Cybersecurity Today: DeepSeek Disruptions, NVIDIA Vulnerabilities, and More – Weekend Panel for February 1, 2024
Release Date: February 1, 2025
Introduction
In the February 1, 2024 episode of Cybersecurity Today, host Jim Love engages in a dynamic discussion with a panel of experts: Laura Payne from White Toque, Dana Proctor from IBM, and guest David Shipley, a culture critic and head of Beauceron Security. The panel delves into the latest cybersecurity threats, data breaches, and strategies to secure businesses in an evolving digital landscape.
DeepSeek's AI Release and Security Implications
Jim Love kicks off the conversation by highlighting a significant event: the release of a new AI model by DeepSeek. Described as an advanced, open-source version comparable or superior to existing models, this release has stirred considerable attention.
Jim Love [00:34]: "AI is the great shadow IT. And if you have people in your office who actually got on there the first day and were putting corporate or personal information on a server in China from a software they'd barely heard of... that's just over the top."
Laura Payne raises concerns about the motivations behind offering such powerful AI tools for free, questioning the timing and potential ulterior motives linked to Nvidia's recent challenges.
Laura Payne [04:23]: "Nvidia has seven vulnerabilities with patches out for them. There's three, three high. One of them allows full execution, arbitrary execution if you exploit it and it is exploitable."
Dana Proctor from IBM emphasizes the importance of securing AI infrastructures, noting that the DeepSeek incident underscores existing best practices in cybersecurity.
Dana Proctor [04:59]: "We're not well equipped in securing data centers right now. That's why we continue to have data center breaches."
The panel discusses the implications of open-source AI models, balancing the benefits of transparency against the risks of widespread access by malicious actors.
NVIDIA's Vulnerabilities and Market Impact
The discussion shifts to NVIDIA, which has disclosed seven vulnerabilities, three of which are high severity. These vulnerabilities have had a direct impact on NVIDIA's stock price, exacerbating concerns about their security practices.
Laura Payne [04:23]: "Nvidia has seven vulnerabilities with patches out for them... a double whammy for Nvidia on that side of things this week."
David Shipley explores the broader market and geopolitical implications, linking DeepSeek's release to potential stock market manipulations and highlighting the influence of Chinese hedge funds in technological advancements.
David Shipley [09:14]: "Short selling is when you take a bet that the stock is going to perform poorly. And short sellers made 6 billion plus Monday when Nvidia's stock tanked."
The panel reflects on how these vulnerabilities and market reactions signify deeper security and economic challenges within the tech industry.
The Open Source Debate in AI Security
Jim Love champions the benefits of open-source software, acknowledging its potential for improvement through community scrutiny but cautioning against hastily integrating such technologies into business environments without proper security vetting.
Jim Love [06:16]: "It is an open source program. It will though. That's the beauty of it from a security point of view is that the code can be exposed to, people can look at it, we can improve it."
Dana Proctor concurs, stressing the need for a secure pipeline in AI development and deployment.
Dana Proctor [06:31]: "The challenge with AI is we don't know if there's exfiltration. Are they injecting code... secure the pipeline, the machine learning pipeline."
David Shipley warns against the potential misuse of open-source AI, drawing parallels to other technologies like 3D printers that can be used maliciously.
David Shipley [22:50]: "The more that this gets open source, the more that this is going to be abused. I can't believe I'm actually coming out support of not the OpenAI if you're listening."
The panel debates the ethical responsibilities of releasing powerful AI tools into the public domain and the balance between innovation and security.
API Security Concerns and Rising Vulnerabilities
A significant portion of the discussion centers around API security, highlighting a report by Wallarm that reveals a staggering 1,025% increase in Common Vulnerabilities and Exposures (CVEs) related to APIs over the past year.
Jim Love [28:06]: "A staggering 1,025% increase in CVEs from the last year that were attributable to APIs."
David Shipley underscores the complexity of managing non-human identities and access controls within APIs, comparing it to the proliferation of IoT devices.
David Shipley [29:47]: "Non human identities are to the Internet what IoT is to humans. There's like 50 to 100 billion devices now on the Internet compared to the 8 billion plus humans."
Laura Payne criticizes the reliance on security by obscurity in API development, calling it ineffective.
Laura Payne [29:53]: "APIs were built with the security by obscurity was the model and like nobody will never will ever guess my one key that allows access to everything."
