The State of Criminal A-I

By William J. Cook, Of Counsel
Law Offices of Burton A. Brown, Cook Consulting Services

No true rogue A-I and remediation attack has happened to date. By this I mean a pure machine-based assault with no clear human connection. However, experts predict such an attack in the near future.

 

The first of these attacks will likely look like standard hacking exploits:

•       Phishing emails

•       Drive-by downloads from websites

•       Active placement by someone with access to the system

•       Exploit server operations (root access control)

•       Theft of login credentials

•       Theft of payment card information

•       Extortion

o   Ransomware

o   Denial of service

o   Destruction of exfiltrated data

•       Theft of intellectual property & trade secrets

•       Social engineering - LinkedIn, Facebook, etc.

•       Unauthorized access from vendors

•       Ransomware


 

These basic hacker attacks will quickly escalate to a network assault with the kind of overwhelming, intrusive, hostile code seen in Mission Impossible. In the film, a state-of-the-art Russian submarine shows an attack by a potential enemy sub that launches a torpedo. The Russian submarine responds by launching a return torpedo. As the torpedo closes in on the enemy sub, at the last second the enemy sub disappears, and its torpedo disappears.

At that point, the code changes the path of the torpedo, and it homes in on the Russian submarine causing the demolition of the Russian submarine.

In an effort to control potential A-I technology, companies must prepare a full scope of security policies that include physical, technical, and administrative controls.

Physical Controls

•       Examples include fences, walls, and other barriers; locks, safes, and vaults; armed guards; and sensors and alarm bells. These are not very helpful to the digital environment but are necessary.

Technical Controls

•       Examples include firewalls, intrusion detection software, access software, antivirus software, passwords, smart cards, biometric tools and encryption processes.

Administrative Controls

•       Examples include personnel management, employee use policies and discipline.

In view of the A-I threat, "reasonable security" requires companies to develop, implement and maintain:

•       A comprehensive written information security program (WISP)

•       That contains physical, technical, and administrative safeguards.

•       That are appropriate to:

o   The company size and complexity

o   The nature and scope of its activities, and

o   The sensitivity of the information

•       That addresses specified categories of controls, and

•       That are reasonably designed to:

o   Ensure the security, confidentiality, and integrity of the covered information.

o   Protect against any anticipated threats or hazards to the security or secrecy of such information.

o   These security controls have to be reasonable under the circumstances.

•       Must implement "appropriate" measures to protect data such as:

o   U.S. - Privacy Act of 1974, GLB, HIPAA, state data security laws

o   UN Convention on Electronic Communications

o   EU Data Protection Directive; Albania, Bahamas, Belgium, Canada, Denmark, Estonia, Greece, Iceland, Ireland, Isle of Man, Liechtenstein, Lithuania, Malta, Netherlands, Philippines, Poland, Portugal, Slovenia, Sweden, United Arab Emirates, UK, Finland, Germany, Hungary, Italy, Spain

o   U.S. state data security laws

o   Australia, Russia, France (useful), Hong Kong (practical)


 

CONCLUSION

In the event of a rogue A-I attack, the course of recovery will come from any attacking systems that can be found or from an evolving common law negligence claim based on the lack of security of victim systems.

 
