Will AI Make Cyber Swords or Shields: A few mathematical models of technological progress
This work addresses policy debates on technological progress in cybersecurity, though it is incremental as it applies existing models to new AI scenarios.
The paper tackles the problem of predicting AI's impact on cybersecurity by applying mathematical models to phishing, vulnerability discovery, and patching-exploitation dynamics, finding that AI may overestimate phishing effects but increase undetected attacks, vulnerability discovery favors attackers, and exploit automation benefits attackers more than patch automation.
We aim to demonstrate the value of mathematical models for policy debates about technological progress in cybersecurity by considering phishing, vulnerability discovery, and the dynamics between patching and exploitation. We then adjust the inputs to those mathematical models to match some possible advances in their underlying technology. We find that AI's impact on phishing may be overestimated but could lead to more attacks going undetected. Advances in vulnerability discovery have the potential to help attackers more than defenders. And automation that writes exploits is more useful to attackers than automation that writes patches, although advances that help deploy patches faster have the potential to be more impactful than either.