The cybersecurity world has many problems to confront, but the most pressing one at the moment is speed.

The introduction of OpenAI’s ChatGPT language-based artificial intelligence engine has become a central focus for businesses and society at large as the adoption curve continues to expand at a dramatic pace. It took Instagram two and half years to reach 100 million users. Facebook needed more than four years to reach the milestone. ChatGPT was adopted by 100 million users in 64 days.

That single metric speaks volumes about the pace of change in the tech world today, and the security community has taken notice. Security researchers are scrambling to assess what mass deployment of generative AI will mean in the broader context of protecting critical systems.

“We can all hear the roar of the ocean,” Rohit Ghai (pictured), chief executive officer of RSA Security LLC, said in his keynote address at the RSA Conference in San Francisco this week. “Without good AI, bad AI will take us for a ride.”

Impact on social engineering

Alarm bells for ChatGPT began to ring in the security community months ago. Researchers were concerned not only about the tool’s rapid adoption, but its innate ability to translate basic written instructions seamlessly into powerful results as well. That has led to worries among top security researchers that generative AI could dramatically improve the ability of threat actors to generate phishing attempts that will be much more convincing.

“I believe the new developments are going to have an impact on social engineering,” said Adi Shamir, cryptographer and co-inventor of the RSA algorithm, during a conference session this week. “The ability of ChatGPT to produce perfect English to interact with people is going to be misused on a massive scale.”

Adi Shamir

The operative question at the moment is how quickly the cybersecurity industry can move to protect against the intrusion of bad AI. In a presentation at the conference on Wednesday, SANS Institute researcher Stephen Sims described how ChatGPT rejected his initial attempt to write a ransomware attack using the tool. Yet when Sims broke down the request into separate steps, such as writing encryption code and checking for a bitcoin wallet, the AI platform delivered.

In an interview with SiliconANGLE, Joseph Mlodzianowski, a security solutions architect and a longtime analyst on activity involving the dark web — the shady corner of the internet reachable with special software — indicated that he has seen a noticeable increase in conversations on various criminal forums about ChatGPT and potential use of the technology for future attacks.

“I can see it, there is a certain amount of chatter,” Mlodzianowski said. “But it was happening before ChatGPT came out.”

The security community is already moving quickly to use generative AI in creating new tools to combat exploits. The exposure management company Tenable Inc. published a new report on Thursday that highlighted four tools built using generative AI applications.

Tenable’s researchers found the use of large language models to be helpful in accelerating capabilities for reverse engineering, debugging code, improving web app security and increasing visibility into cloud-based tools.

What may ultimately buy time for the security industry is the simple fact that OpenAI’s technology is still in its infancy. Tenable’s report noted that despite its robust capabilities, ChatGPT still has limitations in what it can accomplish.

“A lot of professional threat services are going to start using this because it makes their job wildly easier to break in,” Robert Hansen, deputy chief technology officer at Tenable, said in a press briefing before the report’s release. “But this is superman as a child.”

Central hub for cybercrime

Hansen’s use of “professional” to describe the burgeoning threat landscape is not accidental. How the cybercriminal community deploys and makes money from misuse of powerful tools such as generative AI will play out in the dark web, the world’s largest criminal marketplace.

The dark web has established itself as the active central hub for cybercrime. Mlodzianowski told RSA attendees on Wednesday that there are now 5 septillion addresses on the dark web. That’s a trillion trillion.

At this scale, it’s almost inevitable that stolen data or access credentials from small to large enterprises will ultimately appear in the dark web. That has led to the rise of a number of companies that specialize in burrowing into the darkest corners to find and report problems to unsuspecting firms.

One of these companies is Searchlight Cyber, a U.K.-based firm that was founded in 2017 to provide investigative dark web products. Earlier this month, the company launched Stealth Browser, a secure virtual machine for cyber professionals to access the dark web and conduct investigations anonymously.

The need for this service underscores the growing role that the dark web is playing as the largest marketplace for cybercrime activity. “Everything is run through layers of encryption,” Ben Jones, co-founder and chief executive of Searchlight Cyber, said in an interview with SiliconANGLE. “You can buy botnets by the hour if you want to go attack somebody.”

The process for dealing with the impact of data leakages on the dark web has become a tricky proposition. When one of Mexico’s largest financial institutions, Grupo Financiero Banorte, discovered that data allegedly stolen from it has been posted on a dark web forum, the bank employed a cybersecurity firm to send a “cease and desist” letter to the forum’s administrator.

The result was a response from the forum threatening to release the bank records outright rather than selling them. “This is like asking for your information to be put out there,” Mlodzianowski said. “Don’t do stuff like that.”

The speed of activity on the dark web coupled with rapid advances in artificial intelligence point to a year in which complacency will not be a favorable option. This belief was echoed by John Chambers, former chief executive of Cisco Systems Inc. and now founder and CEO of JC2 Ventures, who spoke at an RSA keynote session on Wednesday.

“What has changed is speed,” Chambers said. “As a nation we’ve become too complacent without a sense of urgency. We’ve got to win the war on AI and we’ve got to win the war on cyber.”

Photos: Robert Hof/SiliconANGLE