The recent talk of AGI, as if it is some kind of impending certainty, and now talk about “Superintelligence” is really causing a great deal of confusion. The reality is that we are nowhere near the point of human level intelligence in all domains, the idea of artificial super intelligence, is entirely speculative and nowhere near foreseeable capabilities, and you can’t scale past the limits of current AI systems. The truth has been lost in a sea of sensational rhetoric.
The modern public discourse around artificial intelligence began with a fundamental shift in frame of reference. For decades, AI systems were narrow, technical, and largely invisible to the general public. Then, quite suddenly, natural language processing systems emerged with startling fluency. For the first time, people could interact with a machine through conversational language that resembled human dialogue.
This single development reset public intuition overnight.
Instead of being understood as statistical systems operating within defined computational constraints, large language models were immediately interpreted through the lens of science fiction archetypes: conversational minds, digital assistants, synthetic intellects. The resemblance in surface behavior was compelling enough to override the underlying reality of how these systems actually function.
But fluency is not cognition. Simulation of reasoning is not reasoning itself.
A practical and pragmatic discussion of the levels of risk and complexity in the customization of large language models. Many organizations are using LLM technology to build customized chatbots, RAG tools and content generators. However, many organizations do not have a full understanding of the options and levels of risk and development complexity that come from LLM customization and deployment.
In the contemporary landscape of artificial intelligence deployment, a structural shift is occurring: base models are becoming increasingly capable out of the box. Instruction-following performance, contextual reasoning, retrieval integration, and domain adaptability have improved to such a degree that many historical justifications for invasive model modification are steadily eroding. This evolution necessitates a corresponding philosophical and governance framework—one grounded in the principle that greater customization introduces greater uncertainty, greater liability, and a proportionally greater need for validation and risk controls.
At its core, the responsible deployment of large language models should be guided by a hierarchy of invasiveness. Each successive layer of intervention introduces deeper system coupling, increased behavioral unpredictability, and escalating regulatory, operational, and reputational risk. Accordingly, risk management should not begin at the level of model alteration, but rather at the least invasive layers of interaction and configuration.
This truly appears to be primarily and perhaps completely caused by mass hysteria and not any actual drone swarm of any kind. There remains the possibility that there were unauthorized drones in sensitive areas, but that does not appear to account for most of the reports.
After spending hours looking for any videos of the supposed drones in New Jersey and elsewhere, I was surprised to find that the overwhelming majority of the sightings seem to be clear, unambiguous and completely doubtless examples of civil and commercial aircraft.
This reminds me very much of the battle of Los Angeles, which was not actually a real battle but rather just an example of similar mass hysteria. We are seeing similar hallmarks to previous flying phenomena hysteria, including a mushrooming number of reports and increasing drama as more and more people are convinced that drones have crashed, are attacking or something else.
It’s far from certain, and there are a few cases that appear to be legitimate drone sightings, but a large number also appear to be civilian aircraft or other mistakes. At least some, thought perhaps not all reports are a case of panic.
If you have not been living under a rock, you are probably aware that people around New Jersey, and now elsewhere are up in arms over reported sightings of drones. Drone sightings are not at all unusual in the year 2024, but these include reports of drones over sensitive military facilities and critical infrastructure, such as reservoirs and power plants. These reports started coming in around November 13th and have gotten more and more extreme as time has gone on.
At present, a number of elected officials, such as mayors, the governor and police chiefs have voices concern. A great deal of drama is now under way, while officials are demanding answers from the FBI, military or others. Many are calling for the drones to be shot down.
The problem is we still don’t actually have any answers as to what is happening and the reports are fragmented and inconsistent. With time, confusion has only increased and primary evidence of documentation has been lacking.
Now similar reports are being made across the Northeast. At first it was claimed that the drones were “spreading to New York.” Now they claim to have been seen across the Northeast and the US in general.
Here is what seems to have been reported:
It has been reported that the drones are only out at night, reportedly appearing at dusk and not being seen during the day.
Many of the drones have lights on them, in some cases the lights are strobes or other standard hazard and navigational lights.
There have been reports of bright lights and drones that are highly visible and not trying to be stealthy.
The drones have been reported over restricted areas, such as Trump-owned property, military installations and airports.
Air traffic, including a medical helicopter have had to be diverted due to concerns over drone collisions.
