Battling cyber attacks and deepfakes with AI
Cyber war is raging, and the culprit is AI. Poppy Gustafsson, CEO of cybersecurity firm Darktrace, shares new, proprietary info about how cybercrime has become professionalized across the Dark Web, and why deepfakes could soon find their way into your Slack or Zoom calls. But AI is also a powerful new weapon against attackers: Poppy tells Rapid Response host Bob Safian how to protect the most exposed areas of a business, why the unique digital DNA of an organization offers a shield, and how human factors are often more vulnerable than any software.
Table of Contents:
- Inside the commercial ecosystem around cyber attacks
- How AI can keep us one step ahead of the attackers
- How hackers are using generative AI
- Think about the outcome, not the motive
- The relationship between blitzscaling and security
- How Darktrace finds bespoke solutions for each business
- The 3 chapters of Darktrace’s evolution
Transcript:
POPPY GUSTAFSSON: Let’s take as known that novel threats are the new normal. We are always gonna be facing an attack that we don’t quite anticipate or was unexpected. And how do you protect the business? And AI is a really powerful tool in that. And yes, AI can be leveraged by the attackers as well but cybersecurity, it’s nuanced and it’s evolving, it’s self-learning, and that makes it such a natural home to be able to use AI.
BOB SAFIAN: You really get excited about this, like I’m, I’m just, we were...
GUSTAFSSON: It’s maths! I love it!
SAFIAN: Hi everyone, it’s Bob Safian. That was me with Poppy Gustafsson, the CEO of cybersecurity firm Darktrace, out of London. We talked about how AI has helped both attackers and defenders in an escalating cyber war that’s raging across the dark web. If that all sounds mysterious, it is, though cybercrime has also become way more professionalized and businesslike than I’d realized.
Poppy is both a guide to this world and a passionate advocate for how technology can help us get the most from… technology. We also talked about deep fakes, which are getting richer and more common; and how our biggest cyber risks come from human weaknesses, not software. Cybersecurity is an area that businesspeople would rather not think about, but they should – and it’s actually quite fascinating. So here’s me and Poppy, getting into it.
[THEME MUSIC]
Inside the commercial ecosystem around cyber attacks
SAFIAN: All right, so let’s jump in. So, Darktrace is one of the fastest-growing tech firms in Europe. You’ve got more than 9,000 corporate clients around the world. Just a few days ago, Darktrace released a report about, sort of, the state of cybersecurity risks right now.
And one of your colleagues said to me, uh, threats are evolving at an insane pace.
GUSTAFSSON: That’s absolutely the case. So, as you said, we just published our threat report as a look back on the last year, and one of the biggest takeaways from me is that innovation isn’t something that’s just available to the good guys. The bad guys are innovating and evolving constantly.
We’re seeing a huge rise in the number of what we call “as a service” tools, so ransomware as a service, malware as a service, all the tools of the attackers are now available to rent.
SAFIAN: It’s like a commercial ecosystem around cyber attacks.
GUSTAFSSON: There are helplines for the criminals to use to help them say, oh, I’m trying to do this ware as a service. I’m having a little problem, so I press button A or press button B. This is big business that’s operating on the other side of the dark web.
SAFIAN: That’s both fascinating and terrifying all at the same time.
GUSTAFSSON: It is very much a business. There was a big breach last year on the sort of pipeline attack across the U.S., which is all sort of people sort of queuing for gas stations and there was a sort of huge uproar as people are getting very frustrated, not being able to sort of fill their cars. And I remember at the time the attackers sent out a statement saying: “oh, I’m so sorry that we caused so much harm and disruption to society, and in the future we are gonna do sort of better diligence as to the types of organizations that we hack into.”
And you think, hang on a minute, this is a business, albeit an illegal business, that’s basically signaling their sort of principles in a way that any legitimate business would do. And it was a real moment of: this is big business that’s happening on the other side of these attacks.
SAFIAN: Recently the director of CISA, the U.S. Security Infrastructure Agency, testified before Congress about the risks of societal panic, and they’re talking about state actors from China and, why can’t the U.S. or the UK government just take care of all this — it’s just too hard. It’s too big.
GUSTAFSSON: One of the biggest misconceptions I always think about cyber is that it’s a binary problem. So you have bad things or good things and that it’s a static challenge. And if only it were, because then you could just say, look, here’s all the bad actors. Here are all the threats. Button down the hatches against this and you are done.
