Leave a Comment

An Assessment of the National Security Implications of First Contact

Lee Clark is a cyber intelligence specialist who has worked in the commercial, defense, and aerospace sectors in the US and Middle East. He can be found on Twitter at @InktNerd. He holds an MA in intelligence and international security from the University of Kentucky’s Patterson School. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

Title:  An Assessment of the National Security Implications of First Contact

Date Originally Written:  September 23, 2020.

Date Originally Published:  November 30, 2020.

Author and / or Article Point of View:  The author is a cyber intelligence professional in the aerospace industry. This paper will assess the hypothetical international security fallout and nuances of first contact with alien life. The paper assumes that no human-extraterrestrial interaction has ever occurred. Thus, Unidentified Flying Object (UFO) and Unidentified Aerial Phenomena (UAP) reports are not considered evidence of contact. The author does not believe humans have ever encountered aliens, but does not rule out the possibility that life may exist elsewhere in the universe.

Summary:   Despite fictional portrayals of first contact, it is most likely that alien life encountered by humanity would be so different from any life encountered by people on earth that it would be inconceivable to plan for, and possibly even unrecognizable. First contact protocols in this scenario would likely be led by scientists. In the unlikely event that humanity encounters intelligent / communicative life, the response would more resemble a whole-of-society approach.

Text:  The main precedent for managing contact with intelligent alien life in the public space is the post-contact policy of the Search for Extraterrestrial Intelligence institute (SETI), once a NASA program and now a privately-funded research entity[1]. SETI focuses on radio signals, and their protocol is designed on the premise that aliens would send them a deliberate signal. Under SETI’s protocol, initial response to the revelation of intelligent alien life via radio signal would be guided primarily by the astrophysics community.

The SETI model, laudable though their mission is, has two key weaknesses. First, the likelihood that alien life would have developed along a similar enough trajectory and timeline to human civilization that the two societies would both have compatible radio technology is so small as to be negligible. If there is alien life with sentience and societal construction, their biology, ecology, sociology, and technology would be adapted to their unique home environment, as humans have adapted to the realities and limitations of Earth. Alien life is much less likely to resemble a little green man in a spaceship than, for instance, a jellyfish, anemone, or perhaps a sentient cloud of gas. The possibility of alien life, having developed in an alien environment, evolving to produce sentience, intelligence, and technology as humans conceive of them is extremely unlikely. If they do have technology, it would be adapted to their own needs, not ours. If humans find aliens first, it will likely not be because the aliens send humans a radio signal, or land on the White House lawn. If humanity wishes to find life elsewhere, it would most likely require a dedicated effort across the scientific community, including sending secondary sensors and exploration mission equipment on routine space missions.

Second, the implications of the existence of alien life, especially intelligent life or one or more developed societies, is so far-reaching that the first response cannot be responsibly left to the scientific community alone. A collaborative response by the international community would likely include a three-pronged approach: First, a group to handle contact consisting of an international team of civilian expertise such as linguists, engineers, astrophysicists, mathematicians, diplomats, and biologists. Second, an international defense team consisting of security expertise including tactical and strategic intelligence professionals, military strategists and leaders, and legal experts. Third and finally, an international team to manage public relations, likely a collaboration of civilian and military public affairs experts to determine if, when, and how much to reveal to the general public.

Even this approach has flaws: the likelihood that any nation discovering alien life would share it with other nations and coordinate a joint response is less than the likelihood of a nation concealing the information and attempting to use it to strategic advantage, as evidenced by the geopolitics surrounding the sharing of a potential COVID-19 vaccine between nations[2]. The internet, social media, and global disinformation campaigns would also make the calm, procedural, constructive handling of the revelation unlikely, and the potential for public panic or other severe obstacles is high[3].

If this article assumes no contact has ever occurred between humans and alien life (i.e. UFOs and television-style government conspiracies are fictitious or not related to actual alien existence), there are two overarching paths that first contact could take, both with numerous implications. The first is that alien life is intelligent and / or some form of sustained communication is possible. This is by far the least likely path. The second path is that alien life is not intelligent or sentient, or that no communication is possible.

If humanity were to discover intelligent aliens (or they were to discover us) and communication is possible, there are three basic possibilities that fall along a sliding scale of conflict. Relations between humans and intelligent aliens would either be peaceful and diplomatic, hostile and violent, or some fluctuation between the two over time. The possibilities within this framework are endless. Perhaps initial contact will be peaceful, only for hostilities to break out later into the relationship, or vise versa. Perhaps the aliens will be vastly more technologically sophisticated than humans, or vice versa, or perhaps the level of technological advancement between the two civilizations would be balanced. Unfortunately, these eventualities are largely impossible to prepare for, outside of potentially designating task forces to manage the situation should it ever arise.

The second path is overwhelmingly most likely, that any alien life encountered by humanity would be so different from any life encountered by people on earth that it would be inconceivable to plan for, and possibly even unrecognizable as life at all. Earlier the example of a jellyfish was used, but even this is a fallacy. A jellyfish, being alive and carnivorous, but lacking a skeleton, muscles, circulatory system, brain, or often deliberate motor functionality, is the closest approximation imaginable, since jellyfish evolved for a drastically different ecosystem. It is not difficult to imagine the first human to encounter a jellyfish not understanding that the creature was alive, and this would likely mirror the first time humans encounter an alien lifeform too different to be immediately recognized as alive. Human concept of life and biology is intrinsically shaped by the observable reality they exist in, but the environment of alien homeworlds would almost certainly be so different that life could never progress along similar lines to human civilization.

Along the second path, contact with non-intelligent life, the response would likely be driven much more by the scientific community: biologists, physicists, chemists, astronomers, and engineers. The potential for speculation of uses of this life, and it’s conservation, could be endless: military, pharmaceutical, aeroespacial?

The disappointing, if not bleak, reality is that humans will almost certainly never encounter alien life, much less intelligent life capable of sustained communication. The probability is simply too low. That said, the potential significance of the existence of aliens means that there may be value in investing limited funds and efforts into the search. Outside of the hard national security and scientific implications of alien life, there is another, perhaps equally important facet of the search and preparation: sociocultural. Aliens are so entrenched in the popular mind that dedicating some small resources to the search may have public affairs benefits. Put another way: people want to believe.

Endnotes:

[1] Paul Davies. The Eerie Silence: Renewing Our Search for Alien Intelligence. 2011. https://www.amazon.com/Eerie-Silence-Renewing-Search-Intelligence/dp/B005OHT0WS.

[2] Chao Deng. “China Seeks to Use Access to Covid-19 Vaccines for Diplomacy.” The Wall Street Journal. August 2020. https://www.wsj.com/articles/china-seeks-to-use-access-to-covid-19-vaccines-for-diplomacy-11597690215.

[3] Daniel Oberhaus. “Twitter Has Made Our Alien Contact Protocols Obsolete.” Motherboard. 2017. https://www.vice.com/en_us/article/z4gv53/twitter-has-made-our-alien-contact-protocols-obsolete.

Assessment Papers Extraterrestrial Life Lee Clark
Leave a Comment

Options to Manage the 2020 Election Cyber Threat Landscape

Lee Clark is a cyber intelligence specialist who has worked in the commercial, defense, and aerospace sectors in the US and Middle East. He can be found on Twitter at @InktNerd. He holds an MA in intelligence and international security from the University of Kentucky’s Patterson School. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

National Security Situation:  The 2020 U.S. General Election (the election) faces a nuanced and critical cyber threat landscape that requires careful navigation.

Date Originally Written:  September 2, 2020.

Date Originally Published:  September 18, 2020.

Author and / or Article Point of View:  The author is a cyber intelligence professional and Election Officer in Virginia. This options paper will provide options for addressing cyber threats to election systems and infrastructure in the context of the 2020 election.

Background:  The cyber threat landscape of the November 2020 election in the U.S. is critical and complex. Election interference and propaganda efforts are not new on the global stage. However, the simultaneous merging of industrial-level disinformation operations, targeted cyber intrusions by state-funded organizations, and the woeful state of local cyber civil defenses in the U.S. combine to create a unique situation with challenging nuances and implications.

Cyber intrusions related to the 2016 General Election, mostly attributed to Russian-linked actors, are widely documented and analyzed in both the public and classified spheres of the national security community. The current threat landscape is more complex than in 2016, as evidenced by a public statement from the Office of the Director of National Intelligence indicating that cyber actors backed by China, Russia, and Iran are all actively attempting to influence the outcome of the election[1]. Defenses have also been bolstered in some areas, such as the Department of Defense taking an active role in the cybersecurity of the election, including deployments of cyber personnel abroad to hunt for threats to election systems[2].

