- AI and 5G will lead to an explosion in cybersecurity risks, according to an FBI agent and the general counsel of $50 billion professional services firm Marsh & McLennan.
- Ari Mahairas and Peter Beshar have built a relationship educating the public sector and industry about the risks of cyber attacks, as well as solutions to the threat.
- New tech will make it easier for bad actors to attack things like internet-connected devices, potentially leading to catastrophic attacks on nuclear power plants, they said.
- The pair also discussed protecting 5G networks and the growing demand for privacy regulation in Silicon Valley.
Ari Mahairas, a special cybersecurity agent at the FBI’s New York office, and Peter Beshar, the general counsel of $50 billion professional services firm Marsh & McLennan, have an unusual relationship.
Over the years they have forged an unlikely public/private partnership, making it their mission to collaborate and discuss cyber risks and solutions in the context of both national security and corporate security.
The pair have appeared at conferences together, penned an op-ed for The New York Times, and now sat down for an interview with Business Insider.
Speaking over the phone from New York, the pair focused on how AI and 5G will create an explosion in cybersecurity risks over the coming years, which law enforcement and companies will need to grapple with.
AI and 5G will make it easier for bad actors to attack internet-connected devices, potentially leading to catastrophic attacks on sensitive infrastructure like nuclear power plants. The technology could also make deepfakes a threat at a corporate level, with attackers able to impersonate CEOs and get employees to wire funds.
“We’re engaged in a race without a finish line,” Beshar says of the threat. “Cyber is a unique threat that poses a threat to both government and industry. Both sectors have been breached repeatedly. Neither one of us is immune.”
The pair also discussed protecting 5G networks, in the context of concerns over Chinese tech giant Huawei contributing to infrastructure, and the growing demand for privacy regulation in Silicon Valley.
Scroll on to read the Q&A with Ari Mahairas and Peter Beshar in full. The transcript has been edited for length and clarity.
Jake Kanter: Let’s start with the risks of AI and 5G.
Peter Beshar: You can think about these two new technologies as essentially two accelerants that are being poured on the cyber fire.
Ari Mahairas: So I think we all know, based on what we’re seeing, that 5G is not coming, it’s already here. It already started its rollout and it will continue to roll out globally. And I think 5G is a very interesting technology because we know exactly what it does.
When we think about it in terms of the industrial control systems, in SCADA (supervisory control and data acquisition systems), obviously it creates another vulnerability.
What do I mean? We know that IoT (internet of things) and operational technology devices are critical components of industrial control systems and SCADA systems. In fact, any research that I’ve looked at or graph that I’ve looked at shows an upward trajectory of these types of devices being connected. In other words, the proliferation of these devices has and will continue to grow.
In 2014 we had about 12.5 billion devices. In 2018, they estimated 20 billion. And by 2022 they’re saying 30 billion devices will be connected. I came across a report that said 50 billion — I think it’s a matter of not if but when we’ll eventually get there.
When we reach that number they’re saying that’s equivalent to about five connected devices per person. So obviously what that does in the concept of the threat landscape — each one of these devices creates a new threat vector but it’s also big business right. Because again, there’s another estimate that shows it’s going to be a $14-plus trillion business by 2020.
They’re estimating about five hundred million devices connected via 5G. But I think that’s going to grow as well. And this is the reason why we’ve seen historically dumb devices being converted to smart devices.
Let’s take a plant or some kind of warehouse as an example. You have a forklift. You have products from a shelf. You have a container and a trailer. If you attach sensors to these devices, these items, you can see where the forklift is moving around in the warehouse and what it’s picking up, when the product is picked up, when it’s loaded into that container, when the container is closed, then when it’s put on the trailer, and then you can track the trailer as it moves.
So if we think of that just for a moment, what a tremendous business enabler these IoT devices are. Historically they were very expensive. It has been the plummeting cost of these transistors and sensors that is allowing this to happen.
And so as we move more towards cellular networks we’re looking that those devices that have wide area applications, so cars, machines, manufacturing supply chain process meters, all those types of things I think will increase as the 5G rolls out. 5G increases speed. It also increases the bandwidth. And so when that bandwidth increases you can push through a lot more data.
Now with all that information and the data going through these data pipes, there’s a lot of information; there are privacy issues associated with that, security issues associated with that. So that’s always our concern from a security perspective. But we also recognize that it’s going to provide a lot of opportunities to sort of monetize that information efficiently. And I think that’s where AI comes in.
PB: Most people think sword, shield. There is a defensive component that obviously infosec officials are excited about, including the enhanced capacity to detect anomalous behavior. But in this field, offense is a lot easier than defense.
