of thefts. (The Verge)
4. 1 fun thing
Since I'm filling in for Sam, I couldn't resist this opportunity to share my own cat pic. This is Ella, and though she has since gone to that odorless litter box in the sky, she gave me and many others 15 years of total joy.
- This week marks the 17th anniversary of when Ella and I first met, and my life has been so much better for it. ♥️
Have a great weekend! Sam will be back in your inbox next week.
Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.