CISA, NCSC Offer a Road Map, Not Rules, in New Secure AI Guidelines

The Guidelines - co-sealed by 23 domestic and international cybersecurity organizations - build on ongoing White House efforts to mitigate AI risk and the secure-by-design philosophy. They provide an outline for building security into AI systems, but stop short of instituting any rules or regulations on the industry, in contrast to the European Union's recent AI Act. AI companies thus now have a guidebook to follow, or disregard, at their discretion.

"The industry is finding a lot of innovative ways to adopt AI for good, but also in malicious ways," says Chris Hughes, chief security advisor at Endor Labs and cyber innovation fellow at CISA. "This is a recognition that AI is here to stay, and we've got to try to get ahead of it, to avoid bolting security on later versus building it in now."

New Guidelines for AI in US, UK

CISA and NCSC broke down their new guidelines into four primary sections. The first section, on secure design, covers potential risks and threat modeling, as well as the potential trade-offs to consider in this initial design phase. Secure development, section two, covers the AI development lifecycle, including concerns with supply chain security, documentation, and asset and technical debt management. Next, the guidelines advise organizations how to deploy securely - avoiding compromise, implementing incident management, and so on. The last section covers all things related to the operation and maintenance of AI-enabled technologies post-deployment, including monitoring, logging, updating, and information sharing.

"It's not looking to recreate the wheel," Hughes explains. Instead, "What jumped out to me is the continued dialogue CISA has been having around secure-by-design systems and software. It's continuing the trend, and putting the onus on software suppliers and vendors - something that was emphasized not just by CISA, but also the NCSC."

Regulation: A Lighter or Heavier Touch?

In June, the EU overwhelmingly passed the so-called "AI Act," defining new laws aimed at trust and accountability for the AI industry. By contrast, CISA and NCSC have merely provided recommendations for AI developers and the companies that rely on them.

"This is just a guideline, just a recommendation. It uses the word 'should' I think 51 times," Hughes emphasizes. For this reason, he admits, they're unlikely to have nearly as much impact as real regulation. "As we know, security does have a cost to it - it can slow things down sometimes, or introduce friction. And when you have incentives like speed to market, and revenue, and things like that on the line, people tend to not do what they're not required to do."

Whether that's a bad or good thing is up for debate. "If you come at it from the perspective of security and privacy for consumers and citizens, there's an argument that regulation is better. It's forcing security, caution, governance, and safeguards for privacy and security. But at the same time, there's no denying that compliance and regulatory measures can be cumbersome and bureaucratic, and can kind of box out younger, disruptive companies, having an impact on innovation," Hughes adds. "I hope that some software suppliers will take this and use it as a competitive differentiator."

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000