The threat landscape is further complicated by public opinion, as demonstrated by the outrage connected to the publication of a false report that Russian threat actors stole and exposed voter databases from several U.S. states in August 2020. In reality, no cyber intrusion occurred and the data was publicly available. However, the public outcry over the incident indicates the potential for civic unrest in the event of a cyber attack that could be perceived to threaten the integrity of results[3].

Elections in the U.S. involve conflicting and competing stakeholders, intricate federal and local regulations, numerous technologies of varying complexity, as well as legal and ethical norms and expectations[4]. In a standard “Impact times Likelihood” threat matrix, the impact of a direct cyber attack compromising election results is high, but the likelihood is low. However, given the number of systems and interconnected networks used to coordinate elections, smaller attacks on peripheral or supporting systems are much more likely, though less impactful unless in a sufficient volume to cause widespread disruption[5].

Significance:  Election systems, including hardware and administrative organizations overseeing election operations, are classified by the Department of Homeland Security as critical national infrastructure[6]. The integrity of election results is critical to the validity and credibility of democratic governance in the U.S. A disputed election as a result of cyber aggression would be severely problematic for U.S. national security.

The geopolitical situation surrounding the election creates the potential for various adverse outcomes, including: deterioration of public faith in election processes; contested results in legislative and presidential races; civic unrest; and erosion of democratic processes. Elections are immensely complex and securing the cyber facets of elections involves national and local information and operational technology (IT and OT); registration databases; support software; and hardware used at polling places, including voting machines, ballot scanners, and devices like laptops and tablets. To manage the cyber threat landscape and mitigate potential harms resulting from threats, policymakers have three key options:

Option #1:  Launch a public education campaign focused on the logistics of managing election challenges to a) reduce the effectiveness of disinformation efforts seeking to undermine public trust in election processes and results and b) reduce public anxieties regarding the integrity of ballots.

Risk:  First, given the sociopolitical polarization among the U.S. electorate, it is likely that a significant portion of the voting public would view a public education campaign as factually incorrect or intentionally misleading. Second, this same polarization also indicates that a campaign would be unlikely to affect public opinion because the intended audience is unreceptive to information that would contradict preferred beliefs. Finally, this option is solely strategic and cultural in nature, and would not address the tangible, tactical level vulnerabilities that exist in election systems.

Gain:  If the press and social media (avenues for public information sharing) are considered supporting factors of election infrastructure, then a campaign to weaken disinformation networks could strengthen peripheral systems vulnerable to attack with a potentially high impact.

Option #2:  Provide a national fund to supplement the capabilities of national and local election administration organizations to implement best standards and practices including: current equipment, adequate staffing, standard written policy, and risk-limiting audits.

Risk:  First, efforts to provide funding to secure election systems have proven to be politically sensitive and difficult to move through Congress[7]. Second, this option would likely carry extreme financial cost to adequately address security needs The U.S. is currently experiencing a severe financial crisis as a result of the COVID-19 pandemic, compounding what would be a difficult option even in a financially sound period.

Gain:  Providing supplementary funding for organizations charged with safeguarding election systems would likely allow the organizations to directly address actionable technical and administrative vulnerabilities that expose systems to attacks. Properly resourcing these organizations could exponentially reduce the threat landscape for future elections.

Option #3:  Provide a large scale staffing support program for local cyber offices using Federal or contracted personnel with relevant expertise to augment high-risk election precincts and help harden defenses.

Risk:  First, the state of the cybersecurity and IT job markets make it unlikely that sufficient numbers of experienced and qualified staff could be retasked or hired and placed in needed areas. Second, the logistics of placing such a large workforce at nationwide locations would require a significant financial burden. Finally, travel challenges associated with the COVID-19 pandemic would further complicate the ability of support staff to be placed and to effectively integrate with localized teams.

Gain:  Supplementing cybersecurity staff at local and national offices leading up to the election could allow those organizations to better prepare for potential threats, and could offer a chance for knowledge transfer and training that would benefit future election operations.

Other Comments:  None.

Recommendation:  None.

