Expert says AI is the top cybersecurity issue faced by retailers
When cybersecurity expert Jeff Greene was asked at NRF’s recent Retail Law Summit what should be at the top of the checklist for in-house attorneys in charge of cyber compliance this year, his answer was clear.
“It’s AI,” he said without hesitation. “It’s the No. 1 issue that companies face.”
Greene, an attorney who previously headed the cybersecurity division at the federal Cybersecurity and Infrastructure Security Agency and was chief of cyber response at the White House National Security Council during the Biden administration, is now co-founder of the security consulting firm Civira Partners. He was the keynote speaker during a session on security and threats to retail data moderated by NRF Chief Administrative Officer and General Counsel Stephanie Martz.
“There are so many angles to it,” Greene said of issues involving artificial intelligence that need to be addressed. “How you’re using it … how your vendors are using it, what they’re doing with your data, what your policies are.”
A key question, he said, is “has AI helped the attackers or the defenders?”
AI boosts attacks, defenses
AI has fixed the poor grammar that was once the hallmark of a phishing email trying to trick the recipient into clicking on a malicious link, Greene said. It has also led to “spear phishing,” which weaves in subjects like hobbies or favorite sports to make a phishing email look like it’s coming from someone the recipient knows. And it filters out people with the same name to be sure the message is reaching the right target.
On the other hand, the scale and speed that make it easy for AI to run a “brute force” attack to discover passwords also make it easy to use AI to block such attacks, he said. And with large companies facing more cyberattacks than any security center can handle, artificial intelligence is a “classic force multiplier” that can block millions of low-level attacks while identifying the handful of top-level incidents that need human attention.
Some things, however, stay the same.
“The basics we had to do before AI are still the basics we have to do now,” Greene said, ranging from employee training to multifactor authentication to firewalls and more. “AI is going to make that easier, but you still need to be involved.”
Martz said retail companies don’t hold data on critical infrastructure that might be sought by large-scale, nation-state attackers like China or Russia, but that they do hold sensitive customer data, intellectual property and competitive data. Greene said that means it is still important for retailers to use robust “cyber hygiene” to protect “insecure edge” devices and technology such as cell phones, routers and firewalls, along with other steps.
Greene said he is supportive of employee training on cybersecurity whether AI is involved in threats or not. Despite some studies that say training is only 10% effective, “that’s still a fairly significant dent,” especially considering that training requires a “fairly limited” investment of time and money, he said.
Retail legal departments should work closely with cybersecurity teams to place clear conditions on vendors and contractors, including bans on the use of personal devices and limiting the use of sensitive data to a controlled workspace, he said.
Whether it’s a phishing email or a ransomware attack, Greene said companies need to realize “almost all cyberattacks, whether from nation states or criminal gangs, rely on fear — it is as much psychology as it is technology.” He urges clients, “Don’t be afraid to look dumb” when faced with uncertain cybersecurity situations and to be sure to ask for help. Executives faced with an email saying, “You must pay this now!” need to have “the comfort level to question [that] and say, ‘Should we really be doing this?’”
The implications of AI in retail
As the government works to address cybersecurity, businesses should not expect an expansion of most areas of cybersecurity regulation under the Trump administration, Greene said. But they are likely to see less outreach from CISA, the government’s lead cybersecurity agency.
CISA has traditionally worked closely with the private sector, alerting retailers and other companies when the agency identifies a cyber threat that might affect them. But with one-third of its staff lost under cutbacks to the federal payroll, “CISA has lost capacity. There’s no way around that,” Greene said.
Nonetheless, “there are still a lot of very mission-focused, skilled people” at CISA and the new head of Greene’s former division is “very focused on security and security first,” he said.
Greene’s session was one of several at the Retail Law Summit that focused on the implications of artificial intelligence.
“This year in particular, it was so clear to us that AI and AI-related issues were really front and center for all of the lawyers who work in retail every day,” Martz said. There is a need “for lawyers to understand how to foster innovation” made possible by AI “but at the same time to be able to identify risk quickly and respond to it.”





