Generative AI in Cyber Warfare and Navigating the Post-Quantum Battlefield

Please welcome Chris Cuba. The stage is yours. Hello everyone. How is everyone doing? So it is my pleasure to be here again in Sophia, Bulgaria. Uh the last time I was here, I was here last year talking about uh Google being extremely evil and doing very naughty things in Venezuela, getting people killed, tortured, and detained. So um I do a lot of uh very active research and my research areas and I'm pleased I can talk about a lot of this during the keynote involves uh IT IoT uh control systems also different types of artificial intelligence natural language processing and takes advantage of land space sea and air. Now part of my background is I do come from the US

military. I was busted when I was a kid. So when I was allowed to use a computer again, uh they never really know what to do with people like us, right? Uh I became an aviator and then I went into space command and it gave me a very unique view of the world and before the term cyber or even cyber warfare uh was even discussed, we were seeing these types of things in space and all sorts of digital attacks. Well, obviously we've had a humongous shift in the past less than three months. Oh, of a geopolitical shift in the world. And uh before I forget because I never want to uh be without thank yous. Also, thank

you very much for hosting me here. So, big question is what the heck is happening with NATO, right? It's a Bulgaria is a very valued NATO member and uh the last time that this particular administration was in power I had the privilege of helping to run the EU uh NATO cyber warfare exercises in Brussels and during that time we wrote up a letter for part of the exercise and I'll do it from memory 2016 during the first presidency. Now the scenario was that there was a huge cyber warfare attack against Eastern Europe and London and it started killing people and the response from the US government was per Donald Trump. When I was last at

the NATO headquarters, I begged them. I pleaded with them to increase their military spending. However, they did not do so. We see what's going on in Europe. Our hearts are with Europe. However, American blood will not be spilled. Now is the time to eur for Europe to stand on its own two feet. Now, that's a letter that we wrote in 2016. Uh we had representatives from Bulgaria, the UK, you name it. And we were hoping that they would listen to us and actually prepare for what we see right now. Unfortunately, we see how well that's worked out. Um, who here thinks that NATO is going to be around in the next 5 years? Raise your

hand. There's about 40% of the audience. Uh, and would you have the same would you have had the same opinion last year? No. No. So, it's very problematic when we take a look at what's going on in the United States. Now coming from uh a background of cyber warfare I'm very happy to tell you that I was supposed to be on the US defense science board which is the top 40 experts in their field who are US citizens and mine I was supposed to be for generative AI and cyber warfare. Unfortunately because our chairperson is a woman and they could not officially fire us. paused the board indefinitely. The people who are working with season election

interference, they fired them. They had to rehire them, but they have just been put on paid administrative leave and not permitted to do their job. Who here here feels safer hearing that? Nobody. All right. Now, I have to stress uh at least from my point of view, I think that we are at war. Now, if you don't know that much about my background, I was actually in Kev in 2022. I was called in uh in case there was a nuclear cyber incident. Now, my background is also nuclear cyber incidents. I've handled numerous ones and that's probably one of the worst things you want to actually talk about, right? Yeah. Yeah. Yeah. It's not a good

thing. The reason being is years ago I got a hold of the Chernobyl IoT radiation detector and I was able to adjust it and reported it to uh the Ukrainians in the US and got put on the radar uh with part of my nuclear work and that's why I was called up. Again, I do want to stress you do not want a radiation detector belonging to Chernobyl hanging on the public internet that somebody can take advantage of. I I seem to recall there was a guy who became an MEP because I met him at the European Parliament uh where he had been a presenter here in Bulgaria and he was a comedian. And on the show they go, "Oh

no, there's something going on at Chernobyl." and then it clicked off and then 20 minutes later it came back on and it was a joke. But I was told it was not a very comfortable feeling during that time. Now I've seen the effects and the devastating effects of cyber warfare. When I was trying to get over the border to the safety of the European Union and to Armania, we chose a southern central route through PMC Vagner troops. And here we were at the border and night was falling and Russian troops had gone into Chernobyl and kicked up a bunch of dust and our radiation detectors started pinging very very lightly. At the same time, there was specifically

