With the goal of driving awareness and preparedness, Cristin Flynn Goodwin addressed M3AAWG’s 64th General Meeting, held earlier this month in Vancouver, in her keynote presentation titled, “Emerging Tech, Threats, and Risks: How Agentic AI and Quantum Computing Will Change Everything.”

She is recognized worldwide as a leading authority on the intersection of cybersecurity and law and currently serves as Managing Partner at Advanced Cyber Law in Seattle and Principal at Good Harbor Security Risk Management in Washington, DC.

In these early days of AI-driven online abuse, the soon-to-be-unleashed power of quantum computing will likely fuel malicious activity at an unprecedented scope and scale, and Cristin’s message is clear: attacks leveraging and against AI are starting to emerge, giving us valuable insight into future risks from quantum computing. The entire security community has a unique opportunity to get ahead of those risks by investing in security and defenses now, in order to help mitigate problems caused by nation-state actors and cyber criminals.

“Capitalizing on the momentum and positive reception of Douglas Stebila’s 2024 keynote at M3AAWG62 on Post-Quantum Cryptography (PQC), M3AAWG continues to invest heavily in preparing our community for these emerging threats and helping to fortify our defenses,” said Amy Cadagin, M3AAWG Executive Director.

Agentic AI, Overarching Policies, and the Minimally Viable “Problem”

Cristin opened the keynote by distinguishing between two types of AI: 

• Generative AI: focused on creating content like text and images 
• Agentic AI: acts autonomously, making decisions with minimal or no human oversight to achieve specific goals.

When it comes to the explosion of AI technologies, Cristin acknowledged that safety approaches and terminology vary significantly across AI providers, and overarching governance to safeguard users is particular to the company, rather than reflecting industry standards and consensus. Nation states and advanced attackers will take advantage of that, looking for weaknesses to exploit. She encouraged the crowd to “think like an attacker” and anticipate future abuse of agentic AI, and eventually, of quantum.

Further complicating matters, AI technologies these days are released with security as a second-order priority, with the market demanding minimally viable products (MVPs). AI providers attempt to keep pace by launching products in these early stages, where security is not yet “front of mind.” This means the technology is functional enough for user deployment but lacks sufficient security to protect users. Cristin challenged AI providers to consider a new standard for AI products that includes security as a foundational requirement, and for those in the security, fraud, and abuse community to push for defenses now that can help prevent exploits from occurring in the future.

Quantum Computing’s Imminent Dangers

Quantum computers remain on the horizon, and while they are not fully here yet, the processing power enabled by quantum physics will solve complex data puzzles at a rate that is likely to positively transform humanity, especially in critical fields like healthcare and biosciences. However, these advancements will also bring unprecedented and highly complicated cybersecurity risks.

Malicious actors are actively engaging in “harvest now, decrypt later” strategies. This allows them to capture encrypted data now with the eventual goal of decrypting it in the future, once quantum computers can break current encryption standards. 

“Agentic AI and PQC are emerging technologies that, when combined, will fundamentally change the threat landscape. If organizations do not protect their information now, the future consequences and liability risks are clear. The security and anti-fraud teams have a rare green-field opportunity to start to anticipate where the threats will be, and prepare mitigations and defenses now, before they become crises. Time is of the essence for defenders to stay ahead of these threats before they become everyday occurrences.” Cristin said.

Nation/State-Sponsored Issues Emerging

Cristin’s discussion also delved into nation- and state-sponsored issues involving these technologies. Currently, state-sponsored actors are spreading propaganda and false narratives through deepfakes and other means. The potential use of AI combined with quantum computing will enable attackers to execute attacks with consequences previously unknowable, and defenses that do not yet exist today. Beginning to think now about quantum-enabled offense and defense is important, because it’s already on the radar for nation states. 

“If we're going to be successful, we have to keep up with these emerging threats through education and action,” said Janet Jones, M3AAWG Expert Advisor and co-chair of the M3AAWG Data and Identity Protection Committee.

The Call to Action

As outlined in the keynote, it’s crucial for the cybersecurity community to think like attackers and anticipate all the ways these emerging technologies could be manipulated to cause havoc. From a policy perspective, it is essential that organizations like M3AAWG continue to keep regulators and policymakers informed about the abuse issues underlying these technological breakthroughs and encourage the security community to stay ahead of the attackers.

Additionally, it is critical to engage company executive teams and boards early to ensure they understand the potential scope of AI and quantum exploitation, the importance of proactive measures, and where resources must be allocated to prevent potentially devastating consequences. Clearly, companies and boards need to care about how AI agents will act “on behalf of a company” and ensure that technology and security measures are in place to do so. With the looming threat of “harvest now, decrypt later” attacks posed by quantum computing, migration to quantum-safe encryption is also a near-term priority. 

To further support this effort, we encourage you to join M3AAWG if you are not already a member. For existing M3AAWG members, you can get further involved by joining M3AAWG Initiatives, the AI and Data and Identity Protection Committees, and by attending an upcoming General Meeting to learn more.