Cybersecurity To Protect From Malicious AI: Steve Tang Of iconectiv On How To Develop An Effective Product Security Strategy

An Interview With David Leichner

Stay positive — Cybersecurity can be a tough business and it’s important to keep a level-head when incidents occur and not let them negatively affect your emotions or your decisions.

The era of malicious AI presents a unique set of challenges to organizations, including the escalating need to identify vulnerabilities and minimize security threats to their products. How do product security officers prioritize risk management and mitigation to safeguard their organizations in this new frontier? As a part of this series, I had the pleasure of interviewing Steve Tang, Executive Vice President, Chief Technology Officer and Head of Engineering at iconectiv. He is responsible for consolidated software development, quality assurance, system/usability engineering and supporting business partners with emerging technologies.

Tang is a seasoned professional with more than 20 years of experience developing highly scalable, robust products that enable the seamless interconnection of devices, applications and networks globally. He previously held positions at leading telecommunications companies, including Motorola.

Tang holds a Bachelor of Science degree in Computer Science from Rutgers University.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

When I was a kid, I worked in the family business, which was in food services, and I did that through college. It really helped me develop a strong work ethic and learn the value of good management and customer service. All these things helped lay the groundwork for my career.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I didn’t initially pursue a career in cybersecurity but when I worked at Bellcore, a telecom-related company, one of my mentors encouraged me to get involved in as many different functions of the business as possible. Then, with the advent of digitalization and evolving landscape of technologies, cybersecurity became top of mind and I was drawn to it.

Can you share the most interesting story that happened to you since you began this fascinating career?

Early in my career, I was out in the field a lot. We were deploying a Voice over Internet Protocol (VOIP) network, and it was a ton of work — 80 hours a week for months at a time. I remember thinking back to all the effort that went into that and being amazed that something that we take for granted — just making a phone call — took so much time, manpower and equipment to make happen.

Likewise, I came to appreciate how much time and effort are required for an organization to optimize its cybersecurity. There are so many complex threats out there that can be difficult to anticipate and defend against. This can be exhausting for IT teams, but the struggle is well worth it. Like making a phone call, the idea of keeping a network safe might sound simple, but it’s so much more nuanced than people realize.

You are a successful leader. Which three character traits do you think were most instrumental to your success?

1. Honesty — It’s important to do what you say and say what you mean.
2. Decisiveness — The ability to make tough decisions by looking at the issue strategically, considering all sides and angles.
3. Leadership — You have to be able to see the big picture and help your teams simplify and prioritize.

Are you working on any exciting new projects now? How do you think that will help people?

At iconectiv, we’re working hard to bolster trust in the communications ecosystem by protecting the integrity of the phone number, which has become the key digital identity for a person or business. That’s because the phone provides the convenience and simplicity that consumers demand, the reliable, verifiable data that businesses need and the global ubiquity that national registries cannot replicate.

More specifically, iconectiv provides authoritative phone numbering intelligence that can be used to verify the digital identities of consumers and businesses. This helps enterprises protect their brand and revenue while boosting consumer confidence in voice and text communications. This also helps government bodies protect residents and legitimate businesses to ensure their customers know the business is who they say they are when they call.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber-attacks prevalent today?

The landscape is very broad, and the criminals are agile and always changing their attack vectors and techniques. When speaking about cyberattacks via a voice call or SMS text, they typically involve a fake call or text attempting to make the victim divulge sensitive account information or click a malicious link. Now, with the explosion of AI, the problem becomes more complex as fraudsters utilize deepfake robocalls where an AI-generated clone of someone’s voice is used to trick victims into thinking they’re talking to someone they’re not.

For example, a fraudster might call someone claiming they’ve kidnapped their child and demand a ransom for the child’s safe return. The cloned voice of the child would serve as false proof that the child is indeed in the kidnapper’s custody. Likewise, using an AI clone and social engineering, a fraudster could call an employee at a particular company and claim to be that person’s boss — demanding that they immediately withdraw funds from a corporate account.

These tactics have been largely effective. Research from McAfee indicates that 77% of victims in AI-enabled scam calls said they lost money.

How do you ensure the ongoing monitoring and detection of potential security threats posed by AI systems? What tools, technologies, or processes do you use to stay vigilant and respond promptly to emerging threats?

iconectiv has a series of trusted independent data exchange platforms and the numbering intelligence we have is deterministic data that helps protect digital identity. That’s really important when you think about an AI world where even the AI itself is using probabilistic information to create fake personas and mimic humans. So, being a definitive, trusted source helps validate the activity and the ownership of the phone number.

