Ensign InfoSecurity’s Gaurav Keerthi on the future of cyber defense and offense in the GenAI era [Q&A]

In this TNGlobal Q&A with Gaurav Keerthi, Head of Advisory and Emerging Business at Ensign InfoSecurity, we delve into the rapidly evolving landscape of Generative AI (GenAI) in the context of cybersecurity challenges and opportunities. With a unique perspective shaped by his experiences in both public and private sectors, Keerthi provides a nuanced understanding of GenAI’s dual role in cybersecurity. He highlights its transformative potential for enhancing defensive capabilities while simultaneously acknowledging the escalating threats posed by its misuse by attackers. Keerthi underscores the importance of understanding the technology at a fundamental level, including its inherent risks, to effectively harness its benefits and mitigate its dangers.

The conversation then shifts to the critical considerations organizations must address when integrating GenAI into their cybersecurity frameworks. Keerthi emphasizes the need for a balanced approach, where the benefits of GenAI are leveraged alongside a thorough understanding and mitigation of its associated risks. He advises organizations to carefully evaluate their GenAI usage strategies, particularly in relation to data privacy, ethical considerations, and the challenges of using cloud-based solutions.

Additionally, the discussion touches upon the unique vulnerabilities of sectors like healthcare and financial services in Singapore’s growing digital ecosystem. Keerthi also shares insights on the importance of understanding cybersecurity from an attacker’s viewpoint, which aids in developing more effective incident response strategies against advanced GenAI-based attacks.

Gaurav is the Head of Advisory and Emerging Business at Ensign InfoSecurity. His Advisory team helps organizations’ Boards and Leadership navigate complex cybersecurity risks in their digital transformation. In his Emerging Business role, he is exploring new transformative capabilities to serve a wider range of companies with cybersecurity protection.

Prior to joining Ensign, he was the Deputy Chief Executive of the Cyber Security Agency of Singapore and concurrently the Deputy Commissioner for Cybersecurity, where he led the development of national cyber defence capabilities, doctrines, concepts, and shaped key regulatory requirements. He also represented Singapore at the United Nations on cybersecurity matters.

Gaurav is a Brigadier General in the Republic of Singapore Air Force, and last served as the CIO and oversaw the cybersecurity of their warfighting systems and networks. Gaurav completed his undergraduate studies at Stanford University, and his graduate studies at Harvard University, where he was a recipient of the prestigious Littauer Award.

Gaurav Keerthi, Head of Advisory and Emerging Business at Ensign InfoSecurity

With your background in cybersecurity in both public and private sectors, how have you observed the role of GenAI evolving in advanced cyber threats?

GenAI is undeniably one of the hottest emerging technologies right now, and it is not all hype. There is real substantive change happening. It is important to go beyond the beautiful pitch slides and understand the technology underlying it. I sometimes go as far as reading the research papers or patents that explain how the technology claims to work.

GenAI is helping the blue teams (the defenders) be better, but it is also helping the bad guys (the attackers) do more harm. GenAI is also a technology itself, and just like any technology, it has its own inherent risks and problems to grapple with.

For the defenders, GenAI is promising. Analysts are currently overwhelmed by information, and GenAI can augment them to be more efficient and effective in dealing with large volumes of data. GenAI tools are designed by cybersecurity solution providers to make their jobs easier, detecting threats better and responding rapidly to contain them. The exact nature of how GenAI is implemented to help defenders depends on the tool, the vendor, and the problem statement at hand.

Attackers are also using GenAI to gain the upper hand and do more harm. The most obvious example of this is in the generation of more realistic and tempting phishing attacks, whether through emails, fake websites or even sophisticated deep fake voice and video messages to trick unsuspecting victims. Given that phishing emails remain a significant way in which attackers gain access to systems, this trend represents a significant threat. Known attack codes can also be rewritten now to avoid detection. The threat from GenAI will only increase as threat groups start standardising their tactics and procedures, including self-evolving malware and attack variants.

Finally, GenAI itself is a tool, and has its own inherent risks, just like any other technology. There is also a high risk of data breach and identity theft, given all the personal and company information the generative AI tools have access to. The complex algorithms employed in generative AI apps make it difficult for developers to spot potential security risks, thereby introducing new vulnerabilities to the entire network. There have been numerous reports of individuals using “prompt injection” to get GenAI tools to perform actions that were supposedly disallowed.

It will be a cat-and-mouse game between defenders and attackers in the use of GenAI. Vigilant and agile organisations should, however, be able to stay ahead.

What are the key considerations that organizations should keep in mind before employing GenAI in their cybersecurity frameworks?

GenAI is a double-edged sword. While it is important to introduce the productivity-enhancing opportunities of GenAI, it is equally critical to understand and mitigate the risks it will inevitably introduce. I generally advise organisations to take risks – but risks that they understand, have mitigated, and eventually accepted at the right level. Taking risks “blindly” is gambling with the organisation’s security.

