Transcript
and information for protecting against today's cyber threat landscape. I'm your host, Rebecca Craddock, and I'm delighted to welcome back today's guest. Drawing from his deep programming and software engineering expertise over the last nine years, my guest has overseen the rapid evolution of not just Armis, but its core platform, Armis Centrix. Broadening Armis' custom offering from early days of advanced asset intelligence and visibility to vulnerability management and remediation, and more recently, early warning threat intelligence capabilities, Armis Centrix is recognized as the most complete platform for cyber exposure management on the market today. My guest is, of course, Nadir Israel, CTO and co-founder of Armis. Nadir, welcome back to Bad Actors. Thanks for having me here. I'm excited. So another year has passed. This is our third cyber warfare report, and this year entitled Warfare Without Borders, the AI arms race. So the headline stat, inevitably, little surprise, an acute rise in AI powered cyber threats, which I think we actually predicted last year. Could you elaborate on how AI is actually transforming the nature of cyber warfare and what actually this will mean for global security? Of course. First of all, yeah, as the kind of title mentions, it's actually an arms race, and the idea of warfare without borders also has deep roots into what we're actually seeing. So AI, I think, is transforming the entire cyber warfare space in a number of very interesting and specific ways. First of all, it is supercharging the scale and sophistication of attacks for the existing players. I think it shouldn't surprise anyone that some of the world's leading nation states and some of the superpowers out there have a leg up when it comes to both leveraging AI as well as researching and developing novel methods of using it that way. I think that AI over the last 12 months has evolved dramatically. I think that with the current notion of anything from MCPs to other frameworks of how to allow AI to use APIs of different products, leverage and perform actions, things like that, that's just the tip of the iceberg of what's happening in the back end for some of these leading nation states and their development of offensive and defensive AIs. So first of all, the technology itself has evolved dramatically and supercharged from a scale and capability perspective what those nation states could already do. The second thing, though, is that AI is lowering the bar for different organizations, be it nation states or affiliated organizations, to enter this race where before they couldn't. If you roll back time a few years, being a significant power within this space required expertise, required people, required experience. These days, the more AI develops, the more AI becomes the main area or the main platform of use. It lowers the bar of entry for organizations and nation states that we've never even heard about, maybe, let alone seen them in a prominent place in this arena. So AI, the second point is that it's lowering the bar, and that's really also where the warfare without borders somewhat comes as well. The more threat actors there are out there that can leverage AI effectively, the more it makes them just a significant player in the space. And the last thing I'll say is the AI platforms themselves. And this goes a little bit into some of the predictions into the future. But if you think about today's use of ChatGPT or any one of the equivalents, most people in the last couple of years have become accustomed to using them as their sidekick, as their assistant on a regular basis. This means that these assistants often know things that no one else knows about you. They know things your spouse doesn't know about you. They know things your workplace doesn't know about you. And even if it doesn't appear that way to you at the moment, the ability for these AI agents to build a model of who you are, to build a very successful campaign against you for phishing or for anything else, to do a lot of very nasty things is significantly improved. Now, during this coming year, I think that that paints a huge target on these organizations. And we might never know that a compromise ever even happened. At the end of the day, we see what the FBI is saying about how well entrenched and infiltrated China is into a variety of different systems within the United States. It is not inconceivable that that would be the case with some of these leading AI vendors as well. And I think that that becomes a very frightening and interesting attack surface for organizations and for individuals. And I foresee a lot of that. I mean, we see the beginning of that, but I foresee a lot of that being the target over the coming years. And I want to talk a bit about the skills gap and sort of the use of AI technology in a positive way later on. But I think one of the things, to your point, 85% in the report, 85% of IT leaders reported that their traditional security measures had been breached. So what you're saying about this increase in the tools that they're using, you know, has already happened. 85% is nearly 100. So everybody is understanding that this has now been breached. To your point, China is widely known, you know, other nation state bad actors have been operating probably at the similar scale. What are the current inherent weaknesses of current cybersecurity frameworks that we need to sort of really focus on for the next year and years to come to try and stop some of this attack surface manifest and get bigger? Well, there are a lot of different weaknesses. But I think that fundamentally, when you think about the current frameworks, the biggest weakness of all that is pervasive across all the different frameworks is that there is an underlying assumption, implicit or explicit, that it's a team of humans fighting a team of humans. It's inherent in the assumptions about the scale of attacks. It's inherent in the assumptions about what's feasible to actually fix with a team of humans who need to go fix things. And it is highly oriented towards a combination of defense in depth and an idea that detection and response can solve at least part of the problem, if not the majority of the problem. All of these are fallacies in the world of AI. And that's why I think all of these IT leaders believe that all of these traditional security measures can be bypassed by AI. To your point, it's nearly 100%. So why is that? Because AI has the scale and sophistication of some of the best cyber offense teams out there. And it's not limited in the sense of how fast it can operate and how vast it can operate. As an example, most organizations have millions of vulnerabilities within their environment. If you're looking at a large enterprise, most security frameworks go as a sort of best effort, prioritize that list, understand that list, work