Light Dark
May 30, 2024 By Jonathan Reed 3 min read
News

Last year, Executive Order 14110 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence) stated that “Artificial intelligence (AI) holds extraordinary potential for both promise and peril.” In response to this reality, the United States Department of Homeland Security (DHS) recently released guidelines to help critical infrastructure owners and operators develop AI security and safety.

The DHS guidelines stem from insights gained from CISA’s cross-sector analysis of AI risk assessments completed by Sector Risk Management Agencies (SRMAs) and relevant independent regulatory agencies. DHS drew upon this analysis, as well as input from existing U.S. government policy, to develop specific safety and security guidelines to mitigate AI risks to critical infrastructure.

“Based on CISA’s expertise as National Coordinator for critical infrastructure security and resilience, DHS’ Guidelines are the agency’s first-of-its-kind cross-sector analysis of AI-specific risks to critical infrastructure sectors and will serve as a key tool to help owners and operators mitigate AI risk,” said CISA Director Jen Easterly in a statement.

Cross-sector AI security threats

The guidelines in the DHS document highlight three categories of system-level AI risk, which CISA developed in its cross-sector AI risk analysis. The categories include:

  1. Attacks using AI: Refers to the use of AI to automate, enhance, plan or scale physical or cyberattacks against critical infrastructure. Common attack vectors include AI-enabled cyber compromises, automated physical attacks and AI-enabled social engineering.
  2. Attacks targeting AI systems: Focuses on attacks that target AI systems supporting critical infrastructure. Common attack vectors include adversarial manipulation of AI algorithms, evasion attacks and interruption of service attacks.
  3. Failures in AI design and implementation: Refers to problems in the planning, structure, implementation, execution or maintenance of an AI tool or system. This can lead to malfunctions or other unintended consequences that affect critical infrastructure operations. Common failures include autonomy, brittleness and inscrutability.
Learn more on AI cybersecurity

The DHS guidelines’ four core functions

The new DHS guidelines also incorporate the NIST AI Risk Management Framework (AI RMF), including four key functions that help organizations address the risks of AI systems:

  • Govern: This function supports setting up policies, processes and procedures to anticipate, identify and manage the benefits and risks of AI during the entire AI lifecycle. It follows a “secure by design” philosophy, prioritizing safety and security when building organizational structures.
  • Map: This establishes a foundational context to evaluate and mitigate AI risks. This includes an inventory of all current or proposed AI use cases. Mapping begins with documenting context-specific and sector-specific AI risks, including attacks using AI, attacks on AI and AI design and implementation failures.
  • Measure: Refers to repeatable methods and metrics for measuring and monitoring AI risks and impacts. Critical infrastructure can develop its own context-specific testing, evaluation, verification and validation (TEVV) processes to inform usage and AI risk management decisions. Measuring should include continuous testing of AI systems for errors or vulnerabilities, including both cybersecurity and compliance vulnerabilities.
  • Manage: Defines risk management controls and best practices to increase the benefits of AI systems while decreasing the likelihood of harm. This mandates regularly allocating resources and applying mitigations, as outlined by governing processes, to mapped and measured AI risks.

Strengthening AI cybersecurity

In a flurry of activity to establish national AI cybersecurity solutions, the new DHS AI guidelines coincide with CISA being named the National Coordinator for Critical Infrastructure Security and Resilience.

Furthermore, the DHS has recently named a new Artificial Intelligence Safety and Security Board. The Board will develop AI security recommendations for critical infrastructure organizations such as transportation, pipeline and power grid operators and internet service providers. Meanwhile, the NIST GenAI program aims to create generative AI benchmarks to address the sticky issue of whether content is human- or AI-generated.

All these efforts are crucial as the nation fortifies its cyber defenses in the age of AI.

 |  |  |  |  | 
Jonathan Reed
Freelance Technology Writer

More from News
September 4, 2024

3,000 “ghost accounts” on GitHub spreading malware

3 min read - In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts. A highly effective malware campaign Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that…

August 30, 2024

Warren Buffett’s warning highlights growing risk of cyber insurance losses

3 min read - The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: While 2021 saw a 34% jump in premium pricing and costs rose 15% in 2022, increases were under 1% in 2023.As noted by the Fitch Ratings report, "segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward." While this is good news for…

August 28, 2024

New CISA guidance for organizations adopting Single Sign-On

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a comprehensive study of various small and medium-sized businesses to help identify common challenges and opportunities associated with Single Sign-On (SSO) adoption. SSO has garnered considerable chatter across several industries, especially regarding its ability to improve security while extending a certain level of convenience to employees using this protocol. However, it hasn’t yet been widely adopted as a best practice standard. Some businesses rave about SSO's security benefits, while others are…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature