Cybersecurity

There have been many important milestones in the history of the cybersecurity industry. Noteworthy events include the release of the first malicious software program, the emergence and use of artificial intelligence for both positive and negative purposes, and new laws and regulations to fight cybercrime and increase the number of workers in the field.

The First Worm—and the Beginnings of Cyber Events that Affect the Public

In 1988, a Cornell University graduate student named Robert Tappan Morris released the first malicious software program (later called a worm) onto the Internet. The program caused an estimated 10 percent of all computers connected to the Internet to fail. Morris was indicted and received the first felony conviction in the U.S. under the Computer Fraud and Abuse Act. It was determined that Morris had no malicious intent (he released the worm to attempt to gauge the vastness of the Web). Morris received three years of probation and was ordered to perform 400 hours of community service and pay a $10,000 fine. Today, Morris is a university professor and a wealthy tech entrepreneur, and attacks by worms and other types of malware cost billions of dollars in damages each year.

Artificial Intelligence and Cybersecurity

The first step toward artificial intelligence (AI), or machine learning (ML), as we know it today occurred in 1943, when Walter Pitts and Warren McCulloch, two University of Chicago researchers, conceived of the first neural network. IBM describes neural networks as computer systems that “try to emulate the human brain, combining computer science and statistics to solve common problems in the field of AI.” The work of Pitts and McCulloch prompted neural network research into the biological processes in the brain and the application of neural networks to what would eventually be called artificial intelligence. In 1956, John Clifford Shaw, Allen Newell, and Herbert A. Simon of the Rand Corporation created a computer program called The Logic Theorist. It was the “first program deliberately engineered to mimic the problem-solving skills of a human being,” according to Jeremy Norman’s HistoryofInformation.com. A mathematics professor named John McCarthy first coined the term “artificial intelligence” in 1956 at the Dartmouth Summer Research Project on Artificial Intelligence workshop. In his plan for the workshop, McCarthy stated that the event was “to proceed on the basis of the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it.” In the 1960s and 1970s, the U.S. Department of Defense began training computers to mimic basic human reasoning.

The emergence of Big Data collection and analytic techniques, improvements in computing power and storage, the creation and use of advanced algorithms, and the development of deep learning techniques have fueled the expanding use of AI in a variety of industries—including cybersecurity.

AI is used for both cyber defense and to commit cybercrimes. Positive applications include vulnerability management; intrusion detection and prevention; phishing, malware, and other types of fraud detection; threat hunting and intelligence; network security and traffic analysis; Web and domain name system filtering; and the automation of some security tasks to save time and reduce costs. Negative uses include spear phishing and other types of social engineering attacks, forgeries (including the creation of deepfakes and other potentially harmful synthetic media), password cracking attacks, and generating malware at a faster pace than it can be detected. Positive uses of AI can be co-opted by adversarial AI programs for malicious purposes. For example, Accenture reports that adversarial AI “causes machine learning modules to misinterpret inputs into the system and behave in a way that’s favorable to the attacker.”

“While AI and ML in cybersecurity offer potential for a future of greater threat protection and resilience, this new dawn is certain to expose fresh challenges,” advises zvelo, a provider of cyber threat intelligence and Web content classification data services. “In particular, ethical considerations, concerns over automated systems, and the threat of AI-powered malware and increasingly complex cyberattacks demand careful attention. In the end, balancing the power of technology with the wisdom of human oversight will be key.”

The National Institute of Standards and Technology (NIST) issued the Artificial Intelligence Risk Management Framework (AI RMF 1.0) in January 2023. It describes AI RMF 1.0 as a “guidance document for voluntary use by organizations designing, developing, deploying, or using AI systems to help manage the many risks of AI technologies.” (AI RMF 1.0 can be viewed at https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf.) In late October 2023, President Joe Biden issued an executive order regarding “safe, secure, and trustworthy artificial intelligence.” Much of the Biden administration’s executive order is based on AI RMF 1.0. It empowers the U.S. Department of Commerce (NIST’s parent agency) with playing a major role in implementing the directives. Despite these efforts, comprehensive federal data protection and privacy legislation still does not exist in the United States. “The executive order only calls on Congress to adopt privacy legislation, but it does not provide a legislative framework,” according to the PBS News Hour. “It remains to be seen how the courts will interpret the executive order’s directives in light of existing consumer privacy and data rights statutes. Without strong data privacy laws in the U.S. as other countries have, the executive order could have minimal effect on getting AI companies to boost data privacy.”

The National Cyber Workforce and Education Strategy Seeks to Address Critical Worker Shortages

The cybersecurity industry is facing a severe shortage of skilled professionals. Nearly 1.5 million cybersecurity workers were employed in the U.S. in 2023, according to ISC2. But the industry association reports that there was a shortage of more than 1.3 million workers in the United States. A shortage of cybersecurity professionals increases the level of risk to companies and other organizations, as well as creates stressful work conditions for current employees.

Industry organizations, government agencies, and other entities are creating programs and initiatives to address these shortages. In 2023, the Biden Administration unveiled the National Cyber Workforce and Education Strategy (NCWES), which seeks to address both immediate and long-term cyber workforce needs. The NCWES has four main pillars:

1. Equip Every American with Foundational Cyber Skills by making foundational cyber skill learning opportunities available to all and educating people about career options
2. Transform Cyber Education by building and improving cyber education at all levels, expanding competency-based cyber education, and making cyber education and training more affordable and accessible
3. Expand and Enhance the National Cyber Workforce by adopting a skills-based approach to recruitment and development and increasing access to cyber jobs for everyone, including underserved and underrepresented groups
4. Strengthen the Federal Cyber Workforce by communicating the benefits of cybersecurity careers in public service, reducing hiring and onboarding barriers, attracting a more diverse federal cyber workforce, and improving career pathways in the federal cyber workforce

While it’s too early to gauge the effectiveness of the National Cyber Workforce and Education Strategy, industry experts believe that, if fully implemented, the initiative will greatly increase the number of people who pursue careers in the cybersecurity industry. It’s also important to note that such initiatives are only as strong as their backing by the current presidential administration. Future administrations may eliminate or reduce funding of the initiative, which could cause employment gains to be reversed.

More information about the initiative can be found at https://www.whitehouse.gov/wp-content/uploads/2023/07/NCWES-2023.07.31.pdf.

New Rules Affect Public Companies and Cybersecurity Industry

In response to rising rates of cybercrime, the U.S. Securities and Exchange Commission (SEC) adopted new rules in 2023 that required publicly traded companies to disclose cybersecurity incidents (including, but not limited to, data breaches) within four days after determining they are serious enough to be important to investors. They also are required to periodically detail their efforts to identify and manage cyberthreats. The rule allows for delays if the U.S. Department of Justice deems it necessary to protect police investigations or national security. “The introduction of this new SEC rule signifies a paradigm shift in cybersecurity…organizations must get started in gearing up for a new era of increased transparency and accountability,” says Avani Desai, the CEO of the consulting firm Schellman at the organization’s Web site. Opponents believe that the new rules are unnecessary because existing requirements already address these issues. Others believe that the new rules place an onerous regulatory burden on companies, and some believe that they could offer a roadmap to cyber criminals regarding the company’s tech vulnerabilities. Although it’s too early to gauge the long-term effects of the SEC rules, it’s likely that additional cybersecurity compliance professionals will be needed to analyze and write reports on incidents and summarize their organization’s efforts to identify and manage cyberthreats.