aimed uh misinformation against Ukrainian males. And what the messages said was, "You won't be able to stay with your families. But there is this stream against the border and if you go over the stream you will cross into Romania and the border guards will be obligated to rescue you out of that water and it was the dead of winter. The BBC confirmed last year that hundreds of Ukrainian men died. Imagine that desperation because you may never see your families again when you drop them off at the border. Then in the middle of the night, Russia hit the Ukrainian state border guard with a wiper virus similar to the Shimoon virus that hit Saudi Aramco which almost obliterated

worldwide economies. So when you saw pictures of people like me trying to get over the border in the dead of winter, some people froze to death because the traffic was halted. They were down to pencil and paper. When you try to leave a country with children, they want to make sure that your children are your children. So if your house was on fire and you couldn't grab the paperwork and they couldn't access the database for various identification, you were turned back. And that's where we are right now. And that was three years ago. And now we have this what the f is going on with NATO? what's going on with our allies or our close ally which is

now turning into instead of a friend a friend of me. So when I think about some of the ways that technology is being used against us, I now have an opportunity to take that doom and gloom that I have just given you in bit of a reality check to turn it around a bit and instead uh because we're going to combine the keynote and my technical presentation uh talk about some of the research and an invitation for collaboration on what we are trying to do uh with technology because quite frankly I'm tired of technology being weaponized against everyday people. So some of the projects I am looking for to collaborate with I think you will

like and it is a call to action because I think that everyone in this room and everyone watching has the mindset, the ability and the skills to help out. Number one, we are attempting a hot rescue of an individual somewhere in we'll just say central Asia who decided in 2021 when terrorist troops were coming into their government facilities to give up his seat and his family seat to leave that country to go back in and completely wipe and write over the biometrics and employment. information of any individuals that had worked for Western powers. Now, he has been on the run with his family. Due to an recent executive order, his family's visa to the United

States was cancelled because they decided no more people for Muslim nations for a while. Um, so we are actively looking for contacts in an EU country trying to secure an EU visa, looking for a job for him, uh, and, uh, to get him out. Uh, he did a very, very heroic thing and saved thousands of lives by doing so. Another project that we're working on is something that started last year. Uh, one of my trips to Bucharest, I happened to land on the day of the vote and the surprise election, well almost election, surprise vote for Georgescu. Yay. Does everybody know who George Escu is? Yeah. Don't drink the water. Um, so, uh, it was a surprise. It was

quite funny because uh Dan who runs the DNSC he gave me this uh nickname the cyber harbinger because he said whenever I land in a country something happens. So I land surprise vote right. Whoopsie. I'm surprised they they invite me back. Um so what I did was using natural language processing and four parameters jargon styometrics intent and sentiment. I broke the language barrier and uh scored matching. Does everybody know who Alexander Dugan is? A few people. So he is the author basically of the current um foreign policy of Russia and he has very specific talking points. So I like to use linguistics and produced a scoring methodology to match up everything to Russian influence operations. That work was then broadcast

in 10-minute segments across uh Romania on national Romanian television and it was one of the pieces of the puzzle that enolled that particular vote. So we can actually use the same tools that they're using against us and I'm still active in that. On my last talk here in Sophia, I discussed Google being very very evil and breaking sanctions. So instead, what we've done is we've set up an automated system to look at the tech sanctions lists and the tech stack that is being used in dictatorships to then run reports ready for a lawyer because you have to have a lawyer to file for a sanctions violation on every single one because I have seen the detaining lists myself in Venezuela

and I had to map black torture sites from public sites and I don't want that to happen again. We have another project. It's in Nigeria. What we're looking at is the problem with Booharim. Does anyone know what Booharim actually stands for? No education for girls. So what we're doing and trying to do is leverage natural language processing and a variety of dialects looking at their forums their particular calls for action as well as leveraging IoT sensors uh away from a variety of villages where they love to massacre and they're not just doing it for religion they're also doing it for oil rights by the way there's always money behind it and so we're trying to save

lives and lastly And this involves a bit of AI poisoning. How many of you have heard of the Weaguers in China? Right now, how many of you know that um Hickvision uh has developed a weaker detection system looking at the Turk features? right now. Last year, after uh sanctions from the US were lifted off of Hickvision, they signed a contract with Iran to have hair detection system. So, if a woman removes her hijab, it will send an alert for the religious police to arrest her, etc. etc. Now, years ago before this, when I found out that the Iranian government mandated IoT cameras in every mixedgender entertainment facility, I ended up setting up a dork to find over 10,000 of these

