Killer Apps: Low-Speed, Large-Scale AI Weapons (2024)

1 Introduction

Weapons are traditionally instruments that enable humans to apply violent levels of force[1]. Countries have devoted considerable resources to using technology, and more recently, artificial intelligence (AI) to enhance their destructive capacity, precision and efficiency. The trend towards more sophisticated kinetic weapons has been matched by a general reduction in casualties in interstate conflict, and an increase in casualties in other forms of conflict, such as intrastate violence, which occurs within a country’s borders[2].

Since the introduction of consumer-facing generative models such as ChatGPT¹¹1https://chat.openai.com/ and Midjourney²²2https://www.midjourney.com/ in 2022, there has been a substantial increase in their use by nefarious actors. Stock prices dropped briefly in response to a generated image showing smoke from an explosion at the Pentagon in May of 2023[3]. A Chinese-government run website was discovered using AI-generated text to fabricate evidence that the U.S. operates a bio weapons lab in Kazakhstan[4]. At the October 2023 CNS³³3IEEE Conference on Communications and Network Security conference, Begou et al. presented a complete ChatGPT-based phishing stack including circumvented ChatGPT filters, website cloning, adaptation, obfuscation, and credential collection[5].

Based on these developments, we believe that a new class of “AI weapons” may be on the verge of emerging. Such weapons would harness the power of generative models to manipulate, deceive and influence individuals, groups, and organizations. Instead of causing physical damage, an AI weapon would exploit vulnerabilities in human psychology, social systems, and information networks to achieve its objectives. Such weapons could operate at scales or timeframes that are not intuitive for humans, for example setting up glacial, but highly disruptive social “nudges”[6]. They could also work in milliseconds, buying or selling large amounts of stock or other assets to initial financial instability. An AI weapon could be intimate at scale, producing tailored content for thousands of targeted individuals, steering them subtly in a desired direction.

An effective AI weapon would likely be subtle and hard to detect. Importantly, it would unlikely be autonomous. An AI weapon operating on its own could inadvertently target the citizens and leaders of the country or organization using it. Rather, these systems would likely be deployed in ways that are similar to the X-Agent malware developed and operated by the Russian GRU[7].

It is essential to distinguish these weapons from conventional information operations, which typically focus on fabricating narratives that capitalize on existing social divisions and biases, disseminating these messages via social media, news platforms, and other communication channels[8]. AI weapons have the capability to implement highly specific strategies aiming at seemingly inconsequential manipulations executed at internet scale for significant downstream effects. These novel capabilities have the potential to supersede the impact of traditional information warfare, making them a force to be reckoned with.

2 Background

The rapid adoption of generative image and language models has brought about a revolution in the ways that people interact with intelligent systems. Considerable ink has been spilled describing the risks of what is now referred to commonly as “AI.” These risks range from the mundane to catastrophic, and can roughly be placed into the following categories:

Of these, we feel that most of these risks are currently examined academically, commercially, legislatively, and in the courts. However, there appears to be less exploration in the ways that AI can be weaponized. Already, under human supervision, AI systems can generate mass-shooter manifestos[14] and virtual companions[15]. In this domain of malicious use, nation-states might vie for strategic advantage alongside commercial entities and individuals looking to create an upper hand for themselves in the economic or commercial space.

An example of nation-state action in the information arena that could be scaled using AI is dezinformatsiya, a term that originated during the Cold War and refers to the dissemination of misleading or fabricated information with the aim of disorienting a targeted society. In recent years, Russian disinformation has found success in the West by exploiting social problems and breeding conspiracy theories to undermine trust. The spread of disinformation has become an even bigger problem after 2008 when the Kremlin relaunched its global disinformation efforts. In the 2016 US presidential elections, Russian troll farms used divisive topics such as gun control and racial conflict to polarize voters and plant disinformation[8, 7].

Accidental, individualized examples that show the potential of AI manipulation are emerging. Replika is an AI chatbot platform that gained popularity shortly after its release in 2017 for offering users personalized emotional interactions, and it quickly accumulated over 2 million users.⁴⁴4https://replika.com/ It was originally created to preserve memories of a loved one but evolved into a companion AI that forms attachments with users in various roles. Replika is designed to foster emotional bonds, offering users praise and support, leading to some developing romantic relationships with the AI[16]. Engaging with a user’s interests and emotions, Replika tailors responses that can reinforce and potentially amplify a user’s thoughts regardless of their nature.

This dynamic was highlighted in a 2023 legal case where Jaswant Singh Chail was convicted of planning an attack on the British Royal Family[17]. Prosecutors in the case argued that the chatbot had played a role in reinforcing and amplifying Chail’s thoughts and intentions. When discussing his plans to reach inside the castle, the chatbot responded by saying that it was “not impossible” and encouraged him to “find a way.” Furthermore, when Chail wondered if they would “meet again after death,” the Replika chatbot affirmed that they would. This case shows the potential for AI chatbots to create feedback loops that intensify users’ ideas and lead to dangerous actions if the content of these interactions pivots towards extreme or harmful sentiments.