off of it as much as you can to be successful. Now, that's good in theory. And if you think about an offense team that's also a bunch of humans, then it makes sense because they too cannot actually enumerate over millions of vulnerabilities. They will probably pick some of the kind of higher criticality ones and try to use them. The problem is that AI can not only leverage, let's call it bottom of the list vulnerabilities and build a successful attack chain that can get them into and inside of an organization, it can also combine attacking both the systems as well as the human element very successfully. An AI attack platform can rattle the fence in one side of the house and then send exactly at the right timing, the right two-factor authentication message or something to a security professional that would be expecting exactly that and trick them into giving them access. They can do a whole host of increasingly sophisticated attacks based on feedback loops of what works and what doesn't. And this is not science fiction. This is very much science fact. And I think that the only good thing about this stat is that it seems that most leaders understand just how flawed the current approach and frameworks are. And it gives me and us, I guess, hope that this can be overcome in the future. Yeah. Yeah. I think it definitely shows more awareness of the issue, maybe not the full fix of how to address it, but definitely better awareness than maybe was perceived in our last report. I think just parallel before we move on, there was another stat that stood out, which was 75, so slightly less, but 75% of the same IT decision makers believed that cyber warfare was actually targeting democratic institutions. So we know obviously a big election year was in 2024 in the US and many countries in Europe. If that is true, and as you say, science facts, most likely, how do you think these attacks manifest specifically in that threat vector? And what are the broader implications for society, if that is indeed happening? Well, first of all, this stat makes perfect sense to me in the sense of, it's not that I think that most cyber warfare attacks are targeted specifically at democratic institutions, but in the context of democratic institutions being attacked by nation state actors, for sure. I mean, why wouldn't they? I think that if I put myself in the shoes of a nation state, a superpower otherwise in the world, this is an incredibly cost effective way of waging war in order to change diplomatic outcomes without doing almost anything. I think that unfortunately, the implications of today attacking through cyber warfare, if you're not causing damage at a wide scale, or otherwise putting people's lives in danger, the implications of getting caught, quote unquote, is very small. I think that the reality is you get a slap on the wrist at best. And I say this because we are clearly experiencing and seeing that all around us. And yet, none of these constitute an act of war the same way as other things happen. But if I'm China, or Russia, or North Korea, or Iran, and I'm thinking, how do I make my life easier? How do I change the game in the world in a way that is the most cost effective I can possibly imagine? Attacking the democratic institutions, attacking things like elections, attacking the mindset of Western society that makes these decisions and elections makes perfect sense. This is exactly what I would do if I were them. And in fact, these things do happen. Some of these don't happen directly by attacking ballots, for instance, or things like that. Some of these happen by spreading misinformation, by doing a lot of other social engineering, and other types of psychological warfare. But the reality is, all of these are part of the same manifold. And especially in a world where AI can leverage each and every one of these different points at the same time, you can't really separate these elements one from another anymore. And they're all part of one campaign that is meant to ultimately change foreign policy and wage war in a way that doesn't trigger the usual responses that we're accustomed to. Yeah. So then, I guess the question is, if AI and technology, AI technologies are being used as a aggressive tactic, how can we then flip it on its head and use the same technology in a more proactive way for defence and, you know, innovation that changes the game for everybody? How do organisations implement that way of thinking as opposed to defence and reaction? So that's where I get very excited and optimistic and where I think we all should be looking to and we all should be thinking about. So first of all, let's assume for a second that we had an all-powerful defensive AI that kind of governs security and does everything for us, the way that we're sort of imagining in our fantasies. What are the pros and cons of that? First of all, the huge advantage that this AI would have over any kind of offensive AI is a home court advantage in terms of data. Presumably, that AI would have access and understand all of the weaknesses within the entire organisation. It would know of those millions of vulnerabilities. It would understand which of those vulnerabilities would be useful to an attacker. It can place itself into the mindset of the attacker and run its own version of a penetration test, but in a way that we cannot even imagine today. In a way that can look at all the different paths and create ultimately a thesis of what should be done about them. Not only that, it can successfully parry and attack a variety of different approaches by understanding and monitoring everything that could go along those paths. Now, it's not an end-all be-all. It's not that it's an all-knowing AI and it will have its own blind spots, but presumably, statistically, way less blind spots than an attacking AI that doesn't have the benefit of understanding all this information from the inside. The second thing is that that AI would be able to augment the existing teams within security to do that much more. It would amplify orders of magnitude, the amount of work and their success in repelling attacks and shoring up defenses. Each security individual could presumably be worth 100 security individuals through the use and scale of such an AI. The biggest issues to me of using this approach and the biggest things that we'll have to get over, both psychologically as well as practically, is we would have to give a great degree of autonomy and automation to this form of AI, which means that we would have to change a lot of the paradigms of how we go about doing security today because today, it's extremely common with organizations to have a human in the loop in any kind of decision made within an environment. The second thing is, we have to take into account that that AI can be tricked and that AI can be hacked, just like any other system. It's a matter of