Cyber Security Strategy 2030 - what happens when an AI does the thinking?

NCC Group exists to make the world safer and more secure, so we continually monitor the latest legislation relating to cyber security.

When analysing the Cyber Security Agency of Singapore’s (CSA) updated cyber security strategy in October 2021, we noticed a pattern of familiar themes and messages in its accompanying press release. The content mirrored similar announcements from the Australian Government in summer 2020, the European Commission in December 2020, and the US White House in May 2021.

This commonality and aligned messaging is a good thing, but it did raise our curiosity and, in-keeping with our ‘cyber as a science’ approach, it gave us an idea.

We wanted to find out if it was possible to identify common pillars within national cyber security strategies through Artificial Intelligence (AI). We wanted to know what would happen if we fed a machine learning model the text from various nations’ cyber security strategies from the last five years, and trained it to write a global cyber security strategy based on what it had read.

This would help us to answer two questions:

1.  Would the AI also identify common pillars in national security strategies?
2. Could AI and machine learning be deployed by national governments to help inform their development and drafting of cyber strategies?

At a time when the UK’s Intellectual Property Office is consulting on whether it should allow patent applications to identify AI as the inventor, we wondered whether government ministers and advisers could one day have a willing team of AIs to churn out policy ideas and content based on political aims.

Employing machine learning text generation techniques, we used a Recurrent Neural Network (RNN) that predicts the next character in a sequence based on the previous characters it has read. After tasking it to read the strategies we provided it with 20 times over, it generated the Resilience of the Community Cyber Strategy that you can read here.

In summary, the eventual result of our experiment was a strategy that was comprehensible, but distinguishable from a human-written document, and there were few lines that could be considered a legitimate policy consideration. This is because machine learning models in their current state cannot draw logical and contextually aware conclusions. Even with significant amounts of training, the eventual auto-generated text will always have some artefacts that don’t quite scan or read well.

The model’s outputs were dependent on a statistical manifestation of common themes, keywords and phrases it identified. That said, it was remarkable how many common themes and key messages appeared in the Resilience of the Community Cyber Strategy document. It proved to us that the patterns identified within the national cyber strategies were true, as the AI’s output also recognised similar threat analyses, problem statements and solutions.

It raised the question - why do governments continuously look to curate bespoke solutions to borderless challenges such as cyber resilience, when they are looking to solve the same problems? The most likely answer is digital sovereignty, with each nation favouring a tailored approach that protects its own national interests. Nevertheless, the extent of common ground should make international collaboration ever easier, and perhaps even allow governments to learn from each other.

Elsewhere in the document, we were particularly struck by the prominence that collaboration with the private sector had in the document, with ‘private sector’ and ‘private industry’ mentioned eight times. It demonstrates the emphasis that governments around the world put on the expertise of industry, utilising its knowledge and insights to inform legislation and aid national efforts to fight cyber crime.

In closing, there is some way to go when it comes to Artificial Intelligence taking the lead on drafting cyber resilience strategies and humans will need to take a crucial and continued role when taking the lead on reasoned argument – at least for now.

Additionally, whilst we had great fun in undertaking our experiment, there are more serious lessons that we can take about the language processing capabilities of machines, how nation states currently go about tackling the cyber challenges and role of the private sector in cyber resilience strategies.

You can have a read of the Resilience of the Community Cyber Strategy document here.