Cybersecurity blind spot: AI’s inherent vulnerabilities

 


Artificial intelligence systems’ need for access to many large datasets often doesn’t align with current cybersecurity fundamentals and implementations.

Cybersecurity is commonly regarded as the biggest strategic challenge confronting the United States. Recent headlines only confirm this trend, as every day seems to bring with it the announcement of a new vulnerability, hack or breach. Since 2013, the U.S. intelligence community has ranked cybersecurity as the No. 1 threat facing the nation in each of its annual global threat assessments. Only in 2021 at the height of a global pandemic did cybersecurity lose its top spot.

However, there is one major fault with the commonly accepted wisdom about cybersecurity: It has a blind spot. 

More specifically, traditional cybersecurity measures all too frequently fail to account for data science methodologies and the vulnerabilities that are unique to artificial intelligence systems. The policies being developed and deployed to secure software systems do not account for data science activities and the AI systems they give rise to, namely the user’s or system’s need for access to many large datasets in a manner that often doesn’t align with current cybersecurity fundamentals and implementations. This means that just as emerging technologies like AI and data analytics are gaining traction -- motivating policy after policy championing their benefits -- today’s software security practices are fundamentally blind to the challenges they create. This is because the new technologies require and receive unfettered access to the underlying data and rely on trusted, high-quality data to ensure the resulting algorithms and data science products are accurate.

We cannot simultaneously have both more AI and more security -- at least not without significantly adjusting how we approach securing software and data.

The Biden administration’s recently released Executive Order on Improving the Nation’s Cybersecurity is an ambitious and thoughtful attempt at addressing this paradox. However, it contains significant gaps that mirror the ways in which data science’s impact on cybersecurity is often overlooked. Ultimately, we need to help the right hand of cybersecurity develop a better understanding of what the left hand of data science is doing.

Embracing zero trust 

How can agencies maintain security in an environment plagued by threat actors? One prominent answer is to embrace a zero trust model -- a concept at the heart of the executive order -- which requires assuming breaches in nearly all scenarios.

Exactly what this means in practice is clear in the environment of traditional software and controls: implementing risk-based access controls, ensuring that least-privilege access is implemented by default and embedding resiliency requirements into network architectures to minimize single points of failure.

However, the problem is that none of this accounts for data science, which requires continuous access to data. It’s rare that data scientists even know all the data required at the beginning of any one analytics project. Instead, they frequently require access to all the available data to deliver a model that sufficiently solves the problem at hand.

So how does zero trust fit into this environment, where users building AI systems actively require access to voluminous amounts of data? The simple answer is that it does not. The more complicated answer is that zero trust works for applications and production-ready AI models but not for training AI.

A new kind of supply chain

The idea that software systems suffer from a supply chain issue is also common wisdom. These systems are complex, and it can be easy to hide or obscure vulnerabilities within this complexity. This is, at least in part, why the executive order so forcefully emphasizes the importance of supply chain management, both the physical hardware and the software running on it. 

However, the problem is again one of mismatch. Efforts focused on software security do not apply to data science environments, which are predicated on access to data that in turn forms the foundation for AI code. Whereas humans painstakingly program software line-by-line in traditional systems, AI is largely “programmed” by the data it is trained upon, creating new cybersecurity vulnerabilities and challenges.

What, then, can be done about these types of security issues? The answer, like so many other things in the world of AI, is to focus on the data. Knowing where the data came from, how it has been accessed and by whom and tracking access in real-time are the only long-term ways to monitor for and address these evolving vulnerabilities. To ensure that both software and AI are secure, organizations must add efforts to track data to the already complicated supply chain.
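One way to picture the tracking described above, as an added example that is not part of the original article: a hash-chained ledger that records a dataset's source, every read (who, why, and the hash of what was read), and flags both data drift and after-the-fact edits to the log. The class name, dataset name, users and bucket URL are hypothetical, and the sample data is constructed.

```python
import hashlib
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class DatasetLedger:
    """Append-only, hash-chained provenance and access record for one dataset."""
    GENESIS = "0" * 64

    def __init__(self, name: str, source: str, content: bytes):
        self.entries = []
        self._append({"event": "registered", "dataset": name,
                      "source": source, "content_sha256": sha256(content)})

    def _append(self, record: dict) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = dict(record, seq=len(self.entries), prev_hash=prev)
        body["entry_hash"] = sha256(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)

    def record_access(self, user: str, purpose: str, content: bytes) -> None:
        """Log who read the data and why, with the hash of what they actually read."""
        self._append({"event": "access", "user": user, "purpose": purpose,
                      "content_sha256": sha256(content)})

    def verify(self) -> list:
        """Return findings: edited ledger entries and reads that differ from the source."""
        problems, prev = [], self.GENESIS
        baseline = self.entries[0]["content_sha256"]
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = sha256(json.dumps(body, sort_keys=True).encode())
            if e["prev_hash"] != prev or recomputed != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: ledger altered")
            if e["content_sha256"] != baseline:
                problems.append(f"entry {e['seq']}: data differs from registered "
                                f"source (read by {e.get('user')})")
            prev = e["entry_hash"]
        return problems

def demo():
    clean = b"id,label\n1,benign\n2,malicious\n"  # constructed sample training data
    ledger = DatasetLedger("traffic-labels", "s3://example-bucket/labels.csv", clean)
    ledger.record_access("alice", "train v1", clean)
    flipped = clean.replace(b"2,malicious", b"2,benign")  # one label changed upstream
    ledger.record_access("bob", "train v2", flipped)
    drift = ledger.verify()
    ledger.entries[1]["user"] = "mallory"  # someone rewrites the access history
    return drift, ledger.verify()

if __name__ == "__main__":
    for findings in demo():
        print(findings)
```

The chain only exposes in-place edits; detecting truncation or a wholesale rewrite requires anchoring the latest entry hash somewhere the training environment cannot modify.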

A new kind of scale -- and urgency

Perhaps most importantly, as AI becomes adopted more widely, I believe that cybersecurity vulnerabilities are likely to grow in proportion to a system’s underlying code base. As we move to a world in which data itself is the code, these vulnerabilities will scale in proportion to the data the AI system is trained upon, meaning threats will grow exponentially in proportion to the code required in the system. Based simply on the growing volume of data we generate as we deploy more AI, we are simultaneously creating an ever-expanding attack surface.

The good news is that this new AI-driven world will give rise to boundless opportunities for innovation. The intelligence community will know more about adversaries in as close to real time as possible. The armed forces will benefit from a new type of strategic intelligence, which will reshape battlefield boundaries and enhance their speed of response. However, this future is also likely to be afflicted with insecurities that are destined to grow at rates faster than human comprehension allows. 

To take cybersecurity seriously, agencies must understand and address how AI creates and exacerbates these vulnerabilities. The same goes for strategic investments in AI. The long-term success of the nation’s cybersecurity policies will rest on how accurately they apply to the world of AI. 
