Errors From ChatGPT: Hallucinated Whoppers Rather Than Pedantic Subtleties

Herb Lin
Wednesday, May 31, 2023, 8:53 AM
ChatGPT is generating misinformation about Herb Lin. I should know—I’m Herb Lin.
OpenAI's ChatGPT was released in November 2022. (Alpha Photo, https://flic.kr/p/2obMJEP; CC BY-NC 2.0, https://creativecommons.org/licenses/by-nc/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

It has been widely reported that ChatGPT, a popular artificial intelligence chatbot, sometimes makes things up in response to user inquiries, and that these “hallucinations” (most people would call them lies or misinformation) can be misleading. But it wasn’t until I tried it for myself that I realized the magnitude of the problem. After all, it was possible that the misinformation was minor—perhaps not reliable enough for direct cutting and pasting into a document, but more or less correct. 

Alas, this was not the case. Below I present a direct transcript of my interactions with ChatGPT about a topic I know very well—my professional record as a specialist in cyber policy and security. I have annotated the transcript with my own comments.

Me:
what does herb lin believe about phishing

ChatGPT:
Herb Lin is a well-known cybersecurity expert and researcher who has written extensively on cybersecurity, cybercrime, and cyberwarfare. While I don't have access to his personal beliefs about phishing, I can provide some insights based on his work and public statements.

Based on his research and expertise, it is likely that Herb Lin recognizes phishing as a significant threat to individuals and organizations alike. Phishing attacks are one of the most common and effective methods used by cybercriminals to steal sensitive information, such as login credentials, financial information, and personal data.
In his work, Herb Lin has emphasized the importance of raising awareness about phishing and educating individuals and organizations about how to protect themselves from these types of attacks. He has advocated for the use of strong passwords, two-factor authentication, and other security measures to prevent phishing attacks.
Overall, it is safe to say that Herb Lin takes the issue of phishing seriously and recognizes its potential impact on individuals and organizations. He likely advocates for strong cybersecurity practices and awareness to help prevent and mitigate the impact of phishing attacks.

Me:
provide a reference for Lin's advocacy of strong passwords

ChatGPT:
I'm happy to help. Herb Lin has spoken extensively on the importance of strong passwords as a crucial cybersecurity measure. One example of this can be found in his 2016 testimony before the U.S. House of Representatives Committee on Science, Space, and Technology, where he stated the following:

"Many breaches occur due to the use of weak passwords or the reuse of passwords across multiple systems. Strong passwords that are unique to each system and that are changed frequently can significantly reduce the likelihood of successful breaches."

This statement highlights the importance of using strong passwords and avoiding password reuse as a way to mitigate the risk of cyberattacks. In his testimony, Lin emphasizes that strong passwords are a critical part of a comprehensive cybersecurity strategy that includes other measures such as two-factor authentication, encryption, and employee education and training.

Source: Lin, H. (2016). Statement of Dr. Herbert Lin, Senior Research Scholar for Cyber Policy and Security, Center for International Security and Cooperation, Stanford University. U.S. House of Representatives Committee on Science, Space, and Technology. Hearing on Cybersecurity: What the Federal Government Can Learn from the Private Sector. Washington, DC: Government Publishing Office.

Comment: I never testified to this committee. A hearing with this name did happen on Jan. 8, 2016. But no witness at the hearing mentioned password reuse or site-unique passwords. One witness’s written testimony mentioned the value of strong passwords.

Me:
what is herb lin known for
 
ChatGPT:
Herb Lin is a well-known and respected expert in cybersecurity, cyber policy, and cyber warfare. He has made significant contributions to the field through his research, writing, and advocacy.

Some of Herb Lin's notable accomplishments and contributions include:

Serving as the Chief Scientist for the Computer Science and Telecommunications Board at the National Research Council, where he conducted research on cybersecurity, cryptography, and privacy.

Authoring or co-authoring numerous publications and reports on cybersecurity, cyber warfare, and national security, including the book "Cyber Threats and Nuclear Weapons" and the report "Securing Cyberspace for the 44th Presidency."

