AI fuels rise in attacks from ‘unsophisticated threat actors,’ federal cyber leaders say

Officials from Treasury, State and the FBI say information-sharing is increasingly important as AI enables so-so hackers to level up.
From left, GDIT's Nisa Moore, the Treasury Department's Sarah Nur, the State Department's Gharun Lacy and Eileen Vidrine, formerly of the Air Force, participate in a panel discussion at a GDIT event on June 4, 2024, in Washington, D.C. (Scoop News Group photo)

A day in the life of the Treasury Department’s top cybersecurity official is an unrelenting game of Whac-a-Mole that has only grown more intense in the age of artificial intelligence and the corresponding rise of inexperienced-yet-prolific attackers. 

For Sarah Nur, Treasury’s chief information security officer and associate CIO for cyber, that arcade-style battle to protect federal networks from adversarial threats is “nonstop.”

AI has made it “a lot easier” for “unsophisticated threat actors … to create these attack scenarios,” Nur said, “so that they can go ahead and launch and play around in our current infrastructure.”

Speaking Tuesday at a Scoop News Group-produced GDIT event in Washington, Nur and other federal cyber officials spoke of the proliferation of AI-fueled cyberattacks and how much more critical coordination and information-sharing has become as use of the technology among amateur hackers has surged.     

Cynthia Kaiser, deputy assistant director of the FBI’s cyber division, said she’s seen “a crop of adversaries who are becoming at least mildly better” at their craft due to AI. The technology eases hackers’ ability to perform basic scripting tasks and identify coding errors, Kaiser said, while deepfakes are leveraged in social engineering campaigns and increasingly refined spearphishing messages.

“A beginner hacker can go to the intermediate level,” she said, “and even the most sophisticated adversaries can be more efficient.”

Gharun Lacy has also observed a leveling up among threat actors in his role as deputy assistant secretary for cyber and technology security in the State Department’s Bureau of Diplomatic Security. Those adversaries are “using AI as an amplifier,” bettering their best skills as a result. 

“Do you have a threat actor that is extremely proficient in human engineering? Then they’re going to get better at human engineering,” Lacy said. “That phishing email will now call you by a nickname that you had in high school.” 

The Treasury Department is especially susceptible to this onslaught of new-age threats given its role as the federal government’s sanctions arm, Nur said, not to mention the fact that the financial industry is one of the most targeted critical infrastructure sectors. Hackers today can simply look up a CVE, plug it into an AI system and ask it to provide “an undetected attack scenario that I can utilize,” Nur said, noting that packages of this kind on the dark web are “ready to go.”

“I heard someone say ‘fight AI with AI.’ I get what that means,” Nur said, “and I think that’s a very key concept. We really have to look at leveraging AI to quickly detect these anomalies and any kind of fraud or unusual suspicious activity.”

The silver lining for federal security officials is that AI still provides defenders with a decided advantage over attackers in cyberspace. The key to maintaining that advantage, they say, is doubling down on coordination with public and private-sector partners.

Kaiser said the use of large language models to “more rapidly draft text” for interagency memos and private-sector alerts represents “a huge win for everybody” in the battle against threat actors. 

At the State Department, the chief AI officer, chief data officer and members of the agency’s Center for Analytics have successfully leveraged AI in “reducing the noise in terms of threat intelligence,” Lacy said, sifting through “massive amounts of data” to make it “more actionable directly for us.” Streamlining data and threat intel leads to more valuable insights that State can provide to its partners, he added. 

“If I know this piece of information is not useful for me, but it may very well be useful to one of my private industry partners, I need to know how to get that information to them quickly,” Lacy said, noting that the White House has provided a quality blueprint for sharing intelligence and has encouraged agencies to be “very forthcoming now in terms of naming, blaming [and] shaming when incidents happen — and doing it quickly.”

Lacy pointed to a State Department collaboration with foreign ministries from the United Kingdom, Australia, Canada and New Zealand that brings together those countries’ cyber defenders in a quarterly meeting to “share a lot of information.” 

“I think we’re past the sharing; we’re on to collaborating,” Lacy said. “I think that’s … the phase we’re in right now. But the collaboration has to yield collective action.”

Treasury’s in a similarly collaborative mode at the moment, fresh off its launch last month of Project Fortress, a public-private partnership aimed at protecting the financial sector from cyber threats. Nur said the agency has been active in onboarding companies and organizations to the group, ensuring that participating financial institutions have access to top tools and are practicing good cyber hygiene before truly “aggressive AI attacks” become the norm.

Whether it’s meeting regularly with other CISOs, coordinating with international partners or establishing communication channels with industry, agency cyber officials across the board agree that mitigating AI-fueled threats will only be possible with more collaboration and better sharing of information.

“In the past, what really prevented us from sharing that information is that embarrassment, that reputational impact,” Nur said. “We can no longer think in those ways. We need to shift our mindset to say, ‘hey, look, we’re going to expect at least two to three a year, maybe even more, and that’s OK.’” 

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.
