Artificial Intelligence & Machine Learning, Election Security, Fraud Management & Cybercrime
ISMG Editors: Who Isn't Hacking the US Election?
Also: The AI Voice Tech Debate; Highlights From the Black Hat 2024 Conference
Anna Delaney (annamadeline) • August 16, 2024
In the latest weekly update, Information Security Media Group editors discussed the Trump campaign's leaked documents and the many hacker groups targeting the U.S. presidential election, the potential for OpenAI's new voice feature to blur the line between AI and human relationships, and insights from the Black Hat Conference.
The panelists - Anna Delaney, director of productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Rashmi Ramesh, assistant editor, global news desk; and Tom Field, senior vice president, editorial - discussed:
- Why Donald Trump's campaign official accused Iranian hackers of stealing and leaking internal documents as part of a broader election interference campaign targeting the 2024 U.S. election, raising concerns about other foreign meddling;
- Whether criticisms of OpenAI's new GPT-4o Voice Mode saying that it blurs the line between AI and human relationships are valid or overblown;
- Key takeaways from conversations with speakers at the Black Hat 2024 conference in Las Vegas last week.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 2 edition on why data breach costs are rising and the Aug. 9 edition on whether Russia is waging a war through ransomware.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll explore the implications of leaked documents in the Trump campaign, the potential for OpenAI's new voice feature to blur the lines between AI and human relationships, and the latest insights from industry leaders at the Black Hat conference. Our panelists today include: Tom Field, senior vice president of editorial; Rashmi Ramesh, assistant editor, global news desk; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Good to see you all.
Tom Field: Thanks for having us over.
Rashmi Ramesh: Great to be here.
Mathew Schwartz: Great to be here.
Delaney: Mat, let's talk about U.S. election security. The Trump campaign has accused Iranian hackers of stealing and leaking internal documents as part of a broader election interference effort targeting the 2024 U.S. election. Do you think this is a sign of what's to come in the next few months?
Schwartz: That's what we're hearing from some experts in disinformation, misinformation and active measures. Apparently, there's probably going to be more of this in the pipeline. What's caught some people by surprise though is that this appears to involve Iran. Now, the big word here is that allegedly Iran is involved. Certainly, the Trump campaign is saying it believes Iran is responsible. It's pointing to a report that was recently released by Microsoft warning of an increase in attacks tied to a man who appeared to be targeting a presidential campaign. Now, Microsoft didn't name the campaign, but the Trump campaign named the campaign, and other media outlets have spoken to people with knowledge of these attacks who've said, "Yes, this was the Trump campaign." So, there are some bizarre aspects to this, one of which mentioned in Microsoft's report is that a former Trump campaign official's email accounts were compromised, which was used to send a spear phishing attack against the campaign and a current senior member of the campaign. Apparently, that was successful. So, the former member of the campaign who was targeted was Roger Stone, who you may remember from the Trump administration previously, had a couple of brushes with infamy. We'll leave it at that. So, some old names coming up here. Again, this is an alleged campaign. The FBI has said it's investigating. Some officials are saying, off the record at least, that they believe this is probably Iran. This is surprising because traditionally, we have seen Russia in this sort of milieu, right back in 2016 when then-presidential candidate Trump was running against the then presidential candidate Hillary Clinton. There was the hack and leak of a bunch of Democratic Party emails that was attributed by the U.S. government to Russia, as part of a campaign to meddle. I don't always love that word, but interfere in the U.S. election. In American democracy, things are a little bit different now than before. 
Trump was saying, find those emails that were supposedly deleted by the Clinton administration calling on anybody to do it, and also adding that, wasn't it a beautiful thing when it happened. Now that the Trump campaign is the focus of this, they don't sound so pleased. And that is, of course, as it should be. And a lot of people who are in politics now or used to be in politics on both sides of the aisle, saying, frankly, this is unacceptable. Will we see more of this as you asked? We probably will. We don't know how much was stolen from the Trump campaign. Certainly, there have been attempts by not just Iran to access the emails of campaign officials. That's what we've been hearing. What happens next remains to be seen. The big takeaway here is everybody should be vigilant. Hopefully, media outlets won't just go publishing what they're given because this is foreign nations attempting to meddle in U.S. democracy. So, kudos to Politico, which broke this story and said that there was an attempt to get it to publish this stuff, it chose not to and instead reported on what was being attempted. That's great. We need more of that.
