Key Points

• The gap between becoming a cybercriminal and becoming a cyber security professional is widening, and AI is significantly lowering entry barriers for attackers—yet defensive careers still require extensive credentials and experience

  
  

• AI is making sophisticated attack methods accessible to less skilled actors, and this has the effect of potentially transforming the threat landscape from highly skilled APT groups to a broader base of AI-assisted attackers

  
  

• To keep up with the pace of AI-enabled threats, the cyber security field needs to fundamentally rethink credentialing and training approaches

Last week, 19-year-old Matthew Lane of Massachusetts agreed to plead guilty to hacking PowerSchool and extorting the company for $2.85 million. This hacking incident affected approximately 60 million students nationwide. Stories like this always make me reflect on my journey in the field of information security.

One morning in August of 2022, I received an email from Niagara University. I was recently accepted into their Information Security and Digital Forensics (ISDF) program, and the message was long and serious. Attached was a mandatory agreement outlining conditions for participation in the program. Because students would be granted access to state-of-the-art cyber security lab environments, we were required to affirm two key commitments: first, that we would only use the cyber tools provided for legitimate academic purposes such as labs, assignments, and projects; and second, that we would never use the skills or tools we acquired to perpetuate cybercrimes.

Needless to say, I was immediately excited to dive into this field. But that excitement was tempered with a sobering realization: the skills we were learning could be dangerous if they fell into the wrong hands.

Regardless of whether the threat actor is a skilled and experienced professional, a script kiddie (a novice hacker with minimal expertise), or a curious, budding cyber security student, the penalties for certain actions, whether malicious or not, can be severe. I still vividly remember an early lesson in my ethical hacking course.

After teaching us how to combine OpenVAS with the Metasploit Framework—two powerful tools often used in penetration testing—our professor paused and admitted plainly: "I've just handed you a gun and taught you how to fire it."

This metaphor stuck with me. It captures the gravity of our responsibility as cyber security professionals and recognizes how rapidly the terrain is shifting under our feet in this new era. This was a phenomenon referred to as the Fourth Industrial Revolution by Klaus Schwab. More specifically, Schwab suggests that we are at the beginning of a revolution that is fundamentally changing the way we live, work, and relate to one another, given the dramatic and rapidly moving technological change that is all around us.

What does the Fourth Industrial Revolution Mean for Hackers?

What sets this revolution apart is the convergence of cyber security with emerging existential threats: Quantum Computing and Artificial Intelligence. While both present profound challenges, they differ in immediacy and accessibility for hackers.

Quantum Computing

• Due to its cost and complexity, it will remain in the hands of elite nations and major corporations—at least initially

• “Q Day,” the term used to describe the day when a working quantum computer will go online, is an immediate danger to asymmetric encryption due to Shor's algorithm and certain hash digests due to Grover’s algorithm. More specifically, [CC1] Shor’s algorithm factors large integers and computes discrete logarithms, which breaks the mathematical foundations for RSA, ECC, and Diffie-Hellman. Grover’s algorithm enhances the speed of searching unsorted databases, reducing the time required for brute-force attacks on hash digests and digital signatures

  
  

• While it is foreseeable that advanced persistent threats (APTs) could be given access to such resources, it is not all doom and gloom. In fact, steps are already being taken in post-quantum cryptography,  such as Quantum key encryption, which is already in use

  
  

• Encryption algorithms have life cycles, and RSA, Diffie-Hellman, and Elliptic Curve are at the end of theirs

Artificial Intelligence

• AI is easily accessible

  
  

• Anyone with a capable GPU can spin up a local AI instance, design a custom graphical user interface, and experiment with various models that are available through platforms like Hugging Face or Ollama

  
  

• Specific LLMs like FraudGPT & WormGPT highlight that LLMs can be explicitly trained for hacking assistance

  
  

• Through prompt injection, AI does not need to be hosted locally to be used maliciously

  
  

• AI is already being deployed in cyber security operations and in defense

  
  

What the foregoing suggests is that one transformative technology will remain in the hands of only a few. AI is prolific and only requires some decent hardware and an internet connection; what’s more, you now have your own teacher who can teach you all about the gun and how to fire it.

AI-Assisted Hacking

The following are features of AI-assisted hacking:

• It increases the speed at which hackers can discover and exploit zero-day (unpatched) vulnerabilities

  
  

• It creates more sophisticated social engineering attacks

  
  

• It can be leveraged on large data sets to connect and identify weaknesses

The End of The Script Kiddie?

The reality is that the skills I learned from my lab experience could easily be replicated with AI. Script Kiddies are known for their minimal knowledge, but now with this tool in their arsenal, the gaps in their technical knowledge can be supplemented. Instead of waiting for their professor to answer a technical question via email, searching for a YouTube tutorial, or accessing hacker chatrooms, AI (when not hallucinating) can provide expertise and assistance instantaneously.

APTs are explicitly designed to bridge the knowledge gaps of each team member and ensure that experts are professionals in their technical domains. However, a lone script kiddie could now supplement those years of knowledge with an LLM tailored to their desires and objectives.

What This Means for the Cyber Security Workforce Shortage

Certainly, society is grappling with economic woes and recession—what was once considered to be a relatively resilient field due to its necessity, cyber security has been negatively impacted in recent years. In fact, according to the 2024 ISC2 Cybersecurity Workforce Study, budget cuts have been identified as the number one reason that new talent is not being trained or hired.  

Cyber Criminal versus Cyber Security Professional: Different Requirements

To be a cyber security professional, one needs to have:

• Three to five years of previous IT or cyber security adjacent experience

• A degree (typically), though this trend is changing

• The CISSP certification (which itself requires five years of experience for full certification)

Other Industry certifications that each cost between $700 – $1400 to write

On the other hand, in order to be a Cyber Criminal, one needs to have:

• A good internet connection

  
  

• A laptop

  
  

• An RTX GPU for a locally hosted AI

At this point, it is unclear whether Matthew Lane used AI when he hacked the company and tried to extort it for $2.85 million. That said, I have to wonder whether the term, "script kiddie", is no longer applicable.