cameras. Now, how well do you think this or how good do you think the security is on 10,000 cameras that have to point into one area? They're going to have all the same username and password, right? And there you go. But with the uh AI system that they're doing uh we have specific poisoning. Now if you are curious of how to absolutely attack AI systems on my research gate uh I spoke in 2018 at Oxford University of how to attack and poison AI systems like this. So, I am looking for help for people who go, "hm, I'm a little tired of this stuff." And I also want to express as of this morning, the United States

government is starting to send letters to allied nations and major corporations demanding that they adhere to the brand new hiring practices of Donald Trump, which means diversity, equity, inclusion, and accessibility. And it's one of the reasons why I'm so glad to be dressed very very feminine to prove that we all have a space here. So I'll take a few quick questions and then I'll go into the technical presentation and thank you very very much for [Music] [Applause] listening. Uh do we have questions? Maybe one one question from my side. Can we uh how can we contribute to this uh your tasks? Contact me um and we will collaborate. Oh, and I almost forgot. I bought the domain

bandwomen.com and I've been restoring all of the removed pages, including the removed pages of Puerto Rican representation in the military because I'm Puerto Rican. They also wiped out our country. Okay thank you. Questions? Don't be shy. Don't be shy. Okay. My favorite color is blue. I like Bad Bonnie. The guys The guys are technical, so maybe the technical presentation will rise more questions. Thank you. Thank you, Chris. Thank you. [Music] Ah, so the one thing to know about me and you like that I crossed out that I was almost uh on the defense science board is I like to hack every single thing and I love encryption and I see the world in ones and zeros. So I have a

wide range of experience because I get bored easily and the moment I get bored I go after the Chernobyl IoT device. So you don't want me to be bored. Now let's talk about generative AI. Now last year I was in Bucharest uh for a big uh government level conference and one of the panels that I was on was called is AI your friend or foe? Now at the time I was so stressed out about Venezuela because man I never want to do that again. Um so I was out smoking. I call it uh tobacco diplomacy. And the director of cyber operations in Malddova happened to be there and he was telling me about their recent election and the

runoff and how much generative AI was hitting them. Uh especially out of a region called Gaga. Has anyone ever heard of that region? Yes. Amazingly, if you go more west, they're like, "What? What's that?" Uh that also shows how much uh the western world knows about the eastern world. And uh he gave me this great quote. Of course AI is your friend for your enemy. So I am going to show you a few things. [Music] Now when I look at these these are fantastic, right? This is from Project Lincoln, which is kind of like a sort of inside the Republican party, but opposition to because it happened to be uh LGBTQ plus. And this was one that Trump

posted. Now, I love them both, and I'm going to tell you a little story about this one. Now, Trump did not make the Gaza Riviera video. There were two dudes who were visiting the US and they were doing a demo on some generative AI software at a studio. Took them about eight hours. They made this funny video. They thought it was hilarious. One of them posted it on their social media. Someone from the Trump campaign picked it up and then Trump posted it himself. Now, obviously, nobody checked it because in the middle of the video, this is one of the things that they're very against. I I I think they don't really like bearded belly

dancers. I don't know. Who knows? Maybe they're into it. Um, without even checking the intellectual property, by the way, and Trump loved it. All right. And the Lincoln Project put out uh this one in response. Now, there's a couple of things I want to point out. We'll see the size. These are actually rather low quality. Um, so they cannot uh be full screen. They're grainy. Uh, they morph. And I'm really surprised because the Lincoln project spent about probably a good hundred grand on this particular one. Um, they're good, but this is the maximum that the US can put out. And this is Will it play? Yes. Oh, fantastic. One of these days I'll get uh YouTube uh Prime. Probably

not. Can I skip it? Oh, come on. How do I Thank you. There we go. Yeah, I didn't um sacrifice a VM of a Windows XP machine. So, it's my bad. That's what I usually do. So, on this one, I want to show you how high quality this is. The fact that this is full screen. Now, I won't mention what country this came out of. You can take a guess and I might tell you offstage. This particular video was uh done just after the Zalinsky visit to the Oval Office. Also, thank you, thank you, thank you, and thank you. Um, and they put this together for less than $500. So you see the difference between