But the reality is it’s much more analog than that. It’s things are a bit bad or something that starts out as benign, but can become malicious or something that’s malicious, could become benign, but it’s constantly changing and evolving and transitory, which means it’s very hard to keep up with, which is why it’s become such a large-scale problem.
Davos. You know, the World Economic a third of the businesses there were saying that they have suffered financial impact from significant cyber threats in the last 12 months.
SAFIAN: I mean, the Hollywood version of cyber attacks is like, you know, some evil tech genius who is finding software gaps or something to sneak into systems. It sounds like the range of threat actors and threats is even more complicated than that.
GUSTAFSSON: I always think about the level of threat as a sort of the R&D roadmap, if you like, of attack innovation. And the top end, there’s a lot of expertise in nation state attacks, and how do you protect corporate infrastructure from very targeted attacks to get to a specific thing that could be in water infrastructure, for example? But once you’ve created that technology like the cat’s out the bag, it then rolls into these enterprises that roll these attacks out at scale and mimic a lot of the business practices that we see in legitimate businesses, such as the as-a-service model that was referred to earlier.
And then at the other end you’ve got your bedroom hackers who are just there to sort of showcase their skills, and expertise and just to cause that disruption all the way through to malicious insiders. So people who are legitimate employees of an organization but are feeling disgruntled and they want to sort of punish that organization.
So there’s such a broad spectrum of understanding where that attack may come from, it becomes very challenging for security professionals to anticipate where it’s gonna come from, by whom for what benefit.
How AI can keep us one step ahead of the attackers
SAFIAN: Like Darktrace was sort of predicated on the idea that AI could be a tool to sort of stay ahead of that. But it seems like as you talk about these, these things that serve the solution become the problem, the problem becomes the solution, that now AI and with generative AI, that it’s being used by threat actors to make it more complicated again.
GUSTAFSSON: We set out 10 years ago; let’s take as known that novel threats are the new normal. We are always gonna be facing an attack that we didn’t quite anticipate or was unexpected, and how do you, in that knowledge, protect the business from a threat when you don’t know what it is going to be?
And AI is a really powerful tool in that. And yes, AI can be leveraged by the attackers as well, and I’ll touch on that in a moment, but cybersecurity – it’s nuanced and it’s evolving, and it requires an ability to reassess decisions that have been made in the past.
It’s iterative, it’s self-learning, and that makes it such a natural home to be able to use AI to put the defenders on the front foot because ultimately the defender has the home turf advantage.
They are the people that know the business and its culture, and its digital identity better than anyone else. And by leveraging AI, they’re able to arm those defenders with that knowledge and stay one foot ahead of the attacker.
How hackers are using generative AI
SAFIAN: I saw this recent report about deep fakes, a finance worker in Hong Kong who was scammed out of like $25 million by a video call with who they thought was their CFO. But turned out to be someone else masquerading as their CFO.
GUSTAFSSON: It doesn’t surprise me. It’s something that we see all the time, the advent of, you know, tools such as ChatGPT that use AI and generative AI to create conversational prose. These are tools that a lot of us benefit from our day-to-day lives, but they’re tools that attackers benefit from.
Like we’re seeing phishing emails being crafted using these tools. The linguistic complexity of those emails has got far broader as it becomes much easier for people to communicate in a way that feels much more natural and human. It might not be their first language, but suddenly they’re able to talk in a much more convincing way.
That means you’re more likely to click on that link or do that thing that they’re trying to get you to do that you wouldn’t do otherwise. So, extrapolating that further as we think about, you know, future innovations, making it much easier to create these deep fakes, whether it’s an audio or audio visual.
Whether it’s your Slack or your Teams or your chatting interface, whatever it is, all of which broaden the footprint that an attacker could potentially find their way into an organization via. So it’s a really complicated and expanding challenge.
Think about the outcome, not the motive
SAFIAN: And like even on this call, like how do I know that you are really you? And how do you know that you’re actually talking to me and not someone who’s pretending to be me?
GUSTAFSSON: One of the things that we try and look for is the outcome rather than motive. So often what attackers are trying to do is to create a quick response that if you had time to think about it, perhaps you wouldn’t do, but if you’re under pressure, they’re trying to create an urgency so you respond before you’ve had the chance to think.
So it’s not about saying, how do I authenticate this image that I’m receiving necessarily, but what is the behavior that has been trying to be driven out of this communication? Are they trying to create a sense of urgency? Are they steering you to a behavior that is unusual for your organization or you and your behavior?
