SINGAPORE: A growing but often overlooked cyber risk is emerging as employees turn to unauthorised artificial intelligence (AI) tools to get work done.
“It used to be ‘shadow IT’. People want to get work done, so they install some software that they shouldn't and the company's at risk,” said DEF CON founder Jeff Moss on Wednesday (Apr 29).
“Now, people are installing AI agents … because of the pressure to perform. But what they don't realise a lot of times is, that data you're giving the system goes back up to the manufacturer and is used to train (AI models),” he told CNA’s Singapore Tonight programme.
He warned that this threat of “shadow AI” could expose sensitive corporate data, even as organisations focus on more traditional cyber threats.
Mr Moss was speaking on the second day of the inaugural DEF CON Singapore convention, which aims to grow the ethical hacking community by bringing together hackers and cybersecurity experts to test and challenge systems like police robots and drones.
Originally launched in the United States in 1993, DEF CON has become one of the world’s largest and most influential hacking conventions.
Singapore’s Home Team Science and Technology Agency (HTX) partnered with DEF CON to bring it to Southeast Asia for the first time. It was held alongside the Milipol TechX Summit 2026 at the Sands Expo and Convention Centre.
The Singapore debut drew about 3,000 participants, with around a quarter coming from across the region, including Australia, Vietnam, Thailand and the Philippines, said Mr Moss.
He said organisers were unsure what to expect from the local crowd, but were surprised by the mix.
“We were expecting maybe lots of students, but we also got a lot of career professionals,” he noted.
“It turns out they just had a great time getting their hands on the technology, tearing things apart and getting to play with things that they wouldn't normally have time for.”
CNA Games
Show More Show Less
The event featured “villages” dedicated to different sectors - including maritime and automotive cybersecurity - alongside competitions and hands-on demonstrations designed to expose participants to real-world vulnerabilities.
For example, at the Public Safety Village by HTX, participants attempted to hack an autonomous robotic dog’s network and disrupt communication between the robot and its control app.
Experts said such exposure is critical, especially in niche sectors where cybersecurity expertise remains scarce.
“There are not nearly enough competent maritime security professionals in the world,” said Mr Duncan Woodbury, executive director of the Maritime Hacking Village.
“There are many people who understand traditional enterprise, IT security, but very few people who understand what it really means to hack embedded maritime systems and operational technology.”
He added that this gap presents “a huge amount of opportunity” for those looking to enter the field.
Mr Yeo Lip Khoon, director of HTX’s xCybersecurity unit, said a person or group working on their own will not be able to learn everything due to the fast pace of AI and cybersecurity tech.
“So, it's always good for groups to come together, exchange ideas, cross-pollinate new ideas, and then discover new ways to do things (and) learn,” he added.
A key feature of DEF CON is its long-running “capture the flag” competitions, where teams of hackers attempt to attack and defend systems in a controlled environment.
Mr Moss said such exercises are essential for building real-world skills.
“You can't defend unless you understand how tech works. Your mind makes up these weird scenarios that aren't based on how the bad guys are operating. But if you participate in these, you can see: ‘No, they'll take this step. We have to defend this way’,” he pointed out.
While such cyber threats are global in nature, Mr Moss stressed that organisations need to pay closer attention to how employees are using AI tools informally.
He cited cases where companies inadvertently exposed confidential information by uploading internal documents to AI tools for tasks like translation.
“They're going to go the fastest path and shadow AI is, unfortunately, a new concern,” he said.
As AI adoption accelerates, Mr Moss said organisations must strike a balance between enabling productivity and safeguarding data - or risk creating new vulnerabilities from within.
Continue reading...
“It used to be ‘shadow IT’. People want to get work done, so they install some software that they shouldn't and the company's at risk,” said DEF CON founder Jeff Moss on Wednesday (Apr 29).
“Now, people are installing AI agents … because of the pressure to perform. But what they don't realise a lot of times is, that data you're giving the system goes back up to the manufacturer and is used to train (AI models),” he told CNA’s Singapore Tonight programme.
He warned that this threat of “shadow AI” could expose sensitive corporate data, even as organisations focus on more traditional cyber threats.
Mr Moss was speaking on the second day of the inaugural DEF CON Singapore convention, which aims to grow the ethical hacking community by bringing together hackers and cybersecurity experts to test and challenge systems like police robots and drones.
Originally launched in the United States in 1993, DEF CON has become one of the world’s largest and most influential hacking conventions.
Singapore’s Home Team Science and Technology Agency (HTX) partnered with DEF CON to bring it to Southeast Asia for the first time. It was held alongside the Milipol TechX Summit 2026 at the Sands Expo and Convention Centre.
The Singapore debut drew about 3,000 participants, with around a quarter coming from across the region, including Australia, Vietnam, Thailand and the Philippines, said Mr Moss.
He said organisers were unsure what to expect from the local crowd, but were surprised by the mix.
“We were expecting maybe lots of students, but we also got a lot of career professionals,” he noted.
“It turns out they just had a great time getting their hands on the technology, tearing things apart and getting to play with things that they wouldn't normally have time for.”
CNA Games
Show More Show Less
TALENT GAP
The event featured “villages” dedicated to different sectors - including maritime and automotive cybersecurity - alongside competitions and hands-on demonstrations designed to expose participants to real-world vulnerabilities.
For example, at the Public Safety Village by HTX, participants attempted to hack an autonomous robotic dog’s network and disrupt communication between the robot and its control app.
Experts said such exposure is critical, especially in niche sectors where cybersecurity expertise remains scarce.
“There are not nearly enough competent maritime security professionals in the world,” said Mr Duncan Woodbury, executive director of the Maritime Hacking Village.
“There are many people who understand traditional enterprise, IT security, but very few people who understand what it really means to hack embedded maritime systems and operational technology.”
He added that this gap presents “a huge amount of opportunity” for those looking to enter the field.
Mr Yeo Lip Khoon, director of HTX’s xCybersecurity unit, said a person or group working on their own will not be able to learn everything due to the fast pace of AI and cybersecurity tech.
“So, it's always good for groups to come together, exchange ideas, cross-pollinate new ideas, and then discover new ways to do things (and) learn,” he added.
Related:
ATTACK AND DEFEND
A key feature of DEF CON is its long-running “capture the flag” competitions, where teams of hackers attempt to attack and defend systems in a controlled environment.
Mr Moss said such exercises are essential for building real-world skills.
“You can't defend unless you understand how tech works. Your mind makes up these weird scenarios that aren't based on how the bad guys are operating. But if you participate in these, you can see: ‘No, they'll take this step. We have to defend this way’,” he pointed out.
While such cyber threats are global in nature, Mr Moss stressed that organisations need to pay closer attention to how employees are using AI tools informally.
He cited cases where companies inadvertently exposed confidential information by uploading internal documents to AI tools for tasks like translation.
“They're going to go the fastest path and shadow AI is, unfortunately, a new concern,” he said.
As AI adoption accelerates, Mr Moss said organisations must strike a balance between enabling productivity and safeguarding data - or risk creating new vulnerabilities from within.
Continue reading...