Singapore ― SICW 2023 ― Generative artificial intelligence makers should take security into account as the latest technology could pose a significant threat worldwide, the head of the United States cybersecurity agency said Tuesday.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an updated guideline on software security on October 17, titled “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” Jen Easterly, the director of CISA, explained its key aspects for the first time during the 8th Singapore International Cyber Week (SICW) held at Marina Bay Sands Expo & Convention Centre the same day.
Easterly stressed to an international audience the importance of applying security practices to generative AI products, stating that AI is the “most powerful technology and the most powerful weapon” in the present era. This latest report seeks to mitigate the imminent threat posed by unsecured AI by recommending that fundamental security principles be applied to AI software systems and models. This statement expands on the recommendations made in the original report, released in April of this year in conjunction with the members of the intelligence-sharing alliance Five Eyes, Germany, and the Netherlands.
The head of CISA added that the new guideline aims to incorporate cyber responsibility at all levels. Easterly strongly criticized what she sees as current malpractice in the process of implementing cyber risk management: information security companies wrongly blaming and unfairly firing information technology workers for failures that are not their fault. “The days of delegating cyber risk to the infotech people, your chief information officer, your chief information security officer, and then firing the poor CISO when you have a breach, those days have to be over,” asserted the director. “Leaders have to embrace and manage cyber risks as good governance.”
Easterly commented on the role of the private sector, stating that its engagement is critical to the success of the efforts by the U.S. and its international partners to build a secure and resilient technology ecosystem for all. The latest document was published in conjunction with the Czech Republic, Israel, Singapore, Korea, Norway, Japan, and CSIRT’s American Network. The director noted that although CISA exists to protect the critical infrastructure that Americans rely upon, most entities responsible for cyber and infrastructure security are privately owned and operated companies. Hence, they play a critical role in building up the greater global cybersecurity ecosystem.
“If we don’t add value, be transparent, and be responsive to our private sector colleagues, we will inevitably fail in whatever mission we are trying to achieve,” said Easterly. “At the end of the day, the secure by design effort is not government versus tech. This is about how do we incentivize and catalyze a secure by design revolution with tech.”