Thursday, December 21, 2023

Biden administration takes first step toward writing key AI standards

David Shepardson
Tue, December 19, 2023 


WASHINGTON (Reuters) - The Biden administration said on Tuesday it was taking the first step toward writing key standards and guidance for the safe deployment of generative artificial intelligence and how to test and safeguard systems.

The Commerce Department's National Institute of Standards and Technology (NIST) said it was seeking public input by Feb. 2 for conducting key testing crucial to ensuring the safety of AI systems.

Commerce Secretary Gina Raimondo said the effort was prompted by President Joe Biden's October executive order on AI and aimed at developing "industry standards around AI safety, security, and trust that will enable America to continue leading the world in the responsible development and use of this rapidly evolving technology."

The agency is developing guidelines for evaluating AI, facilitating development of standards and providing testing environments for evaluating AI systems. The request seeks input from AI companies and the public on generative AI risk management and reducing risks of AI-generated misinformation.

Generative AI - which can create text, photos and videos in response to open-ended prompts - in recent months has spurred excitement as well as fears it could make some jobs obsolete, upend elections and potentially overpower humans with catastrophic effects.

Biden's order directed agencies to set standards for that testing and address related chemical, biological, radiological, nuclear, and cybersecurity risks.

NIST is working on setting guidelines for testing, including where so-called "red-teaming" would be most beneficial for AI risk assessment and management and setting best practices for doing so.

External red-teaming has been used for years in cybersecurity to identify new risks, with the term referring to U.S. Cold War simulations where the enemy was termed the "red team."

In August, the first-ever U.S. public assessment "red-teaming" event was held during a major cybersecurity conference and organized by AI Village, SeedAI and Humane Intelligence.

Thousands of participants tried to see if they "could make the systems produce undesirable outputs or otherwise fail, with the goal of better understanding the risks that these systems present," the White House said.

The event "demonstrated how external red-teaming can be an effective tool to identify novel AI risks," it added.

(Reporting by David Shepardson; Editing by Jamie Freed)

A quiet cybersecurity revolution is touching every corner of the economy as U.S., allies ‘pull all the levers’ to face new threats

Eric Noonan
Wed, December 20, 2023


On Dec. 15, the Securities and Exchange Commission’s (SEC’s) expanded cybersecurity rules came into effect, requiring public companies to disclose incidents within four business days. That means headline-grabbing breaches–such as the one that affected all Okta customer support system users or the 23andMe hack that included the information of nearly 7 million customers–will have even greater consequences than whatever data was compromised. And the SEC rules are only the tip of the iceberg of changes to regulatory compliance.

With little fanfare and largely unnoticed by the press, institutional investors, or anyone else, the federal government is quietly directing a seismic shift in the economy by mandating stringent cybersecurity compliance across all 16 critical infrastructure sectors.

These sectors include well-known and highly regulated markets such as the defense industrial base, financial services, and energy–regulated by the Department of Defense (DoD), SEC, and Department of Energy (DoE), respectively. However, often overlooked are the subsectors beneath those 16 sectors, which essentially combine to comprise nearly every company and component of our economy, making nearly every business in scope for the emerging cybersecurity compliance regulations flowing down across the federal government at an increasingly rapid pace. The commercial facilities sector, for instance, consists of eight subsectors, including real estate, retail, sports leagues, and entertainment venues. There is no place to hide from cybersecurity regulation and mandatory minimum cybersecurity requirements.

A boon for the industry

While some argue government overreach, it’s clear why these regulations are coming fast and furious. Russia poses a tremendous cyber threat–it even breached the DoE–and intelligence officials have warned of potential threats from China.

This heightened cybersecurity revolution began last year with the White House’s executive order and unfolds as a movement that transcends borders. A dozen nations have aligned with the U.S. cybersecurity efforts, reflecting a collective endeavor toward a fortified global digital economy.

We’re heading toward a burgeoning market for cybersecurity compliance, with the ripple effects resonating through legal corridors as fraudulent cybersecurity claims come under the judicial scanner. Proper security controls will no longer be a choice, but a legal and economic imperative, marking a new epoch of digital resilience and a reinforced economic structure.

This is already required for DoD contractors through the Defense Federal Acquisition Regulation Supplement (DFARS), and soon the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. Within a few years, it’s likely government contractors outside of defense efforts will also be required to meet mandatory minimum cybersecurity requirements as a condition of being awarded any federal contract.

The executive order calls for mandatory baseline standards for all federal contractors to replace the patchwork of inconsistent and unenforced agency-specific policies that exist today. Individual departments and agencies are not waiting for that day to come and are furiously issuing their own regulatory requirements.

We’ve already seen the Transportation Security Administration (TSA) issue new requirements for airport and aircraft operators, the Department of Homeland Security (DHS) act to protect controlled unclassified information (CUI), the Environmental Protection Agency (EPA) aim to safeguard the water sector, and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Pulling all the levers

The government is pulling every regulatory lever available to quietly define and enforce mandatory cybersecurity minimums on the entire economy in the same way it mandates seatbelts, airbags, and other safety features in automobiles.

This addressable market expansion doesn’t stop at the border: Canada recently adopted CMMC for its defense industrial base, and Japan will also require government contractors to meet U.S. cybersecurity rules.

The pressure to meet mandatory cybersecurity minimums isn’t just about winning federal contracts. The Department of Justice is actively looking for fraud by using the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. Cases have begun piling up as whistleblower employees come forward to collect large rewards.

Last October, Pennsylvania State University was sued by a former chief information officer (CIO) for allegedly failing to safeguard CUI and falsifying security compliance reports. The case is ongoing, but there’s already precedent. Last July, Aerojet Rocketdyne agreed to pay $9 million to resolve a similar case. More than $2.2 billion was paid out in settlements and judgments in False Claims Act cases last year–and over $1.7 billion was related to the healthcare industry.

To further cement the government’s resolve to put teeth to these regulations, it has begun suing individual companies and employees for defrauding investors by misleading them about cyber vulnerabilities, as it did with SolarWinds and its former vice president of security, Tim Brown.

Every sector of the economy is under a transformative directive to fortify its digital defenses. Security posture has evolved from a superlative to a crucial factor that affects the bottom line. This isn’t just a policy change–it's a paradigm shift, making cybersecurity compliance a legal imperative because its implications are more far-reaching than ever before.

Eric Noonan served with the United States Marine Corps, Central Intelligence Agency, and is the CEO of CyberSheath.

The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.

This story was originally featured on Fortune.com