For example, if a number has been ported — changed from one phone company to another — we’re the custodians of that information as the definitive source. So, being able to flag that kind of activity as a fraud indicator is key because if you can’t trust the phone number, which is tied to your digital identity, that becomes problematic.

With the increasing use of AI in various industries, how do leaders strike a balance between maintaining security and enabling innovation? What approaches or methodologies do you follow to ensure security without stifling technological advancements?

A balance between maintaining security and enabling innovation is largely driven by how much responsibility AI developers and users are required to take on. For example, in New York City, employers and employment agencies that utilize Automated Employment Decision Tools (AEDTs) within the city are required to have those tools audited annually by an independent third-party for bias across protected characteristics.

Measures like this help ensure security but don’t halt the innovation process — allowing AI developers and users to move forward with a series of checks and balances in place.

Collaboration and information sharing among organizations are crucial in combating security threats from malicious AI. How do leaders foster collaboration within the industry, both in terms of sharing threat intelligence and developing common best practices to protect against evolving threats?

Collaboration, certainly, is key. Banks that experience cyberattacks, for example, will often share information about the incident with other banks, regulators and law enforcement to help prevent what happened to them from happening to another financial institution.

In the telecom world, the Federal Communications Commission (FCC) is consistently working with communications service providers and telecom vendors, such as iconectiv, to understand how fraudsters are using AI to assist in their illegal activities and mitigate the impact to consumers and businesses alike. In February, for instance, the FCC issued a declaratory ruling prohibiting unsolicited robocalls with AI-generated voices. This was essentially an addendum to the Telephone Consumer Protection Act (TCPA).

Can you share a real-world example where an organization effectively prevented or minimized a security threat from malicious AI? What measures did they take, and what lessons can other organizations learn from their experience?

Recently, a software engineer for Microsoft discovered that the latest version of an open-source software program called XZ Utils had been deliberately sabotaged by one of its developers. This move could have carved out a secret door to millions of servers across the internet, which would have been nirvana for hackers. The aforementioned software engineer, however, was able to avoid catastrophe because of his attention to detail. He uncovered the issue when he noticed the program intermittently using an unexpected amount of processing power on the system he was testing. Proving, once again, that AI is useful but the human factor is critical.

As it pertains to the telecom world, one of the most important things when it comes to minimizing the affects of malicious AI is education. Organizations, employees and families all need to be educated on the importance of their digital identity. This includes thinking about when, how and why they should be sharing information, such as their phone number, because those are all entry points to their digital identity, regardless of whether AI is the perpetrator.

What are the “5 Things You Need To Create A Successful Career In Cybersecurity” and why?

1. Stay positive — Cybersecurity can be a tough business and it’s important to keep a level-head when incidents occur and not let them negatively affect your emotions or your decisions.
2. Hone your skills — Make sure you have a solid base of abilities to draw on when cyber incidents occur.
3. Stay flexible — Keep an open mind and make sure you’re able to adapt when needed.
4. Be honest with yourself — Know your strengths and weaknesses, and seek help when you need it.
5. Pick your team carefully — Surround yourself with a diverse group of people with different backgrounds and perspectives to ensure your team is well-rounded and capable of responding to any incident.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger.

I would encourage people to stay educated on the evolving landscape of technology. For example, as I discussed earlier, it’s crucial that people are educated on the importance of their digital identity and what they can do to protect it.

Individuals should independently verify what they’re being told. If employees, for example, think their boss is calling with some questionable requests, they should verify those claims with other members of the company to ascertain if it might be a scam. Likewise, if someone believes their loved one is in trouble, they should hang up and call that person back or contact other friends or family members and not immediately act on impulse.

Indeed, we now live in a world where so much of what we do — from making purchases to financial transactions, data sharing and more — relies on global communications networks. No matter the flavor of information exchange, we appreciate the sheer convenience that our mobile devices provide us. But when there is so much at stake (personal details, financial information), this convenience also brings tremendous risk and responsibility. Because of this, one of the biggest challenges with digital identity is truly knowing the “who.”

To that end, there are mechanisms in place to drive consumer confidence in voice calls and text messages. For example, consumers in the U.S. looking to engage with their favorite stores, their bank or pharmacy, can opt-in to receive text messages via a trusted SMS Short Codes. These text messages, which come from 5- or 6-digit numbers, are much more reliable because businesses must go through a strict vetting process to get them, and consumers must opt-into receiving them. In fact, consumers can add these businesses to their contact list so that the name of the business shows up on the caller ID. Likewise, to better protect consumers and businesses from voice scams, government regulators in the U.S. where the first in the world to implement a framework called STIR/SHAKEN, which mitigates illegal robocalls.

How can our readers further follow your work online?

Our website

Our LinkedIn

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.