Digital: Disrupted: The Growing Threat of AI on Cybersecurity

March 3, 2023

In this week’s episode, Paul is joined by Benjamin Netter, the founder and CEO of Riot, for a discussion on cybersecurity. They break down how AI, and specifically ChatGPT, is opening up new ways for attackers to go phishing and gain access to all sorts of sensitive information.

Benjamin also shares insights into what businesses can, and should, do to better protect themselves from attackers and just how critical heightened awareness of security best practices is for every employee in an organization.

Digital: Disrupted is a weekly podcast sponsored by Rocket Software, in which Paul Muller dives into the unique angles of digital transformation — the human side, the industry specifics, the pros and cons, and the unknown future. Paul asks tech/business experts today’s biggest questions, from “how do you go from disrupted to disruptor?” to “how does this matter to humanity?” Subscribe to gain foresight into what’s coming and insight for how to navigate it.

About This Week’s Guest:

Benjamin Netter is the founder and CEO of Riot, an all-in-one cybersecurity platform for employee protection. Listen to the full episode here or check out the episode transcript below.

Episode Transcript:  

Paul Muller: Alright, so the old adage is that it takes a band five to 10 years to become an overnight success. Well, the same might be said to be true of ChatGPT, the generative artificial intelligence that's taken the technical world, and now the creative world, by storm. You might even say it has taken it by hostage. Well, even if you haven't heard of it, it's probably touching your daily life, whether it's news articles, the words you read in a marketing advertisement, songs, strategy papers, even homework is now being automatically generated by nothing more than an algorithm. It's incredibly powerful, but potentially also frightening stuff. And there's no shortage of pundits, myself included, who are arguing that society isn't really ready for the ethical implications of what I think is the knowledge worker equivalent of the meteor that killed the dinosaurs. And that's just when it comes to the good guys. 

What about the bad guys? The criminals, the nation states that might seek to turn automated intelligence against its creators. Well, before we jump into it with today's guest, I want you to do me two favors. If you don't mind the first, it's a really quick and simple one. If you like what you're hearing, if you like what you've been listening to in previous episodes, please do give us a thumbs up, or better yet, leave a quick review on your podcast player. I cannot tell you how much of a difference it makes to us. The second is, please do check out the website of today's sponsor rocketsoftware.com to see why over 10 million IT professionals rely on Rocket Software every day to run their most critical business applications, processes, and data. But welcome, I'm your host, Paul Muller, and welcome to Digital Disrupted. Our guest today is a French tech entrepreneur who co-founded Europe's leading crowd lending platform, October, which financed over 500 companies across France, Spain, Italy, Netherlands, and Germany. I'm sure others. Today he joins us as founder and CEO of Riot, which is an all-in-one cybersecurity company platform for employee protection. And he's here to talk about the impact of ChatGPT on cybersecurity. Please welcome to the show, Benjamin Netter. Hey mate. 

Benjamin Netter: Hey, man. 

PM: How you doing? Where do we find you today? Are you actually in France? 

BN: I'm in Paris, right, right now. 

PM: Oh, beautiful. 

BN: Riot started in San Francisco, but I'm back in France for now. 

PM: It's kind of nice to get out of, I call it the Silicon Valley echo chamber, right? Because you start to feel like everyone's sort of saying the same thing in Silicon Valley. It's nice to get a bit of perspective. Do you agree? 

BN: No, I think they keep a lot of secrets in San Francisco and in The Valley that you don't hear anywhere else, so I tend not to agree. I enjoyed the time I was there before COVID hit and it got pretty messy, so I had to go back to France. 

PM: Oh, fair enough. Fair enough. Well, we can talk about that maybe after the show. Hey, let’s jump into today's episode. I'm really excited. I haven't actually heard anyone talking about ChatGPT from the perspective of the cyber aggressor, so I'm keen to see what you've been learning. But before we get into it, we do something we call the lightning round on the show to get to know our guests through a slightly quirky lens. Are you ready to do this thing? 

BN: Yeah. All right, let's go. 

PM: All right, let's do this. First question, what would people say is your superpower? 

BN: I read people very easily. 

PM: Okay. Read me. 

BN: I'm not sure. I would have to know more about you. Probably not as easily as this. Maybe by the end of the show I would have an opinion. 

PM: Alright. That's going to be your test at the end of the show. Second question, the most disruptive technology of all time? 

BN: Oh, that that's, that's easy, antibiotics.  

PM: Oh, I don't think we've had that one. That's great. 

BN: How's that possible? You know, they say when we discovered antibiotics life expectancy grew overnight by 10 years. 

PM: Yeah, no, I don't think we've had it. We've had so many wonderful answers, but I don't think we've ever had that one. That's great. Mine, by the way, was the beehive, just to give you an example of maybe how to read me. But yeah, without beehives, you don't have crops, you don't have pollination, you don't have mass farming, nothing happens.  

BN: It feeds people. 

PM: Exactly. Exactly. You're getting my drift. All right, next question. The best quality a leader can have? 

BN: To be a good listener. What would you say? 

PM: I'm listening. 

BN: Probably the best quality. I mean, pure, good listener. It helps a lot with everything you need to be doing as a leader. 

PM: I find so many leaders spend a lot of time talking though, right? Well, maybe they're not so good leaders. All right. Your advice to people starting their careers? 

BN: Don't focus so much on the salary probably. So, choose the best experience for you, not the best salary. 

PM: Yeah, it's an interesting one, right? The salary kind of comes, especially in your sort of thirties to forties, is when the rewards of the experience of the early years of your career come. Do you find that? 

BN: Yeah, exactly. So last Sunday I watched an interview with Will Smith where he explains that after the Fresh Prince of Bel-Air, he had an offer for a movie for I think $10 million. And his manager told him not to do it because the movie was not great, and he ended up doing a movie that paid a $100,000. That was a big hit. 

PM: That's the trick, isn't it? Yeah. That's tough though, because it's easy to get exploited in that situation too, and we don't want that. The first thought that comes to mind when you think about cybersecurity? 

BN: First thought, probably human. It's a human problem. To me at least. It's a human problem. 

PM: Yeah, I agree with you. Finally, if you could use technology to solve one world problem, what would it be and why? 

BN: That's a tough one. Probably climate change right now, that’s the biggest challenge we all face in the next hundred years? What would you say? 

PM: For me, I still think at the moment the technology problem we need to solve sort of related to today's conversation, which is that of disinformation and misinformation. And we are seeing now the idea of artificially generated content is only going to, I think, amplify what is an extremely dangerous environment we are in at the moment where the authenticity, the veracity, the lineage of the content that we read, that we listen to, that we see is going to get harder and harder to verify. And it's going to be easier and easier for us to, I think personally, have World War III start over something that happens on the internet. 

BN: I think that can be solved more easily than climate change. Probably. 

PM: Well, let's see. We're going to find out from you today. Tell us a little bit about your background. How did you come to be talking about cybersecurity and ChatGPT? And maybe a little bit about your background as a French entrepreneur, because we don't really associate Europe. We talked about this on the show a couple of times, despite the Spotifys of the world, and there's a couple of other examples. We don't really think of European well, not so much Europeans, but the European environment as being a great place to build tech entrepreneurship. 

BN: Yeah, and we actually started in the U.S. So, I'm not even sure we’re French anymore. Most of them doing the VC money comes from the U.S. too. So hard to tell if we're French or American. I don't even know. 

PM: So, tell us a bit about your background. 

BN: Sure. Prior to Riot, I co-founded a FinTech called October that was doing loans, I mean still doing loans for small businesses across Europe. I think to this day, we have landed one billion euros total over companies, probably over one thousand companies in Europe. So, we grew the team from two people to 150 people across Europe. And part of my concern, I mean I was CTO, was how I created this platform, handling hundreds of millions of Euros of transactions every year. And how do I make sure that hackers don't find a loophole and hijack the money somehow? And I was investing a lot on how to protect the platform, so investing in testing, bounties, and so on. And what happened one day is that an employee ended up clicking the wrong email, entering their password, and that's how we got breached. That was 2019. I was doing cybersecurity awareness on the side of everything. I mean, you work with smart people, so you imagine that they won't fall for a phishing attack. And I was doing yearly talks, an hour-long talk about cybersecurity and thought that that was enough to prepare them for cyberattacks. That's how Riot actually started. 

PM: Wow. 

