July 13, 2022
June 24, 2025

Beyond the AI Arms Race: Why Your Defense Needs to Be Unstoppable (Like the '85 Bears)

I just read Ken Elefant's insightful article, "What CISOs Actually Tell Me & Why Many Security Startups Fail." If you haven’t, read it. Ken hits on a pervasive truth: CISOs are overwhelmed, and they need simplification, not more products (which includes AI-enabled products). They're drowning in noise, complexity, and a constant stream of new tools that promise to solve everything but often just add more layers without tackling the root problem. The operational and strategic burden is crushing. And, in the case of OT, the situation is quickly going in the wrong direction with ransomware attacks up 87% year over year, according to Dragos’ 2024 year in review report. 

The AI Asymmetry: Offensive AI is Already Ahead

Let's be blunt: when it comes to cybersecurity, offensive AI is currently outmaneuvering defensive AI. A great report that shows this comes from the UK National Cyber Security Centre. The main conclusions are that offensive AI is ahead of defensive AI and that AI is primarily enhancing and amplifying existing threat vectors, as well as automating attacks at scale. Not good.

While we're still perfecting our AI models to detect threats, the bad guys are already wielding AI to create them at scale and with unprecedented sophistication.

Think about it: AI-powered reconnaissance can sweep networks with incredible speed and precision, identifying vulnerabilities and mapping targets in ways humans simply cannot. AI can also create exploits against those vulnerabilities in what is referred to as vulnerability research and exploit development (VRED). And then there's phishing. AI can generate hyper-personalized, contextually relevant phishing emails, perfectly mimicking trusted sources, in any language, at an industrial scale. The old "spot the typo" days are long gone. These AI-crafted attacks bypass traditional defenses with alarming frequency.

This isn't an arms race we want to be in for critical infrastructure. Trying to fight AI with more AI today is like bringing a knife to a gunfight when your opponent's gun is a super-advanced, auto-aiming laser. The reactive detection game is fundamentally insufficient when your adversary's capabilities evolve exponentially.

An AI-Resistant Defense, Without AI: Eliminating the Vector

At BlastWave, we've taken a fundamentally different approach to combat AI. Instead of building a better mousetrap to catch every AI-generated spear phishing email or every nuanced reconnaissance probe, what if we made the cheese invisible? What if we simply eliminated the most potent AI-powered threat vectors – reconnaissance and phishing – at their source?

This means a radical rethinking of authentication. We need to move beyond passwords, beyond OTPs, and even beyond many forms of MFA that are still susceptible to AI-powered social engineering or man-in-the-middle attacks. We need unphishable authentication, based on cryptographic identity at the device and user level in which both sides of the handshake are controlled, such that the identity simply cannot be stolen, mimicked, or tricked by an AI-generated prompt.
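Why binding the proof to the peer matters, as an added sketch that is not BlastWave's protocol or code from this post: a typed OTP is accepted no matter where the user entered it, while a device proof computed over the challenge and the name of the peer the device actually reached fails when forwarded from a lookalike host. HMAC from the standard library stands in for the asymmetric device signature a real deployment would use; the host names, the `Gateway` class and the sample OTP are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed, hypothetical names; HMAC is a stand-in for a device signature.
REAL_GATEWAY = "gateway.plant.example"
LOOKALIKE = "gateway-plant.example"


def prove(device_key, nonce, peer_name):
    """Device-side proof bound to the nonce AND the peer the device reached."""
    msg = nonce + b"|" + peer_name.encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class Gateway:
    """Verifier holding the enrolled device key and the user's current OTP."""

    def __init__(self, name, device_key, otp):
        self.name, self.device_key, self.otp = name, device_key, otp
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)  # fresh per attempt, so no replay
        return self.nonce

    def accept_otp(self, code):
        # An OTP carries no record of where the user typed it.
        return hmac.compare_digest(code, self.otp)

    def accept_proof(self, proof):
        # The gateway recomputes the proof under its OWN name only.
        expected = prove(self.device_key, self.nonce, self.name)
        return hmac.compare_digest(proof, expected)


def login_via(peer_name, gateway, device_key, otp):
    """The device believes it is talking to peer_name; everything it sends
    is forwarded unchanged to the real gateway.
    Returns (otp_accepted, proof_accepted)."""
    nonce = gateway.challenge()
    proof = prove(device_key, nonce, peer_name)
    return gateway.accept_otp(otp), gateway.accept_proof(proof)


def demo():
    key, otp = secrets.token_bytes(32), "492817"  # constructed sample secrets
    gw = Gateway(REAL_GATEWAY, key, otp)
    return {"direct": login_via(REAL_GATEWAY, gw, key, otp),
            "relayed": login_via(LOOKALIKE, gw, key, otp)}
```

In the relayed case the gateway still accepts the OTP but rejects the device proof, which is the property the paragraph above calls unphishable.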

If an attacker’s AI can't even see your assets because they're cloaked on a "dark network," if their AI-powered reconnaissance hits a wall of silence, and if their AI-crafted phishing attempts simply bounce off an unphishable authentication layer, then their workload goes up, and yours goes down. Dramatically.

Connecting the dots, and verging on “man-splaining”: eliminating or neutralizing categories of threats is my preferred approach, as opposed to trying to use defensive AI in an escalating arms race. Here is an example: phishing emails (according to SlashNext’s 2024 “The State of Phishing” report) are up 4154% since ChatGPT launched. Let’s apply some 2nd-grade math:

100% * 0 = 0

4154% * 0 = 0

See how that works? The same math can be applied to external threats, which, when added to credential shenanigans, comprise 95% of attacks (in IT/OT), according to Arctic Wolf’s MSSP data. If someone can find a way to reduce the unauthenticated attack surface to zero (i.e., zero exposed IP addresses, especially the exposed admin interfaces like we see in all of the “next gen” firewalls), the 2nd-grade math yields another goose egg. I’m not saying this is easy, but it’s a paradigm shift worth exploring and experimenting with.

Channeling the '85 Bears: An Unstoppable Defense

Think about the 1985 Chicago Bears Super Bowl XX team (I was living in the Midwest and this was a formative season for me). Their offense was not terrible. However, their defense was next level. They weren’t just better at the fundamentals; they were revolutionary. The principle was to suffocate the line of scrimmage through relentless pressure, moving to eliminate the time and ability to run any play, regardless of how well crafted. If the opposing offense had no time, the play didn’t matter. The Bears weren't reacting; they were dictating the game, making the offense's strategy irrelevant. In the final 3 games of that season (including the Super Bowl), the Bears allowed only 10 points, combined.

That's the kind of defense critical infrastructure needs against today's AI-powered threats. Not just reacting to the latest phishing campaign or trying to detect every new form of AI-generated malware, but fundamentally disallowing the attack altogether. If the attacker's AI can't find you, it can't phish you. It can't recon you. It can't breach you.

For critical infrastructure, where human lives and national security are at stake, we cannot afford to be in a reactive arms race where offensive AI is perpetually one step ahead of defensive AI. We need defenses that are fundamentally resistant to AI attacks, not just hoping our AI can keep up. Building an AI-resistant defense without relying on defensive AI to catch every new variant is the pragmatic, immediate answer for securing our most vital assets.

CISOs tell Ken they're tired of the noise, the complexity, and the constant fear of being one step behind. We agree. It's time to build defenses so strong, so fundamentally different in our perimeter-less world, that the offensive AI simply has no play. It's time for critical infrastructure to get off the treadmill and truly secure itself.