what the US has and what Eastern Europe has. It also shows the challenges here dealing with generative AI. The stuff that is coming down here is much more realistic than the stuff that they get in the US. They actually get a lot of slop. It's it's trash. But here, well, it's a bit of a different story. So, two days, [Music] $500. Now, as you might notice, my name is there. Um, what had happened was in addition to not particularly liking what had happened in the Oval Office, they were contacted by an intermediary who wanted uh what was it? uh 50 videos, 30 seconds each, at a cost of $200 plus an extra 50 uh to speed up the process. So, it came

out to around 65 grand total of what they wanted. And they wanted all of these done to clean up the image of MAGA after the disastrous Oval Office visit. And instead, the group came out with what you just saw right? So, I'm a big believer in uh using the same weapons that the enemy uses against us and I like zero days. Um, so, uh, when we think about cyber warfare and how generative AI and other technologies can help speed up these types of things, I went ahead and created a zeroday GPT that has already produced 26 live, used and tested against a fictitious government called Arowacland. Um and uh it is my pride and joy. I'm actually uh been using it

recently for the uh link vulnerability in Windows and mass-producing those. I can also do synthetic vulnerabilities and exploits etc. But it is my pride and joy because airwackland it's been very useful to get a lot of information out of that. Um, so I went ahead and because of my experiences in Arowak land, uh, I started writing a book, How to Hack a Dictatorship with AI. Now, last century during the Second World War, uh, the precursor for the CIA put out a sabotage manual. It's called the OSS Sabotage Manual. It's a little booklet, and you had to be there in person. If you were a forced laborer and you had to work in munitions, uh they would tell you change

the oil in the machinery. Instead of heavy oil, use light. If the light oil, if there's a filter, poke it with your pencil. If it's a uh a room or a building that is fireproof, start shoving trash, making it uh rife for a fire. Uh add to the bureaucracy of management. However, nowadays, if you're inside a dictatorship, that's very dangerous, right? You get caught, you're dead, your family's dead, your pet's dead. Kind of sucks. However, I don't think you need to be there. So, I set up this manual which has been tried, trude, and tested in Arowakland. Uh, and it was produced via AI to be the evilst possible to retake control if you are a person

inside a dictatorship with AI. And one of the reasons why it's quite important is the same techniques that they're using against us, we can flip the switch and use against them. And that came out this morning, by the way. So now that we're moving into the future because the future is here uh one of the things I did last year was publish a paper called it's a very long title uh secrets from the future hacking in a postquantum cryptographic world la and it was inspired by a song. Does anyone know who Mick Frontalot is? Well, I'm gonna tell you. We have hacker genre in the English language. It's fantastic. We have our own music. And he's got this song called

Secrets from the Future. Now, it was written about classical computers. But the line that I enjoy using is you can't hide secrets from the future with math. You think you can try, but in the future they'll laugh at your half-ass schemes and algorithms and math to avoid cryptographic attack. So, we always have to think forward. But now we have something coming down the line and it's called quantum computing. And although we are not where all of the tech dystopian novels and movies uh have put us, we still have to look at the issue because uh we are investing massively. Uh Amsterdam is going to get a quantum computer that uh the European Union paid 50 million euro

for. So I'll have access to that. uh and I already have an access to a variety of them and I'm just going to uh not not go too too deep tech but to show you some of the things that we're also modeling. So when we talk about what is the difference between uh the smartphone in your pocket and a quantum computer uh they have very different applications even when quantum computing is uh mature. You're going to be doing your your word documents your whatever documents on a classic computer. Um, but quantum computing will most likely be used at least at this time for simulations and solving problems that classical computers cannot. And of course, we're still in

this how do we hold cubits? What is entanglement? Is there a cat? Did a cat ever exist? Who knows? Uh, with superposition. And when you think of superp position, um, one of the things you can imagine is two singers located anywhere in the world that when one hits a note, the other is entangled and tied and hits the other note and is in harmony. And that's one of the easier ways that I can think of as well as uh, multitasking uh, and doing harmonious operations anywhere. and some of the algorithms that can pose a challenge to current encryption. Right now, there's shores and there's grovers and we have this idea that we have information and it's kept private and