BN: Yeah, it started as a side project. I was waking up two hours earlier every day, and I was trying to launch, simulate a phishing attack on employees to see how they behave when they receive phishing emails. And I ended up launching an attack on my previous company, October. And the first person who clicked and entered their password was the CFO. I think at that time we had just closed a 300 million Euro fund, and she was the first person who clicked and entered her password. And then 20% of the company ended up clicking and entering their password. And so that's how Riot actually started as a side project. I talked with CTO friends, and they were pushing me to try Riot on their team, and that's when I decided to apply to Y Combinator (YC). I ended up leaving October to work on Riot full-time. 

PM: An incredible story. Before we get into the connection between ChatGPT and what Riot's trying to do, let's start by trying to explain ChatGPT, because I am still amazed at how many people haven't heard of it yet. As I said in the opening, they've probably seen the output from ChatGPT and not even noticed it. So maybe do you want to explain to our friends and listeners what ChatGPT is all about? 

BN: ChatGPT was created by a company called OpenAI, who's been working on artificial intelligence for the past 10 years. Actually, OpenAI was created as part of YC, and it was also created by Sam Altman, who's a previous YC president, I think.  

PM: YC is Y Combinator just for people.  

BN: Yeah, exactly. And so ChatGPT relies on the layer called GPT three with the third version of an algorithm that they created at OpenAI that has been trained on, I don't remember exactly, but I think 45 billion text. And it's very good. GPT is very good at predicting text in a comprehensive way. So that's the end layer. And ChatGPT is just the layer where you can just ask a question to GPT three and GPT three generates an answer. 

PM: Just to put it very, very clearly, it generates human readable text in multiple languages actually. So that looks and reads for the most part, because sometimes it obviously has some grammatical flaws and factual errors, but to most people, I'd say 90, 99% of the content looks like it was written by a human. It’s almost indistinguishable in many respects. Have I got that roughly right? 

BN: Yeah, exactly.  

PM: Yeah. So far, so good. As I've said, it's been used to create news articles. People are doing their homework with it now, all sorts of scandalous stuff. There's a whole bunch of ethical concerns about when the content gets created, how the original authors are compensated, that we won't even get into that side of things. How is it being used by the bad guys and what's the connection to Riot? 

BN: Up to this point, I'm not even sure it's currently being used because GPT three has been product protected by OpenAI. They don't want the bad guys to have access to this tool to generate attacks. But we've seen, we've been trying out GPT three for the past few years now at Riot, and we've been generating targeted phishing emails with it, like really hard to actually spot for the past years, and it's actually pretty impressive. 

PM: So just to put that into context, when we talk about phishing emails, and I suppose this even includes text messages because I literally yesterday got two messages from my bank, and my bank saying you need to reset your password or do something like that via SMS message or iMessage. Obviously, email's another one where you get these phishing emails. Give an example of what a phishing email might look like to one of our audience members. 

BN: Absolutely. So, there's really different kinds of phishing emails. The very simple one is you won a contest, click here to claim your prize, and you have to enter your credit card details and it'll steal your money. But much more complex phishing emails would probably be your CEO asking you for a service that's urgent and you would end up spending money or wiring money to an external party. So that's probably the more complex scenario. 

PM: And if I understand correctly, what these bad guys will do is they'll do a bunch of research on your company, on your organization. They'll scrape LinkedIn data, they'll look at all of the information about who reports to who inside the company, and they'll pull all that together to create the most convincing and compelling email they can, usually with a sense of urgency associated with it to try and get you to do something sort of appealing to authority. Is that roughly right? 

BN: Yeah, exactly. And something that we have seen a lot lately is they use LinkedIn to actually understand how your company is structured and craft much more clever attacks on you. 

PM: So, what's the connection? Well, you've been doing this research I'm assuming you've tried to create more convincing phishing emails using ChatGPT as some sort of test. Is that roughly what you're thinking about at the moment? 

BN: Yeah, exactly. So GPT three is very good at imitating. You can provide a few emails from someone and imitate the way the person writes. And obviously it's only the first part of the problem, because the next iteration would bring voice to it. I wouldn't be surprised that, in the next year, we see automated phishing attacks imitating the voice of someone and calling you and asking you for a service. 

PM: And I suppose the reason this is a problem is today, if you're going to launch a sophisticated phishing attack on a target organization, it's been expensive from a human capital standpoint. You have to take the time to do the research, you have to take the time to try and imitate the person's voice. And by voice we mean the tone of their email, their writing style, not their actual voice. Tools like ChatGPT would automate that. And if we know anything from this show, it's the bad guys are lazy. I don't mean that in a bad way. If they can reduce their cost of attack, they'll do more attacks, right? 

