Whose job is it to stop AI-powered DDoS attacks, anyway?


This article is part of our Opinions section.


AI is keeping some C-Suite executives up at night. According to at least one survey, AI-enabled cyberattacks are expected to be the norm come next year. Combine AI and DDoS, and you suddenly have a very unhappy marriage that spells chaos for IoT devices and cloud platforms.

AI has become a tug-of-war battleground for cybersecurity. For every benefit it offers defenders, it seems to offer just as many advantages to hackers.

Let’s have a look at how AI has changed the playing field, and who’s responsible for thwarting AI-enabled DDoS attacks.

The makeup of an AI-based DDoS attack

Regardless of where you stand on AI’s potential to ‘change everything’, what’s not up for debate is that the ongoing advancement of AI will have significant consequences. This includes faster attack speed, bigger scale and greater sophistication of cyberattacks. In general, there’s been a correlation between increased technology automation and the rising popularity of DDoS as a cyberattack technique.

These AI-powered attacks just add more oil to the DDoS fire. They combine the brute force of traditional DDoS with advanced intelligence and automation. They use machine learning to analyse and exploit network vulnerabilities, making them more adaptable and more challenging to counter. By automating the attack process, hackers can quickly adjust tactics in real time, targeting the most vulnerable aspects of a network for maximum damage.

These AI-driven attacks follow a three-stage lifecycle: delivery, penetration and exploitation. Each stage is made more effective by AI dynamically adapting strategies, making these attacks not only highly efficient but also incredibly difficult to predict and mitigate.

The potency of AI in DDoS attacks against critical infrastructure is particularly worrying.

Private or public – who needs to step up? 

In a way, AI has reignited a longstanding debate: whose responsibility is it to protect critical national infrastructure (CNI)? As threats become more advanced, the need for specialist expertise and technology only grows. If attackers are using AI to augment and automate attacks, defences must keep up, using similar tactics and technology to stay one step ahead.

A likely scenario is that we will see hackers with teams similar to SecOps teams that process vast amounts of security telemetry data into an AI engine to develop datasets to feed into machine learning models. Effectively, this will be the hacker team’s ‘recon’ effort to determine which organisations are less well protected against DDoS attacks. This data then gets fed through AI and ML algorithms to best decide how to execute the next attack.

Protection against DDoS attacks will eventually become a boxing match – a flurry of virtual punches and counter-punches, and heaps of data processed that benefit both parties. AI won’t replace human security experts, but, if attackers are already harnessing AI for automation and analysis, then security teams need access to the same tools. 

Obviously, providers of CNI can’t (and shouldn’t) be expected to be experts in DDoS protection, especially as AI enters the mix to complicate matters further. They need specialist support from private-sector solution providers with the tools and intelligence to counteract these more intelligent attacks.

However, CNI organisations might see such advanced protection as an investment they can’t justify (or don’t want to). While education around the topic can certainly help here, the government and regulators also have a key role to play. The industry needs increased regulations that set cybersecurity standards for CNI in line with rising threat levels. 

Thankfully, we are starting to see more and more of this. The European Union’s incoming NIS2 regulation covers 15 critical sectors (split into ‘essential’ and ‘important’) and sets new standards for risk management and business continuity. Across the pond in the US, several federal agencies are increasingly encouraging or in some cases mandating national infrastructure organisations to follow the NIST Cybersecurity Framework.

Beyond this, government support needs to extend to funding cybersecurity measures, offering tax incentives for security investments, and boosting cybersecurity skills in the workforce. Examples of this include the Cybersecurity and Infrastructure Security Agency (CISA) Grants in the US. By offering financial incentives for CNI to implement better cybersecurity practices and technology, they can not only help meet the immediate threat of AI-enabled DDoS but also set stronger foundations for cyber resilience moving forward.  

The role of network operators 

However, there is one other major player when it comes to protecting national infrastructure from DDoS attacks – internet service providers. As the digital transformation of national infrastructure continues around the world, more and more critical services have become reliant on internet connectivity to function. If the internet goes down, so does much of the infrastructure that relies on it.

DDoS attackers, particularly nation-state groups, recognise this, and we’ve seen a huge increase in DDoS attacks on these networks, many as direct attempts to bring down national infrastructure, such as attacks we’ve seen on Ukraine. 

Naturally, a national infrastructure organisation has much less control over this, beyond having redundancy plans, like a backup network for when/if the primary one goes down. But networks are becoming increasingly vital for critical services, so much so that they are almost critical infrastructure themselves.

Governments are starting to recognise this: for example, the already-mentioned NIS2 directive covers ‘digital providers’ for the EU. ISPs then not only have a growing legal responsibility to protect national infrastructure, but it’s also in their commercial interests to do so. Networks with higher resilience may become the go-to choice for critical infrastructure, and we’re also seeing an increase in ISPs offering advanced DDoS protection as a service – turning DDoS attacks from a cost centre to a financial incentive. 

Ultimately, protecting critical infrastructure from rising DDoS threats will always be a collective effort. CNI organisations themselves have a responsibility to ensure they have as much protection in place as possible, but private security specialists will be needed to bring the expertise and technology required to stay ahead of AI-enabled attackers. 

Donny Chong

Donny Chong is a Product & Marketing Director at Nexusguard, where he's responsible for designing the company’s solutions for the enterprise segment. He has contributed to TechFinitive under the Opinions section.
