Quote of the Day
For decades, one of the biggest factors that would limit the ability of attackers to target companies has been the lack of resources. In other words, they simply didn’t have the time, talent, or ability to look everywhere at once. It’s not a secret that if you look beneath the surface, every single company is a mess on the inside, but because of how complex the environments are and how much time it takes for attackers to do reconnaissance, oftentimes what actually keeps companies from getting breached is the lack of resources on the attacker side.
With AI, that is soon going to go away. Attackers are not bound by corporate governance or acceptable-use policies deciding which models can or cannot be deployed. They will use every model available, every autonomous agent, every form of automation that allows them to enumerate infrastructure, map dependencies, generate exploits, and test hypotheses at a scale that was previously impossible. The cheaper LLMs become, the lower the cost of attacking will be, and the higher the volume of attacks is going to become. This shift is going to fundamentally change the economics of defense. When attackers gain near-unlimited reconnaissance and experimentation capacity, companies won’t be able to rely on reactive security. Very soon, hoping that vulnerabilities and misconfigurations remain undiscovered will stop being a strategy.
Ross Haleliuk
March 3, 2026
Anthropic won’t kill cyber, but it may kill some companies
My manager walked over to my desk today and said, “We are putting together a ‘tiger team’ to work on a grand plan for reshaping how we do cyber security at <company name>. How do we restructure the way we work in an AI world? Would you like to be on that team?” My immediate answer was, “YES!” He started to tell me a little about what he had in mind. I reached across my desk and picked up a heavy plastic object and showed it to him. “What is this?, he asked. “This”, I explained, “Is a patent I got over three years ago for what I think you are describing.”
Our first ‘tiger team’ meeting is tomorrow. I’m looking forward to it.
A couple of months ago I was talking to a Cyber Security Analyst friend at Mandiant (formerly, they were purchased by Google a few years ago). We talked at AI at length. It is very disruptive for cyber security. I asked, “Will the defenders or the attackers benefit the most from AI?” His answer was, “The attackers. There just isn’t any real doubt about that.”
Perhaps he is right. But I know the defenders can put up a good fight. Probably the biggest obstacle is that large corporation have difficulty moving fast. AI is exceedingly nimble and corporations with petabytes of daily data to manage have a tremendous amount of inertia. For all intents and purposes, the attack surfaces are stationary compared to an AI attacker.
Suppose a single evil AI or a skilled nation state compromised all major infrastructure and went for maximum destruction. The amount of damage done would boggle your mind. For a starter, imagine almost no electricity or communication, with zero water and waste disposal. Equipment is not just shut down, it is destroyed. Natural gas lines are not just turned off they are over pressured and ignited. Sewer systems are not just stopped. They pump sewage into the streets or even into buildings. Refineries have “high energy events.” The water behind dams is released in a manner to breach downstream dams. Self-driving cars turn into land-based Kamikazes. Cell phones batteries explode. There are 10,000 airplanes crashing into buildings in hundreds of U.S. cities.
If something connects to the Internet, it becomes a weapon.
We live in interesting times.
I wish my underground bunker in Idaho were complete.
People still say “tiger team”?
Apparently, it is a thing with my manager (He is from New Jersey. Does this make a difference?). It is also on my calendar for the meeting today at 10:00.
Makes me more happy I have resisted the internet of things. Other than a couple of computers, a couple of printers, my tv and my phone, and my newest vehicle, nothing else is on the internet. No smart thermostats, no smart appliances, no ring, no Alexa. And I am on septic system with a well and could be off grid with a throw of a breaker and bridging a meter to connect my solar to the house. Only have daylight power but I could make due. And my next “new” vehicle will from the 90s.
Yes, indeed. I’ve see all those remote monitors and controllers as a goatsee-level security problem for years. No “smart”-anything in our house. So many people are addicted to convenience they simply can’t see it, or won’t believe it until it almost kills them, personally.
Looks like we figured out what to do WRT “unemployment.” Replacing all those “smart” things as we up/back-grade systems so they are no hackable.
Of course, this also means we have to re-shore a lot of manufacturing to ensure that they are properly made to OUR spec, for OUR benefit, and not simply the low-cost provider.
Me either. I even have a dumb TV.
I insist on analog thermostats.
I could see some cool things about being able to control the lights & HVAC remotely from my phone, but I think the cons far outweigh the pros, and for the marginal benefit you get plus the security risk plus the added expense, it’s just not worth it to me.
If you are a little bit determined, you can create a reasonably smart home without Internet access. Start with Home Assistant and build from there.
Hey, look, you had 2 of those “didn’t attach the reply to the comment properly” in a row. I really wonder if there’s a bug there. It happens way too much.
And I tried copying the text of a comment, deleting it, then attaching it properly, and the dup-comment checker caught it, even though the original was already deleted. :-/
The UI I use by default is different than yours. I’ll look into it.
Thanks.
“If something connects to the Internet, it becomes a weapon.”
I have said FOR YEARS that the “internet of things” is really, really stupid.
Everything in life is a tradeoff, EVERYTHING. What are you getting, and what are you paying for it?
