Geopolitics and Gen AI: Is a Cybersecurity Storm Brewing?
-
bookmark
-
print
- Keywords:
Between the rise of artificial intelligence (AI) and geopolitical tensions, could a cybersecurity storm be brewing? The more business leaders can understand the forces driving an increasingly sophisticated cyber environment, the better that companies can protect themselves. These were just some of the topics discussed at the “Weathering the Looming Cyber Storm” session I participated in at the 18th annual Toronto Global Forum organized by the International Economic Forum of the Americas (IEFA).
The panel, which touched on pressing cybersecurity issues facing companies and governments, included:
-
Mark Fernandes, Global Chief Information Security Officer at CAE
-
Gillian Kerr, Partner, Litigation, McCarthy Tétrault
-
April Fong, Executive Editor at The Logic (Moderator)
A growing risk to consider
The greatest risk comes from nation-states, where military groups and intelligence organizations work alongside cybercriminals to deploy malicious software for political and financial gains. Ports, water facilities, energy companies and even internet service providers could be at risk.
Cybersecurity will likely become a more integral geopolitical tool. In warfare, adversaries could use cyber to impact a conflict, and, indeed, we’ve already heard rumblings of nations disabling government sites and even nuclear facilities.
AI’s soon-to-be-felt impact
Generative AI, which is a type of AI that creates new content by learning from existing data patterns, will complicate the cybersecurity sector and how businesses protect themselves. Mark Fernandes from CAE noted that one of the key threats is employees putting company information into external AI programs and bad actors somehow getting that data to use for nefarious purposes. Even with enterprise versions of these solutions, someone could, quite easily, accidentally access the public version, he said. CAE has embarked on a training initiative to ensure its people are using generative AI properly – until then, it’s restricting external usage of AI sites.
A larger threat looms, however – what Fernandes calls the “weaponization of AI.” This is when bad actors use generative AI to mimic real people, such as creating deepfake videos or replicating people’s voices. While some of this is happening today, it’s not yet occurring in a significant way, he said. That could change over the next few years as this technology evolves.
Right now, threat actors prefer to use the path of least resistance to commit crimes, and AI is still too complicated for them. That will likely change, though
To that end, we’re finding that AI can be an effective tool to prevent fraud. For instance, in one situation, a person called our call center saying she was a new customer and the ATM she was using was not working. An AI model we created creates a risk score for calls between zero and 100, where 100 is fraud. In this case, the model suspected fraud, so we told this person to find her nearest branch. A short time later, the AI model detected the voice of the same caller, except this time claiming their cheques were locked up. We may not have caught this person without the AI.
Prepare for a potential attack
However, now is the time to prepare your business for a potential attack. As we say in the cybersecurity world, it’s not a matter of if an attack will occur, but when. Gillian Kerr from McCarthy Tétrault’s Litigation Group pointed out that she is often brought in after an issue arises. Instead, she advised that companies should talk to lawyers as they create a security plan. She also suggested that companies should identify the internal and external providers potentially needed to deal with a cybersecurity issue, including public relations, technical experts and others. Incidents can be messy and move quickly, she said, so put retainers with professionals in place now.
From my perspective, a lot of companies focus on developing strategies around how the technical side of a breach should be handled. While that is important, a quality team will help manage that for you. Based on the many incidents I’ve seen, one of the biggest risks from a breach is reputational – what could happen today from an attack, but also, what does a hack mean to your business in a month or even a year from now? What sort of counterparty risk does your company have? How might employees react to a breach?
Communication is also critical, and I’ve found it’s the hardest part. Executives must have a plan for what they’re going to tell their staff about a breach and how it happened. Many employees may wonder if they still have a job or if they should come to work the next day. What if they don’t have remote access anymore? I also tell CEOs to be prepared to call their top 10 customers after a breach. And, you have to consider ahead of time how you’re going to communicate with regulators and the news media. You have to anticipate all of this before something happens – think ahead and practice.
Larry Zelvin is the Head of the Financial Crimes Unit at BMO Financial Group where he is responsible globally for cyber security, fraud, physical security and …(..)
View Full Profile >Between the rise of artificial intelligence (AI) and geopolitical tensions, could a cybersecurity storm be brewing? The more business leaders can understand the forces driving an increasingly sophisticated cyber environment, the better that companies can protect themselves. These were just some of the topics discussed at the “Weathering the Looming Cyber Storm” session I participated in at the 18th annual Toronto Global Forum organized by the International Economic Forum of the Americas (IEFA).
The panel, which touched on pressing cybersecurity issues facing companies and governments, included:
-
Mark Fernandes, Global Chief Information Security Officer at CAE
-
Gillian Kerr, Partner, Litigation, McCarthy Tétrault
-
April Fong, Executive Editor at The Logic (Moderator)
A growing risk to consider
The greatest risk comes from nation-states, where military groups and intelligence organizations work alongside cybercriminals to deploy malicious software for political and financial gains. Ports, water facilities, energy companies and even internet service providers could be at risk.
Cybersecurity will likely become a more integral geopolitical tool. In warfare, adversaries could use cyber to impact a conflict, and, indeed, we’ve already heard rumblings of nations disabling government sites and even nuclear facilities.
AI’s soon-to-be-felt impact
Generative AI, which is a type of AI that creates new content by learning from existing data patterns, will complicate the cybersecurity sector and how businesses protect themselves. Mark Fernandes from CAE noted that one of the key threats is employees putting company information into external AI programs and bad actors somehow getting that data to use for nefarious purposes. Even with enterprise versions of these solutions, someone could, quite easily, accidentally access the public version, he said. CAE has embarked on a training initiative to ensure its people are using generative AI properly – until then, it’s restricting external usage of AI sites.