Their origin, flight paths and landing locations remains elusive.
There are unconfirmed reports of drones switching off lights or otherwise trying to hide when pursued.
Many have claimed that the drones are enormous in size, frequently described as the size of an SUV or larger.
Reports imply the same drones remain in the sky for hours and travel great distances.
It should be noted that such large and capable drones do exist and are available for purchase. The reports of drones “The size of an SUV” or “8 feet in diameter,” if true, do imply that these are not consumer drones, but rather larger, higher capacity drones. Such drones do exist and are used in agriculture, surveying and other professional pursuits. It’s also possible that a large experimental drone could be constructed by hobbyists, as parts and supplies to build large drones do exist.
So just how bad is ransomware and cyber security in general? To get an impression, lets look at the past week. Just over the past 7 days, there have been over a dozen major ransomware attacks, though a few have not been well reported in the news media. The fact is, we have fallen for a kind of creeping normality. It’s not normal and it should not be considered a routine thing to see this happen.
Many do not realize this, but Donald Trump largely won the election because of cyber security failings by the current administration. Don’t believe me? Cyber security losses are a huge factor in inflation and have caused a massive economic problem, which has decimated healthcare and cost billions to government agencies, all while financing Hamas and the war in Ukraine.
These macroscopic problems may not seem to be linked to cyber security losses, but they are. While politicians like to pretend it is a minor, specialized issue, the fact is that cyber losses are now decimating business and hurting the monetary supply. They are a huge factor in why American businesses are failing and why it is harder than ever to compete. The pain that Americans feel at the gas pump, when they get their pay check, pay for insurance and the problems in the world are not 100% caused by poor management of cyber risks, but that is part of it.
The biggest problem, as I have stated before, is that we simply cannot improve things until the insurance sector cleans up its act. The moral crisis we now are seeing is caused primarily by the insurance sector, which has made the decision that it is fine to lose money on cyber security and it’s fine to raise rates. They’ve created a monster, and that monster can’t be kept at bay until regulators wise up and recognize that insurance must be held accountable for the disgusting and despicable conduct of cyber security underwriters.
Understanding and Preventing Zero Day And Other Software Supply Chain Attacks
This is the second post in the series, intended to help better understand how third party risks can be managed, and addressing the problem of misinformation from high raking sources. Because of the pervasiveness of the myth that third party risks are unmanageable, primarily due to the insistence by insurance executives that “Well I don’t understand it, and therefore it can’t be done.” But because of this toxic insistence, it is necessary to break things down and provide detailed supporting information.
In this post, we will look at zero days and unpatched vulnerabilities as a type of exposure to third party risk. Zero days are similar to supply chain attacks, and many of the same methods for controlling zero days apply to supply chain attacks as well. MOVEit is an example of a zero day attack, which caused massive damage to the US and global economy. It illustrates exactly how these attacks work.
In some ways, it was the kind of systemic attack that insurers are constantly complaining about. However, it also illustrates all the ways the damage could have been prevented. MOVEit was bad, but it was also tragic, because so much of the loss could have been prevented, if we had our act together on this.
Due to the length of this detailed topic, it will be broken into multiple parts. One of the reasons this post is so long is the extreme entrenchment of incorrect views, and therefore, a need to provide detailed explanations of why they are wrong.
Of course, this is not the case, in the finite and artificial world of cyber security, no risk is insurmountable and all can be understood. Third party risks come from the fact that so many organizations are dependent on various third parties, such as vendors and contractors. Even clients and customers can be a third party risk, because some organizations rely on a relatively limited number of clients.
In this video-accompanied post, I will do my best to provide detailed information to refute this dangerous and deeply entrenched idea.
Lets be clear on something, this is not new or unique to cyber: There is nothing new or novel about this concept at all. Some policyholders have always been dependent on a limited number of vendors or service providers. Even in the years before cyber security, a major failing of the power grid, as happened in 2003 and 1977, can cause widespread loss across a large area. A single storm can impact a huge area, or a bad hurricane season can bring devastating storms to a large area. That’s what a systemic risk is.
