Strengthen Software Supply Chain & Governance For Better AI System Cybersecurity

Uploaded on 2024-11-12 in TECHNOLOGY-Key Areas-Artificial Intelligence, FREE TO VIEW

As the range of AI solutions grows within a company so does the AI surface attack area, along with sophisticated AI tools for bad actors to use. Governments, regional legislators and the private sector are taking these threats seriously.

A few months ago at the Aspen Security Forum, a group of leading technology companies launched the Coalition for Secure AI (CoSAI) to address key AI security issues including software supply chain security for AI systems, preparing defenders for a changing security landscape and AI risk governance.

AI security is more important than ever, with the rise in hackers using AI to make their phishing emails and deep fake attacks more sophisticated. 

At the Black Hat security conference a few years ago, Singapore’s Government Technology Agency (GovTech) presented the results of an experiment in which a security team sent simulated spear phishing emails to internal users. More people clicked the links in the AI-generated phishing emails than in the human-written ones, by a significant margin. 

And earlier this year, a finance worker at a multinational firm was tricked into paying $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call.

As such, the launch of CoSAI is to be welcomed. As noted above, one of the key workstreams it will focus on is software supply chain security for AI systems.  The AI supply chain spans the entire lifecycle of AI systems, from data collection and model training to deployment and maintenance. Due to the complexity and interconnectedness of this ecosystem, vulnerabilities at any stage can affect the entire system. 

AI systems often depend on third-party libraries, frameworks, and components, which, while speeding up development, can introduce potential vulnerabilities. Therefore, it’s crucial to use automated tools to regularly check and address security issues related to these dependencies.

Additionally, the widespread availability of open-source large language models (LLMs) necessitates robust provenance tracking to verify the origin and integrity of models and datasets. Automated security tools should also be used to scan these models and datasets for vulnerabilities and malware. Relatedly, LLMs on-device can offer enhanced data security as compute is performed on the device without needing connection to the cloud.
When looking at closed source, the proprietary nature of the model may provide security through obscurity, making it challenging for malicious actors to exploit vulnerabilities. However, this also implies that identifying and addressing security issues might be a prolonged process. 

With open source, we have security gains from the collaborative efforts of the community. The scrutiny of many eyes on the code facilitates the swift detection and resolution of security vulnerabilities. Nevertheless, the public exposure of the code may reveal potential weaknesses.

CoSAI’s focus on is AI security governance is also timely. For example, this year, the National Institute of Science and Technology published a paper outlining four types of machine learning attacks. These include data poisoning, data abuse, privacy attacks, and evasion attacks against predictive and generative AI systems. 

And the EU’s AI Act also highlights the need for cybersecurity measures to prevent, detect, respond to, resolve and control for attacks trying to manipulate a training data set (data poisoning), or pre-trained components used in training (model poisoning), inputs designed to cause the AI model to make a mistake (adversarial examples or model evasion), and confidentiality attacks or model flaws.

Companies can share their expertise by participating in the regulatory process and through research conducted in cooperation with customers, partners, industry leadership associations and research institutions. Their mutual commitment to innovation requires that AI be secure.

The governance of AI security necessitates specialised resources to address the unique challenges and risks associated with AI. Developing a standard library for risk and control mapping helps in achieving consistent AI security practices across the industry.

Additionally, an AI security maturity assessment checklist and a standardised scoring mechanism would enable organisations to conduct self-assessments of their AI security measures. This process can provide customers with assurance about the security of AI products. This approach parallels the secure software development lifecycle (SDLC) practices already employed by organisations through software assurance maturity model (SAMM) assessments.

Products and solutions can then be used in applications that help organisations comply with HIPAA, PCI-DSS, and GDPR, FIPS-140 validation and Common Criteria on products. Organisations should be looking to leverage their technology partners’ AI enablers, software development kits, APIs and developer tools to build secure, scalable digital services with ease and speed. 

Technology companies can commit to developing secure AI solutions that improve worker productivity and edge deployment by integrating multiple layers of protection and focusing on security that is easy to deploy without hindering performance. 

Much like companies do for cybersecurity and other initiatives that require company-wide coordination, they should continue to evolve AI processes, principles, tools and training while ensuring consistency and compliance through an internal hub-and-spoke governance model. 

Srikrishna ShankavIvelinRadkovaram is  Principal Cyber Security Architect, CTO Office at Zebra Technologies

Image: IvelinRadkov

You Might Also Read:

GenAI Is The Biggest Cyber Security Risk:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« The Human Impact Of Ransomware In Healthcare
Empowering Employees To Prevent Data Leaks »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Information Security Research Group - University of South Wales

Information Security Research Group - University of South Wales

The Information Security Research Group has an international reputation in the areas of network security, computer forensics and threat analysis.

Copper Horse Solutions

Copper Horse Solutions

Copper Horse specialises in mobile and IoT security, engineering solutions throughout the product lifecycle from requirements to product security investigations.

Netteam

Netteam

Netteam designs, implements and services networking solutions for companies of all sizes.

Muninn

Muninn

At Muninn (aka Wehowsky), we specialize in mitigating potential risks within your network, providing one of the leading network detection and response (NDR) solutions on the market.

Pradeo

Pradeo

Pradeo Security offers a complete, automatic and seamless protection to mobile devices and applications, aligned with your organization security policy while preserving business agility.

Trapezoid

Trapezoid

Trapezoid is a cybersecurity company developing Firmware Integrity Management solutions designed to detect unauthorized changes to firmware & BIOS across the entire data center infrastructure.

Zecurion

Zecurion

Zecurion data loss prevention (DLP) solution is an easy-to-use solution for securing confidential data at rest and in motion.

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) undertakes cyber security research and plays a leading role in securing Pakistan’s Cyberspace.

Logic Supply

Logic Supply

Logic Supply is a global industrial PC company focused on hardware for the IoT edge. We design highly-configurable computers engineered for reliability.

HancomWITH

HancomWITH

Hancomwith is an information security company. We provide optimized blockchain solutions in areas including next-generation authentication, security and digital asset transaction.

Evolution Equity Partners

Evolution Equity Partners

Evolution Equity Partners is an international venture capital investor partnering with exceptional entrepreneurs to develop market leading cyber-security and enterprise software companies.

Norma Inc.

Norma Inc.

Norma provides the secured wireless environment (WiFi and Bluetooth) with the unauthorized AP detection, and secures your IoT assets from various threats.

Drawbridge

Drawbridge

Drawbridge is a premier provider of cybersecurity software and solutions to the alternative investment industry.

GM Sectec

GM Sectec

GM Sectec is the world's largest independent Cyber Defense and Fraud Prevention firm laser focused on payment security.

PyNet Labs

PyNet Labs

PyNet Labs is a Training Company serving corporates as well as individuals across the world with ever-changing IT and technology training.

Oz Forensics

Oz Forensics

Oz Forensics is a global leader in preventing biometric and deepfake fraud. It is a developer of facial Liveness detection for Antifraud Biometric Software with high expertise in the Fintech market.