A larger threat looms, however – what Fernandes calls the “weaponization of AI.” This is when bad actors use generative AI to mimic real people, such as creating deepfake videos or replicating people’s voices. While some of this is happening today, it’s not yet occurring in a significant way, he said. That could change over the next few years as this technology evolves.
Right now, threat actors prefer to use the path of least resistance to commit crimes, and AI is still too complicated for them. That will likely change, though
To that end, we’re finding that AI can be an effective tool to prevent fraud. For instance, in one situation, a person called our call center saying she was a new customer and the ATM she was using was not working. An AI model we created creates a risk score for calls between zero and 100, where 100 is fraud. In this case, the model suspected fraud, so we told this person to find her nearest branch. A short time later, the AI model detected the voice of the same caller, except this time claiming their cheques were locked up. We may not have caught this person without the AI.
Prepare for a potential attack
However, now is the time to prepare your business for a potential attack. As we say in the cybersecurity world, it’s not a matter of if an attack will occur, but when. Gillian Kerr from McCarthy Tétrault’s Litigation Group pointed out that she is often brought in after an issue arises. Instead, she advised that companies should talk to lawyers as they create a security plan. She also suggested that companies should identify the internal and external providers potentially needed to deal with a cybersecurity issue, including public relations, technical experts and others. Incidents can be messy and move quickly, she said, so put retainers with professionals in place now.
From my perspective, a lot of companies focus on developing strategies around how the technical side of a breach should be handled. While that is important, a quality team will help manage that for you. Based on the many incidents I’ve seen, one of the biggest risks from a breach is reputational – what could happen today from an attack, but also, what does a hack mean to your business in a month or even a year from now? What sort of counterparty risk does your company have? How might employees react to a breach?
Communication is also critical, and I’ve found it’s the hardest part. Executives must have a plan for what they’re going to tell their staff about a breach and how it happened. Many employees may wonder if they still have a job or if they should come to work the next day. What if they don’t have remote access anymore? I also tell CEOs to be prepared to call their top 10 customers after a breach. And, you have to consider ahead of time how you’re going to communicate with regulators and the news media. You have to anticipate all of this before something happens – think ahead and practice.
2024 Toronto Global Forum
PART 1
Why Sustainability Is Good Business: Key Takeaways from IEFA Toronto 2024
Honourable Brian V. Tobin, P.C., O.C. | November 01, 2024 | Business Strategy
There is no shortage of challenges for governments and investors to deal with, including geopolitical risks, global warming and widening inequality b…
PART 2
Building Infrastructure for the Future
Grégoire Baillargeon | November 04, 2024 | Business Strategy
In a world where businesses seek to decarbonize and where our build environment will need to be more resilient than ever to withstand a more volatile…
Related Insights
Tell us three simple things to
customize your experience
Banking products are subject to approval and are provided in Canada by Bank of Montreal, a CDIC Member.
BMO Commercial Bank is a trade name used in Canada by Bank of Montreal, a CDIC member.
Please note important disclosures for content produced by BMO Capital Markets. BMO Capital Markets Regulatory | BMOCMC Fixed Income Commentary Disclosure | BMOCMC FICC Macro Strategy Commentary Disclosure | Research Disclosure Statements
BMO Capital Markets is a trade name used by BMO Financial Group for the wholesale banking businesses of Bank of Montreal, BMO Bank N.A. (member FDIC), Bank of Montreal Europe p.l.c., and Bank of Montreal (China) Co. Ltd, the institutional broker dealer business of BMO Capital Markets Corp. (Member FINRA and SIPC) and the agency broker dealer business of Clearpool Execution Services, LLC (Member FINRA and SIPC) in the U.S. , and the institutional broker dealer businesses of BMO Nesbitt Burns Inc. (Member Canadian Investment Regulatory Organization and Member Canadian Investor Protection Fund) in Canada and Asia, Bank of Montreal Europe p.l.c. (authorised and regulated by the Central Bank of Ireland) in Europe and BMO Capital Markets Limited (authorised and regulated by the Financial Conduct Authority) in the UK and Australia and carbon credit origination, sustainability advisory services and environmental solutions provided by Bank of Montreal, BMO Radicle Inc., and Carbon Farmers Australia Pty Ltd. (ACN 136 799 221 AFSL 430135) in Australia. "Nesbitt Burns" is a registered trademark of BMO Nesbitt Burns Inc, used under license. "BMO Capital Markets" is a trademark of Bank of Montreal, used under license. "BMO (M-Bar roundel symbol)" is a registered trademark of Bank of Montreal, used under license.
® Registered trademark of Bank of Montreal in the United States, Canada and elsewhere.
™ Trademark of Bank of Montreal in the United States and Canada.
The material contained in articles posted on this website is intended as a general market commentary. The opinions, estimates and projections, if any, contained in these articles are those of the authors and may differ from those of other BMO Commercial Bank employees and affiliates. BMO Commercial Bank endeavors to ensure that the contents have been compiled or derived from sources that it believes to be reliable and which it believes contain information and opinions which are accurate and complete. However, the authors and BMO Commercial Bank take no responsibility for any errors or omissions and do not guarantee their accuracy or completeness. These articles are for informational purposes only.
Bank of Montreal and its affiliates do not provide tax, legal or accounting advice. This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. You should consult your own tax, legal and accounting advisors before engaging in any transaction.
Third party web sites may have privacy and security policies different from BMO. Links to other web sites do not imply the endorsement or approval of such web sites. Please review the privacy and security policies of web sites reached through links from BMO web sites.
Please note important disclosures for content produced by BMO Capital Markets. BMO Capital Markets Regulatory | BMOCMC Fixed Income Commentary Disclosure | BMOCMC FICC Macro Strategy Commentary Disclosure | Research Disclosure Statements