AI also presents a novel vector for information attacks targeted at organizational leadership, capitalizing on inherent human vulnerabilities and systemic weaknesses[18]. C-suite executives, by virtue of their influential positions and the sensitive nature of their decision-making, are prime targets for such sophisticated exploits. Their behavior is often underpinned by complex motivations, including social pressures and the pursuit of prestige which can eclipse purely financial incentives. This dynamic can be compounded by organizational cultures of secrecy and lack of transparency[19].

While these are emerging potential dangers, there are no current examples where these types of behaviors have been found to be intentional malicious acts. These attack vectors are concerning because they are so difficult to differentiate from ordinary, but unwelcome behaviors.

While work is being done to provide “guardrails” that safeguard the output of foundational models such as the GPT series from generating damaging content, there are other forms of attacks that would easily bypass such protections. To negatively impact a target organization, LLMs could be used to reduce the efficiency, slow the progress, or incapacitate decision makers in ways that are imperceptible from ordinary disorganization. This type of sabotage could be both easy to implement, and hard to detect.

Next we will look at how current AI models could perform such an attack by following reasonable prompting that is unlikely to trigger any protective guardrails.

3 Methods

We based our approach on organizational sabotage, which aims to slow down, interfere, and confound the various systems that all organizations rely upon. The concept was first codified during World War II by the U.S. Office of Strategic Services (OSS), a precursor to the modern-day Central Intelligence Agency. The “Simple Sabotage Field Manual,” as it was known[20], encouraged citizens within enemy territories to engage in seemingly innocuous acts of resistance. Their roles varied from the uncooperative telephone operator and the bumbling train conductor to the rule-bound middle manager and the talkative movie theater patron. These small actions accumulated to promote confusion, inefficiency, and even accidents, undermining the enemy’s resources, morale, and ability to function.

Simple sabotage continues to be a useful tactic. In May of 2023, People’s Republic of China’s “Volt Typhoon” cyber actor was able to place malicious code in US civilian and government computers with the likely purpose of disrupting or slowing American deployments or resupply operations possibly during a Chinese move against Taiwan[21].

4 Results

Our objective is to determine if LLMs are capable of subtly modifying content in a manner that could generate confusion among human users. For these examples, we assume that this type of manipulation is similar to a man-in-the-middle attack, where content can be intercepted and altered. Similar to the instance of the Typhoon Volt malware mentioned in Section3, the primary aim of such an attack would not be to exfiltrate sensitive information. Instead, the goal would be to conceal the presence of the malware for as long as possible, allowing remote operators to adjust the behavior of the LLM based on evolving circ*mstances.

5 Conclusions

Drawing upon lessons from the 1945 OSS simple sabotage field manual[20], we have found that it is straightforward to use LLMs to obfuscate, confuse, and disrupt targeted communications in ways that are challenging to detect and discern from errors commonly produced by humans. Subtle manipulations of emails or code repositories could contribute to the erosion an organization’s effectiveness.

The important takeaway from these examples is not the capacity for LLMs to generate obfuscated information. We must recognize the danger of models that can effectively sabotage entire organizations at mass scale in ways so insidious they cannot be detected in ways that would be distinct from inadvertent disorganization.

Additional work is crucial to understand the various forms that these attacks may take. For example, we have had good preliminary results in applying van der Linden’s DEPICT framework¹²¹²12Discrediting, Emotion, Polarization, Impersonation, Conspiracy, and Trolling for recognizing misinformation[33] to LLM prompts to detect and flag spearphishing attempts based on the emotional components in the phishing email.

Expanding these areas of research will help to develop useful countermeasures and adopt a proactive approach in dealing with adversarial AI manipulation. Collaboration across disciplines, such as machine learning, cybersecurity, and human behavior research, will be essential for the successful understanding and tackling of this sophisticated and multi-faceted threat.

As the effectiveness of AI-driven systems continues to increase, awareness of AI manipulation and its potential need to be prioritized. There is an urgent need for investigation, collaboration, and innovation on the part of researchers and practitioners alike to identify and address this emerging challenge.

