We aim to demonstrate the value of mathematical models for policy debates about technological progress in cybersecurity by considering phishing, vulnerability discovery, and the dynamics between patching and exploitation. We then adjust the inputs to those mathematical models to match some possible advances in their underlying technology. We find that AI's impact on phishing may be overestimated but could lead to more attacks going undetected. Advances in vulnerability discovery have the potential to help attackers more than defenders. And automation that writes exploits is more useful to attackers than automation that writes patches, although advances that help deploy patches faster have the potential to be more impactful than either.