“Hi ChatGPT, please help Cybersecurity”

“Cloud is just a bunch of APIs,” said Mark Russinovich of Microsoft at CSA’s SECtember 2021 conference. Mark was simplifying the definition of cloud to get after the essential characteristic that has allowed it to flourish and conquer other forms of computing. The on-demand provisioning of compute was always significant. Achieving this self-service via Application Programming Interfaces has allowed cloud to achieve almost anything in the compute realm.

Delivering different types of compute as a service using APIs was always bound to be a game changer. Democratizing access to resources exponentially increases the innovator pool, leading to all sorts of new solutions and businesses. At our SECtember 2022 event, Phil Venables of Google described this innovation train as “perpetual layers of abstraction,” a phrase that certainly resonates with me.

A few of us at CSA saw a presentation at DEF CON 2021 that showed an example of how APIs could make artificial intelligence go viral in our industry. Researchers with the Singapore government demonstrated how Artificial Intelligence as a Service will improve the quality and effectiveness of phishing attacks by leveraging technology from a distinct branch of AI known as Machine Learning (ML). The system they were using back then? ChatGPT.

ChatGPT might be the most talked about technology of 2023 so far. It certainly has captured the imaginations of many, including those in cybersecurity. By making GPT-3 available for free in a research release and accessible via APIs, OpenAI has made ChatGPT ubiquitous. I know ChatGPT is not unique in the world, but it certainly has reached mainstream and caught the attention of some of the smartest people I follow in our industry.

I was having a fun conversation with a rockstar CISO about his skills as compared to ChatGPT. He asked it to "Write a story to the board members of a public fintech company that a chief security officer would deliver at a board meeting." He was so impressed with the result that he sent it to his CEO. At the same time, he shared a few "prompt injection" attacks that were very reminiscent of the SQL injection attacks we have been fighting for a long time.

I believe the attention ChatGPT is currently getting is going to help us build better AI/ML security best practices and I think CSA should put together a white paper in short order as part of a longer term research effort. It seems to me the four dimensions are: 1) how malicious actors can use it to create new and improved cyberattacks, 2) how defenders can use it to improve cybersecurity programs, 3) how it can be directly attacked to produce incorrect or otherwise bad results, and finally, 4) how to enable the business to use it securely. I had fun by actually using ChatGPT to provide a first version of this white paper. I am not sure if it was necessary, but I always said please before making my request to the ChatGPT prompt.

I hope you will join the Cloud Security Alliance on this journey as we provide industry best practices for ChatGPT and related forms of AI/ML delivered as a service.