BN: Yeah, exactly. I think what brings ChatGPT or GPT three is that it makes it possible to do targeted attacks, but at scale. If I wanted to target you, I would go on your LinkedIn look at people and imitate the signature of someone, and it'll take some time to actually target, create a sophisticated attack on yourself when GPT three makes it much easier. 

PM: It'll scale. And then I hadn't stopped to think about this, but we actually have had, I'm trying to remember the name of the guest. We talked about generative AI being used to create a voice print similar to the original author, and you could basically get that person to say anything. And I believe if memory serves that now extends through a video. So with a couple of frames of video, you can create a compelling audio and video experience that is generative, and you could get your boss to FaceTime you, I suppose, or Zoom you and say, “hey, listen, I need to get this done right now,” and start screaming at you until you give them a password or reset something or send some money or whatever it is they're asking to do. I mean, all of this sounds completely, utterly terrifying. The question is, is there anything we think we'll be able to do about this, or are we just going to be subject to more and more of this?  We're going to see, as you say, if your CFO's clicking on a relatively unsophisticated email, what's going to happen when they're subjected to all of this advanced technology? 

BN: I mean, that's also why we're focusing right now on bringing better cybersecurity awareness to companies at Riot. Because if hackers target you to get to your company, that’s usually how it works, they target you to get to your company and to attack your company, they will probably use your personal phone number, and that's something that you're not preparing for with cyberattacks. And in the end, the human is the last barrier to a successful cyberattack. But that's why, for us at least, no algorithm will solve this. There's no silver bullet, and in the end the humans have to be better at spotting attacks. 

PM: Fair, I'll take that, but is there any way that we could use the technology to spot those attacks? Because I suppose if you've got a generative adversarial network, the two of them basically, I mean, can we use AI to detect AI or at least machine learning to detect some of these attacks and help maybe shield us from them? Because I suppose if they're being automated, the volume is eventually going to wear somebody down. 

BN: Not for a few years. I wouldn't be sure about this. So basically, I think detecting an imitated voice in real time is really something that you can't do at scale. It might come from Apple or Google, but that would mean listening to everything that's happening on your phone. That is a lot and I'm not sure they would have the capacity to do it in the next year or two. 

PM: Not to mention some of the ethical and privacy concerns that raises. So what can we do to protect people? You said this is a people problem. What can we do to do things like raise awareness? Because I feel like I get an email every second week from somebody in one of my organizations saying, “hey, you need to do this,” or go through some sort of cyber training, and you almost become fatigued by the amount of training you're getting at the moment to the point where I think sometimes people even just switch off. What are your thoughts? 

BN: No, that's true. And so that's exactly what we're trying to do better. We’ve created a cybersecurity awareness program that employees love to do. It's a really different format from what you've experienced in the past. And I think one thing that we do really well is guiding you through better security. A very simple example that I usually give is with LinkedIn, which is a great source for hackers. And we have a course where we actually scan for your LinkedIn profile, and we give you advice on how to configure your privacy settings on LinkedIn to better protect your profile. There's really six low-hanging fruits on the privacy settings of LinkedIn that you can easily set up and will make life much harder for hackers. And unfortunately, most of the time today, it's not set up. And so that's something that's a good example of what we're trying to do differently. 

PM: That's fabulous stuff. I'm just going to get you to go through what they were, I'm curious now.  

BN: There's two of them that are very easy to set up, but your family name is visible to everyone on LinkedIn and the family name is usually used by hackers to make targeted attacks. And another one is the profile picture. I don't think that you have to share it more than your extended network. And so those are probably the two first things I would do if I was a listener of your podcast to protect my profile. 

PM: Yeah, a couple of minutes and you're done. And is the same true of other forms of social media or is it really LinkedIn because it is so closely tied to business and business-level attacks? 

BN: Obviously there's other social media. Facebook is a good one. If you show a picture of your dog and you mentioned the name of your dog and it's a public post, hackers might use the name of your dog and try it out as your password, because that's probably a very common example of picking your password. That's the name of your dog.

PM: Dog name, 1, 2, 3. Yeah, exactly. See that now? Yeah, there you go. With the dollar sign at the end. Yeah, we've all seen it. Unbelievable.  

BN: It’s much more common than you would think. 

