On Wednesday, April 20, 2022, the Office of AUP’s President Celeste M. Schenck hosted the ninth and penultimate event in its Presidential Lecture Series: a lecture by David Wright, Director of Trilateral Research. The Presidential Lecture Series, titled “Technology and the Human Future,” invites speakers to participate in live online events, so they might engage with both theory and practice in responding to the question of how technology will continue affecting our lives beyond the Covid-19 pandemic. Wright presented on the topic of “The Ethics of Technological Self-Defence.”
David Wright founded Trilateral Research in 2004. The company provides research, data protection and platform services to a wide range of clients, from law enforcement authorities to universities, museums, hospitals and government agencies. Trilateral has taken part in more than 70 EU-funded projects, including the ongoing CC-DRIVER project on the human and technical drivers of cybercrime, which Wright coordinates. One aspect of this project was a socioeconomic impact assessment of cybercrime, which suggested that the costs of cybercrime are rising by around 15% a year.
Wright began his lecture by exploring the reasons for this increase. He noted that the “attack surface” of cybercrime is increasing due to the advent of the Internet of Things. “One would not normally think of one’s refrigerator or television as an attack instrument, but such is the case,” he explained. He also noted that cyberattacks are remaining undetected for longer, and that the chances of a cybercriminal being prosecuted are extremely low. “It’s a crime that can be committed virtually without punishment,” noted Wright.
Next, he explored how AI systems may lead to further cyberattacks, both by advancing current threats and by generating new technologies like deepfakes. AI systems themselves are also vulnerable to attack through methods such as model inversion and training data manipulation. AI-era malware may make it harder for individuals to protect their financial information or patterns of daily life, increasing opportunities for blackmail. Law enforcement authorities are unable to deal with the level of attacks currently being experienced by companies around the world, as they lack the relationships with private sector actors necessary to promote what Wright calls “active defence.”
Wright defined active defence as a “set of measures aimed at repelling attacks,” which could either disrupt adversaries or enable network defenders to detect and respond to malicious activities. However, he noted that such methods are a “grey zone” that raises several ethical considerations. Active defence measures range from basic cybersecurity protocols and naming and shaming offenders to online bounties, asset recovery and pre-emptive hacking strikes. Companies don’t always have the legal right to engage in such measures outside of their own networks. “A business cannot legally retrieve its own data from the computer of the thief who took it without court-ordered authorization,” noted Wright.
Wright argued that, ideally, cyberattack responses should serve as deterrents and be proportional, legal and ethical. Responses should also have the blessing of governments and should not harm innocent third parties or violate the EU charter on fundamental rights. He noted, however, that the right to privacy posed problems for active defence, as enforcing transparency in this sector would run the risk of exposing governments’ offensive cyber capabilities. Conversely, companies do not always have confidence in governments to protect them from cyberattacks without a two-way flow of information. He argued for greater collaboration between governments and private sector entities when implementing active defence in order to develop an EU-wide framework that indicates which active defence measures can be used in each circumstance and by whom.
After the lecture, Wright took questions from the audience.