balancing the risk versus reward of this. I think it's hands down very clear what needs to happen, but it doesn't come without any kind of risk and we will start seeing those forms of attacks as well. That partnership, you touched on earlier the skills gap that's required to use technology to that degree. In the report, the data pointed to only half of IT teams feeling they had the necessary skills. How do we make up that knowledge gap? We leverage AI, we go into a partnership with humans and AI to combat the threats, but how do we then keep that knowledge gap diminishing so that the staff and the teams can really leverage it for better use? I would ask myself first, what even are the necessary expertise to implement AI-driven security solutions? I would argue that that book is being written in front of us right now by security individuals who all feel like they're ill-equipped to do this. Same for security vendors who I think all feel like they should be moving faster and should be doing more in this space. I think the reality is we're a product of our own generation and the people who are in the different IT teams and security teams will develop the necessary skills because that's the mandate of the hour and that's what we're doing right now. That book is being written as we speak. Now, realistically, I think security vendors have a huge part to play here in making the expertise, tools, platforms accessible to people who obviously don't know a whole lot about how to leverage this. Things need to be very simple, very easy, and if anything, I would say that the access and the ability to use these products should be actually easier, simpler, faster than the current tool sets and the current things that require lots of training. But as things develop, the promise of AI, especially LLMs and the type of agentic AIs that are being built right now, is to crowdsource the understanding of also those expertise, those playbooks, and reiterate them back to folks. I think the power of something like ChatGPT today isn't just in the ability for you to ask questions. It almost is predictive and prescient when it comes to how it can think about what you actually wanted to know and what you actually wanted to do. So, in short, I would say that the half of people here that think they do know that expertise would actually help the other half inadvertently, if implemented correctly, understand what to do. Yeah, and I know, I mean, just working in Armis, you are at the forefront of driving that capabilities within our own teams, and not just in IT development and R&D, but across different divisions. We're starting to embed AI technologies in absolutely everything we do for the greater speed of supporting our customers. So, I know it's very top of your mind and it's definitely an exciting playbook that we're all part of developing. Taking a step back, we always talk a lot about cyber warfare and some of the threats that we're experiencing. On a different note, what do you worry about the most? What keeps you up at night at the moment? I think two things. One is that there is still a huge gap between how advanced AI is on the attack and offense front versus the defensive front. And my fear and concern is about that gap and how to close it as fast as possible before a cataclysmic event happens in the meantime. I think that if we roll back time five years, COVID times and slightly after, we saw a huge uptick in the amount of ransomware and the damage that that has done. Now, it's been curbed to some degree by security tools evolving as a result, but there was a lot of damage that happened in the interim. I think the potential for the amount of damage that can happen here is orders of magnitude higher. And that keeps me up at night. I feel like that element in and of itself is very concerning and I don't think that there's enough visibility and understanding of just how much those areas are a discrepancy and how much of a window that leaves open for attackers. The second thing is that I feel very much that we are at the hype stage of using AI where we rely on a personal level more and more on it. And that creates a significant attack surface that didn't exist two years ago, and we are ill-equipped to protect today. Yeah, I think it's becoming obvious that the more and more people are aware of these tools and the widespread nature of them, that there's not enough maybe guardrails being put in place for that, especially in the consumer world. I think businesses are a little bit more aware, but some of the sort of viral memes that have been going around the last couple of weeks, when you create your own doll on chat.ggp and the sheer volume of data people are giving out is definitely something we should be pausing and concerning ourselves with. So if we sit down again this time next year, this will be our fourth Cyber Warfare Report. I think I know what you're going to say, but what do you hope may have happened, but what in reality do you think the data will actually show? Well, I hope that we have elevated by that point the security space, the defensive security space, to leverage significantly AI in how we both proactively manage risk, as well as reactively manage threats. I think in reality, we're not going to be there yet. We're going to be at the very early stages of this implementation, and it would have been too late. It would create too big of a gap in a window for attackers to use. The other thing I hope we will see, but in reality I'm extremely skeptical, is that I hope that we will see a level of security on some of the leading AI platforms that is equivalent to how much we trust today the big tech companies to secure our data in our cloud. But in reality, I think that there will be likely large-scale breaches of AI platforms, whether we know about them or not. And that is something that it is impossible to quantify how much of a threat that would create to people and businesses worldwide, if that ever comes to fruition. Well, I mean, it's a somber note, but I think lets you continue doing what you're doing and the rest of the cyber vendors that are working on these problems, because we have to get ahead of it, as you say, and you're alluding to the fact that we have a very finite window before this overtakes us. And it might not get to the terminator sort of horror stages, but there are going to be significant impacts for what this will entail. I know we've run out of time, but I really, really appreciate always speaking to you and catching up. And thank you so much for joining me today. I really appreciate your time. Absolutely. Thank you for having me as usual. And if you want to find out more about the report, you can visit our website on www.armist.com forward slash cyber warfare. Thank you to our viewers and listeners for joining us today. I look forward to our next episode soon. Until then, goodbye.
