The NCSC has released its assessment report on how AI will affect the efficacy of cyber operations and the cyber threat over the next two years.
Most notably, the NCSC cautions that AI will “almost certainly” increase the volume and heighten the impact of cyber-attacks. This is due to cyber threat actors using AI to evolve and enhance existing tactics, techniques and procedures used during cyber-attacks. For example, the NCSC assessment predicts that AI will primarily offer threat actors capability uplift in social engineering. A key observation by the NCSC is that a wide range of cyber threat actors are already using AI to varying degrees. Generative AI (GenAI) can already be used by threat actors to enable convincing interaction with victims, including the creation of lure documents, without the translation, spelling and grammatical mistakes that often reveal phishing. Additionally, threat actors will utilise AI to analyse exfiltrated data faster and more effectively, and use it to train AI models. The NCSC also predicts that commoditisation of AI-enabled capability in criminal and commercial markets will make improved capability available to cybercrime and state actors.
However, the NCSC’s assessment assumes no significant breakthrough in transformative AI before 2025. These alarming predictions may very well be offset by the developing use of AI and machine learning tools to enhance cyber security resilience through threat hunting, detection and monitoring as well as improved security by design programmes.
Additionally, since many ransomware incidents result from non-AI attack vectors, organisations should ensure robust cyber security assessments are carried out to protect themselves and to thwart or minimise the impact of an incident, and should have an incident response plan in place ready to mobilise. The NCSC assessment and the related cyber security hygiene advice are a worthwhile read for all organisations as they manage their cyber security risks. The NCSC assessment is also an important read for insurers evaluating the evolving cyber risks they underwrite.