Ilia Kolochenko, CEO of ImmuniWeb and adjunct professor of cybersecurity practice and cyber law at US-based Capitol Technology University, said the Five Eyes statement “makes perfect sense. However, it should have been sent in late 2023. Today, careless implementation and imprudent use of legitimate AI systems is a much bigger threat than any misuse of AI.”
He added that while the practical recommendations, such as the reduction of organization’s external attack surface, are relevant, they have little direct relationship with the modern AI risks. AI accelerates and amplifies the detection of misconfigured, obsolete, or vulnerable systems exposed to the internet, he agreed, but such issues have been around for more than a decade. “There are thousands of freely available non-AI tools that can quickly find the low-hanging fruit, which are oftentimes even better and much cheaper than LLMs, so AI is not even relevant here,” he said.
The biggest risk, Kolochenko said, stems from within organizations. Driven by the fear of missing out, corporate leadership frequently decides to precipitately deploy various AI systems across their organizations without even informing their CSO, let alone conducting a comprehensive risk assessment. Eventually, he said, AI introduces countless new attack vectors and vulnerabilities, becoming a much bigger risk than cybercriminals with AI.