Obviously, the attack landscape is much broader than it used to be. And so in the past, you had DDOS attacks that would leverage a bunch of different devices. And for example, disable Business Insider’s website.
Now they have swarm bots and hive nets. It’s kind of the beehive concept of just swarming around and leveraging instead of hundreds or thousands of IoT devices, now you’re talking about really leveraging hundreds of millions of devices and then targeting those IoT devices at a particular target really at scale.
And so our view is that while there’s obviously promise in AI and machine learning for defensive purposes, the hackers are working just as assiduously to utilize these tools for their purposes as something like the process for writing malware. It’s a reasonably labour-intensive process, or it has been. If you start really using AI enabled tools to write the malware and then to deploy it at a much broader scale, that’s the obvious downside.
Jake Kanter: Have there been any examples that you can point to?
AM: I’m not going to speak specifically to whether or not we’ve seen AI being used maliciously, but it’s easy to sort of put that in perspective. So when we consider AI, what it actually does, right, is a platform that has predetermined values, input values and output values. It’s a decision-making tool, again, that provides for efficiency and speed of transactions.
One of the concerns is when we’re looking at the information especially the possibility of manipulation of integrity, the whole concept of garbage in garbage out. Then we can see how the platforms, the AI platforms, could potentially yield bad decisions based on bad information coming in. So although the AI itself might be compromised, though that is a possibility, the easiest example is compromising the information on which the AI relies so that the output is bad.
PB: Another example might be so-called deepfakes. Really trying to use sophisticated new technologies to create a disinformation campaign. So if you think of the two most common forms of threat: spear phishing [and] social engineering. Obviously, AI can leverage spear phishing at a much greater scale, with brute force password testing and the like.
On the social engineering side, if you just take a simple example you can mimic people’s voices. Now in such a way that you can track the language specifically that they’re using. So the CEO is deemed to leave a voicemail for example that literally uses the CEO’s language, taken from public statements for example and it’s left on the CFO’s voicemail to wire a certain volume of funds or something along those lines. They’re just that kind of basic disinformation campaign can get extended more broadly.
JK: So you’re talking about deepfakes being used on a smaller scale, to potentially disrupt a business.
PB: The other place we wanted to go was briefly on the CIA triad. The C is confidentiality. I is integrity. A is availability.
And so confidentiality we have clearly seen myriad examples of the breaches in which confidential data then becomes public. Availability. We’ve seen myriad examples of that now where malware like Petya is essentially a form of a ransomware attack and the availability of your systems is just shut down. The place that we are seeing increasing and potentially potent examples is in this integrity area.
Take the operation of a nuclear facility, for example. There are obviously temperature controls on that nuclear facility and if you can start using AI and machine learning to penetrate the defenses and simply manipulate the temperature gauge on the cooling systems, all of a sudden you can set into course a series of events that could be quite destructive.
The hackers are quite astute at the second step of this, which is there are obviously override systems and safety shut off systems and they use software, again the software the names are instructive, Crash Override for example, where they basically figured out how to disable the safety or shut off valve system — and those are examples in the Middle East.
There have been concrete examples where hackers have penetrated the electrical operations of a large energy company and done precisely that: manipulated the controls and then manipulated the shut off systems.
JK: Are those live threats?
AM: What Peter has described is absolutely possible. In the example of the nuclear attack facility, depending on the network configuration and how it’s designed, you may have that risk of an attack from the outside. But that is absolutely certainly possible from an insider threat perspective as well.
PB: Do you think the insider threat is greater or the outsider threat? What do you see at the Bureau?
AM: We’re obviously more engaged on attacks that are being perpetrated by outsiders from any one of the typical bad cyber actors, from the nation states all the way down to the hacktivists. But we are very concerned about the insider threat as well, especially when we pause to consider some of the things that the insider can be responsible for. From a business perspective, the insider whether that insider is acting intentionally or unintentionally, can be responsible for the theft of intellectual property or trade secrets, can be responsible for economic espionage or even just internal fraud, which creates a slew of issues for the company.
PB: If you think of something like the NSA, you know the big breaches of data at the NSA. How many had been caused by insiders and how many have been caused by outsiders? And so there really is a divergence of views in the space about where the greatest threat is. One of the things that we’re intrigued by is using external data feeds to try to assess the company’s vulnerability. So for example if your Glassdoor rating is quite poor, the workforce views the management in quite a negative light. That is an indicator that the insider threat at that institution is greater than at a place where the institution happens to be well-regarded by the workforce. So there are a lot of these data inputs that can essentially drive the strategies that you try to develop.
