Pt.2 Beyond Phishing: Cyber Threats in the Age of AI with Four Flynn

**Hannah Fry** (0:05)
Who do you think wins in the long term? Is it cyber criminals or security?

**Paul Flynn** (0:09)
I think the defenders ultimately will win. We won't necessarily win every battle, but I hope that we can win the war.

**Hannah Fry** (0:17)
Welcome to Google DeepMind the podcast with me, your host, Hannah Fry. We are bringing you part two now of our conversation with Paul Flynn, VP of Security at Google DeepMind. In the previous episode, we talked about the terrifyingly large numbers of ways that our digital systems are vulnerable to attack, as well as the on-going fight to defend them. And four is completely full of stories and incredible insights having spent the last two decades at the very forefront of international cyber security. So, if you haven't watched that one yet, press pause on this, go and have a listen, come back here later, we'll still be waiting for you. But for the rest of you, enjoy the episode.
Well, up until now, we've been talking about the real technical challenges that come with protecting our systems. But as you mentioned at the end of the last podcast, that's really half of the problem in a lot of ways, because there is also this very human side too. Who's creating the attacks, the tactics that they're using to trick us as people, and also how all of that is changing in the era of AI. So, I wanted to pivot to talk a bit more about that, if I may. And maybe it's worth starting off by talking about these bad actors. Like, who actually are they? What is their motivation?

**Paul Flynn** (1:27)
Well, I mean, bad actors come in all shapes and sizes, I guess. There's a number of different classes of these. I think in general insecurity, we break them down to nation state actors that I think are largely focused on geopolitical aims, often espionage or offensive cyber attacks that are in support of warfare operations on the ground. I think there's also a recent concern about pre-positioning. Even if there's not a hot war going on between two powers, oftentimes there's cyber offensive operations happening as a pre-positioning.

**Hannah Fry** (1:58)
Like maneuvering in case a hot war starts.

**Paul Flynn** (2:01)
Exactly. So we've seen in some areas signs of this happening in places like power grids or critical infrastructure.

**Hannah Fry** (2:07)
Right. So knowing that there's a potential real world conflict, you infiltrate the power grid system so that you can act on it later.

**Paul Flynn** (2:16)
That's right. And maintain your presence and validate that you continue to have command and control of those environments periodically. Because every few months, you'll see somebody come back, make sure the lights are on, make sure that their systems still work, make sure they can disrupt things, and then they go away. So that's unfortunately fairly more common than most people would like to admit. And then you sort of see sub-nation state quite a bit. And some nation state activity blurs into this, but a lot of that is financially motivated. And so you'll see, for example, ransomware, which I'm sure you have heard quite a bit about over the last five years, which is very unfortunately quite common. And usually that's an attack that basically causes a company or a person to have their data basically stolen and encrypted and held for ransom. The more modern incarnation of this is that you as a company would have a core database that you rely on as well as a backup to serve your customers. And your whole business depends on it. They would slowly and quietly compromise your company unbeknownst to you.
And then all of a sudden, one day, they would lock out your ability to get access to your backups and your database. And your whole company is offline. You would get a demand for a certain number of Bitcoin or what have you, cryptocurrency, to pay them to get the data unencrypted in your business back and running.

**Hannah Fry** (3:39)
And when you say sub-nation state, is this, I don't know, for example, a country that has a number of sanctions on them, it's sort of a way to generate funds?

**Paul Flynn** (3:47)
Yeah. So you do see nation states actually using it as a way to raise funds. But you also see sort of independent attack groups loosely affiliated or unaffiliated with nation states conducting these sorts of attacks sometimes as well.

**Hannah Fry** (4:00)
Is there a bit of gray area in terms of whether someone is bad or good? I'm thinking here, we were talking about how there are these zero-day vulnerabilities all over the place. We don't know where they are. But finding them can be worth a lot of money. I mean, if you were an individual searching and found a zero-day vulnerability, you presumably have the choice to sell it to a bad actor. But you could also sell it back to the company itself, no?