Endnotes:

[1] Office of the Director of National Intelligence. Statement by NCSC Director William Evanina: Election Threat Update for the American Public. 2020. https://www.dni.gov/index.php/newsroom/press-releases/item/2139-statement-by-ncsc-director-william-evanina-election-threat-update-for-the-american-public.

[2] Shannon Vavra. “Cyber Command Deploys Abroad to Fend Off Foreign Hacking Ahead of the 2020 Election.” CyberScoop. 2020. https://www.cyberscoop.com/2020-presidential-election-cyber-command-nakasone-deployed-protect-interference-hacking.

[3] Catalin Cimpanu. “Cisa and Fbi Say They Have Not Seen Cyber-Attacks This Year on Voter Registration Databases.” ZDNet. 2020. https://www.zdnet.com/article/cisa-and-fbi-say-they-have-not-seen-cyber-attacks-this-year-on-voter-registration-databases.

[4] Lee Clark. “An Assessment of the Current State of U.S. Cyber Civil Defense.” Divergent Options. 2019. https://divergentoptions.org/2019/11/11/an-assessment-of-the-current-state-of-u-s-cyber-civil-defense.

[5] Tara Seals. “Shoring Up the 2020 Election: Secure Vote Tallies Aren’t the Problem.” Threatpost. 2020. https://threatpost.com/2020-election-secure-vote-tallies-problem/158533.

[6] National Academies of Sciences, Engineering, and Medicine. Securing the Vote: Protecting American Democracy. 2018. https://doi.org/10.17226/25120.

[7] Scott R. Anderson, Eugenia Lostri, Quinta Jurecic, and Margaret Taylor. “Bipartisan Agreement on Election Security—And a Partisan Fight Anyway.” Lawfare. 2019. https://www.lawfareblog.com/bipartisan-agreement-election-security-and-partisan-fight-anyway.

Election Lee Clark Option Papers United States
Leave a Comment

An Assessment of the Current State of U.S. Cyber Civil Defense

Lee Clark is a cyber intelligence analyst currently working on cyber defense strategy in the Middle East.  He holds an MA in intelligence and international security from the University of Kentucky’s Patterson School. He can be found on Twitter at @InktNerd.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

Title:  An Assessment of the Current State of U.S. Cyber Civil Defense

Date Originally Written:  September 11, 2019.

Date Originally Published:  November 22, 2019.

Author and / or Article Point of View:  The author is an early-career cybersecurity analyst with experience advising private and public sector organizations on cyber threats and building cyber threat intelligence programs.

Summary:  Local civic organizations in the U.S. are experiencing a wave of costly and disruptive low-sophistication cyberattacks on a large scale, indicating widespread vulnerabilities in networks. In light of past and ongoing threats to U.S. cyber systems, especially election systems, this weak cybersecurity posture represents a serious national security concern.

Text:  The state of cyber defenses among public sector entities in the United States is less than ideal. This is especially true among smaller civic entities such as city utility companies, local government offices (including local election authorities), and court systems. There is currently an ongoing wave of cyberattacks against government systems in cities across the U.S. In 2019, more than 40 local government organizations experienced successful ransomware attacks[1]. These widespread attacks indicate an attractive attack surface and vulnerable profile to potential cyber aggressors, which has broad implications for the security of U.S. cyber systems, including election systems.

Ransomware is a vector of cyberattack in which malicious actors compromise a victim’s computer and encrypt all available files, while offering the victim an encryption key to decrypt files in exchange for a ransom payment, typically in the form of a cryptocurrency such as Bitcoin. If victims refuse to pay or cannot pay, the files are left encrypted and the infected computer(s) are rendered useless. In some cases, files can be decrypted by specialists without paying the ransom. In other cases, even if victims pay, there is in reality no decryption key and files are permanently locked. 

Ransomware is among the most common and least sophisticated forms of cyberattack in the field today. Attacks of this type have grown exponentially in recent years, and one study found that in 2019, 18% of all cyber-related insurance claims internationally were linked to ransomware incidents, second only to business email compromises[2]. In some cases, insurance companies were found encouraging clients to pay ransoms because it saved money and promoted the criminal practice, enhancing the market for cyber insurance services[3]. 

