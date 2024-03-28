Some financial institutions are not moving fast enough to adopt adequate risk management frameworks that could help address AI-related cybersecurity threats, according to a report released Wednesday by the Treasury Department.

Cybercriminals who deploy hacking techniques based on tools such as generative AI chatbots are likely to have an advantage over banks, at least in the short term, adds the analysis, which cites 42 interviews with financial firms, professional associations and cybersecurity service providers.

The Treasury investigation was organized as part of a sweeping executive order on AI in which the federal landscape was tasked with studying and reorienting its operations around the rapidly evolving technology that has dominated headlines over the past year for its rapid adoption in consumer markets.

The order identifies financial services, alongside education, housing, law, healthcare and transportation, as sectors likely to suffer from misuse of a given AI technology. Several federal agencies have been asked to write sector-specific reports assessing the risks and benefits of AI with varying due dates after the guidelines are signed.

AI chatbots and related tools, like OpenAI's ChatGPT or Google's Gemini, have been hailed as powerful productivity enhancements, but the tools can also increase hacker abilities to carry out increasingly credible cyberattacks and social engineering scams.

These include phishing campaigns, in which hackers create a cloned email, web page or other common digital item with an underlying program that siphons victims' data or installs malware on their systems. “They click on it, according to a Treasury official who spoke to reporters before publication. .

Email phishing attempts against monetary entities are starting to look more realistic, the official said, recounting conversations the agency has had with institutions. Historically, many phishing emails contained language signaling to targets that the hacker did not speak perfect English, but AI systems have made those attempts more accurate, the official said.

Scammers also tried voice cloning technologies to impersonate victims and access their financial information, the official added.

Such AI tools are also used for malware and code generation. One example described involved using a generative AI platform to create a fake copy of a company's website to harvest customer identifying information. Hackers have also considered using such tools to scan websites for vulnerabilities, the report said.

While institutions more frequently share anonymized threat information with cyber vendors, financial firms are less willing to share fraud protection information with each other, the analysis found, adding that the lack of sharing of Fraud data likely affects small institutions more significantly than large institutions.

The report is being widely distributed across Capitol Hill offices on Wednesday, hoping to gain buy-in from lawmakers for its findings, the official later added.

Other data-specific risks highlighted by the Treasury report include data poisoning, data leaks, and data integrity attacks, all of which target sensitive information used to train the AI ​​models themselves. same. By compromising fundamental information in the source data, attackers can permanently change the output of a large language model, leading an AI system to produce biased, unethical, or false responses in response to a prompt given.

Although fundamental training data is a prime target for hackers, all data processed throughout the development and production cycle of an AI system requires protocols that would protect it from access by cybercriminals, advised the Treasury.

Financial regulators frequently sound the alarm about AI systems and their integration into investment services. Securities and Exchange Commission Chairman Gary Gensler said unchecked AI systems could cause a financial collapse in the future.

The SEC issued a rule that requires publicly traded companies to disclose hacking incidents this could materially affect their investors. It aims to provide more transparency about the impact of cyberattacks on companies' bottom lines by requiring them to report breaches within four days.