AWS CISO: Generative AI is just a tool, ‘not a magic wand’

Chris Betz is neither fearful nor overly optimistic about the role of generative AI in cybersecurity. Instead Betz, CISO at AWS, balances both ends of the spectrum — he treats it just as he does any other burgeoning technology.

“For what it’s worth, I’m not sure that the sky is falling,” Betz told Cybersecurity Dive.

The security industry has not yet seen evidence that substantiates broad concerns about threat actors using generative AI to initiate cyberattacks more quickly, more often or with more damaging outcomes.

While researchers expect AI to amplify the impact for defenders and attackers, threat actors' use of AI in their operations is limited, according to Crowdstrike’s annual global threat report. “Throughout 2023, generative AI was rarely observed supporting malicious computer network operations development and/or execution,” the firm said last month in the report.

It’s tough and too early to say if the advantages afforded by generative AI rest with defenders or attackers, according to Betz. Threat actors and security professionals are leveraging the technology in scenarios that play to their strengths.

For defense, generative AI can resolve problems faster and more efficiently. Organizations can use AI to scan for hard-to-find vulnerabilities and determine steps for remediation.

AWS CISO Chris Betz

Permission granted by Amazon

“There's a ton of information for security analysts to understand. There's a ton of information for an application security engineer to understand. That ability to synthesize, to help answer questions, to help lead and find the right data and bring it together in a usable way is incredibly powerful for defenders,” Betz said.

“That's perhaps the place where attackers are not quite in the same place. They don't have that rich data about the people that they're attacking. And so this could be a case where there's an advantage to the defender.”

AWS wades into generative AI

While the other cloud giants Microsoft Azure and Google Cloud have rushed to scale products built on generative AI, AWS is taking a cautious approach. Company executives aren’t keen to overemphasize the capabilities of generative AI, yet Amazon has released multiple products built upon the technology.

The world’s largest cloud infrastructure operator presents generative AI, and the products it's built around it, as a tool that requires AWS to apply the same underpinnings it does with any other technology. Consistent data governance models, identity and access management, logging and traceability are critical, Betz said.

His conversations with customers on generative AI typically revolve around unforeseen risks and the opportunities businesses have to improve operations and build applications with the technology in a secure manner.

The flipside is that attackers now have access to the same tools, and “that’s always been true in cybersecurity and always been true in technology,” Betz said. “That doesn't mean that there are not real threats that we need to pay attention to here.”

Threat actors could gain significant leverage from the social engineering capabilities and faster code development attributes of generative AI, according to Betz. Yet that outcome, too, isn’t determined or irreversible. “It’s hard to read at this point,” Betz said.

The ability to deliver generative AI’s capabilities in a way that exceeds the same bars of integrity, competence and trust as other AWS technologies is what’s important, he said.

“It’s a tool in the toolbox. It’s not the only tool. It’s not a magic wand that could change the world, but there’s some really cool ways that you can use it,” Betz said. “I’m more focused on using it than trying to figure out the relative advantage. It’s just an important tool.”