it's encrypted. But imagine if you had the master key to get into all of that. Now, back in the day, I'm sure you've heard heard of this country called the Soviet Union, right? So one of the reasons why it went bankrupt was there was a supercomputer race between the east and the west and the supercomputer promised like quantum computing to be so good it would crack all current encryption. So the US broadcast that they were way more ahead in the supercomputing race that they actually were. So the Soviet Union ended up spending almost 20% of their GDP on supercomputing and it was one of the reasons why they went bankrupt. And here we are again. It's like disco. This

stuff comes back just with a different name. Yay. Um, so I did up a timeline and this is kind of what I imagine the timeline is going to look for uh, quantum computing and how we should plan. Now, one of the things I do want to stress is we have to kind of prepare. Nobody cares about expired credit card numbers, but you might want to keep your shopping data, especially if you bought a sexy time toy, right? That's the private part. So if we know that these types of things are coming then we have to start using uh algorithms that are quantum resistant. Now earlier this year NIST finally came out with the finalist uh

for uh quantum resistant algorithms. Unfortunately that was delayed due to politics because the US likes to shut down governments. So uh when politics come into play it actually slows down innovation and technology. So I do imagine looking at history and disco that there will be an arms [Music] race. Another issue that we have to look at is harvest now decrypt later. Now this is something that may have heard the guy Edward Snowden had mentioned that is the mass collection of data which can then be stored and decrypted later when you have a powerful enough [Music] computer. But here we are when we know that things are going to be an issue we again have to prepare because it's already going

on. Has anyone heard of BGP routing or rerouting and manipulation? Right? That's one of the reasons why it [Music] occurs. So, I created an attack framework. Uh I was inspired by Trump, so I put called it the Quebeca because I figured, you know, why not? He puts his name on everything. And these are some of the things that we're looking at. And there's now been uh two papers uh that uh have also described uh part of this attack framework and you can see the entire paper on my research gate. I I like to open publicly so people will actually read my workh but I'll never get a private island. Oh well I I need to be a cyber

criminal. So um I used to actually work here. This is where I worked in space command and at the time that was the data collection facility for the National Security Agency. It's now moved to Utah. So I I do know a few things about this topic. So the day before yesterday, I was giving the keynote at Cambridge University, which I was very pleased about because I had never given a keynote at Cambridge and I felt very posh. And I was describing uh sovereignty with encryption, timing, and navigation. and I want to point out a few things that uh were a bit disturbing. Earlier this year, the UK government decided to sign a humongous cloud deal with big US tech companies.

And because of that they started shifting their certificate servers from their own government authority to US big tech. So does anyone know or heard of GCHQ and the code breakers? Yeah, right. They use Amazon and also a bunch of subdomains which is a little weird. Um there the other almost keynote uh Jeff man, he was the chap that ran the tailored access unit at the NSA. Him and I spoke about this over signal and he laughed because basically he said it would be a bit of an embarrassment if the NSA suddenly used a big company from a foreign entity on their website or any of their subdomains, right? uh because you don't know what else is

encrypted. Uh you are trusting a lot and you're trusting a government website and the reputation with a foreign entity in a foreign government. Uh SIS is MI6. MI6 is the forward- facing intelligence apparatus of the United Kingdom. And they switched over to Digiert on the 15th of March of this year. Digicert is owned by an investor group located in uh Utah, right next door to the large NSA collection facility. And the CEO of Digiert, uh Thomas Bravo, gave 921,825 to the Trump campaign last year. Would you feel comfortable in that situation? Raise your hand. It's in UK, right? This is the king of England. The royal family decided to also switch on the 16th of March and

they're using Google. And I thought it was very funny because I live in the Netherlands and the king of the Netherlands, their website and the royal family uses our Dutch official encryption certificates because many countries have their own certifying authority. However, the king of England does not. Oh, and also funny story. My uh late nana um she was actually given the keys to Warwick Castle by the then crown prince, now king, King Charles. So when we attended, we were not allowed to take pictures. We could only wait for the official press pictures. When we got them back, I noticed one big thing. Someone had actually altered his ears to make them look smaller. I still have the picture. So down here,