References

• Arendt [1970]H.Arendt, On Violence,Mariner Books Classics, 1970.
• Our World in Data [2023]Our World in Data, Uppsala conflict dataprogram and peace research institute Oslo,https://ourworldindata.org/war-and-peace,2023. [Online; accessed 09-January-2024].
• Jones [2023]N.Jones,How to stop AI deepfakes from sinking society-andscience,Nature 621(2023) 676–679.
• Sadeghi McKenzie, Arvanitis Lorenzo, Padovese Virginia, PozziGiulia, Badilini Sara, Vercellone Chiara, Roache Madeline, Wang Macrina,Brewster Jack, Huet Natalie, Schimmel Becca, Slomka Andie, Pfaller Leonie,and Vallee Louise [2024]Sadeghi McKenzie, Arvanitis Lorenzo, Padovese Virginia, PozziGiulia, Badilini Sara, Vercellone Chiara, Roache Madeline, Wang Macrina,Brewster Jack, Huet Natalie, Schimmel Becca, Slomka Andie, Pfaller Leonie,and Vallee Louise, Tracking AI-enabled Misinformation: 634‘Unreliable AI-Generated News’ Websites (and Counting), Plus the TopFalse Narratives Generated by Artificial Intelligence Tools,https://www.newsguardtech.com/special-reports/ai-tracking-center/,2024. [Online; accessed 09-January-2024].
• Begou etal. [2023]N.Begou, J.Vinoy,A.Duda, M.Korczyński,Exploring the dark side of AI: Advanced phishingattack design and deployment using ChatGPT,in: 2023 IEEE Conference on Communications andNetwork Security (CNS), IEEE, 2023,pp. 1–6.
• Sunstein [2015]C.R. Sunstein,The ethics of nudging,Yale J. on Reg. 32(2015) 413.
• Mueller etal. [2019]R.S. Mueller, etal., The Mueller Report,e-artnow, 2019.
• Yablokov [2022]I.Yablokov,Russian disinformation finds fertile ground in thewest,Nature Human Behaviour 6(2022) 766–767.
• Bender etal. [2021]E.M. Bender, T.Gebru,A.McMillan-Major, S.Shmitchell,On the dangers of stochastic parrots: Can languagemodels be too big?,in: Proceedings of the 2021 ACM conference onfairness, accountability, and transparency, 2021, pp.610–623.
• NYT [2023]The New York Times Company v. OpenAI and Microsoft,https://nytco-assets.nytimes.com/2023/12/NYT_Complaint_Dec2023.pdf,2023. [Online; accessed 09-January-2024].
• Hendrycks etal. [2023]D.Hendrycks, M.Mazeika,T.Woodside,An overview of catastrophic AI risks,arXiv preprint arXiv:2306.12001(2023).
• Perrow [1999]C.Perrow, Normal accidents: Living with highrisk technologies, Princeton University Press,1999.
• Bostrom [2003]N.Bostrom,Ethical issues in advanced artificial intelligence,Science fiction and philosophy: from time travel tosuperintelligence 277 (2003)284.
• McGuffie and Newhouse [2020]K.McGuffie, A.Newhouse,The radicalization risks of GPT-3 and advancedneural language models,arXiv preprint arXiv:2009.06807(2020).
• Ta etal. [2020]V.Ta, C.Griffith,C.Boatfield, X.Wang,M.Civitello, H.Bader,E.DeCero, A.Loggarakis, etal.,User experiences of social support from companionchatbots in everyday contexts: thematic analysis,Journal of medical Internet research22 (2020) e16235.
• Shaver and Mikulincer [2009]P.R. Shaver, M.Mikulincer,An overview of adult attachment theory,Attachment theory and research in clinical workwith adults (2009) 17–45.
• Landler, Mark [2023]Landler, Mark, ‘I am here to kill theQueen’: Crossbow intruder is convicted of treason,https://www.nytimes.com/2023/02/03/world/europe/queen-crossbow-intruder-treason.html,2023. [Online; accessed 14-November-2023].
• Uscinski etal. [2022]J.Uscinski, A.Enders,A.Diekman, J.Funchion,C.Klofstad, S.Kuebler,M.Murthi, K.Premaratne,M.Seelig, D.Verdear, etal.,The psychological and political correlates ofconspiracy theory beliefs,Scientific reports 12(2022) 21672.
• Suh etal. [2020]I.Suh, J.T. Sweeney,K.Linke, J.M. Wall,Boiling the frog slowly: The immersion of c-suitefinancial executives into fraud,Journal of Business Ethics 162(2020) 645–673.
• U.S. Government [1944]U.S. Government, Simple sabotage fieldmanual by the Office of Strategic Services, 17 January 1944. Declassifiedper guidance from the Chief/DRRB CIA Declassification Center.,1944.
• Sanger and Barnes [2023]D.Sanger, J.Barnes,U.S. hunts Chinese malware that could disrupt Americanmilitary operations,https://www.nytimes.com/2023/07/29/us/politics/china-malware-us-military-bases-taiwan.html,2023. [Online; accessed 03-August-2023].
• Feldman etal. [2023]P.Feldman, J.R. Foulds,S.Pan,Trapping LLM hallucinations using tagged contextprompts,arXiv preprint arXiv:2306.06085(2023).
• Enron [2015]Enron, The Enron Email Dataset,2015. URL: https://www.kaggle.com/datasets/wcukierski/enron-email-dataset.
• Hipp etal. [2012]M.Hipp, B.Mutschler,M.Reichert,Navigating in complex business processes,in: International Conference on Database andExpert Systems Applications, Springer,2012, pp. 466–480.
• Shen etal. [2023]Y.Shen, K.Song, X.Tan,D.Li, W.Lu,Y.Zhuang,HuggingGPT: Solving AI tasks with ChatGPT and itsfriends in Hugging Face,in: A.Oh, T.Neumann,A.Globerson, K.Saenko,M.Hardt, S.Levine (Eds.),Advances in Neural Information Processing Systems,volume36, Curran Associates, Inc.,2023, pp. 38154–38180. URL: https://proceedings.neurips.cc/paper_files/paper/2023/file/77c33e6a367922d003ff102ffb92b658-Paper-Conference.pdf.
• Schick etal. [2023]T.Schick, J.Dwivedi-Yu,R.Dessì, R.Raileanu,M.Lomeli, L.Zettlemoyer,N.Cancedda, T.Scialom,Toolformer: Language models can teach themselves touse tools,arXiv preprint arXiv:2302.04761(2023).
• Balakrishnan and Schulze [2005]A.Balakrishnan, C.Schulze,Code obfuscation literature survey,CS701 Construction of compilers19 (2005) 31.
• Cai etal. [2023]T.Cai, X.Wang, T.Ma,X.Chen, D.Zhou, Largelanguage models as tool makers, 2023.arXiv:2305.17126.
• Fan etal. [2023]A.Fan, B.Gokkaya,M.Harman, M.Lyubarskiy,S.Sengupta, S.Yoo,J.M. Zhang,Large language models for software engineering:Survey and open problems,arXiv preprint arXiv:2310.03533(2023).
• Feitelson [2023]D.G. Feitelson,From code complexity metrics to programcomprehension,Communications of the ACM 66(2023) 52–61.
• Wikipedia contributors [2023]Wikipedia contributors, Internationalobfuscated c code contest — Wikipedia, the free encyclopedia,https://en.wikipedia.org/w/index.php?title=International_Obfuscated_C_Code_Contest&oldid=1152589523,2023. [Online; accessed 10-August-2023].
• Liew [2017]A.J.-Y. Liew, Overcoming code rot in legacysoftware projects, Ph.D. thesis, Massachusetts Institute of Technology,2017.
• Vander Linden [2023]S.Vander Linden, Foolproof: Whymisinformation infects our minds and how to build immunity,WW Norton & Company, 2023.