So what we tend to look for is not saying is this a threat, but what is the outcome of this? And could that be threatening to the organization or something that’s indicative of a behavior that you’d wanna control?
SAFIAN: And when you find yourself that it maybe is that to sort of pause and try to find the right way to confirm that this is actually something that, because business does move at a much faster pace than it ever has. And so we are being put on under pressure to act quickly in ambiguous situations in a different way.
GUSTAFSSON: Let’s take a step back. Cyber threats come wherever we mix people and technologies, and the gap between those two is what an attacker is trying to exploit. And if we had businesses that had no technology, there’d be no cyber threat. And likewise, if we had businesses that were just technology and had no humans in it, there’d be much, much, much easier to protect.
So it’s that combination that attackers are constantly trying to push their way between. But technology is a huge enabler for so many businesses, and cybersecurity is the thing that allows people to embrace that technology.
If we really do our jobs properly, they shouldn’t be having to see that through a cybersecurity lens. You shouldn’t be having to have a conversation with me thinking: “Ooh, can I trust Poppy?” Technology has the power to be able to take care of that and do a lot of that understanding and dissemination itself.
SAFIAN: The way you describe it, it’s like the people are the problem. Like if it were just machines talking to machines, we wouldn’t have the same risks.
GUSTAFSSON: Without people, there would be far less cyber attacks. I think that’s safe to say, but it’s also safe to say that people are an essential part of what makes our businesses brilliant. And at Darktrace we wanna let the people in the business focus on what it is that they do best.
The relationship between blitzscaling and security
SAFIAN: I mentioned the congressional testimony from the security folks earlier, and one of the things that was brought up was almost an admonition to business that in the push to get things to market quickly that security is sometimes being de-emphasized.
Almost like there’s an underlying vulnerability throughout the tech business because people are rushing too fast. My colleague Reid Hoffman talks about the need for blitzscaling, that it’s important to go faster than you think you can, and let some fires burn and, you know, put products out that may not be perfect yet.
In the lens of cybersecurity, is that just like a bad idea?
GUSTAFSSON: This is the idea that software should be secure by design. Wherever possible, people should be building products that have inbuilt security, such that it makes the attackers job far harder, and I agree with that.
Let’s make the attacker’s job harder wherever we can as a first port of call. But a lot of this is based on the idea that the attack will be known and it’ll be in some way predictable or repeatable. And the reality is the vast majority of these attacks are novel and unpredictable.
And so you can never eradicate all risk by building in that, secure by design. That pressure to bring products out quickly is very real, and there’s some very real benefit to people bringing things out to market in an accelerated fashion.
So the reality is a compromise between those two, but the idea that we could eradicate all risk, I think, is unrealistic.
How Darktrace finds bespoke solutions for each business
SAFIAN: And for you in running your business, in running Darktrace like you are having to respond to new threats, novel threats. So there’s a certain pressure on you guys to get products out quickly that can do that. But at the same time how do you manage that sort of push to get there quickly with the need to make your own products secure and safe in that way?
GUSTAFSSON: This is the brilliance of what we do at Darktrace. So, cyber can be viewed through two lenses. And the first is just as you’ve described, so what’s happening outside there in that big, bad world, and who are the attackers and what are all of the known attacks and what do we think that the threats of tomorrow gonna be?
And then lock all the doors and fasten all the windows against all of that known threat. But the reality is something’s always forgotten or missed. Or the human whose job it was to lock the doors and windows had a bit of an off day and didn’t quite do it.
There’s always something that goes wrong with that plan. And that’s where Darktrace comes in, and we see the problem through the opposite lens. So instead of saying what’s happening out there in the threat landscape and what are the baddies up to, we say, let’s look at you and your business and your organization and just observe the daily ebb and flow of digital activity to learn your unique digital culture, your unique digital fingerprint if you like.
And once you know that, you can always spot when it changes.
You can find the aberration that says: this could be a big alarm bell. There’s something very different that doesn’t normally happen for your organization is happening over here. Or it could be lots of small crumbs of evidence that come together.
It could be a number of different things. But we spend our time learning and studying the business rather than the threat, which means: when there’s a big new ransomware attack, such as the ones that, you know, U.S. water facilities are currently suffering from, when there is a big event like that, we don’t have to come scrambling through and say, quick, now let’s update the Darktrace 9,000 customers that we are protecting for this new form of ransomware.