PM: Yeah, it's terrible actually. I can't believe some of the passwords that when you talk to your family and friends and, every now and again, they share your password because you're trying to get onto their laptop for them or something, or I get asked to fix technical problems, I'm like, what's your password? And they tell me, and I just look at them in horror like, well, what are you doing? 

BN: Exactly. So, something that I like to also mention is the passcode on your phone, because your phone probably has a lot of personal information on you, and usually people use a four-digit passcode, and most of the time it's a very simple passcode, like 1111, 2222 or 2580 or your birthdate or something. That's actually very easy to find. And I mean, once I have access to your phone, I have access to a lot of information that I can use against you. 

PM: Not to mention a lot of the authenticator apps now that people are using for two-factor authentication are on your phone.  

BN: You get the text message and you also get the text message to validate the second step. So, I mean, yeah, phones are a big problem too. 

PM: Yeah, it's a really good point. Look, I guess we are probably at the point now where maybe we wrap up. What do you see the future of automated cyberattacks and cybersecurity looking like over the next couple of years? What do you think listeners can expect to see and how can they better prepare themselves for what's coming? 

BN: I think the format will change. As you mentioned, we've seen phishing, so attacks over text messages have been growing very rapidly in the last year. Think of the basic email phishing mail that you get, that's not the current state of phishing attacks today. It'll evolve from text messages to probably phone calls. I wouldn't be surprised if we see more phone calls probably in six to 12 months, and it'll be much more common that you get attacked over a phone call in 2024. So the format will change, AI will be obviously involved because it's much easier. It'll be much easier to make this phone call using a script. So yeah, I think it'll evolve. The format will be the biggest difference. 

PM: This is a question without notice, so if you don't have a point of view on this, feel free just to pass on it, but cybersecurity is I think famous personally for saying, ah, the one thing you need is X, Y, Z. Yeah, it might have been SEM tools 10 years ago or firewalls 20 years ago. There's always a magic bullet, a silver bullet in the security world. It's never real, but it gets the market talking about these things. Zero trust is often put forward as the one silver bullet to solve all your problems. If you have zero trust, it doesn't matter, you can never be fully breached. What are your thoughts on that? Is that something you've heard, and do you have a reaction to that? 

BN: No, I think zero trust is good. It's a good mentality as long as you zero trust everything, but most of the time it's very hard for companies to actually set up zero trust especially for existing companies. I don't think most companies are ready for zero trust, but it's a good solution if you can set it up. 

PM: Not to mention, I guess if you hand your password to somebody that doesn't, the zero trust probably doesn't really help that much as well. Right? 

BN: Yeah.  Attacks happen much more often in your personal life now than in your professional life, and that's something where zero trust is a bit limited. 

PM: I suppose that the last word on cybersecurity education is there is no silver bullet. You have to be constantly aware on the lookout, take some basic precautionary steps, but always assume that the zero trust should extend to how we as humans interpret things like emails and phone calls and so forth. Trust, but verify. 

BN: Yeah, as you said, no silver bullet. 

PM: Well, I think we're stuck with this problem for a long time to come. This has been an absolutely fascinating conversation. I'm going to definitely do a lot more research into it. If people are interested in learning more about this, where can they go to learn more? 

BN: TryRiot.com works well. Riot is very easy to set up. I think cybersecurity awareness is probably the first step you have to take in terms of cybersecurity and growing the knowledge of your employees. And I think Riot makes it very easy. It takes 45 minutes to set it up on your team. 

PM: Right? Check it out. Final question for you. A big shout out to Rocket Software, the show sponsor. They've got a set of values they like to talk about that matter to them. Empathy, humanity, trust and love are what matter to Rocket. I'm just curious what matters to you right now?

BN: Probably protecting against the next generation of cyberattacks. 

PM: That's a great answer. You're in the right job in that case. Well, with that, thank you so much, merci Benjamin. Thanks again to Rocket Software for bringing us another episode of Digital: Disrupted. Thank you all for tuning in. If you like what you've heard, do give us a thumbs up. As I mentioned, on Apple to iTunes, Spotify, or wherever you get your freshly baked podcasts. You can also reach out to me on Twitter. Yes, I'm still on Twitter because I'm like, I'm just that age where I'm not going to change @Xthestreams. I'm just there to watch it melt down or our show sponsor @Rocket. If you've got any questions for our guests or topics that you'd like to hear covered dear, just reach out, drop us a line. We'd love to hear from you. With that, we'll see you all next week. Everyone. Stay disruptive.