AM: I mean with the NSA it was good to point out the very thing you mentioned, that some of the most significant data breaches that we’ve seen, at least from the government perspective, are a lot of these insider threats, whether it’s the Edward Snowden types of the world that have taken really highly sensitive information, you know, from the inside and published it out. So that’s why it’s considered, from the government perspective and the national security perspective, a very significant threat, but also from the corporate perspective a significant threat as well.
JK: If we could jump back to the data harvested by internet connected devices and how that will be further enhanced by 5G. I wonder if you could just talk to that a little bit more.
AM: There are estimates out there that say by the end of 2019, we’ll have 500 zettabytes [thanks to the Internet of Things] per year. So that is a ton of information. We can see how the increase in the information is going to be exponential as opposed to linear. So 500 zettabytes this year is going to be who knows what in three years from now. And that becomes an extremely difficult problem to solve when we’re discussing huge amounts of information.
The warehouse example that we used in terms of efficient movement of the various components in your supply chain, that’s going to add value if we can eliminate wasted time or loss of product. But we need to sort of use the AI and conduct a deep technical analysis that I mentioned to extract those bits of information. So then the next question becomes how is AI going to help us analyze that information. So AI is going to be very valuable in that respect.
PB: One other way to think about it is where are the areas that public and private partnership is working most effectively. I’d say big picture it’s financial services, defense, industrial base, and really the telecom providers, and as 5G becomes more pervasive, and really the new standard, the role of the telecom providers and other infrastructure, their role and the importance of a collaborative and effective working relationship with the Bureau, with the Department of Homeland Security, with various government agencies, obviously is going to increase markedly.
JK: There are very serious conversations going on in America and across the world indeed about how Huawei contributes to 5G networks. The technical infrastructure that goes into creating 5G networks, how careful do governments have to be about who is contributing to that infrastructure?
AM: So I’m not going to touch on it as it relates to Huawei, so there’s no comment with regard to what they’re doing with regard to establishing the infrastructure in many countries across the globe some on which the 5G will ride on.
I think though the question about how careful governments need to be with regards to their technical infrastructure is a fair question and my answer to that would be they absolutely need to be very critical about what that technical infrastructure is going to look like because not only do their citizens rely on it to communicate, their corporations to conduct business, but also for the government to function.
So when we look at it from that perspective and when we acknowledge the risks associated with that type of technology, I think it’s incumbent upon all governments or peoples or corporations to be really cognizant of what the technical infrastructure looks like, what the security mechanisms are associated with, and whether or not reasonable considerations and decisions are being made with regard to who is going to provide that.
JK: It’s very much on the record that the US does not want Chinese involvement in the 5G infrastructure because of concerns over spying. The US government is being very bullish about this at the moment.
AM: I would refer you to the comments made by the director [Christopher Wray]. So I don’t know that I can say anything different. I agree with what the director has said but for a specific response, I’d refer you to director Wray’s comments.
PB: And then just going in a slightly different direction. You know we’re talking about the infrastructure of the internet. There obviously are infrastructures to a whole array of critical services that are vulnerable.
The article that we wrote on the water supply system for example, obviously the electric grid and the like. And what’s quite fascinating is really how the public and private intersect in those roles. What’s the percentage of that infrastructure that is really owned or managed by the private sector? In the US it’s quite high; in other countries around the world, that percentage is really markedly different.
And so part of I think what Ari and the Bureau are doing so effectively is being this engaging actor, as opposed to the traditional law enforcement role. Of really having a significant part of their mandate be reaching out into the business community.
JK: When you’re doing press events and you’re speaking at conferences is that something you have in mind, Ari?
AM: Absolutely. And I don’t know that I could have found a better partner in that than Peter Beshar, because Peter is a big advocate, a proponent of not only helping the FBI but really trying to change behavior in corporate America and understanding the value that engaging with law enforcement brings to the table, and particularly engaging with law enforcement prior to an actual bad event.
PB: Just one other quick thought on the US versus Europe on this point. So 85% of critical infrastructure is owned and operated by the private sector in the US. Ari and others have I think made really significant strides in trying to lessen the chasm that can exist between government and industry.
If you go to your side of the Atlantic [in Europe], there’s obviously a much more profound sense of the importance of privacy, that privacy is a fundamental human right. I don’t know what percentage of critical infrastructure in Europe, for example, is owned and operated by the private sector.