Field: Interesting three months or so here Mat, because on one hand, you understand if you've got the two big cyber adversaries - Russia and China - they fundamentally want different outcomes in the presidential election. Iran has got its own reasons for getting in the middle of things now. So, you think, on the one hand, yes, we have to see a lot of activity. On the other hand, Russia is very embroiled with Ukraine. China is entangled with whatever may or may not happen with Taiwan. Iran is now ramping up hostilities with Israel. We do not know what we will see.
Schwartz: No and it keeps changing. The red lines are very different now than they were back in 2016. Things are a bit more fraught with Russia and finding the balance of what it can and can't do, especially with the Ukraine invasion still being a massive thing. China has some geopolitical dancing that it's trying to do. Then, you have Iran, where maybe they get some free shots, if you will, because they're trying to express their dismay with the West. But maybe don't have a lot of ways to do it. It seems to me a little bit like they're trying to throw their toys out of the pram here and say, "We're very upset about things, and we wish to stand up to Western imperialism." If so, this is a better way to go about it, potentially than, say, missiles or invasions, kinetic warfare, that sort of thing. Obviously, I'm not trying to pass judgment on the tactics being used. But, of course, all of this stuff doesn't happen in a vacuum. It is part of the current, as you say Tom, the geopolitical reality right now, which is much different than it was four or six years ago.
Field: It is and, domestically, it is as well. And this is something that none of you can see. But what concerns me, living in the U.S., is the potential for violence at the polling places. At Black Hat last week, I happened to run into Lester Godsey, the CISO of Maricopa County in Arizona, which is an election central when it comes to one of the hot states. They are moving polling places away from public schools because of concerns about violence at the polling places. And I don't think those are unrealistic concerns this year. It's frightening.
Delaney: Mat, what impact has this incident had so far on how we secure elections? We've seen a lot of chatter online. But do we see this as an impetus to make changes and introduce new measures in response to this threat?
Schwartz: I don't have the full rundown on everything that's being done in the U.S. with election security, but certainly two years before that, CISA was bringing some serious chops in terms of the counties and states being responsible for securing elections. It's a big patchwork, but CISA was helping marshal the response to that, and it seems to have been extremely effective from the standpoint of securing how the elections are held, how the votes get counted, election systems not being remotely hacked into and tampered with. All of that has gone extremely well in recent years. So, we're at a good point there. What's more difficult is disinformation and misinformation. How do you counter it? So, in some respects, it is not a bad thing that this effort by probably Iran, which is being branded, is amateurish. It looks just not very good, certainly not like what Russia was doing with cutouts back in the 2016 election. In one aspect, it's good that this has been such a damp squib, because it's giving people the ability to say, "Look, this is what we're facing, and if we see more of this, please use your critical faculties. Don't take all this at face value. Know that people are trying to prevent Americans from exercising their constitutional right to vote."
Delaney: Yeah, and we've seen foreign interference already. This is not the first election cycle we've seen leaked documents. We've seen mis- and disinformation being spread. Perhaps, the public is becoming more discerning or skeptical of leaked documents during these cycles, but let's see what the next few months bring us. Thank you so much, Mat. That was great.
Schwartz: Thank you.
Delaney: Rashmi, could OpenAI's new GPT-4o voice mode be blurring the line between AI and human relationships? You've written this week that experts are raising concerns, warning that getting too attached to its lifelike interactions might impact our social dynamics and even our mental health. So, tell us about this new feature, and whether you think these concerns are valid or just overblown.
Ramesh: I'll talk about the key findings that were interesting, but this specific aspect of the report just stands out. So evidently, users have started to express sentiment toward AI that suggests a sort of deepening emotional connection between the two. One of its safety testers was recorded telling the GPT model that this is our last day together. So, this is not unexpected. There are dozens of fictional movies and books relating to this topic, but even AI developers have known that this is a potential reality. OpenAI CTO Mira Murati said last year in an interview that these types of bonds could exist and they could pose risk if the models are developed in the wrong way. Now, what are these risks? It can one, undermine healthy social relationships with other humans. This could mean fewer conversations, but it could also mean treating humans as machines. Now, AI does not have preferences. It gives you what you want, when you want it, however you want it. So, you can be polite, you can be rude, and people often are if you read studies on this and that behavior can be perpetrated in conversations with other humans as well. Now, it can also build a false sense of trust. Look what happened with Google's AI overview feature. Nobody hopefully put glue on their pizzas. But you have to not trust but verify. And this is getting harder and harder to do when chatbots are being developed to be more and more human-like. And it does not help that GPT-4o is deliberately designed to sound emotive, have an arguably familiar voice and even respond in a timeframe that is similar to human conversations. Now, OpenAI in the report said that these bonds seem harmless, but we don't know the long-term risk because nobody has studied them yet. There are other very interesting parts of the report. One is how GPT-4o sometimes clones voices without authorization. 
