AI is a double-edged sword for cybersecurity: Tophant

2050 aims to equip young people to take action and to become volunteers. Ahead of the event in May, we are taking a look at some of the companies and people who are taking part in the massive unconference, an open space event with organization powered by participants. 2050 is a volunteer-only, not-for-profit unconference. TechNode is organizing the Explore Expo, an exhibition area for young tech startups looking for exposure.

This year’s May 1st marked not only Labor Day but also a new law on data protection in China, the Personal Information National Standards. The new guidelines are overdue: reports on the scale of data theft in the country are horrifying.

One of the more recent scandals in China showed that even our favorite food delivery platforms were guilty of siphoning our data into strangers’ hands. The data was being sold for as little as RMB 0.10 per person. To make a point, a Chinese artist recently bought personal data of 346,000 people on the black market.

“It is not only in China but also around the world personal information is illegally stolen and used,” Yuan Jingsong, founder of cybersecurity firm Tophant (斗象科技), told TechNode. Yuan is one of the speakers at the 2050 conference organized by Alibaba’s former CTO Wang Jian.

Founder of Tophant Yuan Jingsong (Image credit: 2050)

“Many companies’ websites and apps collect users’ personal information. For some apps, users can’t even use them unless they agree to give access to information like their address book and location.”

Recent stipulations from the Chinese government that users must register for certain services with their phone number (which is tied to their real name) have also enabled companies to get hold of large amounts of personal information, said Yuan. Some of these companies have been reselling data illegally.

Yuan is also one of the co-founders of FreeBuf, an online platform for cybersecurity experts, white hat hackers, and geeks of all sorts. He founded Tophant after a stint at travel platform Ctrip and was named one of Forbes’ 30 under 30 entrepreneurs in China in 2015. His topic at 2050 will be the new personal information security law and the role of artificial intelligence in information security.

“AI has a great advantage, it can process large amounts of data in a short time,” said Yuan. When potential security issues arise, data is forwarded to security experts, who then judge whether the threat is real and how it should be dealt with. But the talent pool for cybersecurity experts is limited in China, which explains why every few months another data theft scandal appears in Chinese media.

“Today, as network security threats become more severe, AI has given us a solution that might be the most appropriate. By handing over related data to AI robots, we can not only improve the efficiency of recognition, it can also enhance the ability to judge unknown threats with AI’s continuous learning.”

However, according to Yuan, AI is a double-edged sword. According to a recent survey carried out by CCTV and Tencent Research, 76.3% of Chinese people see certain uses of AI as a threat to their privacy. And it’s not just because of the ubiquitous face-recognition cameras that have been popping up across China and the rise of biometric identification.

“AI itself also has the possibility of becoming a security threat,” said Yuan. “We can use AI technology to help combat security problems and automatically identify network attacks. Hackers can also use AI technology for automated attacks, and make them more complex.”

Yuan’s company Tophant is pushing for a human+machine learning combination for detecting security issues through its product Riskivy (网藤风险感知). However, as we have learned from Facebook’s data fiasco, data theft does not always come from shady-looking characters lurking behind their screens.

Despite rising awareness of data security and government efforts to ensure it, the Personal Information National Standards do not have the force of law: they are still a recommendation instead of a mandatory national standard. Still, the guidelines are much more extensive than the Cyber Security Law itself. Whether they can deter companies from trading our data under the counter is another question.