Guidelines For AI Systems Development

Uploaded on 2023-12-08 in TECHNOLOGY-Key Areas-Artificial Intelligence, FREE TO VIEW

On 26th November, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) jointly released Guidelines for Secure AI System Development. 

These guidelines mark the direction that the industry and its regulators are moving toward and reflect a best practice that entities within the AI supply chain should adhere to, for the benefit and protection of the end user.

However, for a lot of entities in the space, this is going to mean increased workload to implement Secure Design, Development, and Deployment practices into their workflows.

Fresh Challenges For Developers

Ensuring best practice often involves changing the way we work, which is always a challenge in an already rapidly evolving space. That’s why it is vital to establish a tone at the top to ensure the message of “Security First” permeates the teams that are responsible for developing AI systems. Once the tone is set, and there is sufficient awareness, it is time to implement best practice into the development lifecycle. Begin by assessing the risks associated with AI models used compared to the minimum functionality that is required for the application. This is a key step that likely represents a shift in the current mindset for many developers.

Enabling transparency, a characteristic encouraged by the CISA and NCSC alike, is also key. This means sharing information on known vulnerabilities – and general risks associated with the use of AI – for the benefit of the entire industry and its users. This information might take the form of SBOMs or internal policies governing the manner in which vulnerabilities should be disclosed. Consider the technical knowledge of many end-users of AI applications: there is a need to tailor the language appropriately to the audience to ensure they can make well-informed decisions about how they interact and input data into AI applications.

Supply Chain Challenges 

It is also worth noting that the AI supply chain can be very complex, and delineating who is responsible for what becomes increasingly unclear when white-labelled AI services are used to create a product that end users will input sensitive information into. The guidelines suggest all entities within the supply chain of an AI application should assess the risks arising from their specific activities and mitigate them. Where such risks cannot be effectively mitigated by an entity in the supply chain, that entity should inform users further down the supply chain of the residual risk that they are going to be shouldering as a result and advise them on how to use their component of the end product in a secure manner.

Relieving The Burden On Users

As with all best practice guidelines, there is an end-goal in sight. As stated by the NCSC and CISA, these guidelines reflect a further opportunity to shift the burden of insecure development practices away from the end user. Doing so ultimately increases trust in the industry. Given there is still a large portion of the population that is hesitant or sceptical about AI, increasing confidence and dispelling myths by way of secure development and radical transparency will serve to benefit the industry as a whole.

The guidelines also acknowledge that the types of sensitive information that AI supply chains are becoming the custodians of will increase their value as a target for a malicious attack.

Adopting guidelines like these is an opportunity to start bolstering the defences against such attacks, by ensuring AI products are Secure by Default. The cost of not doing so being significant loss of revenue and reputational damage, and potential harm to the end users of such systems.

Where Next For Government Oversight?

These guidelines are the first of their kind, and definitely won’t be the last. Whether your view of an “AI-enabled” future is Utopian or Dystopian, it’s not unreasonable to think AI tools will become an everyday part of our economy and society in future.

As of right now, AI tools and techniques are something of black box to the vast majority of the population. Combine this with the rate of growth in AI this year alone, and it’s clear that there is a responsibility on the part of global regulators to implement requirements that AI companies must adhere to in order to protect the end user and enable them to make informed decisions about how they interact with AI tools.

Over time as more regulatory frameworks are created around AI, it should result in an ecosystem that protects consumers while also allowing AI to continue growing and yielding benefits to end users in a controlled manner.

Martin Davies is Audit Alliance Manager at Drata 

Image: Mohamed_hassan

You Might Also Read:

Bletchley Declaration On Artificial Intelligence Gets International Support:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Unified Patient Data Platform For British Healthcare
USA & Britain Accuse Russia Of Hacking »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ASIS International

ASIS International

ASIS International is a global community of security practitioners with a role in the protection of assets - people, property, and/or information.

Pervade Software

Pervade Software

Pervade Software is a global provider of dedicated compliance tracking software with monitoring & reporting capabilities.

BlueVoyant

BlueVoyant

BlueVoyant helps organizations to meet increasingly sophisticated cyber attack techniques head-on with real-time threat intelligence and managed security services.

Proficio

Proficio

Proficio is a world-class Managed Security Service Provider providing managed detection and response solutions, 24×7 security monitoring and advanced data breach prevention services worldwide.

TCDI

TCDI

TCDI specializes in computer forensics, eDiscovery and cybersecurity services.

Riddle&Code

Riddle&Code

Riddle&Code is a product-led services company specializing in onboarding industries to Web3. The team's mission is to provide a trusted connection between the digital and physical worlds.

AttackIQ

AttackIQ

AttackIQ delivers continuous validation of your enterprise security program so you can strengthen your security posture and your response capabilities.

Global Cyber Security Capacity Centre (GCSCC) - Oxford University

Global Cyber Security Capacity Centre (GCSCC) - Oxford University

GCSCC's work is focused on developing a framework for understanding what works, what doesn’t work and why – across all areas of cybersecurity capacity.

Magna5

Magna5

Magna5 is a managed IT service provider focusing in network and server monitoring, backup and disaster recovery, cybersecurity, help desk and SD-WAN.

Ipstack

Ipstack

Ipstack offers one of the leading IP to geolocation APIs and global IP database services worldwide. Protect your site and web application by detecting proxies, crawlers or tor users at first glance.

Secrutiny

Secrutiny

Scrutiny's core services include Cyber Maturity, Cyber Risk Analyser, Cyber Controls, Incident Response, SOC, Cyber Recovery and Assurance Testing.

McAfee

McAfee

McAfee is a worldwide leader in online protection. We’re focused on protecting people, not devices. Our solutions adapt to our customers’ needs and empower them to confidently experience life online.

Mobilicom

Mobilicom

Mobilicom is an end-to-end provider of cybersecurity and smart solutions for drones, robotics & autonomous platforms.

Cycurion

Cycurion

Cycurion is a global leading provider of Network Communications and Information Technology Security Solutions.

Zyber 365

Zyber 365

Zyber 365 are providing a robust, decentralized, and cyber-secured operating system which adheres to the fundamental principles of environmental sustainability.

Arsen Cybersecurity

Arsen Cybersecurity

Arsen is a French cybersecurity startup, dedicated to enhancing human behaviors in cybersecurity.