Ransomware attacks are relatively easy to execute on the part of attackers, and often target computers can be infected by tricking a victim into clicking on a malicious link through a phishing email disguised as a legitimate business communication. For example, in 2018, city computer networks in Allentown, Pennsylvania were offline for weeks after ransomware infected the system through an employee’s email after the employee failed to install security updates and clicked on a phishing email. The attack cost the city around USD 1 million to resolve and ongoing security improvements are costing approximately USD 420,000 per year[4].

Local city systems make for attractive targets for cyber attackers for several reasons: 

1) Such organizations often carry cyber insurance, indicating an ability to pay and a higher likelihood of attackers being paid quickly without difficulty.

2) Local government offices have a reputation for being soft targets, often with lax and/or outdated security software and practices.

3) Infecting systems requires very little investment of resources on the attacker’s part, such as time, technical skill, focus, and labor, since phishing emails are often sufficient to gain access to targeted networks.

4) Executing successful attacks against such organizations often results in widespread media attention and tangible damages, including monetary cost to the organization, disruption to services, and public backlash, all of which enhance the attacker’s reputation in criminal communities.

Because of the ongoing prevalence of ransomware attacks, U.S. officials recently voiced public concern about the plausibility of ransomware attacks against election systems during the 2020 elections[5]. A chief concern is that if attackers have enough systems access to lock the files, the attackers very likely also have the ability to alter and/or steal files from an infected system. This concern is compounded by recent revelations by the Senate Select Committee on Intelligence that Russian-linked threat actors targeted election systems in all 50 states in 2016, most successfully in Illinois and Arizona[6]. 

It should be noted that U.S. federal agencies and private consulting firms have engaged in a large-scale effort to increase security measures of election systems since 2016 in preparation for the 2020 election, including hiring specialists and acquiring new voting machines[7]. The specifics, technical details, and effectiveness of these efforts are difficult to properly measure from open source materials, but have drawn criticism for their limited scope[8].

In the U.S., election security is among the most complex and difficult challenges facing the cybersecurity field. Elections involve countless competing and interacting stakeholders, intricate federal and local regulations, numerous technologies of varying complexity, as well as legal and ethical norms and expectations. These nuances combine to present a unique challenge to U.S. national security concerns, especially from a cyber-viewpoint. It is a matter of public record that U.S. election systems are subject to ongoing cyber threats from various actors. Some known threats operate with advanced tactics, techniques, procedures, and resources supported by technologically-sophisticated nation states. 

The recent wave of ransomware attacks on local governments compounds election security concerns because the U.S. election system relies heavily on local government organizations like county clerk and poll offices. Currently, local systems are demonstrably vulnerable to common and low-effort attacks, and will remain so without significant national-level efforts. If local defenses are not developed enough to resist a ransomware attack delivered in a phishing email, it is difficult to imagine a county clerk’s office in Ohio or Kentucky having sufficient cyber defenses to repel a sophisticated attack by a Russian or Chinese-backed advanced persistent threat group. 

After the beginning of the nuclear arms race in the second half of the 20th century, the U.S. government developed a national civil defense program by which to prepare local jurisdictions for nuclear attacks. This effort was prominent in the public mind and expensive to execute. Lessons from this national civil defense program may be of value to adequately prepare U.S. civic cyber systems to effectively resist both low and high-sophistication cyber intrusions.

Unlike nuclear civil defense, which has been criticized for achieving questionable results in terms of effective defense, cyber civil defense effectiveness could be benchmarked and measured in tangible ways. While no computer system can be entirely secure, strong indicators of an effective cybersecurity posture include up-to-date software, regular automatic security updates, periodic security audits and vulnerability scans, established standard operating procedures and best practices (including employee cyber awareness training), and a well-trained and adequately-staffed cybersecurity team in-house.

Endnotes:

[1] Fernandez, M., Sanger, D. E., & Martinez, M. T. (2019, August 22). Ransomware Attacks Are Testing Resolve of Cities Across America. Retrieved from https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html

[2] Cimpanu, C. (2019, September 2). BEC overtakes ransomware and data breaches in cyber-insurance claims. Retrieved from https://www.zdnet.com/article/bec-overtakes-ransomware-and-data-breaches-in-cyber-insurance-claims/

[3] Dudley, R. (2019, August 27). The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks. Retrieved from https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks

[4] Fernandez, M., Sanger, D. E., & Martinez, M. T. (2019, August 22). Ransomware Attacks Are Testing Resolve of Cities Across America. Retrieved from https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html

