On this episode of the Zero Hour Podcast, we talk to Jon Bateman, a fellow in the Cyber Policy Initiative at the Carnegie Endowment for International Peace. We explore Bateman’s experience as an intelligence officer and talk about the major cybersecurity issues of our times. In particular, we discuss the dangers of emerging deepfake technology for financial services, and the legal precedents being set as the result of the infamous NotPetya malware attack.
Deepfake Technology Risks for Financial Services
Facing up to Global Malware and Deepfakes
Podcast hosts George and Ashley discussed the topic of synthetic media and deepfake technology with Bateman. He shared his expertise on the subject, having written a paper about the threat scenarios for financial services.
“It's the use of artificial intelligence and machine learning to fabricate media content or to alter media content. So we're all familiar with traditional forms of media manipulation that have existed for decades or even centuries in some cases. You can splice videos together. You can airbrush someone out of a photo. You can forge a paper document,” Bateman explained.
“What synthetic media is is the application of AI algorithms to this. Creating new types of digital deception that either weren't possible before, or required resources that most people didn't have.”
Deepfakes are deeply concerning in the disinformation age. These AI-generated media rely on algorithms that can synthesize deepfake images of people and fictional objects, and even write bogus text that imitates human writing. In his Techdirt article, Bateman delved deeper into the adverse impact of deepfake technology on financial services:
“Deepfakes have inspired dread since the term was first coined three years ago. The most widely discussed scenario is a deepfake smear of a candidate on the eve of an election. But while this fear remains hypothetical, another threat is currently emerging with little public notice. Criminals have begun to use deepfakes for fraud, blackmail, and other illicit financial schemes.”
Cyber culprits could combine these two techniques to create seemingly authentic, albeit fake, social media accounts. With AI-generated profile photos and AI-written posts, deepfake software can create fake accounts that could easily pass as human and earn real followers.
“We've already been seeing the use of synthetic photographs by intelligence services, and these shadowy online influence actors, in order to create fake social media accounts. So that's just a small piece of this that's already being used in the wild by some more sophisticated actors,” said Bateman.
Bateman believes that the continued proliferation and democratization of this technology is highly concerning.
“We're talking about software becoming more user-friendly. Processing power becoming cheaper and more accessible. We're also talking about better algorithms being developed that are more convincing and require less training data to work.”
When asked about how CISOs can handle such threats, Bateman said they don’t necessarily have to become experts in deepfakes and ransomware. “Cyber issues and digital threats should not be confined to a specialized cadre of information people somewhere in your company. Ultimately they're all risks to the pillars of your company, whether that's cashflow, goodwill, access to capital,” Bateman explained. “If you can start to think about cyber and informational threats as business risks, then it becomes clearer that the CEO and the board need to take ownership of these issues.” He reiterated that it’s important to supervise these issues more intensively and create a more agile structure.
Microsoft recently developed a tool that could spot deepfakes. But while detection tools are improving, so is deepfake technology. Bateman believes a combination of technology, institutional changes, broad public awareness, and education is a sustainable solution.
Designing Cyber Capabilities for the US Military
Bateman previously served as director for Cyber Strategy Implementation in the Office of the U.S. Secretary of Defense. He developed the first comprehensive policy for military cyber operations and helped to establish a unified Cyber Command to protect against any possible cyber attacks on the U.S. government.
“That was a fascinating journey into understanding some of the most complex and sophisticated threats in cyberspace, and how they intersect with geopolitics,” Bateman recalls.
“I spent some time at the Pentagon as well, trying to develop the US military response to these threats, including the US military's own cyber capabilities.”
Bateman also co-founded the central oversight element for all defense cyber activities, the secretary’s Principal Cyber Advisor Staff.
There have been numerous cyberspace attacks in the past decade, but Bateman believes we still haven’t seen The Big One.
“There's more and more risk accumulating in the system, whether it's distributed risk like ransomware, or systemic risk such as malware like WannaCry or NotPetya. It’s more of a monoculture, that could create accumulated catastrophes across the world in a single incident.”
As more and more of human life is transferred online, more assets are at risk. “Cyber risk has more of an impact on individual human lives. We just saw the first documented death caused by a cyber attack,” he continued.
“The NotPetya attack was so big that I think the insurance industry and its customers learned some uncomfortable lessons. They learned that cyber risk is simply bigger than we thought it was before, and it's more likely to be aggregated or accumulated across many victims at the exact same time.”
You can listen to the podcast episode here; it is also available on Stitcher, Apple, and Spotify. The Zero Hour Podcast is the intersection of information security and business innovation. Learn from industry experts in cybersecurity, marketing, and business management. We talk about the challenges and opportunities that come with new technology.