OpenAI said that it usually emulates the user's voice in rare instances, for example, when they speak in a high background noise environment. But, it has fixed this issue. And the report says that the model also infringes on copyrighted material. OpenAI said that it has now trained the GPT to refuse any requests for copyrighted content. The company has, at this point, sought so much on this issue. I don't know what to believe. It told the U.K. Government, for example, that there's no way to train LLMs without copyrighted materials. While fighting so many copyright infringement lawsuits, I've lost count of how many there are right now. And, it also scores very low on the cybersecurity scale, because GPT-4o does not have enough real-world vulnerability exploitation to meet the company's minimum risk threshold. So, those are some of the highlights.
Delaney: Absolutely fascinating times. Rashmi, do you think OpenAI and others are doing enough to address the concerns about emotional attachment or is more needed?
Ramesh: So, not just emotional attachment, but other risks as well, right? But, to fix a problem, you need to know that there's a problem and how big the problem is. There needs to be a uniform process to evaluate behavior and standards to determine the extent of this problem. We don't have any of that right now. Right now, it's the Wild West. I love how we use this whenever new tech comes by or makes a retro appearance. But anyway, with AI, it is each company to its own. Google is doing its own thing. Microsoft and OpenAI are doing their own thing, and the White House is making voluntary commitments that these companies will develop safe AI without defining what safe even means. So ideally, we do the defining first, build applications with that safety standard and then test it against known guidelines. With AI, we're doing all of this process backward. So, the answer to whether they're doing enough is it varies on who you ask.
Delaney: Sure, and I wonder if this could redefine our relationship with technology, or maybe just another step in the long line of advancements here. But thank you, Rashmi. Lots to think about there. Tom, you've landed in the ISMG studio. You're in Vegas.
Field: Yes. To follow up on something that Mat was talking about in terms of the work that CISA has done, I would say CISA has done admirable work over the past two years. But one thing that was clear at Black Hat in our conversations is a good number of those CISA executives are abandoning ship now and heading into the private sector in advance of potentially an administration change of one or another. We saw Eric Goldstein leave for the private sector earlier this year, and since we spoke to Alaina Clark at RSA in May, she has left and gone to work for AT&T. So, the number of shifts in that agency is at a critical time. So, that was one of the conversations at Black Hat. But, if you think about the things that we discussed there, you couldn't go into a single conversation and not talk about AI. Rashmi, I bet that doesn't surprise you. We talked about who owns AI within an enterprise in terms of cybersecurity. We talked about governance and what organizations are doing to bring stakeholders together and have some order around this. Talked about maturing use cases, such as securing their LLMs, whether they've developed them internally or using some of the more public offerings we're aware of and the evolving regulatory landscape. With all that discussion, there's still a lot of immaturity. There are still a lot of organizations trying to get a hold of what is being done and when they are applying it to cybersecurity; it's automating a lot of manual processes when it comes down to it. I came away with a feeling from some of the chief privacy officers I spoke to that Shadow AI is a big concern, because anybody can go out with their credit card or a corporate card and subscribe to a service and start using corporate data in their private uses. Shadow AI is way bigger than shadow IT as what I was told and potentially a lot more costly as this regulatory environment develops - something to pay attention to.