[5] Bing, C. (2019, August 27). Exclusive: U.S. officials fear ransomware attack against 2020 election. Retrieved from https://www.reuters.com/article/us-usa-cyber-election-exclusive/exclusive-us-officials-fear-ransomware-attack-against-2020-election-idUSKCN1VG222

[6] Sanger, D. E., & Edmondson, C. (2019, July 25). Russia Targeted Election Systems in All 50 States, Report Finds. Retrieved from https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html

[7] Pearson, R. (2019, August 5). 3 years after Russian hackers tapped Illinois voter database, officials spending millions to safeguard 2020 election. Retrieved from https://www.chicagotribune.com/politics/ct-illinois-election-security-russian-hackers-20190805-qtoku33szjdrhknwc7pxbu6pvq-story.html 

[8] Anderson, S. R., Lostri, E., Jurecic, Q., & Taylor, M. (2019, July 28). Bipartisan Agreement on Election Security-And a Partisan Fight Anyway. Retrieved from https://www.lawfareblog.com/bipartisan-agreement-election-security-and-partisan-fight-anyway

Assessment Papers Civil Defense Cyberspace Lee Clark United States
Leave a Comment

Options to Manage the Risks of Integrating Artificial Intelligence into National Security and Critical Industry Organizations

Lee Clark is a cyber intelligence analyst.  He holds an MA in intelligence and international security from the University of Kentucky’s Patterson School.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

National Security Situation:  What are the potential risks of integrating artificial intelligence (AI) into national security and critical infrastructure organizations and potential options for mitigating these risks?

Date Originally Written:  May 19, 2018.

Date Originally Published:  July 2, 2018.

Author and / or Article Point of View:  The author is currently an intelligence professional focused on threats to critical infrastructure and the private sector.  This article will use the U.S. Department of Homeland Security’s definition of “critical infrastructure,” referring to 16 public and private sectors that are deemed vital to the U.S. economy and national functions.  The designated sectors include financial services, emergency response, food and agriculture, energy, government facilities, defense industry, transportation, critical manufacturing, communications, commercial facilities, chemical production, civil nuclear functions, dams, healthcare, information technology, and water/wastewater management[1].  This article will examine some broad options to mitigate some of the most prevalent non-technical risks of AI integration, including legal protections and contingency planning.

Background:  The benefits of incorporating AI into the daily functions of an organization are widely championed in both the private and public sectors.  The technology has the capability to revolutionize facets of government and private sector functions like record keeping, data management, and customer service, for better or worse.  Bringing AI into the workplace has significant risks on several fronts, including privacy/security of information, record keeping/institutional memory, and decision-making.  Additionally, the technology carries a risk of backlash over job losses as automation increases in the global economy, especially for more skilled labor.  The national security and critical industry spheres are not facing an existential threat, but these are risks that cannot be dismissed.

Significance:  Real world examples of these concerns have been reported in open source with clear implications for major corporations and national security organizations.  In terms of record keeping/surveillance related issues, one need only look to recent court cases in which authorities subpoenaed the records of an Amazon Alexa, an appliance that acts as a digital personal assistant via a rudimentary AI system.  This subpoena situation becomes especially concerning to users, given recent reports of Alexa’s being converted into spying tools[2].  Critical infrastructure organizations, especially defense, finance, and energy companies, exist within complex legal frameworks that involve international laws and security concerns, making legal protections of AI data all the more vital.

In the case of issues involving decision-making and information security, the dangers are no less severe.  AIs are susceptible to a variety of methods that seek to manipulate decision-making, including social engineering and, more specifically, disinformation efforts.  Perhaps the most evident case of social engineering against an AI is an instance in which Microsoft’s AI endorsed genocidal statements after a brief conversation with users on Twitter[3].  If it is possible to convince an AI to support genocide, it is not difficult to imagine the potential to convince it to divulge state secrets or turn over financial information with some key information fed in a meaningful sequence[4].  In another public instance, an Amazon Echo device recently recorded a private conversation in an owner’s home and sent the conversation to another user without requesting permission from the owner[5].  Similar instances are easy to foresee in a critical infrastructure organization such as a nuclear energy plant, in which an AI may send proprietary information to an uncleared user.