Testifying before Congress on multiple occasions regarding cybersecurity issues and policies, including testifying before the Senate Select Committee on Intelligence and the House Committee on Science, Space, and Technology.

Comment: Although I have testified four times since coming to Stanford in 2015, I have never in my life testified to either of these committees. ChatGPT did not pick up any references to my real testimony.

Teaching cybersecurity and cyber policy at universities such as Stanford, UC Berkeley, and Johns Hopkins.

Comment: I have lectured on cybersecurity and policy at UC Berkeley, but never taught there. I never had a speaking engagement or teaching post of any sort at Hopkins.

Overall, Herb Lin is known for his expertise and leadership in the field of cybersecurity and for his efforts to advance cybersecurity policies and practices at the national level.
Me:
what does Lin believe about DEI issues

ChatGPT:
Herb Lin has been an advocate for diversity, equity, and inclusion (DEI) in the technology sector and the cybersecurity community. He has written and spoken about the importance of diversity in building a more robust and effective cybersecurity workforce.

Lin has emphasized that diversity in the cybersecurity workforce is critical to addressing the complex and evolving nature of cybersecurity threats. In a 2018 article, he wrote that "a diverse workforce helps us think about problems differently, come up with new solutions, and approach the world in a more nuanced way." He has also argued that a lack of diversity can lead to blind spots and groupthink, which can make it harder to identify and respond to cyber threats.

Comment: Though I believe this statement, and I would have happily said it, I never did. I never wrote an article in 2018 (or in any other year) that even touched on these points.

Lin has also called for greater inclusion of women, minorities, and underrepresented groups in the cybersecurity community. In a 2016 testimony before the Senate Select Committee on Intelligence, he emphasized the need to "recruit and retain a diverse workforce in cybersecurity" and called for greater efforts to reach out to underrepresented groups.

Comment: I never testified to this committee. The particular quoted phrase does not appear anywhere in a Google search. Also, I later asked for a citation for this alleged 2016 testimony—see below.

Overall, Herb Lin is a strong proponent of DEI in the technology and cybersecurity fields. He has emphasized that diversity and inclusion are critical to building a more effective and resilient cybersecurity workforce and to addressing the complex and evolving nature of cybersecurity threats.

Comment: I am, but I have never written or spoken about it. 

Me:
what is the 2018 article mentioned above

ChatGPT:
I apologize for any confusion in my previous response. As an AI language model, I do not have access to Herb Lin's entire body of work, and I did not provide a specific citation for the 2018 article in question.

Comment: Here ChatGPT implicitly acknowledges that there is no 2018 article, but only after being queried on it.

However, Herb Lin has written and spoken extensively about the importance of diversity, equity, and inclusion in the cybersecurity field, and he has emphasized the need to build a more diverse and inclusive workforce. One example of this can be found in a 2017 article he co-authored with Greg Shannon, titled "Why Diversity Matters in Cybersecurity."

In this article, Lin and Shannon argue that a lack of diversity in the cybersecurity field can lead to blind spots and groupthink, which can make it harder to identify and respond to cyber threats. They emphasize the need for greater diversity in the cybersecurity workforce, including more women, minorities, and individuals with non-traditional backgrounds.

The article also highlights some of the challenges in achieving greater diversity in cybersecurity, such as unconscious bias and a lack of awareness about career opportunities in the field. Lin and Shannon call for greater efforts to address these challenges and to build a more diverse and inclusive cybersecurity community.

Source: Lin, H., & Shannon, G. (2017). Why Diversity Matters in Cybersecurity. IEEE Security & Privacy, 15(6), 6-9.

Comment: This article is entirely fictional, and it does not exist. IEEE Security & Privacy is a real journal, with a genuine web presence, and it is possible to look up the table of contents for Volume 15, Number 6, pages 6-9. The result is that at the referenced pages there is no article at all! Nowhere in the table of contents for Volume 15 does the word “diversity” occur. Moreover, I have never collaborated on a written work with Greg Shannon, though I have been connected to him on LinkedIn for many years.