does anyone know what DAR.bg is? Hey, look. They're with the king of England. Yay. And this is the logo for hacker 1. Uh GCHQ runs the National Cyber Security Center. And let's say you happen to find a flaw in a nuclear power plant and somebody plugs something in and you find it on the internet and you want to tell them, hey, you know, this uh nuclear power plant called Cofield, which I've been to because I used to be a a lecturer for GCHQ and for their nuclear apparatus, um I want to report this in a safe way because you don't want uh bad entity to get that information. Of course, spy agencies are looking at the inbox of where you

disclose vulnerabilities. So, GCHQ in their infinite wisdom decided, we're going to use Hacker 1. Now, this is what I told Cambridge. The UK and the US are currently embroiled in a quiet little trade war over tariffs and pressure from the US to kill the collections of specific taxes from US big tech companies. But in a strange twist of digital diplomacy, UK's GCHQ's national cyber security center relies solely on a USbased bug bounty platform. Hacker 1, the only method of reporting critical vulnerabilities. And if you find that uncomfortable, I do because it's going straight to Washington DC. Has anyone heard of the Patriot Act? The more patriotic it sounds, the worse it is. Uh so that was set up uh

basically to be able to get data from any US company. Uh if they do a request, they cannot tell anyone and they go to a secret court. And so here are all these vulnerabilities on critical infrastructure in the UK during a trade war going straight to the United States. Is that a great idea? Amazing. That's right. That's right. So, uh, yeah, I feel so responsible. Um, now when we talk about encryption, my favorite topic, uh, we need this thing called time and positioning, but especially time. Uh, the UK used to set the time. It was called GMT from Green Witch Meantime. They decided, I don't know why, to instead use the US Naval Academy. And why is that important?

Well, time can be a kill switch. So, if you want to do stock trading timestamps on the Swift network, you need accurate time. If somebody else owns the time during a trade war, and I've seen this happen before, yeah, it could be a problem. Missile launches, C2 systems, critical infrastructure power grid, you name it. And many system times also go to US big tech companies. So, in a case years ago, um there was a deharmonization of the EU power grid due to politics between two countries that don't always get along. And it was only discovered 2 years later because uh these system clocks on things like regular appliances were drifting and it uh partially deharmonized the grid because of

it. Now when you're dealing with tight interoperability for critical infrastructure, you also need time. But would you trust getting your time from a server in China? Right. I wouldn't. Um, now out in the news they had mentioned Italy was concerned that the F35 might have a kill switch. So I also have an aviation background and after 2022 I happen to be with a very exclusive aviation group and uh they had stolen Russia did 600 jets. So they called me in to ask how could we ground them? And I told them the time of the encryption certificate because when you fire up the plane, the flight computer, it syncs and there's a variety of different parts that are also synced and

those also use certificates and if it doesn't all sync, then your plane doesn't start. Now, we decided not to do it because we could not guarantee that if we did that type of attack to ground those aircraft that they would actually be on the ground. Obviously, we did not want to kill somebody up in the air. So, that's the type of kill switch you can actually have on an aircraft, not just turning it off. So, no time, no encryption, and no positioning. And it's kind of important to do that. So, I didn't want to give you a huge amount of references, but you can look up a variety of this stuff also on my research

gate. And lastly, I do have a bit of a call for [Music] action. I would love to hear your thoughts on what's going on right now here in Bulgaria because I know what's going on in other areas, but I would love to see samples as well of any of the generative AI when it deals with misinformation, etc. uh that you all are seeing. Another thing is take a look at your certificates. Do you actually need a certificate from Google? Can you get a certificate from an EU ally when you go to renew? Now, important thing to consider is what kind of attacks could big US tech do on these certificates? And there's a variety of

them. As well as with timing, they can add latency. they can cut it off. They can say that there is maintenance maintenance. So, you never know. And lastly, after my keynote the day before yesterday at Cambridge, they have decided to convene a special interest group and they want international collaboration from EU allies to discuss the issues between timing, positioning, uh, encryption and cyber security. So, if you would like to participate, please contact me and I will be out there to discuss these issues. So, thank you very much everybody. Um, I don't have these new books out yet because I've been traveling all over the place. Um, but one will be on my academic paper and one

will be how to have fun and hack a dictatorship with AI. And hopefully it will give you a lot of ideas of how we can turn it around and use the weapons that they use against us against them. So thank you very much everyone for the technical portion. [Applause] [Music]