Payton Returns to ISC West: Protecting Your Business From AI, Deepfakes and Voice Cloning in a Converged World

Reflecting a heightened awareness that physical and cyber security are now inextricably linked, ISC West is bringing back one of its most popular speakers: a featured Bridge Stage address by former White House CIO Theresa Payton, who will explore how bad actors are leveraging AI and other advanced technologies to put businesses in harm’s way. Payton, who served in the George W. Bush administration as the White House’s first female CIO and appears regularly in major media outlets commenting on cybersecurity news, sat down with ISC News Editor-in-Chief D.J. Murphy for a quick preview of her talk this year.

D.J. Murphy: When you spoke at ISC West last year, generative AI and ChatGPT were relatively new. How have the threats from generative AI evolved in the past year?

Theresa Payton: AI, machine learning and AI algorithms have been around for a very long time. But putting a chat-like interface on the ability to access that technology has really been a game changer for businesses in combating cybercrime. But cybercriminals and nation states that want to take on nefarious cyber operations have also benefited tremendously.

I'll be unveiling the tradecraft and how easy it is for cyber criminals to take advantage of us. They are masters of understanding human nature. Just recently an individual who was following all of his company’s protocols was tricked by deepfakes that simulated his real teammates and convinced him to do an unauthorized wire transfer. He thought it was legit, so here we are.

But what I want to tell people is it's not bleak. We can beat them at their own game, we just have to take a moment to think, “well, how do we outsmart and out-design them?” There are some really great best practices that organizations and individuals can leverage and I'll be sharing a lot of those. There are some really creative ways to upskill your organization to be able to spot and stop the manipulative use of generative AI before it becomes a problem.

DM: Without giving away too many spoilers, do you have an example of one of the techniques you would recommend?

TP: One thing everybody can do right now in their personal life and in their work life is to think about a series of pass phrases that aren't easily guessed using social media and have a rotation of those pass phrases ready. Bad actors are using AI to steal people’s voices and commit “virtual kidnapping” where they demand ransom even though they don’t actually physically have the person. They present it as part of a conversation to a loved one in order to get them to act quickly to send money.

If you have a pass phrase when you have something like that, you can find out if this is really my loved one in danger and should I be wiring this money or is there something else going on here? I'll give you the money, but I just need the loved one to give me the pass phrase.

That technique works for businesses as well. You might get a call and it's your CEO's voice and your CEO's phone number asking for a wire transfer. If you have a pass phrase you can authenticate that it’s really the CEO. There are ways to outthink and outsmart cyber criminals, it just takes a little bit of preparation, a little bit of design, a little bit of training.

DM: Is there anything about how threats have evolved over the last year that has surprised you?

TP: I shouldn't be surprised, but the level of effort and tenacity of cyber criminals to get what they're after is insane. They are more persistent than a squirrel is with the bird-proof bird feeder. Every year I think I've seen it all. And then, nope, I haven't seen it all. Maybe that's the biggest surprise. I've seen thousands and thousands of creative ways to commit cybercrimes, but there's always something new.

DM: At ISC, we've been talking about the convergence of cyber and physical security for years now. Is there a physical threat that stems from a cybersecurity posture that's particularly bad right now?

TP: I'm increasingly concerned about the risks posed by connected devices in smart buildings. That’s a tough nut to crack for physical security and cybersecurity teams. I do predictions two years out, and a prediction for 2024 that I did in 2022 is that ransomware syndicates would move to smart buildings and would lock a building with people inside, turn off HVAC, do all kinds of things, demanding money to release hostages.

I hope that doesn't happen, but for everybody attending ISC West, we'll have a conversation about how to think about that prediction and how to prepare your buildings. In the event that ransomware syndicates move to buildings and away from systems, they’ll be ready for it, and their people will be prepared and know the workarounds.