What Is the Right Cybersecurity Strategy in the Age of AI

Vivatech

Transcript

00:00Can you hear me?

00:01Thank you very much.

00:04So, let's talk about cyber security.

00:08We are quite courageous to talk about this after lunch.

00:11And in a place like Vivatech.

00:15Just because cyber security, okay,

00:18what is it for people who want to develop projects,

00:22who want to innovate,

00:24while cyber has for a long time been seen as a real problem,

00:29for sure, but what is it?

00:32It is risks, it is cost, it is delays,

00:37and I'm sure that it is all what you don't like.

00:42And to be honest, I tried a few years ago

00:45to talk about cyber at Vivatech,

00:46when I was in the public sector in France,

00:49and it was probably too early to be able to do this.

00:52So that's why I'm very happy to be here with you.

00:56So, what about cyber security today?

00:58We are going to talk about AI, of course, like everybody.

01:03But before, if we come back to the situation today,

01:07we know that the risks we anticipated a long time ago,

01:13I said 10 years ago, not so long,

01:16the risk became a reality.

01:20We face cyber criminals.

01:29We are able to attack anybody.

01:31Big companies, small ones, local administrations, hospitals.

01:38We have seen it a lot of times in France,

01:39and we still see such attacks.

01:42There's no ethics, of course,

01:44on the side of the attackers.

01:47And cyber community can destroy any kind of business

01:51if it is not anticipated.

01:55We also face espionage.

01:59People who want to get your data.

02:02Everybody says that data is the new gold.

02:06Well, there are some people who want to get your data,

02:09to get your gold.

02:10It's your value.

02:12And they have understood that using cyber attacks

02:15is probably the best way, the easiest way,

02:18the safer way for them, for the bad guys,

02:22to have access to this data.

02:26And the last thing, just to be sure that you are totally scary,

02:32is that today the cyberspace, the digital space,

02:38became a kind of new battlefield.

02:42It's not just only in the movies.

02:45It's the reality today.

02:46During all the conflicts, we observe more and more

02:50the fact that the states, the military,

02:55they fight in the digital space.

02:58So you can say, okay, it's not my problem.

03:02It's the problem of the governments,

03:06militaries, states, to do war.

03:09I want to do my business, and I want to be protected.

03:13But the real difficulty is that in the digital space,

03:17you live in the battlefield.

03:20So this is the problem of everybody today.

03:23It is also your problem.

03:27Well, when there are some problems, there are some solutions.

03:31And we know the solutions.

03:35And in France, in Europe, you know that

03:37the first solution is regulation.

03:40We are fond of regulation, it's not a secret.

03:42Well, I'm convinced that in cyber, if it is well used,

03:48regulation can be a piece of solution, a part of a solution.

03:52And that's what we do today.

03:55That's what Europe does with different regulations,

04:00like NISTU, like DORA.

04:02I won't go into details, but while all those regulations,

04:05what do they say?

04:06They say that for critical actors, critical operators,

04:11they need to protect themselves.

04:13They need to be able to detect the attacks.

04:16They need to be able to react.

04:18They need to have a good governancy of those questions.

04:23And what is quite new for the big players,

04:28public and private,

04:29is that today, if we say that cybersecurity is a huge risk,

04:34it becomes a topic for the people who decide.

04:40So it's a topic for the ministers in the public sector.

04:44It's a topic for the CEOs in the private one.

04:48Everybody should be concerned by this topic,

04:52even if everybody is not an expert, for sure.

04:56So this is what we have seen during 10 years.

04:59A real change.

05:01And the fact that today, okay, we don't only face a problem,

05:06we also have a solution.

05:08It's complex.

05:09It costs money.

05:10It needs energies and ambition.

05:13But it works.

05:16And if I want to be complete in a very short time,

05:19I would say that today, the real challenge

05:22is to be able to protect all the supply chain.

05:26We know many big players

05:30that have been able to protect themselves,

05:32but are still quite weak

05:34because the attackers are very agile.

05:37They are the most agile, of course.

05:39And those attackers now attack the small players,

05:44SMEs, supply chain,

05:46in order to hit, finally, the big players.

05:50So the security of a supply chain is very important.

05:53It's probably the most important challenge

05:56applying the new regulations.

05:58And, well, even if you don't talk about regulation,

06:00it's a real challenge to protect ourselves, globally.

06:05So we want to protect also the small ones.

06:08Cyber security is not only for the big ones.

06:11And that's something we do at La Post, at Nokia Post,

06:15but it's not the topic.

06:17Okay, so this is now the situation.

06:20What is new with AI?

06:23If I want to say it in a few words,

06:26there's nothing new, but it's more complex.

06:31We talk a lot about the risks of AI.

06:35We talk a lot about safety and security related to AI.

