Guidelines For AI Systems Development

On 26th November, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) jointly released Guidelines for Secure AI System Development. 

These guidelines mark the direction that the industry and its regulators are moving toward and reflect a best practice that entities within the AI supply chain should adhere to, for the benefit and protection of the end user.

However, for a lot of entities in the space, this is going to mean increased workload to implement Secure Design, Development, and Deployment practices into their workflows.

Fresh Challenges For Developers

Ensuring best practice often involves changing the way we work, which is always a challenge in an already rapidly evolving space. That’s why it is vital to establish a tone at the top to ensure the message of “Security First” permeates the teams that are responsible for developing AI systems. Once the tone is set, and there is sufficient awareness, it is time to implement best practice into the development lifecycle. Begin by assessing the risks associated with AI models used compared to the minimum functionality that is required for the application. This is a key step that likely represents a shift in the current mindset for many developers.

Enabling transparency, a characteristic encouraged by the CISA and NCSC alike, is also key. This means sharing information on known vulnerabilities – and general risks associated with the use of AI – for the benefit of the entire industry and its users. This information might take the form of SBOMs or internal policies governing the manner in which vulnerabilities should be disclosed. Consider the technical knowledge of many end-users of AI applications: there is a need to tailor the language appropriately to the audience to ensure they can make well-informed decisions about how they interact and input data into AI applications.

Supply Chain Challenges 

It is also worth noting that the AI supply chain can be very complex, and delineating who is responsible for what becomes increasingly unclear when white-labelled AI services are used to create a product that end users will input sensitive information into. The guidelines suggest all entities within the supply chain of an AI application should assess the risks arising from their specific activities and mitigate them. Where such risks cannot be effectively mitigated by an entity in the supply chain, that entity should inform users further down the supply chain of the residual risk that they are going to be shouldering as a result and advise them on how to use their component of the end product in a secure manner.

Relieving The Burden On Users

As with all best practice guidelines, there is an end-goal in sight. As stated by the NCSC and CISA, these guidelines reflect a further opportunity to shift the burden of insecure development practices away from the end user. Doing so ultimately increases trust in the industry. Given there is still a large portion of the population that is hesitant or sceptical about AI, increasing confidence and dispelling myths by way of secure development and radical transparency will serve to benefit the industry as a whole.

The guidelines also acknowledge that the types of sensitive information that AI supply chains are becoming the custodians of will increase their value as a target for a malicious attack.

Adopting guidelines like these is an opportunity to start bolstering the defences against such attacks, by ensuring AI products are Secure by Default. The cost of not doing so being significant loss of revenue and reputational damage, and potential harm to the end users of such systems.

Where Next For Government Oversight?

These guidelines are the first of their kind, and definitely won’t be the last. Whether your view of an “AI-enabled” future is Utopian or Dystopian, it’s not unreasonable to think AI tools will become an everyday part of our economy and society in future.

As of right now, AI tools and techniques are something of black box to the vast majority of the population. Combine this with the rate of growth in AI this year alone, and it’s clear that there is a responsibility on the part of global regulators to implement requirements that AI companies must adhere to in order to protect the end user and enable them to make informed decisions about how they interact with AI tools.

Over time as more regulatory frameworks are created around AI, it should result in an ecosystem that protects consumers while also allowing AI to continue growing and yielding benefits to end users in a controlled manner.

Martin Davies is Audit Alliance Manager at Drata 

Image: Mohamed_hassan

You Might Also Read:

Bletchley Declaration On Artificial Intelligence Gets International Support:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Unified Patient Data Platform For British Healthcare
USA & Britain Accuse Russia Of Hacking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

SolarWinds

SolarWinds

SolarWinds as a worldwide leader in solutions for network and IT service management, application performance, and managed services.

Advanced Software Products Group (ASPG)

Advanced Software Products Group (ASPG)

ASPG offers a wide range of innovative mainframe software solutions for Data Security, Access Management, System Management and CICS productivity.

Salient CRGT

Salient CRGT

Salient CRGT is a leading provider of health, data analytics, cloud, agile software development, mobility, cyber security, and infrastructure solutions.

Teramind

Teramind

Teramind provides a user-centric security approach to monitor employee behavior in order to identify suspicious activity, detect possible threats, monitor efficiency, and ensure industry compliance.

Statice

Statice

Statice develops state-of-the-art data privacy technology that helps companies double-down on data-driven innovation while safeguarding the privacy of individuals.

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

Telecommunications & Digital Government Regulatory Authority (TDRA) - UAE

TDRA focuses on regulating the telecommunications sector and enabling government entities in the field of smart transformation. It is responsible for the overall digital infrastructure in the UAE.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Venari Security

Venari Security

Venari is an award-winning cybersecurity SaaS provider that has developed an ETA (Encrypted Traffic Analysis) platform which fundamentally changes the way encrypted traffic is analysed.

Birch Cline Cybersecurity

Birch Cline Cybersecurity

Birch Cline specializes in helping Local Government and Education agencies, as well as mid-market organizations, build and maintain successful cybersecurity programs.

ThreatDefence

ThreatDefence

ThreatDefence provides innovative SIEM, SOC-as-a-Service, and proactive cyber defence solutions to MSP’s and Enterprises.

Techmentum

Techmentum

At Techmentum, our mission is to utilize technology to help companies succeed. Our expertise includes fully managed IT services, cybersecurity, cloud, and custom technology solutions.

Smarsh

Smarsh

Smarsh products are designed for user-friendly, efficient compliance. From archiving, supervision, and discovery to cybersecurity – Smarsh has you covered.

Eclypses

Eclypses

Eclypses has a disrupting cyber technology, offering organizations an advanced data security solution called MicroToken Exchange (MTE).

Cybersecurity Elastic Laboratory (CEL)

Cybersecurity Elastic Laboratory (CEL)

CEL specialize in providing top-tier services in vulnerability diagnosis and penetration testing, offering a comprehensive suite of solutions to mitigate cyber risks.

CyberMass

CyberMass

CyberMass provides Cyber Advisory/Consulting, Professional and Managed Services offering complete cybersecurity as a service protection to businesses.

Digital Technologies Group (DTG)

Digital Technologies Group (DTG)

DTG are a digital transformation company helping process organisations embrace smarter manufacturing through the adoption of industry 4.0 technologies and solutions.