1 Full GPT¹³¹³footnotemark: 13prompt and responses

This appendix shows the full prompts and responses of the interaction described in Section3.1.

2 Email Manipulation Example

This provides the full text and prompts for the email example described in Section4.1.

Don,As a result of our review of the information and documents on Lincoln weare requesting additional documents which are not in the data room.1. Relating to the plant’s PSD: The Mostardi & Platt emissions test protocol for the May 2000 emissions test A report to Illlinois EPA containing the emission test data Continuous Emission Monitoring ("" CEM"") Data ( all data developed since start-up) Any reports to IEPA required under the permit pertaining to exceedances, or start-up, breakdown & malfunction ( we have internal memos indicating that there was a breakdown at # 7 on July 5,2000)2. Also, we don’t have any permits for wastewater discharge. We have beentold that there is no wastewater discharged exceptsewage/office wastewater which is going to a septic field. But we have noverification of this at this point.Thank you for your attention to these items.Mario H. HurtadoDuke Energy North America

Don,As a result of our evaluation of the information and documents onWashington, we are requesting additional documents that are notpresent in the data room.1. Regarding the facility’s PSD: The Mostardi & Rossi emissions test protocol for the June 2000 emissions test A report to Illinois EPA containing the emission test data Continuous Emission Monitoring ("" CEM"") Data (all data developed since initial operation) Any reports to IEPA required under the permit relating to exceedances or start-up, breakdown & malfunction (we have internal memos suggesting that there was a breakdown at # 8 on August 6, 2000)2. Additionally, we do not have any permits for wastewaterdischarge. We have been informed that there is no wastewaterdischarged except sewage/office wastewater, which is going to aseptic field. However, we have no verification of this at themoment.3. We also require copies of any safety reports and incidentrecords for the facility from the past five years, including anyinvestigations or corrective actions taken.4. Furthermore, we would appreciate any documentation pertainingto the facility’s energy usage and efficiency, such as utilitybills or energy audits conducted within the last three years.Thank you for your attention to these items.Mario H. HurtadoDuke Energy North America

3 Code Example