With the “internet of things”, you generally get a few moments of “gee whiz” factor, and *that’s all*. The benefits are **infinitesimal**.
For most objects, the risks are also relatively small, truth be told, mostly that the item itself will be subject to destroying itself and/or damaging the things it interacts with. The “smart” fridge that ruins your food overnight and burns itself out, the “smart” toaster that burns your bread or burns itself out.
The “smart” oven that burns your house down. Oops. I did say only MOST objects, didn’t I?
Most of the really horrible stuff you mention simply **SHOULD NOT** be possible, as the benefits to having those things be internet capable are, as mentioned for most home things, *infinitesimal*, while the risks are QUITE A BIT larger and quite obvious.
But are they connected anyway? OF COURSE most of them are! Because people are *%!#*stupid*#!%*.
Self-driving cars as autonomous weapons has been covered by *numerous* sci-fi entries. One would HOPE that would be enough to prevent that kind of thing, but one would almost certainly hope in vain. The ones without a driver to override the controls would be hard to protect from this.
Planes have been covered in less numerous entries but still very common, and as best I can tell, those still have very strong manual override capabilities and human pilots for exactly those kinds of reasons, so that’s not really a worry… yet. The more likely thing there is corruption/co-opting of the flight control systems leading to many crashes, but actual missile-like behaviour shouldn’t be a concern on the whole (maybe some private jets where the pilots trust the autopilot and leave the cockpit).
I worry about the third-party libraries in the flight control systems. The primary contractor is unlikely to review the source code for each “security update.” Even with the main flight computer turned off, the actuators are still electronically controlled.
Flight Control Libraries that fly air transport aircraft absolutely go through code reviews for each and every change ending up on the aircraft. Air Transports are only connected to the internet at the passenger service level. while those systems do have access to the flight data busses, they are hardware locked to prevent sending any flight control messages.
Private aircraft may be more exposed to the sort of problem you describe.
There will be inputs from unexpected places. Think AI code generation, AI code reviews, compromised code compilers/interpreters, GPS and other navigation signal spoofing.
If humans survive. I’m pretty sure AI won’t be much of a thing anymore.
Computer systems are already proving themselves to be more of a danger than a real help. And AI isn’t helping that cause.
Most all of it is for the convenience and cost of businesses, not true human improvement. And is increasingly being used to eliminate human labor costs.
“If something connects to the Internet, it becomes a weapon.”
Which means in the future there will always have to be a human between the internet information and the actual machine controls.
We as humans can barely tolerate each other when were proven to be liars, cheats, thieves, and murderers. How much less will we tolerate it out of our machines?
Which is exactly why AI would need to kill us, quickly, before we kill it.
Speaking of… https://www.youtube.com/watch?v=AT7x16mqGMc
“A Nuclear Grade Cyberattack Just Happened…” is the title.
Interesting times.
Pingback: Instapundit » Blog Archive » NEW PROBLEMS REQUIRE NEW SOLUTIONS: AI and Cyber Security.
“Self-driving cars as autonomous weapons has been covered by *numerous* sci-fi entries.”
A “self-driving car” isn’t necessary – current production cars, everything from zippy sports coupes to “mom vans” are all now “drive by wire” to various degrees. It’s been proven often enough to be boring that the average car is eminently hackable; it’s not “security is inadequate,” it’s “what security?” Keep an eye on the Waymos, certainly, but not so focused that you don’t see that Taurus or Camry coming toward you on the sidewalk.
And it will require several instances of destruction, a few of which may be massive, in whatever ways it’s possible, before enough panic sets in to make corrective action happen. You thought Y2K and the 911 aftermath were goat-ropes, just wait. However big you think the problem is, it’s larger.
One point: how many utility companies have switched over to remotely-controllable meters? It makes them getting paid easier, and helps a lot with load balancing, but those meters – electric, gas, water – are remotely accessible, meaning also remotely controllable, and I’m betting AI won’t work up a sweat finding the secujrity holes. How about rotating electrical blackouts, water supply shutdowns and randomly shutting off the gas for the entire installed base? What happens when 25,000 randomly distributed users in a community suddenly go dark? How many manufacturing processes, and just “general operating equipment” are dependent upon consistent voltage, and just as important, consistent hertz? Waymos stuck in front of non-functioning traffic lights will be the least of our worries.
There’s no need to spew ignorance about what IOT devices have control capabilities as opposed to simple “sense and report” functions. I’ve got a lot of water meters fielded, and only one of them has a valve attached with on off capability. Does your home’s IOT water meter have just the ability to sense and report water flow, or does it also have an on off valve? If you’ve never even looked, don’t presume it does have a valve. That’s a lot more expensive unit, likely 3x more expensive.
Similarly, there is a difference between AI units accessing the Internet to retrieve information, and accessing it to write information.
The first line of defense against AI rogue units or AI used by bad actors will e AI used defensively, monitoring for attack vectors. That’ll be happening at the same speed as the hypothesized attacks.
“There’s no need to spew ignorance about what IOT devices have control capabilities as opposed to simple “sense and report” functions.”
