Combating Cybercriminals with Cognitive Computing

This past summer, the entire world was speculating about how dangerous North Korea is. Does Kim Jong-un have atomic bombs? Are they deployable? Will he use them?

While the world trembled, a voice from Silicon Valley sounded off on Twitter: “North Korea should be low on our list of concerns for civilizational existential risk.” There is something far more dangerous, read the Twitter post: “Competition for artificial intelligence superiority at the national level will most likely be the cause of World War Three.”

Those words of warning came from Elon Musk, the inventor of the Tesla electric car. He may be an eccentric, but other commentators see it the same way. Russian President Vladimir Putin, for instance, recently said that the country that becomes the leader in artificial intelligence technology will be “the ruler of the world.” Such visions of state-driven cyberwar smack distinctly of Hollywood and its Terminator and Matrix science fiction movie franchises. Hacker attacks on individuals and corporations, on the other hand, are very real indeed.

Even though hackers do not yet employ any artificial intelligence in the sense that Elon Musk and Vladimir Putin envisage, the damage they cause is devastating, and the list of crimes is long. From online fraud and phishing scams, it extends to a major wintertime electrical grid shutdown in Ukraine and to a ransomware attack that infected 200,000 computers across 150 countries. Presidential elections in Kenya and the USA were even affected.

Two years ago, Ginni Rometty, the CEO and chairwoman of IBM, was already calling cybercrime “the greatest threat to every company in the world.” In two separate virtual robberies from Internet firm Yahoo, hackers stole one billion data records in 2013 and then another 500 million in 2014. In 2016, hackers purloined a total of more than four billion data records worldwide, more than in 2014 and 2015 combined. IBM thus dubbed 2016 “the year of the mega breach.” And just recently a data breach at Equifax was made public. Although “only” 143 million data records were compromised in that incident, they contained some highly sensitive information because Equifax, the USA’s largest credit-reporting agency, maintains a vast database of personal financial information on consumers. Equifax’s stock price immediately plunged by a third.

Virtual thefts don’t just hurt stock prices, they also strain budgets. IBM estimates the average cost per data breach at USD 3.62 million, which equates to USD 141 per data record stolen. That’s why corporations are spending more and more on protecting data. US market research firm Gartner projects that USD 86.4 billion will have been invested in data security solutions in 2017 alone.

The good news is that in contrast to hackers, the data defenders are already employing forms of the aforementioned artificial intelligence today – like SIX, for example. In early 2018, SIX will open Switzerland’s first security operations center (SOC) built on IBM’s Watson cognitive computing platform. That platform, by the way, has nothing to do with Sherlock Holmes; it is named after IBM’s first CEO, Thomas J. Watson. 

IBM Watson solves tricky cases nonetheless. In 2011, it defeated two previous champions on the US television quiz show “Jeopardy!”. Ever since then, IBM Watson has been put to work widely. For example, it reportedly diagnoses cancer more quickly and precisely than conventional procedures and produces more accurate weather forecasts. A Hollywood film studio even recently employed IBM Watson to edit a movie trailer. Using other trailers as models, it condensed two hours of film material down to six minutes, shortening the work for the film cutter many times over. This illustrates the power of cognitive computing. A system like IBM Watson assists users in an advisory capacity and supports them by constantly acquiring new knowledge on its own.

SIX operates a network that interconnects the players in Switzerland’s financial sector. Each act of accessing this network can pose a security issue. To properly protect the network, SIX operates a security center that continually monitors and logs all network access activity. The network is accessed more than a billion times per day and over 30,000 times per second during peak moments.

An individual access event says little. Correlations first emerge in the aggregate. The security center detects them and alarms the security analysts of SIX if there is suspicious access activity that potentially poses a security issue. The analysts are on standby around the clock. Their job is to understand and judge access activity A cluster of failed login attempts could stem from a hacker or merely from a smartphone that doesn’t yet know the new WiFi password.

Here’s where the new IBM Watson system comes into play. It compares suspicious access activity with external data. Is the login attempt coming from a suspicious IP address? Does it match a known attack pattern? Does a prior offender’s name pop up? Where an analyst heretofore has had to manually consult databases for this information and spend precious time checking the history of an IP address, IBM Watson now does that automatically. It also combs through and analyzes unstructured data such as content from websites, blogs or news archives, for example. This way IBM Watson continually learns and expands its knowledge, and it even imports knowledge from other companies.

Another benefit is that IBM Watson graphically depicts access activity and thus makes hidden correlations visible. "That enables us to judge attacks faster, more accurately and with fewer resources," says Thomas Rhomberg, Head Security Transformation, SIX. As the man in charge of setting up the new SOC explains, "a work step that otherwise would take a half hour to complete can now be performed by an analyst in just a few clicks."

IBM Watson’s intelligence today provides assistance in judging suspicious access requests. An analyst then decides how to best orchestrate a defense. But in the near future, IBM Watson may also learn how to devise defense recommendations by itself.

Setting up an SOC and operating it 24 hours a day is a costly endeavor, and it takes time to find the analysts needed to run it. The job profile is new, and there are only a few qualified specialists on the market so far. That’s why SIX is setting up its new SOC not just for itself. "It’s almost gotten to the point where a single company can no longer safeguard its digital security on its own," Rhomberg says, adding that SIX will offer use of the new SOC to other companies as well.

In recent years, banks particularly have had to be far too preoccupied with the issue of cyber security. In early 2015, hackers blackmailed the Banque Cantonale de Genève, and an attack by Bosnian cybercriminals on a “big bank” based in Zurich came to light last summer. “The banking sector is the preferred target of cybercriminals,” writes industry portal finews.ch, and the Swiss Financial Market Supervisory Authority (FINMA) says that Switzerland’s banking sector exhibits deficiencies in identifying potential threats and in its defense mechanisms. “We would like to enable banks to refocus on their core business, thereby making our contribution to the security of Switzerland’s financial sector,” Rhomberg expands.

This past spring, an edition of the renowned British business and politics magazine The Economist bore the title “Why computers will never be safe,” and rightly so because computers, like the humans that use them, will always pose a security risk. This makes it essential that companies be able to quickly detect and immediately react to threats.