APRIL 2019
BCG TECHNOLOGY ADVANTAGE
• Are You Spending Enough on Cybersecurity?
• At Anheuser-Busch InBev, Artificial Intelligence Is Everywhere
• Are Blockchain and the Internet of Things Made for Each Other?
• Bringing Digital Transformation to Airbus
• Do You Have the Courage to Be an Agile Leader?
• Agile Leadership and the Art of Letting Go
• When Agile Meets Outsourcing
• Using Agile to Help Fix Big Data’s Big Problem
AI Is a Threat to Cybersecurity. It’s Also a Solution.

Boston Consulting Group (BCG) is a global management consulting firm and the world’s leading advisor on business strategy. We partner with clients from the private, public, and not-for-profit sectors in all regions to identify their highest-value opportunities, address their most critical challenges, and transform their enterprises. Our customized approach combines deep insight into the dynamics of companies and markets with close collaboration at all levels of the client organization. This ensures that our clients achieve sustainable competitive advantage, build more capable organizations, and secure lasting results. Founded in 1963, BCG is a private company with offices in more than 90 cities in 50 countries. For more information, please visit bcg.com.

Preface

This is the first edition of BCG Technology Advantage that I am bringing to you as global leader of the Technology Advantage practice. I’m thrilled to be leading such an important practice at BCG at such an important time—when digital, data, and analytics are reshaping industries, competitive environments, and societies.

I hope you will find the articles in this collection helpful as you consider new technology and the impact it may have across your own organization. They cover a variety of topics including scaling AI, perspectives on cyber, experiences of bringing digital transformation to aerospace, and several important elements of our high-impact work in agile.

I have just attended my second Davos—the annual meeting of the World Economic Forum. Technology topics and technology leaders were prevalent throughout the agenda. I was struck by the evolution in the nature of the discussions in the course of just a year. The focus is shifting from broader concepts of “digital” to a clear understanding of where and how technology and data will affect our businesses, our societies, and our lives. We live in exciting times for sure!

Three themes emerged for me as I engaged in conversations and listened to presentations at Davos. One is the incredible impact of AI and data at scale. There are many real applications of these technologies in today’s business environment (and even more are emerging), and the impacts are significant. Another theme: the fact that there are many issues still to be resolved. There’s a real call to action for leaders, particularly when it comes to how we build and use algorithms, how to ensure ethical and appropriate uses of data, and, importantly, how we help our workforces to adapt to the rapidly changing environment. And, finally, there is a need for convergence in our thinking about technology and humanity and putting people at the center of transformations. There are some really important topics—from embracing design thinking, to agile and new ways of working, to new approaches to workforce management and enablement—for leaders to consider.

What technology-related themes are you following? Let us know at [email protected].

Karalee Close
Global Leader, Technology Advantage practice

Contents

FEATURE: AI Is a Threat to Cybersecurity. It’s Also a Solution.
ANALYSIS: Are You Spending Enough on Cybersecurity?
Q&A: At Anheuser-Busch InBev, Artificial Intelligence Is Everywhere: An Interview with Tassilo Festetics, Vice President of Global Solutions
ANALYSIS: Are Blockchain and the Internet of Things Made for Each Other?
Q&A: Bringing Digital Transformation to Airbus: An Interview with Marc Fontaine, Digital Transformation Officer
VIEWPOINT: Do You Have the Courage to Be an Agile Leader?
PERSPECTIVE: Agile Leadership and the Art of Letting Go
FOCUS: When Agile Meets Outsourcing
FEATURE: Using Agile to Help Fix Big Data’s Big Problem
FEATURE

AI IS A THREAT TO CYBERSECURITY. IT’S ALSO A SOLUTION.

by Ryan Goosen, Anna Rontojannis, Stefan Deutscher, Juergen Rogg, Walter Bohmayr, and David Mkrtchian
In May 2018, the New York Times reported that researchers in the US and China had successfully commanded artificial intelligence (AI) systems developed by Amazon, Apple, and Google to do things such as dial phones and open websites—without the knowledge of the AI systems’ users. It’s a short step to more nefarious commands, such as unlocking doors and transferring money. And while Alexa, Siri, and Google Assistant may be the most widely used AI programs in operation, they are hardly the only ones. It’s not hard to imagine cyberthieves targeting a financial institution’s AI-controlled customer recognition software or a shady competitor attacking another company’s AI pricing algorithm. In fact, more than 90% of cybersecurity professionals in the US and Japan expect attackers to use AI against the companies they work for, according to a survey by cybersecurity firm Webroot.

