Michael S Barr: Deepfakes and the AI arms race in bank cybersecurity
Speech by Mr Michael S Barr, Vice Chair for Supervision of the Board of Governors of the Federal Reserve System, at the Federal Reserve Bank of New York, New York City, 17 April 2025.
The views expressed in this speech are those of the speaker and not the view of the BIS.
Thank you for the opportunity to speak to you today about artificial intelligence (AI) and cybersecurity. In the past, a skilled forger could pass a bad check by replicating a person's signature. Now, advances in AI can do much more damage by replicating a person's entire identity. This technology-known as deepfakes-has the potential to supercharge identity fraud. I've recently spoken about the importance of recognizing both the benefits and the risks of generative AI (Gen AI). Today, I'd like to focus more on the darker side of the technology-specifically how Gen AI has the potential to enable deepfake technology, and what we should be doing now to defend against this risk in finance.
Escalating Threat of Gen-AI Facilitated Cybercrime
Cybercrime is on the rise, and cybercriminals are increasingly turning to Gen AI to facilitate their crimes. Criminal tactics are becoming more sophisticated and available to a broader range of criminals. Estimates of direct and indirect costs of cyber incidents range from 1 to 10 percent of global GDP. Deepfake attacks have seen a twentyfold increase over the last three years.
Cybercrime with deepfakes involves the same cat and mouse game common to sophisticated criminal activity. Both cybercriminals and financial institutions are constantly trying to outdo each other. Criminals develop new attack methods, and companies respond with better defenses. Here, the same technological innovations that enable the bad actors can also help those fighting cybercrime. However, there is an asymmetry-the fraudsters can cast a wide net of approaches and target a wide number of victims, and they only need a small number to be successful. Their marginal cost is generally low, and individual failures matter little. Conversely, companies must undergo a rigorous review and testing process to mount effective cyber defenses and will thus be slower in developing their defenses. A single failure is very costly. As we consider this issue from a policy perspective, we need to take steps to make attacks less likely by raising the cost of the attack to the cybercriminals and lowering the costs of defense to financial institutions and law enforcement.