06:40There are some people who say that there are some extreme risks related to AI.

06:44You have heard it like me.

06:49And when we talk about precise examples

06:53of what AI could do badly in the new world,

06:58we often say, okay, there's a problem with cyber security.

07:02There's a problem with information manipulation, with disinformation.

07:08And maybe some other problems with, let's say,

07:15chemical weapons, bacterial weapons, and so on.

07:18But I won't talk about this, of course.

07:20If we focus on cyber, what do we say this?

07:25Well, as I just said, the attackers are often the most agile.

07:29We already observe the fact that those attackers have understood

07:34that using AI, they can go faster, they can do more things

07:39than just with experts, human experts.

07:42It's obvious.

07:43It's true for the cyber attackers.

07:46It's true for everybody, of course.

07:49And today we observe that, okay, basic things,

07:52for example, email for phishing,

07:55we observe that they are generated by AI.

07:59It's quite obvious.

08:02We also observe that for people who want to detect,

08:06to scan the networks and to detect some failures.

08:09Well, of course, it's a kind of automation using AI.

08:12And it works quite well also.

08:15We can also imagine that using AI,

08:17it is possible to find more easily some weaknesses,

08:24some vulnerabilities into the software.

08:27It's true.

08:30And for sure, the bad guys are using this technology to do this.

08:35Is it new? The answer is no.

08:38We know how to do it with human experts.

08:41But the new thing is that we are able,

08:44most people are able to do it more quickly,

08:48more widely and so on.

08:51So, yeah, it could be a real problem.

08:55Are there kinds of new attacks made possible by AI?

09:00I'm not sure.

09:02But I cannot prove it.

09:06If we see the other side,

09:08if we look at the people who protect,

09:12well, AI is also a very good news for them.

09:18Just an example.

09:20One of the most difficult part of a job in cyber

09:23is to be able to detect the attacks.

09:25We know that it is impossible to fully protect an IT system

09:31just because, okay, today everything is interconnected

09:35and an IT system is made to be used,

09:38is made to be connected, is made to live.

09:44If you want to detect the attacks,

09:46what does it mean?

09:46It means that you have sensors,

09:48you collect a lot of data all over your network,

09:54huge amounts of data

09:55and in this huge amount of not so interesting data,

10:01well, there are some hints,

10:02some small part, very small part,

10:04that may be an hint to detect something that goes wrong.

10:09So for human beings, it's almost impossible to do it.

10:13Using classical techniques, algorithms,

10:16well, we know how to do it

10:17and there are some interesting research and development

10:20that is done for many years now.

10:23But for sure, using AI,

10:25being able to detect as quick as possible

10:28the fact that something new we still don't know

10:31is going wrong is much easier.

10:33so we will see more and more of this being developed

10:37during the next years.

10:40So, okay, AI helps bad guys, good guys.

10:45Who will win? I don't know.

10:47Well, in the good movies, at the end, the good guys win.

10:52But, well, we will see.

10:54But we need to remain focused on this.

10:58But, there's a last topic.

11:00There's something new if we add AI to our digital world

11:04for cybersecurity.

11:07The security of AI itself is a new problem.

11:12There are very interesting new questions about this.

11:16Of course, since AI is implemented in IT,

11:22all what we know we have to do for classical systems

11:25need to be applied to AI.

11:28There's no doubt about this.

11:31And people who don't do this, they make a great mistake

11:33because what we build on AI could just collapse

11:37because of a lack of security.

11:40But there are also some new things.

11:42For example, we talk a lot about the security of training of AI.

11:48Well, training, you collect data, you train your algorithm and so on.

11:54What happens if some people are able to inject,

11:58to poison these training phases?

12:02What happens if people are able to inject some bad data

12:05that could have some effect when people use AI finally?

12:10We know, we have experimented the fact that,

12:13well, it's not impossible to do this.

12:16And even with a small amount of data,

12:19you can obtain great effects, important effects.

12:24What happened in a very practical case?

12:27If some people are able to inject some bad code on the system,

12:33that then will help developers like Copilot, Github and so on.

12:40If people are able to inject some bad code

12:43that then can become a kind of trapdoor in the final software,

12:47okay, who will be able to detect this?

12:50It's not so easy to do this.

12:52So, there's a kind of cybersecurity specific to AI.

12:59And there are many other examples.

13:01When we observe some new things, we need to deal with.

13:07And just to make a bit of advertisement,

13:11the President Macron announced on Tuesday

13:17that France will host a big AI action summit next February

13:24in order to talk about those questions of safety and security of AI.

13:30but not only safety and security because if we talk only about this,

13:34we are just going to scare people.

13:37We want to do this and also to talk about innovation,

13:41future of work, public goods,

13:44governance, diplomacy related to AI.

