Pt.1 Beyond Phishing: Cyber Threats in the Age of AI with Four Flynn

**Four Flynn** (0:07)
The goal of the project is nothing short of helping improve the security for the whole industry by finding vulnerabilities and helping the open-source community get them resolved for everybody to benefit from around the world.

**Hannah Fry** (0:23)
Welcome to Google DeepMind the podcast. I'm Professor Hannah Fry. Now, cyber attacks have never been easier. From deep fakes that are so convincing they can fool your own family, to phishing emails that look just like the real thing. AI has allowed these attacks to scale at a dizzying pace. But there is some hope that the same technology that's fueling these attacks could also be the key to preventing them. And few people know this battle better than my guest today. Four Flynn is VP of Security at Google DeepMind and a cyber security legend. He was in the room during Operation Aurora back in 2009, when a massive attack on Gmail rewrote the rules of cyber security. Today, he is on the front lines again, taking on a new wave of AI-powered cyber attacks. And in fact, Four had so much to say, so many totally fascinating insights to share, that we decided to make this into a podcast of two halves. Next time, we're going to be talking about the human side of cybercrime, how we can be manipulated and tricked by bad actors, and how all of that is changing with the era of agentic AI. But for this episode, we wanted to focus on the battle itself. The ways into systems that attackers seek to exploit, and what we can do to defend them.
Well, thank you so much for joining me, Thor. It's a pleasure. Now, I thought I might start by talking about one of the most notable security instances in Google's history, Operation Aurora. How do you fit into that story?

**Four Flynn** (1:54)
Yeah, well, so Operation Aurora was a huge moment in the history of cybersecurity at large, really, for the industry as a whole. I think the idea that a nation state would compromise a private company was quite a shock to really all of us. We had essentially a case in which China was compromising Google or attempting to compromise Google. And, you know, as part of that campaign, they actually attempted to compromise a number of other companies. And it was part of a long running process that they had to conduct espionage across a great deal of various institutions in the West.

**Hannah Fry** (2:33)
And specifically they were looking for people who had been vocal against human rights abuses in China.

**Four Flynn** (2:38)
Yeah, that's what we believe at this point. Of course, at the time, whenever you're dealing with these situations, it's very hard to figure out who the actors are or what they're attempting to gain access to. And so way back in the early days, when we first detected the attack, which was something my team was responsible for, is sort of finding that attack and responding to it. There's many, many, many people across Google that were contributing to figuring out what happened. And then of course, after we figured out what happened to evict the attacker from our environment, and then maybe even more importantly over the following years to harden our environment based on the lessons that we learned.
But, you know, definitely in the moment, you have this thing called the fog of war, where you really have no idea what's going on. You really have no idea even what the bits are of the attack, and you're doing forensics to try to figure that out. And so there's still many people I work with here at Google that were instrumental in sort of the determining of that, Heather Atkins and others, that are just absolute, unbelievable experts in the subject matter that I'm lucky to work with.

**Hannah Fry** (3:41)
Just take me back to that time then. When did you first realize that something was up? When was the first moment of detection?

**Four Flynn** (3:47)
Back then, it was sort of famous. Maybe it still is. You could almost guarantee that when you have a big Christmas vacation planned, most likely that's when the cyberattack is going to come to light. And so it was in December, I remember, when all the details started to come out. And many of us worked tirelessly, really, over the break, but also for months, trying to ascertain what happened, and trying to put the puzzle pieces together, when you don't even really know what the puzzle looks like. And so you're faced with this picture of just bits and pieces of technical data.

**Hannah Fry** (4:22)
I mean, presumably, you didn't get Christmas holiday that year.