AI decisions also have the capacity to surprise developers and engineers tasked with maintenance, which could present problems of data recovery and control.  For instance, developers discovered that Facebook’s AI had begun writing a modified version of a coding language for efficiency, having essentially created its own code dialect, causing transparency concerns.  Losing the ability to examine and assess coding decisions presents problems for replicating processes and maintenance of a system[6].

AI integration into industry also carries a significant risk of backlash from workers.  Economists and labor scholars have been discussing the impacts of automation and AI on employment and labor in the global economy.  This discussion is not merely theoretical in nature, as evidenced by leaders of major tech companies making public remarks supporting basic income as automation will likely replace a significant portion of labor market in the coming decades[7].

Option #1:  Leaders in national security and critical infrastructure organizations work with internal legal teams to develop legal protections for organizations while lobbying for legislation to secure legal privileges for information stored by AI systems (perhaps resembling attorney-client privilege or spousal privileges).

Risk:  Legal teams may lack the technical knowledge to foresee some vulnerabilities related to AI.

Gain:  Option #1 proactively builds liability shields, protections, non-disclosure agreements, and other common legal tools to anticipate needs for AI-human interactions.

Option #2:  National security and critical infrastructure organizations build task forces to plan protocols and define a clear AI vision for organizations.

Risk:  In addition to common pitfalls of group work like bandwagoning and group think, this option is vulnerable to insider threats like sabotage or espionage attempts.  There is also a risk that such groups may develop plans that are too rigid or short-sighted to be adaptive in unforeseen emergencies.

Gain:  Task forces can develop strategies and contingency plans for when emergencies arise.  Such emergencies could include hacks, data breaches, sabotage by rogue insiders, technical/equipment failures, or side effects of actions taken by an AI in a system.

Option #3:  Organization leaders work with intelligence and information security professionals to try to make AI more resilient against hacker methods, including distributed denial-of-service attacks, social engineering, and crypto-mining.

Risk:  Potential to “over-secure” systems, resulting in loss of efficiency or overcomplicating maintenance processes.

Gain:  Reduced risk of hacks or other attacks from malicious actors outside of organizations.

Other Comments:  None.

Recommendation: None.

Endnotes:

[1] DHS. (2017, July 11). Critical Infrastructure Sectors. Retrieved May 28, 2018, from https://www.dhs.gov/critical-infrastructure-sectors

[2] Boughman, E. (2017, September 18). Is There an Echo in Here? What You Need to Consider About Privacy Protection. Retrieved May 19, 2018, from https://www.forbes.com/sites/forbeslegalcouncil/2017/09/18/is-there-an-echo-in-here-what-you-need-to-consider-about-privacy-protection/

[3] Price, R. (2016, March 24). Microsoft Is Deleting Its AI Chatbot’s Incredibly Racist Tweets. Retrieved May 19, 2018, from http://www.businessinsider.com/microsoft-deletes-racist-genocidal-tweets-from-ai-chatbot-tay-2016-3

[4] Osaba, O. A., & Welser, W., IV. (2017, December 06). The Risks of AI to Security and the Future of Work. Retrieved May 19, 2018, from https://www.rand.org/pubs/perspectives/PE237.html

[5] Shaban, H. (2018, May 24). An Amazon Echo recorded a family’s conversation, then sent it to a random person in their contacts, report says. Retrieved May 28, 2018, from https://www.washingtonpost.com/news/the-switch/wp/2018/05/24/an-amazon-echo-recorded-a-familys-conversation-then-sent-it-to-a-random-person-in-their-contacts-report-says/

[6] Bradley, T. (2017, July 31). Facebook AI Creates Its Own Language in Creepy Preview Of Our Potential Future. Retrieved May 19, 2018, from https://www.forbes.com/sites/tonybradley/2017/07/31/facebook-ai-creates-its-own-language-in-creepy-preview-of-our-potential-future/

[7] Kharpal, A. (2017, February 21). Tech CEOs Back Call for Basic Income as AI Job Losses Threaten Industry Backlash. Retrieved May 19, 2018, from https://www.cnbc.com/2017/02/21/technology-ceos-back-basic-income-as-ai-job-losses-threaten-industry-backlash.html

Critical Infrastructure Cyberspace Emerging Technology Lee Clark Option Papers Private Sector Resource Scarcity