The Conscientious Local Council of Cybersecurity

For years, the cybersecurity industry has worked rather like a conscientious local council. A pothole appears, someone reports it, a committee discusses it, a reference number is assigned, and eventually a man in a fluorescent jacket arrives with a shovel. The system is not perfect, but it has generally kept the roads usable.

Artificial intelligence may be about to turn that arrangement upside down.

Today’s most capable AI systems can examine software at a speed that would leave even the most dedicated security researcher looking like a monk illuminating manuscripts by candlelight. What once took weeks can now be attempted in hours. Soon, what took hours may take minutes.

The consequence is obvious enough. If an AI can discover hundreds or thousands of potential vulnerabilities in the time it takes a human team to investigate one, then the bottleneck is no longer finding the problems. The bottleneck becomes everything that happens afterwards.

Security Bot 9000 sits at a desk holding a coffee mug reading Patch. Test. Deploy. Repeat., while an exhausted human colleague contemplates the CVE backlog. The laptop reports 10,248 vulnerabilities found, 9,137 patches generated, and Humans Informed: Optional.

“AI finds the holes. AI fixes the holes. Humans make sure we don’t patch ourselves into irrelevance.”

The CVE System, and the World It Was Designed For

Our current process assumes that vulnerabilities arrive at a manageable pace. A flaw is found, verified, catalogued, assigned a CVE number, analysed, prioritised and eventually patched. The entire system was designed for a world in which discoveries were relatively scarce and human beings remained comfortably in charge of the paperwork.

That world may be ending.

Imagine a future in which AI systems discover vulnerabilities by the thousand. Security teams would struggle to verify them. CVE authorities would struggle to catalogue them. Vendors would struggle to assess them. Before long, the industry would find itself in the curious position of knowing more about its weaknesses than it has the capacity to repair. The man in the fluorescent jacket would be standing in a field that is almost entirely pothole, looking at a shovel, reconsidering his career options.

Security Bot 9000, by contrast, would find this adorable.

If AI Is Finding Them, Should AI Fix Them Too?

At that point, the obvious question arises: if AI is finding the vulnerabilities, why shouldn’t AI help fix them too? In truth, it probably will. The same technologies that identify software flaws are increasingly capable of proposing patches, testing those patches against existing code, checking for regressions and even estimating how dangerous a vulnerability might be in the real world. In many cases, AI may soon become the first line of defence, not merely the first observer of the problem.

There is, however, a small complication. Writing a patch is one thing. Knowing whether it is safe to deploy is quite another. Software has an unfortunate habit of being attached to important things. Hospitals, banks, aircraft, power stations and government departments tend to become rather unhappy when an automated fix unexpectedly disables a critical system. As a result, human oversight is unlikely to disappear any time soon. Nobody wants to discover that the machine has solved the security problem by accidentally solving the business as well.

The whiteboard in the illustration captures this dynamic with admirable economy. The AI Security Workflow is a satisfying checklist of competence: scan everything, find weaknesses, understand impact, generate patch, test extensively, deploy safely, learn continuously. Then, at the bottom, separated from the main programme by the quiet authority of red ink: Humans: Keep Calm and Oversight On. Humans are not in the workflow. Humans are in the footnote.

The CVE System, Quietly Becoming Antiquated

The more interesting possibility is that the familiar CVE system itself may begin to look antiquated. Today, vulnerabilities are treated as individual events, each receiving its own catalogue entry. Tomorrow, security may become a continuous process in which AI systems discover weaknesses, identify affected software, generate fixes and distribute mitigations in near real time. Instead of waiting for a numbered entry in a database, organisations may consume a constantly updated stream of machine-readable intelligence.

The irony is that this future may not make the world dramatically safer. Attackers have access to AI as well. The same tools that can discover vulnerabilities can also discover ways to exploit them. The race does not end; it merely accelerates. The stack of books on the desk — Exploit Patterns for Dummies, Default: Deny, The Art of Patching, Don’t Trust Input, Fail Safe > Fail Sorry — will require a new shelf before long, and the titles on the next shelf will need to be considerably more advanced.

The Promotion Nobody Asked For

That may be the real lesson here. We are not heading towards a future in which artificial intelligence solves cybersecurity. We are heading towards a future in which artificial intelligence becomes the primary participant. The humans, meanwhile, may find themselves promoted to management.

As anyone who has worked in management knows, that is not always the same thing as being in control. The sticky note on the desk is honest about what survives the transition: Humans: Great at meetings. The smiley face beside it suggests this has been accepted with more equanimity than it perhaps deserves.

Another day. Another zero-day. The coffee, at least, remains entirely within human jurisdiction. For now.