Now, the name that hasn't come up in this conversation yet surprisingly, and we'll do it now - CrowdStrike. CrowdStrike was a very popular topic, and it was in terms of discussing why we can't have a single point of failure as we talked about ever since - the update and the results of it. Discussions around a lot of vendors being very cautious, not wanting to say something, because, hey, this happens to all of us, and we don't want to be out there casting stones. And then, some concerns about whether the market was shifting toward vendor consolidation and platformization. Also, does this update and maelstrom urge a lot of organizations to reconsider that mode. That was interesting. I had this conversation many times, and someone would always say, "Well, CrowdStrike wasn't a cyber incident." Well, yeah, it was. And what they mean by that is, no, it wasn't an adversary that did something that caused this response, but it was friendly fire, so to speak. It was an update that resulted in exactly what would happen if there was a cyber incident. We got to test a lot of response plans as a result of that. So, CrowdStrike was a very popular topic. I had the opportunity to do a number of interviews with thought leaders from around the world, and some of the ones that stood out to me. Very privileged to have the opportunity to speak with Hans de Vries, the cybersecurity leader with ENISA - the European cybersecurity agency. We talked about critical infrastructure protection across the European states. We talked about the election security map and how ENISA, CISA and other national cybersecurity agencies are doing a lot of information sharing about what they're seeing in their elections to help prepare one another. And we did talk about the evolving AI regulation and how Europe is taking a leadership role there and hoping that other continents and nations take the lead. I also had the opportunity to speak with Jeff Williams of Contrast Security. 
And Jeff and I go back to when he was with Aspect Security many years ago and was a consultant to OWASP when there was one OWASP Top 10 list. They're in excess of 20 Top 10 lists now over various aspects of application security. But, Jeff's big campaign right now is for ADR - application detection and response, and it's a natural progression from talking about endpoint detection and response - XDR. ADR, its time has come, and they debuted at Black Hat, and are looking forward to spreading that gospel and getting people on board. That's the smart thing. One of the interviews I enjoyed the most was with Joe Marshall; he is with Cisco Talos. And he was talking about his involvement with Project PowerUp in Ukraine. Once the Russians targeted critical infrastructure and were trying to take down the electrical grid, what the people from the outside noticed was that, yes, there was some physical damage, and it's challenging enough to go in and try to replace physical infrastructure and natural conditions, never mind having adversary shoot at you while you're trying to do it. But they also targeted by disrupting GPS. Now, if your critical infrastructure systems don't know what time of day it is and how to respond, you effectively have to shut them down. And so Cisco Talos had to come in and try to find a way to defend against attacks on GPS, which was a new tactic for them, and thankfully, they're bringing lessons learned from that out to the rest of the world. So, if we encounter such adversaries and tactics down the road, we've got some ways to combat it now. So, lots has happened over the course of a few days. It was wonderful to catch up with some people.
Delaney: Tom, how would you describe the overall atmosphere at this year's Black Hat? Was there a sense of urgency or optimism perhaps?
Field: Because it was in Las Vegas, it was very festive. And I would say that the attendees there, you're overwhelmed by everything that's going on, whether it's having 8000 people in the keynotes, or the thousands of people across the floor, or the many opportunities you had over the course of the day to go to a party, go to dinner, go see a concert, go do a sporting activity. There was so much distraction that I don't think there was a lot of room for urgency. But, when you look at the topics that we're discussing in terms of events such as CrowdStrike, ransomware and election security, there are some very urgent topics upon us, and there were discussions of those. But, for the most part over the course of the week at Black Hat, a lot of people got away from those and went off and recreated a bit and maybe cleared their heads.
Schwartz: I love the CrowdStrike recap that you were sharing Tom. It's interesting with people saying, "Wow, not a cybersecurity incident." We got lucky there, because with great disruption and expense for some organizations, it highlighted this problem that there is partially with Windows and why did Windows crash? Why couldn't Windows have recovered in this sort of situation? And I know that there's a lot of that questioning, and some regulators in Europe, for example, they're saying, "Microsoft, you need to make this risk go away." This wasn't exploited by an adversary, thankfully. So, a little bit like the Trump campaign theft and attempted hack and leak not being done very well. Could have been worse, and we're lucky in the sense that it wasn't worse, and hopefully, we can safeguard ourselves to make it better.
Field: Short answer - yes! I don't know about where you live Mat, but where I live in rural New England, I have people approaching me over the weekend after crowd out and saying, "Is this what Y2K was supposed to be?"
Delaney: Tom, that was a marvelous recap, and we look forward to watching all those interviews. Marvelous. Thank you everyone. Excellent work and excellent insight. Thank you so much for sharing.
Schwartz: Thanks for having us.
Delaney: Thank you so much for watching. Until next time.