The year 2024 had dawned with forebodings of a new wave of security threats, and security specialists the world over had braced for attacks along a wide spectrum. Their concerns essentially stemmed from fears arising out of new threats posed by Artificial Intelligence (AI) and its different manifestations, including Generative AI and Artificial General Intelligence (AGI). Together with the expanding horizons of disinformation and cyber threats, the outlook seemed distinctly gloomy.
The 33rd Summer Olympic Games in France, during July-August 2024, were seen as a real and tempting target for digital criminals, including cyber criminals and others. Experts across the world were, hence, bracing themselves for digital attacks of a kind they had not encountered hitherto, quite apart from those launched by known terror groups.
Such fears were not unfounded, given the rising profile of both AI and cyber, and the consequential increase in disinformation attacks. Several months down the road, the absence of any spectacular attack has been a relief. This is no reason to relax the vigil as newer variations of digital threats are beginning to emerge. The Paris Games ended peacefully, but eternal vigilance is still the price that security agencies need to pay to ensure proper safety. Undoubtedly, an Olympic Games of this size passing off without a major incident is indeed a triumph for security managers engaged in providing security for the Games, yet vigil can hardly be relaxed.
The year so far
It might be worthwhile to look back and see what did, or did not, happen in 2024. The year started by seeming to confirm the prognosis that 2024 may well be the year when the world confronts a cornucopia of security threats. Disinformation was already having a field day in the run-up to the elections in Taiwan in January 2024, and the atmosphere was loaded with fake posts and videos, causing widespread confusion. This was attributed to China, but we live in a world today where nothing is what it seems. What was, however, evident was that the advent of AI seemed to have made it far easier to spread disinformation cloaked in the garb of reality. AI was the principal, though not, perhaps, the sole culprit.
It is indeed true that spreading disinformation has become far easier with the advent of AI. Deep fakes, comprising digitally manipulated video, audio, or images, repeatedly hit the headlines today, causing a miasma of disinformation. The truth is revealed much later — and after the damage has been done.
Yet, there is not enough comprehension today about the threat posed by AI-generated or other types of deep fakes. Together with cyber attacks, the world needs to realise that we face a new and grim reality which cannot be ignored any longer. National security stands imperilled by these newer threats. But even when it manifests itself, there is not enough comprehension of what is taking place. A combination of cyber attacks and AI-enabled disinformation has caused, and is still causing, grave havoc in the conflict in Ukraine. Ukraine is a good case study of how two sides in a conflict could employ disinformation — including AI-enabled disruption — against one another, to each other’s disadvantage. Together with cyber attacks, this has led to major disruptions in critical infrastructure, including telecommunications and power grids.
The CrowdStrike outage as ‘preview’
The world had a preview last month of what could happen, or is in store, in the event of a massive cyberattack, whether AI-enabled or otherwise. A ‘glitch’ in a software update concerning Microsoft Windows caused a massive outage, which initially affected parts of the United States, but rapidly spread to different parts of the globe, including India. It disrupted flight operations, air traffic, stock exchanges and more. The Indian Computer Emergency Response Team (CERT-IN) issued a severity rating of ‘critical’ for the incident. This was, however, not a cyberattack, but it provided a preview of the kind of disruption that could take place in the event of a cyberattack. According to Microsoft, over eight million Windows devices failed, leading to global disruption on a massive scale.
Human memory tends to be short, and it may be necessary to remind the world about some of the better known cyberattacks in the past, which caused mayhem across the globe. The world may, or may not, remember the widespread disruption that occurred in 2017 in the wake of the attack employing the WannaCry ransomware cryptoworm, which infected well over 2,30,000 computers in 150 countries, resulting in damage amounting to billions of dollars. The same year witnessed another cyberattack using the Shamoon Computer Virus which was directed mainly against oil companies such as SA ARAMCO (Saudi Arabia) and RasGas (Qatar), and was labelled, at the time, as the ‘biggest hack in history’. Again, around the same period, a cyberattack involving the ‘Petya’ Malware severely affected banks, electricity grids and a host of other institutions across Europe and the United Kingdom, as also the U.S. and Australia.
Few cyberattacks have, however, had a more devastating impact than that caused by the Stuxnet ‘attack’ in 2010. Over 2,00,000 computers were impacted and physically degraded as a result. Stuxnet was a malicious computer worm, believed to have been in development for nearly five years, and specifically targeting supervisory control and data acquisition systems. The target in this case was the Iran nuclear programme, leading to the inference that it was state sponsored. What is now known is that Stuxnet’s design and architecture are not domain-specific, but could be tailored for attacking most modern systems in use.
Growing cyber threats
While the potential threat posed by AI disinformation looms large across the global landscape, for ordinary individuals, cyber is already a persisting threat. The number of victims of cyber fraud and cyber hacking has grown exponentially in recent years. Our day-to-day existence is threatened by fraudsters posing as delivery company agents and making delivery attempts, and, in the process, obtaining personal information for malicious use.
There is today a rising curve of false credit card transactions, in which personal information is obtained to defraud unwitting individuals. Compromise of business e-mails is on the increase. One of the most widespread cyber frauds is ‘phishing’, which involves stealing personal information such as customer ID, credit/debit card numbers, and even PIN. The list is extensive and extends to ‘spamming’ as well (where someone receives unsolicited commercial messages sent through one of the many electronic messaging systems). ‘Identity theft’ is among the most serious dangers that have now become widespread.
Across the democratic world, governments are seeking to put in place proper systems to deal with digital threats. Industry and private institutions, however, appear to be lagging behind. It is the latter segment that is, perhaps, the most vulnerable to digital attacks. Having in place firewalls, anti-virus defences and a good back-up and disaster recovery system is not enough. Most CEOs of companies, again, are not adequately equipped to deal with digital threats. Hence it might be useful to have a chief information and security officer to look at their systems and advise them as to what they should do.
Awareness of the growing danger of digital threats is but the first step in the battle against cyber and AI-directed threats. Unauthorised use of Generative AI content has already become the stock-in-trade of digital bullying. Preventing this demands a great deal of effort and adequate budgetary allocations — whether in the private or public domain.
More than anything else, potentially dangerous digital technologies require more, and specific, attention from those in charge, especially in the case of democracies. Awareness about digital bullying and other forms of manipulation is fundamental if we are to prevent situations getting out of hand. There is also a need to create a realisation that the struggle against digital threats calls for coordinated action, and that nations, especially democracies, are today under attack from a new and different source. There is, hence, every need to counter digital surveillance, disinformation, bullying and manipulation, for our survival.
M.K. Narayanan is a former Director, Intelligence Bureau, a former National Security Adviser, and a former Governor of West Bengal