CISA, NCSC Offer a Road Map, Not Rules, in New Secure AI Guidelines

  /     /     /  
Publicated : 23/11/2024   Category : security


CISA, NCSC Offer a Road Map, Not Rules, in New Secure AI Guidelines


US and UK authorities issued new recommendations for companies that build and rely on AI, but they stop short of laying down the law.



On Sunday, the US Cybersecurity and Infrastructure Security Agency (CISA) and the UKs National Cyber Security Centre released new
Guidelines for Secure AI System Development
.
The Guidelines — co-sealed by 23 domestic and international cybersecurity organizations — build on ongoing
White House efforts to mitigate AI risk
and
the secure-by-design philosophy
. They provide an outline for building security into AI systems, but stop short of instituting any rules or regulations on the industry, in contrast to
the European Unions recent AI Act
. AI companies thus now have a guidebook to follow, or disregard, at their discretion.
The industry is finding a lot of innovative ways to adopt AI for good, but also in malicious ways, says Chris Hughes, chief security advisor at Endor Labs and cyber innovation fellow at CISA. This is a recognition that AI is here to stay, and weve got to try to get ahead of it, to avoid bolting security on later versus building it in now.
CISA and NCSC broke down their new guidelines into four primary sections.
The first section, on secure design, covers potential risks and threat modeling, as well as the potential trade-offs to consider in this initial design phase.
Secure development, section two, covers the AI development lifecycle, including concerns with supply chain security, documentation, and asset and technical debt management.
Next, the guidelines advise organizations how to deploy securely — avoiding compromise, implementing incident management, and so on.
The last section covers all things related to the operation and maintenance of AI-enabled technologies post-deployment, including monitoring, logging, updating, and information sharing.
Its not looking to recreate the wheel, Hughes explains. Instead, what jumped out to me is the continued dialogue CISA has been having around secure-by-design systems and software. Its continuing the trend, and putting the onus on software suppliers and vendors — something that was emphasized not just by CISA, but also the NCSC.
In June, the EU overwhelmingly passed the so-called AI Act, defining new laws aimed at trust and accountability for the AI industry.
By contrast, CISA and NCSC have merely provided recommendations for AI developers and the companies that rely on them.
This is just a guideline, just a recommendation. It uses the word should I think 51 times, Hughes emphasizes.
For this reason, he admits, theyre unlikely to have nearly as much impact as real regulation. As we know, security does have a cost to it — it can slow things down sometimes, or introduce friction. And when you have incentives like speed to market, and revenue, and things like that on the line, people tend to not do what theyre not required to do.
But whether thats a bad or good thing is up for debate. If you come at it from the perspective of security and privacy for consumers and citizens, theres an argument that regulation is better. Its forcing security, caution, governance, and safeguards for privacy and security. But at the same time, theres no denying that compliance and regulatory measures can be cumbersome and bureaucratic, and can kind of box out younger, disruptive companies, having an impact on innovation, Hughes adds. I hope that some software suppliers will take this and use it as a competitive differentiator.

Last News

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security

▸ Homeland Security Background Checks Breach Raises Concerns. ◂
Discovered: 23/12/2024
Category: security

▸ Fully committed to the future world of technology. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
CISA, NCSC Offer a Road Map, Not Rules, in New Secure AI Guidelines