NSA and partners issue guidance for securing AI
The National Security Agency (NSA), UK National Cyber Security Centre (NCSC-UK), U.S Cybersecurity and Infrastructure Security Agency (CISA), and other partners have released “Guidelines for Secure AI System Development,” a Cybersecurity Information Sheet (CSI), NSA announced November 27.
The agencies are releasing the report to help developers, providers, and systems owners develop, deploy, and operate secure Artificial Intelligence (AI) systems, including those used in National Security Systems (NSS), by the Department of Defense (DoD), and by the Defense Industrial Base (DIB).
“We wish we could rewind time and bake security into the start of the internet. We have that opportunity today with AI. We need to seize the chance,” said Rob Joyce, NSA cybersecurity director.
According to the CSI, AI systems are subject to security vulnerabilities that need to be considered alongside standard cyber threats. For example, AI systems are vulnerable to “adversarial machine learning” (AML) attacks, which exploit fundamental vulnerabilities in machine learning (ML) systems, including hardware, software, workflows, and supply chains. Prompt injection and training data poisoning are examples of AML attacks that could enable malicious cyber actors to compromise an ML model’s classification or regression performance, perform unauthorized actions, or extract sensitive information.
The CSI indicates that secure by design principles are applicable to AI systems. Providers of AI components should implement security controls by design and default within their ML models, pipelines, and systems. Accordingly, the CSI focuses on four key areas of AI system development: secure design, secure development, secure deployment, and secure operation.
The UK National Cyber Security Centre (NCSC-UK) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) co-authored the CSI with NSA and other partners.
The authoring agencies advise that this CSI does not replace general cybersecurity best practices and risk management programs. Recommendations in the CSI should be considered in conjunction with established cybersecurity, risk management, and incident response best practices.
Your competitors read IC News each day. Shouldn’t you? Learn more about our subscription options, and keep up with every move in the IC contracting space.