It will just find it. By virtue of the fact it’s not the business that it’s studying. There’s no update or push required. The AI learns on the job that by virtue of the fact it’s not normal for that organization. It knows that it’s a threat that needs to be intercepted and controlled. And of course, all of this done entirely autonomously, entirely by the software and without human intervention.
SAFIAN: And, and so each, installation of Darktrace for each business is effectively different because it’s learning from that business and understanding that business separately.
GUSTAFSSON: With the passage of time, each of those installations becomes entirely unique and completely bespoke to that organization. But when it comes out the box, so on day one, when that license key is typed in, it’s exactly the same software. Whether you are protecting a global financial bank that’s got offices all over the world, or whether it’s one of my favorite customers is a small hospice down the road from near where I live or anything in between. It’s exactly the same thing, which is artificial intelligence that goes into that organization and learns its unique digital DNA.
SAFIAN: The unique digital DNA of an organization. That’s pretty cool. What surprised me most listening to Poppy though was her description of cyber attacks enabled by software-as-a-service providers. I never realized the dark web was so businesslike. Next up, Poppy’s gonna explain the challenge of running a business where, best case for your clients: nothing happens. We’ll be right back.
[AD BREAK]
SAFIAN: Before the break, we heard Darktrace CEO Poppy Gustafsson talk about the rapid evolution of cyber threats, and how AI is both an accelerant and a tool for defenders.
Now we go into the odd psychology of running a cybersecurity business, plus cyber impacts on elections, handling problems that don’t have answers and more. Let’s get to it.
You mentioned sort of the traditional way that cybersecurity works, does an organization need that along with Darktrace? Like, is Darktrace a supplement?
GUSTAFSSON: You need a combination of approaches. So typically an organization will ensure that first line defense will be on a threat base, you know all the attacks of the past. You’ve got that rearview mirror of what has happened historically. Let’s not suffer those same attacks again. So at the perimeter, you will keep those out, and that’s your antiviruses, that’s your firewalls.
But the moment that something gets through that, your next line of defense, by definition, can’t be relying on the same approach. It has to see the problem from a different perspective. And that’s what we do here at Darktrace.
The 3 chapters of Darktrace’s evolution
SAFIAN: And then once your group maybe identifies that the firewall technology will then be adjusted to try to block those kinds of attacks, right? Then you’re looking for the next one.
GUSTAFSSON: Exactly. So the evolution of us as a business has gone really sort of through three chapters, and the sort of first phase was to say: we’ve identified an attack and an alarm bell would ring and we’ll say, woo-hoo. And we think, yeah, great job, Darktrace.
But very quickly we realized that that sort of reactive approach wasn’t enough. Like you can’t simply be another alarm bell ringing. And so we moved into what I think of as like the active phase, the middle period of, of Darktrace’s, life to date. It’s not enough for me simply telling Bob that he’s been attacked. We need to help Bob by stopping that attack and kicking it out. So how do you autonomously make changes within that organization to stop the attack within its tracks? And that is done by the software itself. It’s done by the way, it integrates with the rest of the technology stack, but it’s about saying: you have been breached, but we’re gonna stop it right now. So you might have lost a few files, but you’re not losing a whole bunch of data.
And in the most recent phase is what we call the proactive phase. So given we have this unique understanding of your organization. You very quickly gain an understanding of how this organization is uniquely vulnerable, where its crown jewels are.
You know, there’s a window that’s been left that we can identify that window’s slightly ajar, but it only goes to the stationery room. That’s probably not, you know, high-risk. Whereas, you know, over here, this door is unbolted and that takes you to the crown jewels. How do we proactively wrap a blanket around that risk and actively harden against those?
Cause you end up with this wonderful virtuous circle where each phase feeds into the next. And only because you have that really rich understanding of how best to respond to an in-progress threat, would you then think, oh, we now know how to proactively harden against that in a way that’s unique to that organization.
Which then means you are more uniquely able to understand when that business is, is breached, and so on and so forth. So you end up with this lovely, virtuous circle where each part informs and enforces the other.
SAFIAN: You really get excited about this, like I’m, I’m just, we
GUSTAFSSON: It’s math! I love it.