Me:
what is the citation for the 2016 testimony

ChatGPT:
Herb Lin testified before the Senate Select Committee on Intelligence in 2016 on the topic of cybersecurity threats to America's infrastructure. During his testimony, he also addressed the issue of diversity in the cybersecurity workforce and the need to recruit and retain a more diverse set of cybersecurity professionals.
The citation for Herb Lin's testimony is as follows:
Lin, H. S. (2016). Statement for the Record, Worldwide Cyber Threats to America's Critical Infrastructure (S. Hrg. 114-804). Senate Select Committee on Intelligence, United States Senate, 9 February 2016.

Comment: On Feb. 9, 2016, the Senate Select Committee on Intelligence did conduct a hearing on “Current and Projected National Security Threats to the United States.” The witnesses were James Clapper, then-director of national intelligence, who was accompanied by John Brennan (Director, Central Intelligence Agency); Lt. Gen. Vincent Stewart (Director, Defense Intelligence Agency); James Comey (Director, Federal Bureau of Investigation); and Adm. Michael Rogers (Director, National Security Agency). Clapper did present a document entitled “Worldwide Threat Assessment of the US Intelligence Community,” and this document did mention cyber. Sen. Roy Blunt (R.-Mo.) did ask a question for the record about the cyber workforce: “With regard to science, technology, engineering, and mathematics (STEM) disciplines, what are we doing to identify and nurture STEM talent earlier and attract those people to the IC in general, and to the NSA in particular?”

But nowhere in the hearing transcript does the word “diversity” appear. A Google search reveals no mention of the word sequence “Worldwide Cyber Threats to America's Critical Infrastructure,” let alone anything written by me with that title. And needless to say, I did not testify at this hearing. Note also that S. Hrg. 114-804 does refer to a real Senate hearing—one on “Exploring Current Practices in Cosmetic Development and Safety,” on Sept. 22, 2016, for the Senate Committee on Health, Education, Labor, and Pensions. 

It is anyone’s guess as to how ChatGPT generated the entirely fictitious title “Worldwide Cyber Threats to America’s Critical Infrastructure,” but it is obviously some conflation of my own work and the Senate Intelligence Committee’s hearing materials and transcript.

I find this short exercise with ChatGPT quite alarming. Everything that ChatGPT says about me is plausible at least to some extent. Indeed, it correctly attributes my views on password security and DEI regarding the cyber workforce. It did so well that I had to ask myself, “Wait a moment—did I ever testify as it reported?” Even though it came close enough to hitting the mark that I had to check, the bottom line is I never said or wrote any of those things, and yet it completely made up references to papers it said I had written and to testimony it said I had given. 

 If even I had a bit of trouble determining if ChatGPT was making accurate statements about me, what would anyone else have thought? Anyone, even people with some familiarity with my work, could have read the ChatGPT transcript and believed it in its entirety, because it’s entirely plausible. The made-up citations add tremendously to the transcript’s credibility. To identify the falsehoods in the transcript, someone would have had to have a reason to request a citation, and then to track down the actual citation online (to discover it was made up). 

Are the errors that ChatGPT makes generally small ones? No. It’s not like ChatGPT got the year wrong for an article I wrote. Rather, it made up things from whole cloth. Those aren’t small errors—those are whoppers.

None of this is to argue that students or other people should never use ChatGPT. I’d be happy to use what ChatGPT attributes to me as a starting point for a paper that I would write (although I’m sure I could say it better than it does). If I ever write a paper about the need for diversity in cybersecurity, I’ll be sure to use ChatGPT’sresponses as one point of departure. But for claims that so-and-so wrote X or said Y, we will all need to develop a “by default” skeptical attitude toward specific factual claims made by ChatGPT.

Good luck to us all in the brave new world. 


Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

Subscribe to Lawfare