Federal Cyber Chief Advises Government Agencies to Exercise Caution with AI Implementation
In the realm of federal agencies and government departments, the prospect of utilizing generative artificial intelligence (AI) holds immense promise, with over 1,000 potential use cases identified. However, the U.S. government’s chief of cybersecurity is resolute in advocating for a cautious and measured approach to the adoption of this groundbreaking technology, placing a premium on addressing the associated risks effectively.
Generative AI tools, such as OpenAI’s ChatGPT and Google’s Bard, have garnered substantial attention from both private companies and government bodies for their extraordinary capabilities in sifting through vast datasets and providing conversational responses. Yet, like any technological advancement under government scrutiny, Chris DeRusha, the Federal Chief Information Security Officer at the Office of Management and Budget, stressed the need for circumspection. Speaking at a cybersecurity and risk managers conference hosted by the FAIR Institute, he emphasized the importance of comprehending and mitigating the risks inherent in AI, with the development of federal policies and risk assessment parameters on the horizon.
DeRusha underscored that a federal policy governing the use of generative AI is expected to be released this fall, along with an executive order. He added, “That process is being run out of the West Wing chief of staff’s office, so that’s everything you need to know about priority.”
Federal agencies have drafted numerous proposals for deploying generative AI and other AI forms. For instance, the Department of Energy envisions using AI to create user-friendly interfaces that bridge the gap between its extensive databases and its workforce. Meanwhile, the Department of Homeland Security, home to the Cybersecurity and Infrastructure Security Agency, aims to leverage AI in managing cybersecurity alerts.
To ensure the secure implementation of AI systems, agencies must possess a comprehensive understanding of the data used to train these systems. They must also conduct rigorous security testing to identify vulnerabilities and establish a robust protocol for reporting and addressing any vulnerabilities, as emphasized by Eric Goldstein, the Executive Assistant Director for Cybersecurity at CISA.
In the corporate landscape, cybersecurity executives confront similar challenges. The rapid proliferation of generative AI tools is introducing risks at a pace that often outstrips companies’ ability to adapt. The accessibility of many of these tools for experimentation outside the domain of cybersecurity departments compounds the challenge. Recognizing and managing these risks is pivotal in maximizing the effectiveness of AI tools, according to technology and cybersecurity leaders.
Kurt John, the Chief Security Officer at Expedia Group, expressed his desire to harness generative AI for interpreting data from various sources to gain insights into cybersecurity trends, both within and outside the online travel company.
Beyond vulnerabilities within AI-generated systems, organizations must also grapple with new risks, particularly the potential for cyberattacks targeting networks to compromise AI models or the data they rely on. John stressed the importance of considering the consequences of AI making erroneous decisions.
DeRusha called upon corporate security chiefs to view cybersecurity risks not in isolation but as part of a collective effort to enhance security. He encouraged Chief Information Security Officers to share vulnerabilities they identify, as addressing similar issues elsewhere can collectively bolster the security of companies and government agencies. He emphasized, “We together are managing the nation’s risk.”