SAFIAN: You just, you light up about the sort of the structure of all this
GUSTAFSSON: I think it’s because I’m a mathematician. I studied math at university and I loved my math lecture, but in those days it was a big overhead projector and people writing formulas and then algorithms and projecting it onto this big whiteboard, and it felt very ethereal and filled with people with leather patches on their elbows.
And now I am here running a business where that math, that very same math that we studied all those years ago, is solving real-life problems on real data for real organizations that all of us benefit from. And seeing that math in action is just very exciting.
SAFIAN: It’s kind of a strange business that Darktrace is in because in some ways, and you mentioned the new threat report that came out like bad news in the industry. It’s kind of good news for you, right? Because the more trouble there is out there, the more people need what you have.
GUSTAFSSON: No. I think, you know, very quickly wanna avoid any of that sort of ambulance chasing behavior. But I think for me it’s, cybersecurity’s got such a pessimistic view. Whenever you talk about cybersecurity, people imagine that person in IT that’s wagging their finger and saying, don’t forget to update your password or else, and you feel like it’s, you know, oh God, if I don’t get this right, and the world’s gonna end. It always feels like you’re being told off and you have to do this or else that. It’s a very sort of critical or negative perception. But for me, cybersecurity is such a huge enabler. Like we all love tech and we all love seeing innovation that’s happening throughout society.
And cybersecurity is the tool that enables you to embrace that technology into your business and explore it in a way that if the worst were to happen, you’ll still be okay.
SAFIAN: But is this strange to be operating a business where, like in the best case scenario, like nothing happens, like you prove your value by nothing happening?
GUSTAFSSON: I mean, if we wanted a round of applause, we’d all go and work for the circus, wouldn’t we? I do think it’s, uh, if we do our job right, no one knows that you’ve ever been there. We’ve got customers, we’ve got a wonderful neonatal unit where those doctors and nurses are doing a real job of caring for babies, and they’re relying on a lot of tech in order to be able to do that properly.
And if Darktrace does its job right, they can just take that tech for granted.
SAFIAN: There’s a lot of discussion in the U.S. about the integrity of elections, and whether results can be trusted and whether bad actors from Russia or other places can influence things. From your perspective, like how much of that is sort of conspiracy theory and how much of it is real?
GUSTAFSSON: I can’t comment specifically on the terms of the election, but when it comes to cyber threats, attackers are intentionally exploiting human vulnerabilities to their own advantage, trying to shape their behaviors in a way that is advantageous to them.
I can see how that translates to another world when it’s changing perceptions or influence. I can absolutely see that people would be driving to those ends.
SAFIAN: And the idea about sort of hacking into voting machines and tabulation data and things like that, that if that’s happening, that is probably more happening through a human interface than a technical one.
GUSTAFSSON: Again, it’s always that interface between the humans and the technology, and it’s attackers will be leveraging their influence to change human actions to gain an entrance into technology that they wouldn’t otherwise have that access to.
SAFIAN: As a business leader, aside from the specifics of cybersecurity, is it getting harder to run a business and the role of what business plays, you know, beyond its shareholders?
GUSTAFSSON: Running a business is always hard because you are dealing with stakeholders that are changing and their wants and needs are constantly changing. The sort of balance of culture and principles.
But business leaders thrive in that change and if it was easy, we wouldn’t need CEOs.
SAFIAN: I mean, only the hard questions should reach your desk, right? But I guess if you’re a mathematician, you like hard math problems.
GUSTAFSSON: Well, the good thing about math problems is there is always an answer. The trouble with business problems is there’s not always an obvious answer.
SAFIAN: Yeah, so how do you decide?
GUSTAFSSON: Quickly, with a lot of good advice from people that you trust around you and with an understanding that if you get it wrong, which sometimes you will, you can change your mind and course correct, and it’s okay.
SAFIAN: Well, Poppy, this has been great. Thank you so much for spending the time with us, really appreciate it.
GUSTAFSSON: All, it was a real pleasure, it was lovely to meet you. Thank you, Bob.
SAFIAN: I could have talked to Poppy for hours. The window she offers into the whole ecosystem of cyber threats fascinates me. The idea that AI can keep us ahead of the baddies, as she calls them, is pretty compelling. But then there’s the reality that baddies are putting those tools to work too — and you just have to come away recognizing that like every other area of business today, cybersecurity is moving faster, with more unknowns, requiring more attention than ever. Whatever the promise of AI and technology, and I really believe in both — our world certainly isn’t getting simpler. I’m Bob Safian. Thanks for listening.