The dawn of the Robot CEO: Are we making it easier for cybercriminals?

Adam Maskatiya, General Manager, Kaspersky Lab

Earlier this year, Alibaba CEO Jack Ma made headlines for proclaiming the imminent arrival of the robot CEO. He told an audience at a conference in China that we are only decades away from having robots run our companies. He backed that claim up shortly after via a television interview with CNN, predicting that, in 30 years, a robot would grace the cover of Time Magazine.

As implausible as that scenario might seem to some, he’s not isolated in his thinking. Earlier this year, SoftBank CEO Masayoshi Son spoke at Mobile World Conference 2017 about the concept of ‘singularity’ – the point at which machine intelligence will surpass our own and start improving itself at an exponential rate – which he predicts will happen as soon as 2047.

In fact, the entire jobs market looks set to suffer from the rise of robotics and AI – results from a report by Nesta, published this month, include widespread predictions that 40 to 60 per cent of jobs could be lost to robotics and artificial intelligence by 2030, as many become automated.

When taking into consideration the advantages that robots hold over their human counterparts – having continuous availability and working without breaks, holidays or even sleep – robot CEOs may seem an attractive prospect to a company board. A human CEO working 16 hours a day, 5 days a week would still do less than half the hours of a robot CEO in 7 days.

Not only that, but the variables to which humans are subject (chiefly emotions) wouldn’t have any bearing on performance. In many ways, a robot CEO would make a lot of sense.

So where does this leave us? Well, if we are to believe the hype, it won’t be long before speculation over the size of the CEO’s salary and bonus becomes irrelevant, and the corner office (not to mention the best parking spot in the building) will be up for grabs. It might not be that bad after all, right?

Well, there are some potential pitfalls of course. Aside from the obvious fact that your new robot boss might lack the emotional intelligence needed to navigate complex people issues, there’s also the issue of vulnerability to tampering, or hacking.

Human factor: the saving grace?

A human CEO can be corrupted by outside influence, but generally they have the freedom to make up their own minds and will face life-changing consequences should their impropriety be discovered.

Robot CEOs on the other hand, could be completely ‘brain-washed’ by cybercriminals. For all of their incisive decision making and their unfaltering commitment to the company’s balance sheets, board and shareholders, a robot CEO could effectively ruin a company in seconds, or – if obfuscation is the game – quietly skim the company of profits in a ‘death by a thousand cuts’ approach.

Kaspersky Lab researchers think the idea of robot CEOs is intriguing, but has some very real concerns about a future where robots are given too much responsibility.

Cybercriminals go where the money is. That means if the robot stands between them and the possibility of substantial financial gain, they’ll find a way to exploit it. It’s always a cat and mouse game in cybersecurity. We come up with a defence; they find a way around it. It would be no different for a robot CEO.

One example could be a firmware level attack, such as was seen in 2015 when Kaspersky Lab researchers uncovered the Equation Group APT. A threat of such an advanced nature would be very expensive to create, but hard to detect and could have devastating consequences for the robot (and anyone relying on it). Kaspersky Lab researchers believe such an attack, is not beyond comprehension. There are currently plenty of attacks on robots that make critical decisions. Robot CEOs will face the same challenges.

Does this mean robot CEOs are simply inviting cybercrime to the door?

CEOs in the cybercrime crosshairs

Towards the end of 2014, Kaspersky Lab researchers uncovered the Darkhotel APT hacking campaign, which was aimed at stealing swathes of data from the laptops of thousands of senior business people from across the globe. The victims were specifically targeted according to their seniority and the likelihood of their laptops containing sensitive company information.

CEOs make excellent targets for cybercriminals. They have access to, and often store, all manner of sensitive information on their laptops and mobile devices that could be used in a multitude of ways by a nefarious hacker. Whether directly to achieve ill-gotten gains, indirectly to more easily gain access to a company network, or (as is becoming increasingly common) to carry out CEO fraud.

CEO fraud is growing fast. According to Kaspersky Lab’s most recent research, one fifth (21%) of phishing attacks targeting businesses globally now involve communications from a cybercriminal masquerading as the boss.

In fact, so prolific is CEO fraud now that Cisco recently claimed Business Email Compromise (BEC), as it is otherwise known, earns more money for cybercriminals than ransomware. In its mid-year cybersecurity report, citing data from the Internet Crime Complaint Center, Cisco claims that between October 2013 and December 2016 business email compromise (BEC) resulted in £3.9bn being stolen from businesses – equating to £1.25bn a year. In comparison, ransomware exploits took £740m from businesses in 2016.

CEO fraud has serious implications for business. Last year Brussels-based Crelan Bank lost USD $76 million to CEO fraud in one of the largest known attacks. While such considerable rewards are on offer, there’s little doubt that CEOs will continue to be one of the favourite targets of cybercriminals.

The importance of security by design

Whether a robot CEO would have greater ability to defend against such attacks is question that can only be answered in time. Until then, one thing is certain. Before we start entrusting robots with executive decision making powers (in fact, before we even build them), a great deal of thought will need to be put into the security systems and safeguards around such technology.

The arguments for and against robot CEOs are equally powerful. But whether biological or artificial, CEOs will always be attractive targets and in need, therefore, of intelligent and layered protection from the cybercriminals who would seek to prey on them.