A team of researchers from the University of Cambridge, including Steve Barrett, Malcolm Murray, and their colleagues, has published a technical report that aims to quantify the cybersecurity risks posed by advanced AI systems. The researchers have developed a methodology to model these risks, with the goal of helping cybersecurity teams, AI developers, and policymakers make more informed decisions.
The researchers have created nine detailed cyber risk models that analyze the impact of AI on various aspects of cyber attacks, such as the number of attackers, attack frequency, probability of success, and resulting harm. They have used the MITRE ATT&CK framework to decompose attacks into steps and estimate how AI affects each step. To produce these estimates, the researchers have employed both human experts and LLM-based simulated experts, who mapped benchmark scores from Cybench and BountyBench to risk model factors. The results indicate that AI can systematically increase attack efficacy, speed, and target reach, with different mechanisms of uplift across risk models.
The researchers have used Monte Carlo simulation to aggregate individual estimates and produce a range of possible outcomes. They acknowledge that their estimates carry significant uncertainty, but argue that publishing detailed quantified results can help experts pinpoint exactly where they disagree and collectively refine estimates. The researchers hope that their methodology and initial application attempt will help to shift the assessment of AI risks from qualitative to quantitative, similar to the shift that has occurred in other high-risk industries, such as nuclear power.
The practical applications of this research for the energy sector are significant. As the energy industry becomes increasingly digitized and interconnected, it is more vulnerable to cyber attacks. The ability to quantify the risks posed by advanced AI systems can help energy companies prioritize their cybersecurity investments and make more informed decisions about the deployment of AI technologies. The research can also help policymakers set risk thresholds and regulations to ensure the safe and secure use of AI in the energy sector.
The research was published in the journal “Nature Communications”.
This article is based on research available at arXiv.