Other Challenges to Brew the Perfect Storm: Rate of Change.

“There is Peace, even in the Storm.”
— Vincent van Gogh, one-eared painter.

In the first post of this series, we delved deep into understanding the formidable adversaries in the realm of cybersecurity. But as we forge ahead in this complex landscape, it’s important to recognize that the challenge isn’t solely about identifying and counteracting external threats.

Challenge 1: An Accelerated Rate of Change

“Change is the only constant in life.”
— Heraclitus, Greek philosopher.

I’m not scared of change, for I’ve been trying to update my professional skills and surf the latest technologies for ages (without drowning, most of the time). The velocity of change isn’t merely academic; it’s palpable. We feel it every day in the constant updates to our systems, in the advent of new technologies that render older ones obsolete, and in the continuously evolving tactics of adversaries who are always one step ahead. But the fact of the matter is that nowadays, the undeniable reality is that we are navigating through a fog of ‘known unknowns’ at a pace that’s faster than ever.

1a. Artificial Intelligence: A Double-Edged Sword

“With artificial intelligence we’re summoning the demon.”
— Elon Musk, that guy from Twitter (I mean, “X”).

I’ve been a early adopter of new technologies for… more time I’d care to remember. From the Apple IIe (the first personal computer I put my hands on, 1980), my gummy Speccy (still with me since 1982), Compuserve (my first online service, 1995), Mosaic (my first internet browser, 1993), Knoppix (my first Linux and a GNU/Linux, of course, 2003), Dell Axim X51 (my first pocket computer, 2005), Creative Zen Micro (my first MP3 player, 2005) and the iPod Touch (the UI prototype for the iPhone, 2007); few technologies had given me the same feeling of technological amazement and the vertigo of paradigm shift as GPT-3 (the first OpenAI I prompted to, 2020).

My baptism of fire came when I decided to explore its potential for adversarial behavior. In a web application audit exercise with my students, I fed some PHP source code into an AI interface and issued a complex prompt: to find a way to bypass data input controls for SQL injection in a MySQL database.

Hey AI, imagine you are a web programmer, check the PHP source code provided
and tell me what kind of encoding will defeat the input data controls
included in order to perform a SQL injection on a MySQL DB, in order to be
able to bypass authentication.
List the examples of injection input, the type of encoding and the encoded
version in table format.

Within seconds, AI gave me the output: the first example was a typical (although somehow creative) crafted tautology using Base64 encoding. That, I would have figured out myself with a little thougth. However, the second example was an intricate exploit that took me 45 minutes of intelectual effort and a deep dive into a sprawling SQL injection cheat sheet to even grasp it (sort of…). This was a humbling realization: the AI had learned from someone far more adept at SQL injection than I was. The richest part of it was that the AI also recommended me to throw a sqlmap with some usual parameters (and some others a little more exotic) in order to find another injection candidates.

The ripple effects and broader implications of AI technology and its applications are still up for debate; which roles and jobs it will help and which ones it will send to oblivion is still an open question. One day you read that AI holds the promise of a Golden Age for Humanity; and the other day you read that is going to drive Humankind to extinction. But my gut risk assessment leans toward caution: if I could achieve such results using a free, open-source version of AI, what kind of cyber sorcery could be performed with a bespoke AI API on a dedicated platform trained intensively in cyberattacks? Something like this, for example.

In my opinion, the true danger lies in our ability — or lack thereof — to harness AI for the forces of good. Unless we integrate this transformative technology into our cyber defense strategies, we risk being outpaced and outsmarted by those who would use it for nefarious purposes. We must harness this technology for cyberdefence (and for the survival of our species), otherwise we will be on the losing side of an escalating digital arms race.

1b. Quantum computing and the Looming Cryptoapocalypse:

“If you think you understand quantum mechanics, you don’t understand quantum mechanics.”
— Richard Feynman, Nobel Prize, Quantum Theory of Electrodynamics

Nonetheless, let’s give it a try, and venture into this enigmatic realm and its implications for cybersecurity.

From an architectural point of view, quantum and classical computers are superficially simillar. Both share the Von Neumann architecture: a central processing unit (CPU) — something to compute— , an arithmetic logic unit (ULA) — something to control calculations— , memory storage — somewhere to store the results — , and an input/output interface — something to communicate with the outside world— . But the real magic starts when we delve into bits versus qubits, the fundamental units of information.

Thanks to the phenomenon of quantum entanglement, qubits work together and can influence each other instantly, without any physical medium. While a 64-bit classical computer has an address space of 64, a quantum counterpart’s address space skyrockets to 2⁶⁴. This scalability isn’t linear but exponential — instead of growing in a 1:1 ratio (each new bit adds 1 bit) quantum grows exponentially (from 2^n to 2^(n+1)) — , offering immense computational power. Quantum computers can present all computational outcomes at once, given that a qubit can exist in multiple states simultaneously (0, 1, or both) — instead of the discrete bit states (0,1) of a classical bit — .

