
#Infosec2025: Massive AI-Enabled Attacks Predicted

AI-prompted incidents could be an existential risk for all, amid claims that the same mistakes are being made as with the internet.


Within the next five years, the world will witness an AI-driven cyber-attack with consequences which will trigger a global economic shock and be bigger than 2017’s ransomware attacks.

Speaking at Infosecurity Europe in London, Jonathan Kewley, co-chair of the global tech group at Clifford Chance, said this crisis won't be the result of a failure of law, or of regulation. It will be a failure of culture. “A failure to embed cyber and AI resilience into the very DNA of our businesses and our society,” he said.

“Those who emerge unscathed will not be those companies with the biggest compliance manuals of policies, but those whose leaders treat security as a core business value.”

Comparing the prediction to recent attacks on the retail sector, he said that with AI-prompted incidents added into the mix, “we're talking about an existential risk here for all of us.”

Cultural Shift

Kewley said the answer to our security problems lies not in ever more draconian legislation, but in a cultural shift, specifically a change in attitudes in the boardroom, and that security experts should have a more powerful seat at the boardroom table.

He said that regulators around the world are running in different directions very quickly, that the world “is in a state of flux” and that divergence has only intensified. “There's a very real concern that unregulated technology poses a threat, not just to democracy, but to our families, our children, our very way of life.”

Regulation and Prevention

Looking at the recent cyber-attack on M&S, he said that regulation would not have prevented it, and admitted “we're never going to stop cyber-attacks of this type.” 

He said: “No regulation can substitute for a culture of preparation. Compliance is not the same as resilience. Hackers don't follow a rule book, and we just can't defend against every hostile state or employee tempted to click a link. On top of these good old-fashioned attacks we go and add AI into the mix.”

Kewley said that the same mistakes are being made, as with the internet in the old world, but faster. “AI is in everyone's pocket: we've given to every employee a shiny new toy, but we have little visibility of how it's used, what they're putting into it, how they're silently leaking IP, and confidential information outside previously secure perimeters.”

Saying we’ve been monitoring email and the internet for decades, he asked “why aren't we doing the same with generative AI?”

Not Legal but Cultural and Technical

He said this isn't a legal question or a legal problem, but a cultural and a technical one. It is about pausing before launching and embedding security into the lifecycle, and about pushing back on the board request to deploy when you're not ready.

“It's about being confident each and every one of us to say, I'm not comfortable with how opaque this is. Let's take a moment. I'm not happy. This isn't about law. It's about common sense.”



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