Dana Proctor emphasizes the urgent need for organizations to prioritize API security to prevent exploitation.
Dana Proctor [32:30]: "If I was a CISO of an organization I would say stop the presses, we need to change course and address our APIs."
The panel agrees that the rapid growth of APIs has outpaced security measures, making them a significant vulnerability in modern cybersecurity infrastructures.
Legislative Efforts and Policy Discussions
The episode delves into legislative initiatives aimed at combating cyber threats, with a focus on Canada's Bill C26 and the UK's proposals on ransomware payments.
Jim Love mentions ongoing discussions within the Canadian Parliament to resurrect Bill C26, which aims to strengthen critical infrastructure laws.
Jim Love [36:16]: "Please pass this if you are a political staffer or politician before you put your political interest into the next thing or if parliament survives by the grace of Donald Trump's tariff apocalypse."
Dana Proctor supports the passage of Bill C26, acknowledging its importance despite some concerns over its current wording.
Dana Proctor [37:04]: "Bill C26 it should be the ultimate nonpartisan so it really is a no brainer."
David Shipley introduces the UK's legislative proposal to ban ransomware payments outright or require mandatory reporting, advocating for measures to cut off financial incentives for cybercriminals.
David Shipley [44:10]: "If we can create some disincentives and frictions around that area, it'll be interesting to see if they, they do this."
The panel highlights the critical role of government policies in shaping the cybersecurity landscape and deterring malicious activities.
The Human Factor: Programming Ethics and Security Culture
A recurring theme is the human element in cybersecurity, emphasizing the need for ethical programming and a robust security culture within organizations.
Dana Proctor and David Shipley discuss the importance of integrating security into the development lifecycle (DevSecOps) and educating programmers on ethics and secure coding practices.
Dana Proctor [15:23]: "Modern computer science programs in Canada need to be teaching ethics, need to be teaching critical thinking, need to be teaching security by design."
Laura Payne adds that non-technical staff adopting AI technologies pose additional security risks due to a lack of understanding and oversight.
Laura Payne [16:40]: "There's a lot of people who see the opportunity and they're willing to just set aside that fear or that concern because the deadline that's in front of them is more important."
The panel underscores that technological advancements must be matched with human-centric security measures to mitigate risks effectively.
Closing Remarks and Shoutouts
As the episode wraps up, Jim Love commends the efforts of law enforcement in combating cyber threats and encourages listeners to support increased funding for cyber policing.
Jim Love [45:32]: "A big shout out to them... tell them they might want to put a few more cyber cops in there."
David Shipley humorously criticizes fraudsters targeting Canadians and calls for accountability.
David Shipley [46:37]: "Shame on you... Shame on you."
The panel concludes with final thoughts on the persistent challenges in cybersecurity and the ongoing need for vigilance and proactive measures.
Conclusion
This episode of Cybersecurity Today provides a comprehensive exploration of contemporary cybersecurity issues, from the rapid advancements and associated risks of AI to the escalating vulnerabilities in APIs. The panel's insightful discussions highlight the intricate balance between innovation, security, and ethical responsibility, offering listeners valuable perspectives on safeguarding their businesses in an increasingly digital and interconnected world.
Notable Quotes:
- Jim Love [00:34]: "AI is the great shadow IT."
- Laura Payne [04:23]: "Nvidia has seven vulnerabilities with patches out for them."
- Dana Proctor [06:31]: "Secure the pipeline, the machine learning pipeline."
- David Shipley [09:14]: "Short sellers made 6 billion plus Monday when Nvidia's stock tanked."
- David Shipley [22:50]: "The more that this gets open source, the more that this is going to be abused."
- Jim Love [28:06]: "A staggering 1,025% increase in CVEs from the last year that were attributable to APIs."
- Laura Payne [29:53]: "APIs were built with the security by obscurity was the model."
- Dana Proctor [32:30]: "If I was a CISO of an organization I would say stop the presses, we need to change course and address our APIs."
- Dana Proctor [37:04]: "Bill C26 it should be the ultimate nonpartisan."
This summary encapsulates the key discussions and insights from the February 1, 2024 episode of Cybersecurity Today, offering a detailed overview for those who seek to stay informed on the latest in cybersecurity without tuning into the full podcast.