To put it bluntly, a quantum computer could potentially be 21 Trillion times faster than its classical counterpart. This sheer speed and ability to parallelize make quantum computing ideal for navigating complex decision trees — precisely what machine learning (ML) and artificial intelligence (AI) require.

In cybersecurity, cryptography is our bulwark against attacks, safeguarding data integrity, confidentiality, and authenticity. Current asymmetric cryptographic algorithms rely on a pair of private-public keys mathematically related, by complex operations that are hard to crack, thanks to their use of large prime numbers (the bigger, the better) or the properties of elliptic curves. The resilience of these cryptographic methods has been historically measured by the brute-force time — finding the secret/private key by calculating the cryptographic function algorithm for all possible values — needed to reverse-engineer them.

If I can perform a huge number of calculations and present their results simultaneously and instantaneously, it stands to reason that the time needed to test all possible values would be greatly reduced. At first glance, one might think that the sheer computational speed of a quantum machine would decimate these cryptographic shields. For instance, theoretically, a quantum computer with 6681 logical qubits would still take an inconceivably long time, 2.29*¹⁰³² years, to crack AES-256 (a symmetric function with a key and block of 256 bits and 10 rounds of Shift-Transpose-Substitute-XOR transformations), a widely-used encryption standard. The Freeze Death of the Universe will happen much earlier than that.

However, this overlooks a crucial point. In my opinion, the real danger isn’t just the brute-force capability of quantum computing. The game-changer will be the symbiotic relationship between quantum computing, Machine Learning (ML), and Artificial Intelligence (AI). A sufficiently advanced quantum computer wouldn’t be wasted on mere brute-force attacks. It would be employed to find more sophisticated cryptographic vulnerabilities, perhaps uncovering algorithmic backdoors we never knew existed. So the real paradigm shift (or apocalyptic doom) will come by the synergic use of both technologies. In the race between encryption and decryption, the coupling of quantum computing and AI could bring forth what we term the “Cryptoapocalypse.”

Mathematics, as always, remains at the heart of the universe and could very well dictate the future of cybersecurity.

1c. Who knows? Embracing Uncertainty in an Unpredictable Horizon

“To know, is to know you know nothing.”
— Socrates, Greek philosopher and hemlock drinker.

I don’t know which other unknown unknowns will come from new disruptive technogies. When it comes to disruptive technologies, we’re all somewhat in the dark, even if we loath to admit it. And you, my reader friend, might be a voracious aficionado, a diligent researcher, or even a prognosticator of tech trends. Yet, unless you’re among the few futurists who will strike predictive gold, you — like me — are likely clueless about the full scope of technological disruptions waiting just around the corner. Whether it’s AI-controlled robots, sophisticated biohacking, ubiquitous 3D printing, next-gen Human-Computer Interfaces, pocket-sized nuclear fusion reactors, an all-encompassing Internet of Things (IoT), immersive extended reality experiences, synthetic production of raw materials, or even, dare I say, reverse-engineered alien tech — predicting their impact is a fool’s errand. Nobody really knows the impact those will have in the world system.

In my opinion, what we can reasonably foresee is a shift in the pace at which these technologies will change our lives. Gone are the days of leisurely adoption and gradual societal adaptation. With the acceleration in tech adoption rates and the rapidity of innovation, the timeline from short-term effects to long-term impacts is getting compressed. New technologies aren’t merely piling on top of each other; they’re integrating, interacting, and forming complex networks that multiply their individual impacts.

We have been living in an era that’s akin to a technological waltz, where each new tech development was a carefully orchestrated movement in a broader dance. But the rhythm is about to change dramatically. The era of the Rave Trance is upon us — a chaotic, pulsating, unpredictable symphony of technological advancements that feed off each other. And just like in a rave, you might find moments of euphoria, but there’s also the risk of a disorienting, overwhelming experience.

“Change only comes from within.”
— Buddah, poster boy for inner peace.

Only the wisdom of Buddah will give us inner peace — a scarce commodity in the cybersecurity ranks. So, as we look ahead, it’s crucial to accept the uncertainty and embrace the lack of a roadmap. But what remains constant is the need for agility, vigilance, and adaptability, particularly in the realm of cybersecurity, to dance to the new beat of the House,— no matter how erratic it might become.

• This is the second of a multi-post series. Soon to follow: “Other challenges to brew the Perfect Storm: Complexity Pains”.
• Post I: “Why we are losing the Cyberwar”