For people with responsibility for corporate security—everyone from CIOs to CISOs and CROs—AI presents two types of risk that change the nature of their jobs. The first is that criminals, bad state actors, unscrupulous competitors, and inside threats will manipulate their companies’ fledgling AI programs. The second is that attackers will use AI in a variety of ways to exploit vulnerabilities in their victims’ defenses.

Companies are in a cybersecurity arms race. As cybersecurity firm Crowdstrike’s 2018 Global Threat Report makes clear, attackers have easy access to more tools as the lines between state actors and criminal gangs fade. Malware and identity theft kits are easy to find and inexpensive to buy on dark web exchanges. AI-enabled attack kits are on the way, and we can expect that they will be readily available at commodity prices in the next few years.

Yet for all the inherent risk AI presents, part of the answer might lie in harnessing the power of AI itself to strengthen existing cybersecurity set-ups. Our experience shows that companies can begin to protect their systems by integrating AI into their security, starting now.

A New Risk for Companies…

The list of actual AI applications is already long and growing. Faster and more accurate credit scoring for banks, improved disease diagnosis and treatment development for health care companies, and enhanced engineering and production capabilities for manufacturers are just a few examples. A survey in 2017 by BCG and MIT Sloan Management Review found that about 20% of companies have already incorporated AI in some offerings or processes and that 70% of executives expect AI to play a significant role at their companies in the next five years.

With all the benefits, however, come substantial risks. For example, machine-learning algorithms and certain other types of AI work by using “training” data to learn how to respond to different circumstances. They then learn by doing, incorporating additional data as they work, refining their approach in an iterative manner. (See “The Building Blocks of Artificial Intelligence,” BCG article, September 2017, and “The Big Leap Toward AI at Scale,” BCG article, June 2018.) From a security perspective, that methodology presents two challenges.

First, AI systems are generally empowered to make deductions and decisions in an automated way without day-to-day human involvement. They can be compromised, and that can go undetected for a long time.

Second, the reasons that a machine-learning or AI program makes particular deductions and decisions are not always immediately clear to overseers. The underlying decision-making models and data are not necessarily transparent or quickly interpretable (although significant effort is underway to improve the transparency of such tools). This means that even if a violation is detected, its purpose can remain opaque. As more machine-learning or AI systems are connected to, or placed in control over, physical systems, the risk of serious consequences—including injury and death—from malevolent interference rises. And we have already seen that while cybersecurity concerns are a consideration in the adoption of AI, especially for pioneers in this field, cybersecurity is of less concern to companies that are lagging behind. (See Artificial Intelligence in Business Gets Real, a report by the MIT Sloan Management Review in collaboration with the BCG Henderson Institute, Fall 2018.)

Companies’ AI initiatives present an array of potential vulnerabilities, including malicious corruption or manipulation of the training data, implementation, and component configuration. No industry is immune, and there are many categories in which machine learning and AI already play a role and therefore present increased risks. For example:

• Financial (credit fraud might be easier, for example)
• Brand or reputational (a company might appear discriminatory)
• Safety, health, and environment (systems might be compromised that control cyberphysical devices that manage traffic flow, train routing, or dam overflow)
• Patient safety (interference might occur in medical devices or recommendation systems in a clinical setting)
• Intervention in, or meddling with, devices connected to the Internet of Things (IoT) that use machine learning or AI systems

…And an Opportunity, Too

The good news for companies is that they can tap the power of AI to both upgrade their cybersecurity capabilities and protect their AI initiatives (so long as they layer in appropriate protections to the AI systems being used for defense). Moreover, investments in AI will likely have multiple forms of payback.

For one, companies can build in better protection and the potential to at least stay even with the bad guys. AI not only enhances existing detection and response capabilities but also enables new abilities in preventative defense. Companies can also streamline and improve the security operating model by reducing time-consuming and complex manual inspection and intervention processes and redirecting human efforts to supervisory and problem-solving tasks. AI cybersecurity firm Darktrace claims that its machine-learning technology has identified 63,500 previously unknown threats in more than 5,000 networks, including zero-day exploits, insider threats, and subtle, stealthy attacks. Consider the number of cyber incidents that the average large bank deals with every day, from the ordinary and innocent (customers mis-entering passwords, for example) to attempted attacks. They need automated systems to filter out the truly dangerous signal from the more easily addressed noise. In the medium to long term, companies that invest in AI can offer operational efficiencies and potential operating-expense savings.

To enhance existing cybersecurity systems and practices, organizations can apply AI at three levels.

Prevention and Protection. For some time, researchers have focused on AI’s potential to stop cyber intruders. In 2014, the US Defense Advanced Research Projects Agency announced its first DARPA Cyber Grand Challenge, a competition in which professional hackers and information security researchers develop automated systems that can figure out security flaws and develop and deploy solutions in real time. While it is still early days, the future of cybersecurity will likely benefit from more AI-enabled prevention and protection systems that use advanced machine learning techniques to harden defenses. These systems will also likely allow humans to interact flexibly with algorithmic decision making.

