One side develops new ways of encrypting messages while rivals develop new technologies to decrypt the information they contain. This means organizational cybersecurity always needs to evolve to counter emerging threats.
Artificial intelligence has now entered the cybersecurity battlefield and the emergence of low-cost generative AI in particular has organizations concerned that the barriers to entry for hackers have come crashing down. But is it just fear mongering?
The 2024 Air Transport IT Insights report, released last week by aviation tech provider SITA, finds that 73% of airports and 66% of airlines say cybersecurity is one of their top three IT focus areas. David Lavorel, CEO of SITA, said the aviation industry is at a “pivotal moment.”
“As cyber threats become more complex, airlines and airports are taking decisive action to protect their operations and passengers,” Lavorel said.
David Brauchler, technical director of cybersecurity consultants NCC Group, said, “A lot of people were afraid of AI turning everybody into what we call advanced persistent threats (APTs), the highest tier of threat actor possible. In reality, that's not what we have observed. At most, it has taken some of the lowest skilled actors and brought them to the point where they can do phishing scams and send out spam content at a greater rate than ever before.”
“When you look at the sophistication of threats out there, companies have to become more proactive,” said Martin Smillie, senior vice president for communications and data exchange of SITA. “New threats need new counterbalances and that means investing and more sophisticated forms of threat protection.”
IT budgets are increasing—Gartner estimates that in 2025 IT spending will reach $5.74 trillion globally, an increase of 9.3% over 2024.
Recently, much of this spend has been on the AI supply side—think OpenAI’s billions— but this will shift.
John-David Lovelock, research vice president at Gartner, said, “CIOs will begin to spend on genAI, beyond proof-of-concept work, starting in 2025,” although he warns that “expectations for the capabilities of genAI will drop”.
An Amadeus survey in the third quarter of 2024 of 300 global industry leaders in travel found generative AI was considered the top priority for 46% of respondents, while 34% said non-generative AI was a priority.
David Carvalho, founder and CEO of Naoris Protocol, a cybersecurity blockchain framework, said, “Budgets have been increasing but they are focusing on the wrong thing. They are mainly focused on ticking the boxes of regulators that mandate things that are five or ten years behind the curve.”
Cybersecurity spending still largely happens reactively, after a cyberattack.
NCC’s Brauchler said organizations still see security as a sinkhole of funds but that investment in AI may offer an opportunity.
“Organizations hoping to spend money on security can often use AI as a funnel to get the budget that they need to invest in security as a whole,” he said.
AI is bringing its own security issues.
“Organizations right now have tons of funding pouring into embedding AI into their broader applications,” Carvalho said. “Let's say that I compromise a library that your application uses, I can more or less make your application do whatever I want.”
Despite the risks of AI, there are still traditional cyber threats such as compromised people within the business through ransomware.
Fraud is a particular concern in the travel sector. Payment fraud has been a long-standing problem but new fraudulent activities have emerged and generative AI has made some much more prevalent.
One such area is the growing number of fake listings on ride sharing and house sharing platforms.
Between March 2023 and 2024, Airbnb said its security teams mitigated 2,500 phishing domains globally. Research for the company found that 18% of its British users could not recognize a fake accommodation website.
The seemingly magical powers of AI mean that organizations might have to rethink the whole cybersecurity paradigm and some think decentralization is the answer.
Carvalho, who started as a hacker at age 13 before switching sides, said scaling is the problem.
“The more you grow as a company, the more entry points you have to be exploited,” he said. “The biggest problem we have is the single point of failure principle, it gives the advantage to the attacker. Decentralization allows for the distribution of resilience in a way that normally you can turn devices into agents. Alone they cannot do too much, but together they're extremely resilient.”
NCC’s Brauchler is not entirely convinced. “Keeping one asset safe is just not working but will we see that extend to the whole blockchain philosophy of decentralization? Probably not, it’s just too hard to implement.”
Despite the increased risks enabled by AI, Brauchler said we should not be overly concerned.
“A lot of organizations are running frantic,” he said. “They don't know what they need to do, and they're afraid. Is this the end? It's not. We're going to be fine and just in the same way that when blockchain came out, when cloud came out, when Internet of Things came out, when all of these paradigm shifts occurred. AI is going to be the exact same way.”
Carvalho at Naoris believes that AI is not the biggest cybersecurity threat—that accolade goes to quantum computing.
“All cryptography right now is based on the fact that it's really easy [to] calculate in one direction and really hard in the other. It's based on prime numbers; if you have the key, you can encrypt very easily, but if you don’t have the key, you need to try all possibilities and it will take a septillion years. With a quantum computer you probably can do that instantaneously,” he said.
This is why U.S. standards body NIST has been mandating post-quantum encryption methods for all agencies in the United States since August 2024. Private organizations need to catch up.
“All your data is being harvested right now by threat actors all around the world and kept in storage,” Carvalho said. “As soon as they have a capability to break that with the newer raw mathematical power from a quantum computer you can’t go back in time to prevent them having that.”
Tags: Artificial intelligence Martin Smillie, SITA John-David Lovelock, Gartner, Amadaus