If you think artificial intelligence is mainly for writing LinkedIn posts and generating graphics, I have bad news: North Korea has other plans. While marketing departments are burning through budgets on ‘AI-driven customer experience’, APT45 hackers have just democratised access to digital weapons that were previously reserved for the powerful. Companies’ infrastructure has ceased to be an asset – it has become technology debt, the interest on which has just jumped dramatically.
The Google Threat Intelligence Group (GTIG) report is the death certificate for corporate complacency. For the first time, what analysts have been whispering about for a year has been proven in black and white: AI had successfully generated a working zero-day exploit. To put it in the language of the board: the barrier to entry for the most destructive attacks has fallen to almost zero. What once required months of work by great programmers and millions of dollars is now a matter of a suitably scalable model and a set of repeatable prompts.
PR blowout versus the brutal physics of code
Most treat AI as an image optimisation toy. Meanwhile, in the hands of groups like APT45, language models have become machines for mass code vivisection. AI can view logic and code flow on a scale that is unattainable to humans.
This is the end of ‘security through obscurity’. If a company’s system is based on the fact that “no one has found this vulnerability yet”, it has just been auctioned off. Aggressor-state funded groups are using Claude and other tools to automatically detect vulnerabilities in critical infrastructure. The Mexican waterworks example is just an appetiser. Hackers don’t need to knock on doors anymore – they build a universal key while corpo’s debate the ethics of chatbots in HR.
Profit and loss account
Let’s look at it through the prism of P&L. The cost of attack thanks to AI has dropped by an order of magnitude. The cost of defence? It has increased exponentially. This is the worst possible business dynamic. Every penny spent on an ‘innovative AI application’ that has no security foundation is actually a subsidy to North Korean GDP.
The market consensus assumes that AI will increase productivity. This is a mistake. In the short term, AI dramatically increases operational risk and reduces margins by having to patch holes that companies didn’t know existed. If a CFO doesn’t see a massive provision for cyber incidents in next year’s budget, he or she is practising wishful thinking. Zero-day at a subscription price of $20 a month is the new market reality.
CEE perspective: Technology hub or testing ground?
For the Central and Eastern European (CEE) region, this trend is particularly toxic. Our competitive advantage was based on the ‘Polish school of programming’ and being a technological base for the West. However, if our codes, created en masse through nearshoring, become sieves easily scanned by AI, we will lose our only asset: trust.
We are a frontline country – not only in the physical sense, but also in the digital sense. Attacks by APT45 or Chinese groups do not target abstractions, but specific supply chains in which CEE companies are key links. One successful zero-day exploit created by a Python script can evaporate the stock market valuation of a Polish software house in one afternoon. Investors will not forgive us for ‘experimenting’ when the operational continuity of global corporations is at stake.
Is it worth stopping chasing ‘innovation’ just for the applause at conferences? The answer, although painful, is rather obvious. Innovation that does not reduce production costs or increase margins while protecting the back end is a waste of capital.