Detection. AI enables some fundamental shifts. One is from signature-based detection (a set of static rules that relies on always being up to date and recognizing an attack signature) to more flexible and continuously improving methods that understand what baseline, or normal, network and system activity looks like. AI algorithms can detect any changes that appear abnormal—without needing an advance definition of abnormal. Another shift is to move beyond classic approaches based on machine learning that require large, curated training datasets. Some companies have employed machine-learning programs in their security systems for several years, and more advanced AI-based detection technologies (such as reinforcement learning and deep neural networks) are now gaining traction, especially in IoT applications. AI can also provide insights into sources of potential threats from internal and external sensors or small pieces of monitoring software that evaluate digital traffic by performing deep packet inspection. Note that for most companies, AI-based detection and potential automated attribution will require careful policy design and oversight to conform with laws and regulations governing data use.

Response. AI can reduce the workload for cybersecurity analysts by helping to prioritize the risk areas for attention and intelligently automating the manual tasks they typically perform (such as searching through log files for signs of compromises), thus redirecting human efforts toward higher-value activities. AI also can facilitate intelligent responses to attacks, either outside or inside the perimeter, based on shared knowledge and learning. For example, today we have technology to deploy semiautonomous, intelligent lures or “traps” that create a duplicate of the environment to be infiltrated to make attackers believe they are on the intended path and then use the deceit to identify the culprit. AI-enabled response systems can segregate networks dynamically to isolate valuable assets in safe “places” or redirect attackers away from vulnerabilities or valuable data. This can help with efficiency as analysts can focus on investigating high-probability signals rather than spending time finding them.

Implementation of automated AI-driven response will require careful design and strategic planning, especially when it comes to users that should be isolated or quarantined and systems that work at the digital-physical interface (such as critical links in manufacturing or supply chains, or critical-care medical devices in hospitals or emergency settings).

The Race Is On

Cybersecurity has always been an arms race. In 2016, then-US President Obama talked to Wired magazine about his fears of an AI-enabled attacker accessing the US nuclear codes. “If that’s its only job, if it’s self-teaching and it’s just a really effective algorithm, then you’ve got problems,” he said. AI increases attackers’ speed, resilience, opportunities, and chances of success. Because AI algorithms are self-learning, they get smarter with each attempt and failure; their endeavors are continuously better informed and more capable. Just as companies can use AI to automate and improve business processes, hackers can automate the identification of vulnerabilities and exploit-writing.

AI algorithms tend to be public, often open-source, software that is widely available on the internet and increasingly easy to use. Just like the software as a service that many companies use, malware as a service is commonplace and a viable business for criminal players. There is even a high degree of competition among cybercriminal vendors (which can leverage AI and machine learning for competitive advantage) to create superior malware. Moreover, open-source AI libraries and software, which give companies a new source of fast and inexpensive innovation, can also be a source of new vulnerabilities.

In addition, AI can actually help malware avoid detection. Although security companies are increasingly introducing AI features and behavioral analytics into their products, a lot of antivirus and end-point protection software still relies largely on signature-based detection. In response, attackers develop toolkits that obfuscate the nature and sources of the malware, making it harder to recognize by its digital fingerprint.

On the dark web today, anyone can buy a tailor-made virus guaranteed not to be detected by the 10 or 20 or so major antivirus tools. But defensive systems gain knowledge over time. This knowledge could be thwarted by an AI algorithm that adds to the stealthiness of a malware kit over time, masking the malware’s identity based on what it learns defense systems are detecting. (See the exhibit.)

Think about this scenario. Attackers often use botnets—global networks of hijacked devices (like PCs, smartphones, and IoT devices)—to do their dirty work. Botnets are effective tools, but they can do only what the attackers direct them to do. Suppose, however, that the command-and-control software directing a
Exhibit: Attack Kit Development and AI Productization Will Weaponize AI

[Timeline figure; axis labels: Attack kit development, Weaponized. Recoverable event labels:]
• The first attacker toolkit is released as freeware
• Paid exploit kits are sold like commercial software on the black market
• NeoSploit kit is released, adding obfuscation and anti-decoding to avoid detection
• Mariposa kit adds polymorphism to evade antivirus
• Most sophisticated kit yet, Nuclear, begins delivering extremely volatile and dynamic payloads
• Exploit kits begin misappropriating tools to avoid detection
• Terror exploit kit can detect user environment and deliver specific and targeted exploits
• Discovery of one of the first cyberthreats using basic machine learning to evade detection