It’s often said that cyber risks are constantly evolving, so to keep up, cybersecurity technology has to change with it.
Lou Steinberg, founder and managing partner of CTM Insights – a cybersecurity research lab and incubator – says on the most recent episode of The Insuring Cyber Podcast that this process imitates what happens in nature.
“Co-evolution says that when the lions get faster, the gazelles get faster, because slow gazelles get eaten. And when the gazelles get faster, the lions get faster, because slow lions starve,” he says. “And so what happens is over time, both the lions and the gazelles ratchet up their capabilities. And we see the same thing in cyber security.”
The problem, however, is that cyber criminals are the lions in his metaphor.
“The attackers and defenders are both evolving capabilities at this crazy pace,” he says. “But the issue, of course, is that we’re the gazelles, right? We’re just trying not to get eaten.”
Steinberg says this fast pace of evolution explains how the internet is moving toward web 3.0, which is the next anticipated phase of the internet’s development.
Web 1.0 served as the original web of the 1990s and early 2000s before web 2.0 came along, which is the version of the internet that is widely used today. If smartphone technology and social networking have been behind the growth of web 2.0, experts say web 3.0 will be largely driven by artificial intelligence and machine learning.
Web 3.0 is often described as a decentralized version of the internet, with information housed in multiple locations, breaking down the large databases that currently hold data and giving that control to web users. Data generated by things like phones, desktop computers, and even vehicles and appliances would be sold through decentralized data networks so that users can retain ownership.
Steinberg says this iteration of the internet can benefit insurers as all of this data on the internet can be used for machine learning to train artificial intelligence technology.
“Imagine how much smarter an Alexa-like device would be if it understood every post ever written, and the posts aren’t being filtered or controlled,” he says. “So in cyber insurance, we could dramatically improve our understanding of risk by including way more information about threats and vulnerabilities, and massively expand training data to create a step function in AI capability.”
That said, opportunities don’t typically come without risks, and Steinberg says the decentralized aspect of web 3.0 could lead to misinformation and bias within artificial intelligence technology if not carefully navigated.
“A decentralized web that’s free of controls is a strength that can lead to a weakness,” he says. “When anyone can publish anything, accurate or not, the consumer of information now has to take responsibility for correctness before they use it. The real challenge with AI is we often don’t know how it reached the conclusion it came to, and so we’re going to have to ensure that the inputs to our models have data that’s free from bias.”
Steinberg believes that internet users need to move from critical thinking to critical consumption in order to clear these hurdles.
“When you consume information from random sources online, you have to consider the source, and you also have to consider the possibility that what you’re getting is intentionally biased or flat out wrong,” he says. “We probably need some kind of a consensus mechanism for data correctness. Until then, I think we have to be careful about having good models with bad inputs. We might build a great engine, but if we feed it water instead of gasoline, it isn’t going to run well.”
Although the internet hasn’t fully evolved toward web 3.0 yet, should this concept and the risks that come along with it be keeping insurers and cybersecurity professionals awake at night? Even though it remains a future concept for now, Steinberg says it’s important to always be prepared.
“Our problem as gazelles is what happens when the lions get jet packs? What happens when they get much faster, and all of a sudden, have a new capability that we didn’t prepare for?” he says. “When you’re only playing defense against somebody who’s only playing offense and they get a new offensive weapon, you better have predicted it and planned for it. And sometimes they catch us a little unaware.”
To find out what else Lou has to say, check out the rest of this episode and be sure to check back for new episodes of The Insuring Cyber Podcast publishing ever other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.
Was this article valuable?
Here are more articles you may enjoy.