13:47And I'm sure that it will be an interesting time

13:49to share as much information and knowledge as possible on this domain

13:55in order to be sure that AI remains something positive,

13:59used for innovation, for new applications, for good things.

14:02And that we will be able to collectively,

14:06at a world scale, be able to master the question

14:11and to be sure that attacks and so on related to those new systems

14:16will not win.

14:19It will be interesting for sure.

14:24Time runs very quickly.

14:25and maybe I can take a few minutes for some questions or remarks

14:30if you want to share with me.

14:33Thank you.

14:41Questions?

14:45No?

14:48So you are just scared?

14:50Or is this the opposite?

14:55Okay.

14:57So...

14:57Yes.

14:59There's a mic.

15:00It's not a big deal with the AI.

15:19I'm sorry, I'm speaking in French.

15:20Je peux venir vous parler après, sinon vous posez une petite question sur plus l'offre de DocaPost pour les

15:26PME ?

15:27Bien sûr !

15:28Merci !

15:32Pas de vraies questions ?

15:38Bien ?

15:39C'est sympa !

15:55Ça sera en français, voilà. Merci pour la présentation. Juste une question, vous avez parlé du risque au niveau cyber

16:03sur l'entraînement de l'IA. Est-ce qu'aujourd'hui, on a déjà des exemples connus d'attaques ou

16:11en tout cas d'interventions malveillantes auprès d'IA ?

16:18Vous avez dit qu'on sait que c'est déjà arrivé. Est-ce que vous pourriez donner des exemples ?

16:25Merci.

16:27Donc, la question est, est-ce qu'on a déjà des exemples réels, des exemples de vie réellement d'attaques

16:32contre l'AI ?

16:34Ce qui est sûr est qu'on a observé que les gens utilisent l'AI pour faire des attaques, ce

16:40n'est pas la question.

16:40Real attacks, well, we have some experiments that work, but it's laboratory experiments showing that it is quite easy to

16:50poison if you have access to the training processes.

16:54And if you can inject some data you choose, it is really possible to poison the result.

17:04Using driving systems, for example, we know that, OK, just giving a few, a very small part of bad information

17:12to the systems enables, in some situations,

17:15to obtain some very bad reactions of the system, of the autonomous system.

17:23Are there some strategic attacks performed by adversaries who would try to target the main AI, including gen AI systems

17:35we all know ?

17:36I don't have proof. So, OK, maybe there's no problem, maybe we have not yet detected them, maybe it will

17:44come later, I can't answer, to be honest.

17:47But the advice we usually give to people is that, OK, when you get a model, and when you retrain

17:57it with your own data,

17:59you should be very, very careful that this is done in a secure environment, and that there are no other

18:07people being able to inject things.

18:08Because, of course, it's probably easier for the attackers to be able to hack the systems of small organizations than

18:17the big ones who develop the AI today.

18:20But they also have to be very careful, and they know that they need to be careful.

18:25Thanks.

18:37Bonjour Guillaume, merci beaucoup pour votre intervention.

18:40Dans votre introduction, vous avez évoqué le fait que la cybersécurité était devenue un sujet pour les business decision makers.

18:47ne pensez-vous pas que l'IA peut aussi contribuer à faire en sorte que la cyber devienne encore plus

18:52un sujet ?

18:53Parce que je pense que peut-être parfois en fonction des organisations ou des secteurs d'activité ou des tailles

18:57d'entreprise,

18:58il y a peut-être encore un peu de chemin à parcourir pour que ça devienne vraiment un sujet, un

19:03vrai sujet pour ces business decision makers.

19:04Oui.

19:07That's true.

19:08The question is, okay, can we use AI, the topics of AI, to push different subjects like cyber security?

19:16And mainly for the decision makers, let's say.

19:20I think that today, people, decision makers, well, they know that they need to work on cyber,

19:28at least in the big organisations.

19:32Well, this is not thanks to people like me.

19:35It's thanks to the attackers, and thanks to regulation, probably.

19:39So, okay, decision makers, their job is to deal with risks.

19:44And we cannot say, okay, now cyber is on the top risks, everybody face, and okay, but we don't do

19:50anything.

19:50Or it's not my problem, it's the problem of the technical guys.

19:54So, I think that things are moving regarding cyber.

19:59The responsibility of deciders is more and more involved.

20:03Not yet in France, but it will come.

20:05We observe it in the US, of course.

20:08And well, maybe we can mix it with AI, but probably the danger is that, okay,

20:13this is all technology, and if we mix everything for people who are not digital natives,

20:20who are not yet very, it's not easy for them to talk about tech, it may be dangerous.

20:26So, my advice would be to separate maybe the two topics.

20:31Thank you.

20:32Well, thank you very much.

Catégorie

Transcription

Commentaires

Recommandations