With AI expected to dominate this year’s RSAC sessions and keynotes, we spoke with Dr. Paul Mockapetris, the inventor of the Domain Name System (DNS), about the role of AI on cybersecurity, the latest about DNS-based risks, and what it takes to become an impactful leader in the tech industry. Note: This interview has been lightly edited and condensed for clarity.
AI
AI itself is not new. There was a huge wave of AI around 1985 with the Strategic Computing Initiative, but in 1990 that wave wasn’t observable anymore. I think much of the current success of AI is due to silicon providing more processing power than any new deep understanding.
AI aids both sides [defenders and adversaries] in the cyber conflict. While we’re going to have an era of surprises with AI and security, one area today where it is already helping adversaries is phishing attacks. AI-generated phishing attacks will typically pass the Turing Test substantially in 2024. AI will tailor the attacks with personal information. Users can no longer identify machine-generated copy from human-generated copy. There are significantly fewer clues, such as misspellings, etc. As a result, phishing attacks have become almost impossible to detect by inspecting the content.
There is no playbook for AI right now and for the foreseeable future. I think the government needs to try and regulate it, but it’s not going to be easy.
Cybersecurity
First of all, you should not depend on any single tool. And remember that the security of your vendors is as important as your own. All the big names in technology have been hacked at one time or another. So, you have to be cognizant of that and try to figure out how to assemble your infrastructure so you don’t have a single point of failure so even if something is infected, perhaps harm will be prevented. Successful security works in layers that can protect each other; it works in series rather than parallel.
DNS
When I think of DNS, I have two axes for improvement. First, improve what we have and make it more reliable and secure. The IETF is continuing to do that, and for example, there’s work to change how a parent set of domains coordinates with children, the so-called DELEG proposal. The second axis is: how do you create something that’s a totally new capability? You need a capability that people really want so that they will actually use it and then the mechanism to do it. For example, I think we need to think about more ways to make DNS domain entities that can figure out how to cooperate with each other.
Regarding threats, domain abuse is not going away, but having the government decide isn’t ideal because there’s no universal definition of “bad stuff.” Governments will continue to shut down obvious criminals. But beyond that, the ruling authorities can’t, won’t, and shouldn’t impose who’s okay and not okay. Instead, we must figure out how to empower the end users to make those decisions. Typically, since maintaining threat intelligence is hard work, they will delegate to a trusted third party.
As long as you have vulnerable devices, you will have DDoS. You can think about various ways to regulate against it, but DDoS is always going to be with us. And nation-state actors will continue to use botnets to commit crime because the cost of a botnet is fixed and the amount of damage you can do depends on how long it takes the FBI or whomever to take it down.
Leadership
To be an impactful leader, I think you first need to study the great ones. I’ve benefited incredibly from my colleagues and mentors including Dave Farber, Nicholas Negroponte, Bob Kahn and others. Once you tell the people that you’re trying to lead what you want, you need to get mostly out of the way so they can do it. And remember that you’ve got to hire people that are smarter than you or at least know more about something than you do.
Obtaining life balance in the tech industry is hard, but not impossible. People argue that success as a startup is really a sprint, not a marathon, or it’s really a marathon, not a sprint. I’ve heard both lectures many, many, many times, and I think the answer is that it’s both. You’ve just got to figure out how to save yourself for when the sprint matters.
*****
We’re attending RSA Conference, are you? Schedule a meeting with our team by reaching out to hireus@bigvalley.co.