But if there is this more uneasy relationship between government and industry in Europe, it will potentially complicate the process of figuring out how to share threat intelligence in a credible way and really learn from the latest forms of attack so that the collective security of the continent is stronger.
JK: Does Brexit worry you in that regard that the UK might be a bit more cut off in terms of sharing intelligence?
PB: Brexit worries us on multiple fronts. Cyber is perhaps not the highest of them.
JK: There’s been a lot of talk about encryption recently and many companies are looking at increasing encryption and making sure that messages remain private between different users. Is that something you consider a good thing?
AM: My position with regard to encryption hasn’t changed over the years. Personally and professionally, we in the FBI are in favor of encryption. We have never said we are not in favor of encryption. It is good.
It becomes an issue when we now think of privacy and security related issues and whether or not law enforcement can do its job in terms of conducting a thorough investigation. So for every device where access is limited due to encryption, though despite a lawful order to gain access to that device as evidence in a crime, that potentially represents a victim who may not see justice.
And so there is a conversation to be had by legislators and by corporate America to figure out what the right balance is between privacy and security. So in short, encryption is good. But there is a conversation that needs to take place between the two competing interests to find that proper balance.
JK: That conversation is ongoing I presume? It’s a big issue, isn’t it? It’s a topic that is only going to get more complicated as technology advances.
AM: Absolutely. That conversation has been and continues to be ongoing at the very most senior levels of the FBI. Engaging with their counterparts in private industry.
PB: One way to think about it is that there are three strategies that a lot of experts believe companies and others should be pursuing. Encryption is one, within that there’s encryption at rest and encryption in transit. The second one is multi-factor authentication, not just a single password but something else. The third is the patching of known software vulnerabilities.
So the authority the New York Department of Financial Services in New York State, for example, really put out a landmark piece of legislation essentially directing people to either embrace encryption or to be able to articulate very clearly an annual certification — why you’re not able to meet encryption by particular timetables. And so the notion that we are clearly moving towards a world where encryption will become more pervasive, governments will be more emphatic about requiring it of industry for example and perhaps of themselves.
JK: Where do you come down on the debate that encryption means it’s harder for the security services and law enforcement to get access to evidence which can help bring people to justice?
PB: And I just don’t have a view on it, it’s really a law enforcement issue. There is a balance between privacy and security. What I’m struck by is that the balance in Europe clearly has been towards privacy when the GDPR went into effect in May of 2018.
There was a lot of criticism in the United States about Europe’s over-emphasis, alleged overemphasis on privacy, and what I think you’ve seen really in the 10 or 12 months since the GDPR became effective is that the sky didn’t fall in Europe and that the focus on privacy in the US has become markedly stronger. The new California law that will take effect in 2020 is a manifestation or a mini GDPR.
JK: The big tech companies announcing that they would welcome federal privacy regulation – is that something you have a view on?
PB: As the general counsel of a large company, I would say that right now I think there are over 50 different breach notification regulatory regimes in the United States, there are 47 states that have their own rules, there are counties and municipalities that then layer on their own systems on top of that. That’s obviously a very complex patchwork of rules and regulations that companies and others are trying to honor. Were there to be some sort of a more consistent federal system that everybody could agree, that would probably bring greater consistency and order to the process.
JK: Do you think that the advent of 5G is going to make the US and other countries more vulnerable to cyber attack?
AM: Yeah. I mean if we look at it very simply with regard to the attack surface. If we go from 20 billion to 30 billion devices that attack surface increases by 10 billion devices. Each one of those devices that are not properly secured because manufacturers are concerned with trying to market as opposed to security then that creates a broader landscape. One of the things to keep an eye out for is not only IoT devices in the classic sense but the operational technology devices that are going to be tied into you know more significant manufacturing processes or system processes building management systems, things like that.
PB: We’re engaged in a race without a finish line. And every year that you’ve been covering this space, that Ari and I have been working in this space, 12 months later has been worse. With the advent of these significant new technologies, 5G and AI, clearly malicious actors are going to be weaponizing those tools, just as benevolent actors are trying to utilize them to enhance our collective defenses. And so whatever has been the range or the ambit of potential damage that people think is credible it just seems year on year that that grows in significance. It is not at all fanciful to say that significant disruption in society, damages in the tens of billions of dollars are all credible outcomes of the next several years as the threat intensifies.
Cyber is a unique threat that poses a threat to both government and industry. Both sectors have been breached repeatedly. Neither one of us is immune. And so just uniquely in our recent history this is a threat that to be confronted credibly requires a greater degree of collaboration between government and industry than we’ve seen before.