Companies need to determine what they intend to allow their staff to use GenAI for. If employees are using it to process or write official documents, then the organisation must also be comfortable for this data to be made public, making the privacy of this information unimportant. If companies want to use GenAI but not rely on cloud-based public options, then the costs and technical challenges involved will be significantly higher. Are there security and data loss monitoring tools in place to prevent confidential data from being sent out? Are there personal data privacy concerns to take note of? If GenAI is being used to support certain decisions, are there ethical or business considerations to take note of? Every organisation needs a strategy that answers these questions (and more) before they embark on using GenAI internally.

Singapore has a growing digital ecosystem, making it an attractive target for cyber attackers. Why do you think sectors like healthcare and financial services are the most vulnerable in this region?

It was once said “Why do people rob banks? Because that is where the money is.” In the digital context, hackers target large and lucrative data sources. FSIs (Financial Services, Insurance) have access to vast amounts of data, and are thus typically bigger targets. Our annual Cyber Threat Landscape Report shows that FSIs are at the top of the vulnerability tree consistently. Threat groups are continually interested in acquiring data and sensitive information from the sector for financial gain.

Healthcare also broke into the top five target sectors last year. Healthcare also has access to vast amounts of data and has large-scale technology estates constituting Internet of Things (IoT) and Operational Technology (OT), both of which have inherent challenges in cybersecurity risk management. Threat actors may be more inclined to target healthcare organisations because these organisations may be under tremendous pressure to pay off the ransom quickly to resume their life-saving business operations immediately.

Why is there a need to understand cybersecurity from an attacker’s point of view? Could you elaborate on how this mindset helps in adapting incident response strategies to counter advanced Gen AI-based attacks?

Cybersecurity is perhaps the only domain where you have both competitors and adversaries – and that dynamic competition (not just against other cybersecurity vendors, but more importantly against the attacker) is something that keeps us on our toes. As such, it is critical to know who you are up against. Ensign InfoSecurity prides itself on taking a Threat-Informed Defence approach to cybersecurity. Cyber threat groups are ever-evolving and keeping tabs on their attack patterns can help organisations secure defences and develop response plans.

We believe that we are serving a public mission, and thus we publish our Cyber Threat Landscape Report annually, where we unveil detailed analysis of sectors, geographies, attackers, and data insights that are important for companies to know. We look at five major territories in APAC – Hong Kong, Singapore, South Korea, Indonesia, and Malaysia to determine which sectors are the most vulnerable and the types of attacks they face. This information is crucial in preparation of adequate measures and eventually combatting cyber threats.

Your team aids organizations in navigating complex cybersecurity risks during digital transformation. Can you share some practical steps organizations can take to protect themselves from increasingly sophisticated cyber attacks?

I believe that good cybersecurity advisors operate like the Formula 1 racing team engineers – our goal is to help you win the race, and the objective of the safety systems of the car is to give the driver the confidence to drive faster, turn sharper, and ultimately win. The safety systems should not be the reason you lose the race. Likewise, our goal is to help customers make the most of digital technology – with the confidence that they will be able to do so securely and navigate those risks with our support.

While every organisation is different, there are some practical and simple steps that can be taken to dramatically reduce the risks of a cyber breach. Very broadly, you should start by knowing your own assets – what are the software, hardware, and data that your organisation needs to protect most? Simple cyber hygiene measures like enforcing multi-factor authentication, patching software in a timely fashion, using some form of malware protection, and backing up your data are all practical steps that can immediately help protect the company against most threats. Finally, train your people on how to use their systems securely, and how to respond to incidents – because people are your first and last line of defence.

Given your experience in shaping key regulatory requirements and representing Singapore at the United Nations on cybersecurity matters, how do you see international cooperation playing a role in combating GenAI-enabled cyber threats?

Cyber threats, especially those powered by GenAI, transcend national borders. Attackers can originate from one country, target assets in another, and route their attacks through multiple jurisdictions. There is a definite need for international collaboration. Sharing of threat intelligence can lead to early detection and mitigation of threats. We are still at the early stages of this conversation for GenAI, but increasingly I am seeing this topic at conferences. I recently hosted a conversation with policy and business leaders at GovWare 2023 on this.

Different countries also have access to different levels of resources and competencies. Sharing resources and technologies can help boost individual national capabilities. A developing nation could always use help from developed ones and could thus respond to threats immediately. International cooperation can help build capacity by sharing knowledge and providing technical assistance. Collaboration on AI research and its applications, including GenAI, can help ensure that the technology is developed responsibly and with security in mind.

Can you share success stories or case studies that showcase how organisations use emerging technologies to stay ahead of the curve?

Every company employs emerging technologies in unique ways to achieve different benefits. In my personal perspective, our team must invest time with the customer to understand their needs, their challenges, and their goals before we start to propose strategies and ways in which they can manage the cyber risks. The best outcomes have always been where our team and theirs are aligned, allowing us to support them to “win the race”, much like in Formula 1.

