With the GeekPwn 2018 International Cybersecurity and AI Contest in Las Vegas just over, TechNode interviewed Daniel Wang, CEO of KEEN, the Chinese whitehat hacking collective that organizes the annual GeekPwn competition. As a pioneer in the field, Daniel talked to us and shed new light on how we should view and approach AI-related security challenges.
Wang founded the KEEN team in 2011 after working as a senior cybersecurity analyst at Microsoft. He led KEEN to win numerous international competitions in the following years, such as the famous hacker competition, Pwn2Own, and gained international acclaim.
A new look at an old problem
Wang takes a counterintuitive perspective on the relationship between artificial intelligence and security. Wang’s starting point was when he encountered the concept of “generational confrontation network.” He had a simple yet valid premise: “Can I generate a dirty sample to confuse AI systems, and what’s the result?” He found that he could disorient simple AI with simple tweaks and realized that there were a lot of serious implications for our everyday lives.
Through this process, Daniel developed a philosophy that he uses as the North Star to guide his actions. He believes that hackers do not exist because of vulnerabilities, but rather it is the other way around. This means that in order to solve today’s cybersecurity problems, we need to start thinking from a hacker’s point of view. When an exploit is discovered and patched, it is one less loophole that malicious hackers can use to destroy our systems, and hence enhance our security.
Wang goes on to say that if we are seriously concerned about attacks, adopting the hacker’s mindset will be helpful for our future development of AI. In fact, hacking is employed here as a method of learning, and as we continually discover our own weakness, it is actually the best offense and defense we can have against malicious attacks.
Unknown attack, known defense
In the past 13 years, Wang and his team have done comprehensive research on security loopholes, as well as criminal investigations to determine how hackers attacked. The majority of the research done by Wang and the whitehat hacking community has largely been on software security because it was the predominant form of information communication in the digital age. That meant mainly Windows or the security of Unix and Linux systems.
At that time, he realized that the term “security” was too broad. It could mean firewall protection, or it could mean anti-virus protection or any other broad definitions. After much thought, Wang developed and adopted the concept of “unknown attack, known defense” as a guideline when creating his products, and has since set an industry standard for the cybersecurity community to follow.
In more detail, the idea implies that if you don’t know what will attack, you should focus on prevention and minimizing the damage. So, he created a product for operation and maintenance security that companies can use to secure basic functions. Although it cannot guarantee that someone’s computer or server is fully protected, it decreases the time it takes to find out what is causing the abnormalities.
What used to take three hours or even three days or three weeks can now be done in only three minutes, or even thirty seconds. “This is important because it minimizes the window of opportunity that hackers can use to cause damage. The quicker that we can secure vast and critical information systems, the better we can effectively contain the threat,” Wang says.
In 2012, with the rise of Weibo, WeChat, Alipay and other critical social functions being used in mobile, Wang and his team noticed the shift and adapted the direction of their research accordingly. They knew that in order to survive, they had to play the game right and decided to take part, and won, in the world’s top hacking competition, Pwn2Own. This achievement brought the team into the international limelight and created a lot of partnerships and opportunities for Wang to move forward with his vision.
Mobile security will face problems of the past
Wang believes that mistakes that were made in the past with the PC will be repeated as people are still not putting enough emphasis on mobile security. Wang’s belief seems to be placed in good faith and sound data. The number of mobile devices around us will far exceed the PC. According to Statista, in 2016, an estimated 62.9 percent of the population worldwide already owned a mobile phone. The mobile phone penetration is forecasted to continue to grow, rounding up to 67 percent by 2019. The amount of data and access to these data, if hijacked, will be disruption on an unimaginable scale.
He points out that the essence of cybersecurity is the confrontation between people because computers are written by people. As long as people are making mistakes, hackers can use these errors as a gateway to attack. To hackers, vulnerabilities are seen as errors in processes like R&D. Thus to reduce such instances, hackers need to go deep and deal with the root cause of the issues.
Therefore, the premise of all attacks is vulnerability. The reason for vulnerability is human error and human error stems from only considering how to make a product faster and faster or more and more convenient rather than how a hacker would come in. “Think about it, if you are designing a car, do you design the airbag first? The process of development prioritizes functionality before security,” he asked rhetorically.
In short, the goal of whitehat hackers is not to eliminate vulnerabilities, but to reduce vulnerabilities and increase the cost of attacks.
Doing small things with big impact
Looking back, artificial intelligence has been able to solve many security problems, yet it has also been used maliciously for attacks. We have seen that through vulnerabilities in the handwriting feature, voice activation, verification code and, especially in this past year, data tracking and AI can be weaponized in the wrong hands.
Now that AI is developing at a faster rate, many have voiced their concerns about the threat of AI, or rather their fear of the unknown. Daniel seems to be a bit more optimistic, however.
When talking about his vision for GeekPwn, Daniel said that although GeekPwn is a small stage, it aims to make security researchers better—and security researchers are getting better. He believes that the industry can improve, and if the industry is good, it can help ensure the safety of other industries.