Date: 2025-10-27

Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency (CISA), has used the last couple of weeks to spread her idea that AI could spell the end of the cybersecurity industry. Why?

Both in the pages of Foreign Affairs and at AuditBoard’s user conference “Audit and Beyond,” Easterly claims that AI might soon be able to fix vulnerable code and software so fast that we won’t even need cybersecurity teams anymore.

According to Easterly, the threat landscape has never stopped evolving. Since data, platforms, and devices are proliferating, the attack surface has also expanded massively.

If cybercrime were a country, it would be the third biggest in the world, just behind the US and China, Easterly said. Indeed, threat actors from Russia, China, Iran, and North Korea regularly attempt to disrupt Western systems – hacks and leaks are everywhere.

The ex-CISA head admits, “America’s digital defenses are failing.”

However, Easterly explains that a key truth is actually overlooked.

“The United States does not have a cybersecurity problem. It has a software quality problem. The multibillion-dollar cybersecurity industry largely exists to compensate for insecure software,” wrote Easterly in Foreign Affairs.

To Easterly, it seems that software vendors have always prioritized speed and lower cost over safety. That’s why software is “bad” and ridden with vulnerabilities.

For example, China’s People's Liberation Army is relying on flaws in routers and other network devices rather than exotic cyber weapons to lay the ground for a full-scale attack in the event of war against Taiwan.

Now, AI also helps bad actors spot these flaws more quickly. The technology also assists cybercriminals by creating stealthier malware and “hyper-personalized phishing,” Easterly said at the AuditBoard conference in San Diego.

But AI can – and does – also help the defenders. Soon, Easterly hopes, advances in AI will make it possible to secure code at scale – transforming the economics of software safety by rapidly finding and fixing defects, repairing legacy code, and helping to build products that are secure by default rather than endlessly patched after the fact.

“With the right incentives and the responsible development and use of AI, cybersecurity as we know it could end – not because the threats disappear, but because our technology finally becomes resilient enough to withstand them,” she said.

Overly optimistic? Probably. After all, most breaches today aren’t the result of bad code: they’re the result of bad assumptions and practices, as Harry Hoffman, Northeastern University’s chief technology and security officer, puts it.

“Attackers don’t need new exploits when they can live off the land, use built-in tools, manipulate trust, and pivot through the gray areas between systems,” said Hoffman in a comment replying to Easterly’s ideas.