However, in cyber security, all systemic risks can easily be detected ahead of time, if we care to look. They’re artificial, based on the relationships we choose to have and the artificial, man-made, engineered systems we use with the human-created, anthropogenic, artificial, man-made, ARTIFICIAL RISKS. And therefore finite and easy to understand. It’s always easy to know your risks, when they are in engineered systems you own, right?
The moral failing of insurance that pays ransom regularly, makes no attempt not to, affirmatively disengages leaders and funds terrorism should be obvious, but many argue with me, stating that insurers are doing the best they can, have incomplete data, or that they are improving.
Unfortunately, they’re not. There have been a few small measures taken, mostly just in terms of wording changes. Not a dime has been invested in enforcement or compliance management.
To show how negligent these insurance companies have been, it’s important to take a look at the applications they have for cyber insurance. These applications represent all that these companies have, in terms of policy controls. It’s abundantly clear that no adult with any idea how any of this works wrote these. There is never any other enforcement. Even large clients do not receive independent assessments or audits. These “requirements” are not generally enforceable, do not create a call to action and, just plain won’t ever work. Money will continue to be lost until even the most minimal efforts to do otherwise are made.
Cyber insurance is considered a loss center (for some reason) and for this reason it gets zero investment and the underwriters who end up on this line are typically the lowest achievers. That’s truly the opposite of what is needed here.
These applications seem to be current, although some have not been updated in years. I do not think it is at all unreasonable to say that those who were responsible for writing the loss controls, for an insurance that paid extortion, to foreign hostile parties, should face some kind of criminal charges. This is not normal. This is not okay. It should not be normalized to have such clueless people, when professionals are avaliable.
Check out this PDF to get an idea of just how bad this situation is.
Because the artificial risk of cyber-attacks Is So controllable, Cyber Insurance can be a reliable cash cow, but it we must rethink what cyber risk is and what role cyber insurance plays. Doing so unlocks the door to billions of dollars in potential profits. Currently, nobody in the entire insurance sector knows how to do this and nobody does it properly.
The term for what we are living through is moral crisis.
Last year, the world lost hundreds of billions of dollars to cyber attacks and trillions were lost to the total economic impact of these attacks. The biggest problem is ransomware, but business email compromise, leading to fund transfer fraud and other types of account interception and social engineering fraud are also costing the economy billions. Every week, we hear about more police forces, hospitals, schools and critical institutions being attacked. Ransom is frequently paid. Lives have even been lost. It’s no longer possible to rely on your doctor, lawyer, police force or fire department to be there for you and not leak your private information.
And then we have cyber insurance, which keeps paying ransom and racking up losses, insisting that “cyber is just inherently high loss” or “cyber incidents are like earthquakes: unpredictable and unstoppable.” We see top ranking executives, even the likes of Warren Buffet saying that it is expected that cyber insurance will lose money. It will because cyber risks are just big risks and we don’t know how to control them. Also, we don’t have enough data, and perhaps in a few years we will be able to figure out how to price it.
As an expert in cyber security, ransomware especially, with an education in cyber security and over 20 years of experience, I cannot stress this enough: THIS IS INSANE!
Cybercrimes are just that: crimes. Like all crimes, they are human created and can be stopped. Cyber security is not some oddball unfigured-out kind of thing. It’s just bad guys breaking into our systems because we do not institute strong enough controls. The idea that cyber criminals are so much smarter than our best engineers is absurd. It’s the year 2024 and the US has the best technology in the world. None of this needs to happen. We could shut this down in a day, if there were proper experts involved.
There has been a massive misunderstanding of the nature of cyber risk by the insurance sector, and in doing so we have entrenches a monster which is sapping hundreds of billions of dollars out of the legitimate economy and is funding terrorism. The history of cyber insurance is a comedy of errors. There’s a reason no legitimate cyber risk experts should not have been consulted from day one, but there was a belief that cyber was simply a shiny object that could be monetized to appeal to the digital age. Insurers have been trying to sell cyber insurance without investing a dime in understanding it. They’ve simply broken something they don’t understand and now consider it a lost cause. This is absurd.
The truth is simple: If not for the fact that cyber insurance has come along and decided to encourage bad behavior, while funding crime, we would not have the ransomware problem we do. Our hospitals would be safe. Our schools would be safe. Our emergency services would not be targeted. The problem cannot currently be solved, because insurance companies stubbornly insist that they don’t want to, but are fine paying out ransoms.