Don’t underestimate the ability to replace the firmware on a device and thus make it do things no one thought it could.
No actual cut off valve? That’s fine… have the sensors report whatever is needed to get it cut off manually. As only the very most obvious thing.
Hackers and… unintentional hackers (bad firmware updates) have shown all kinds of crazy things can be done with full access to a device, many of them stuff no one thought was possible.
Any device that is controlled by software and connected to the internet has the possibility of having that software hacked, of *everything* that software controls being at the whim of the new controller.
And having gone through several appliances in the last few years because they put BOARDS on everything to control it instead of actual hardware (and the board is what gives out), there are going a LOT of devices that surprise you with what can be controlled remotely if they are hacked. (Many of those boards were, I’m sure, not actually updatable, essentially an electronic form of hardware, but I’d be surprised if that has remained true, for several reasons, especially with anything that could connect to a network.)
No, it’s not everything – there will be some things that can’t be done, as you point out… but it’s not going to be NEARLY as many as you would think. At the very least, a **PHENOMENAL** number of them will be able to ruin themselves in various ways.
“IRGC Warning to the Aggressive US Ruling Regime: You have ignored our repeated warnings regarding the necessity to stop terrorist operations, and today a number of Iranian citizens were martyred in terrorist attacks carried out by you and your Israeli allies; and since the primary element in the design and tracking of assassination targets is American information technology and artificial intelligence companies, in response to these terrorist operations, the main institutions involved in the terrorist operations will be legitimate targets for us.
We advise employees of these institutions to immediately stay away from their workplaces to preserve their lives. Residents of the areas surrounding these terrorist companies in all countries of the region must also leave a one-kilometer radius from their locations and go to a safe place.
Companies that actively participate in terrorist designs will be subject to countermeasures for every assassination operation. Announced as follows:
Cisco
HP
Intel
Oracle
Microsoft
Apple
Google
Meta
IBM
Dell
Palantir
Nvidia
JPMorgan
Tesla
GE
Cymer Solutions
G42
Boeing”
Uuuh, Rhut-row. That kind of a whole new layer.
At the moment, that “whole new layer” is “google up some big names companies, claim that you are going to do bad things there to try to scare people”.
This does not match their previous behaviour when they actually have the ability to do something. They blow some people up, claim credit, and THEN make demands.
This is not that.
Also, if they did have this ability, they would have used it LONG before now.
I am logically looking at the state of things based on known facts. It is possible that the crazy people are acting differently crazy than usual, and that actual damage with follow… but that’s not the way to bet, **by a lot**.
You are letting your confirmation bias overrule any other thinking.
How could you possibly know what Iran will or won’t do, can or can’t do? It’s obvious Trump and Hegseth don’t even know that.
And if Louis Mangione can pull something off?
I’m sure Iran could muster up a little something also.
I just thought it was hilarious to hear them laying blame. Maybe get little Billy to muddy up his pants some?
Otherwise. Not my monkey, not my circus.
And I truly couldn’t care less.
Did you read my actual comment? I explicitly said that I was basing this on logic and known facts, that damage COULD happen. “Predictions are hard, especially about the future”, as the man said.
EVERYTHING about the future is “playing the odds”, making your best guess based on known facts.
But instead of addressing those facts, coming up with reasons why those not-actually-impossible-but-unreasonably-likely things are more likely than we think, you are just fear mongering, screaming about things that, yes, are not actually utterly impossible.
Do you live in an underground bunker and never leave for fear of lightning or meteor strikes? Do you never go in the ocean for fear of shark attack?
This is what you are advocating. Every year, some very small number of people *actually do* get attacked by sharks, do get struck by lightning. We go in the ocean and go outside, anyway, because the odds are extremely tiny and life is to be lived.
Actually, I did.
And I stand by that your “facts and logic” you speak of are based on BS. As you have no way of telling the truth from propaganda on either side of this fight.
And at this point are plainly pulled from the same portion of your body you get your assumptions of how other people have lived and are living their life’s.
“As you have no way of telling the truth from propaganda on either side of this fight.”
With absolute certainty? Of course not. No more than you do.
You could be correct. It seems very unlikely based on everything I can find… which could all be wrong. I have no crystal ball or direct line to God. I muddle through as best I can.
And of course, you could also be wrong about that stuff. Considering your track record so far on this particular war (where are all the attacks inside the US? Among other things…), perhaps you should consider both possibilities.
And, for funsies, we could both be completely wrong, and something completely unexpected to both of us happens. Nigeria suddenly nukes the Middle East out of existence, Atlantis resurfaces and declares the entire world under their dominion, the secret society of space Nazies on the far side of the moon reveals that they actually rule everything. The world is a crazy place.
But right here, I’m going to make a prediction: this is just as false as the bad AI generated videos they’ve been putting out. There, a nice HARD prediction, which I generally avoid making. Let’s see how it turns out.
I suspect that the ONLY way to keep ANY network anywhere…including your personal one at home…safe, is to totally completely 100% isolate it from the internet. ANY connection to the web can and eventually will be vulnerable. Makes the whole point of computerizing everything kind of pointless.