Anticipating AI-Driven Cyber Threats: A Guide for Cybersecurity Leaders
As business and tech professionals innovate and develop new applications, cybersecurity leaders face the challenge of anticipating and countering AI-driven threats.
AI’s impact on cybersecurity is significant and multifaceted. While AI is increasingly used to predict and mitigate cyberattacks, these applications are also vulnerable to threats. Cybercriminals can exploit the same automation, scale, and speed that make AI attractive. Though not yet mainstream, malicious use of AI is growing, with threats like generative adversarial networks, massive botnets, and automated DDoS attacks presenting new challenges that can adapt and learn to evade detection.
In this evolving landscape, critical questions arise: How can we defend AI systems from attacks? What forms will offensive AI take? What will threat actors’ AI models look like? When should we start pentesting AI, and why? As businesses and governments expand their AI capabilities, how will we protect the vast amounts of data they rely on?
These concerns have led both the US government and the European Union to prioritize cybersecurity in their regulatory frameworks. Although their approaches differ, both seek to develop guidelines and regulations to address the new risk landscape.
US AI Regulatory Approach
The US adopts a decentralized approach to AI regulation, highlighted by states like California developing their own legal guidelines. California’s influence is significant given its status as a tech hub. The US emphasizes innovation and self-regulation, focusing on responsible AI development and deployment through voluntary compliance and industry self-regulation.
For cybersecurity leaders, the US Executive Order mandates the National Institute of Standards and Technology (NIST) to develop standards for red team testing of AI systems. It also requires “the most powerful AI systems” to undergo penetration testing and share results with the government.
The EU’s AI Act
In contrast, the EU’s AI Act adopts a precautionary approach, integrating cybersecurity and data privacy from the outset with mandated standards and enforcement mechanisms. The AI Act requires high-risk AI systems to be designed with security by design and by default, ensuring accuracy, robustness, safety, and cybersecurity throughout their lifecycle. Compliance involves implementing state-of-the-art measures according to specific market segments or application scopes.
For cybersecurity leaders, this means conducting AI risk assessments and adhering to cybersecurity standards. Article 15 of the Act addresses measures to protect against attacks, including data poisoning and model manipulation.
Comparing the Approaches: Key Differences
| Feature | EU AI Act | US Approach |
|---|---|---|
| Overall philosophy | Precautionary, risk-based | Market-driven, innovation-focused |
| Regulations | Specific rules for ‘high-risk’ AI | Broad principles, sectoral guidelines |
| Data privacy | GDPR applies, strict user rights and transparency | No comprehensive federal law, patchwork of state regulations |
| Cybersecurity standards | Mandatory technical standards for high-risk AI | Voluntary best practices, industry standards encouraged |
| Enforcement | Fines, bans, and other sanctions for non-compliance | Agency investigations, potential trade restrictions |
| Transparency | Explainability requirements for high-risk AI | Limited requirements, focus on consumer protection |
| Accountability | Clear liability framework for harm caused by AI | Unclear liability, often falls on users or developers |
Implications for Cybersecurity Leaders
Despite the differing approaches, both the EU and US advocate for a risk-based approach. The overlap and interdependency between AI and cybersecurity necessitate that cybersecurity leaders develop comprehensive AI strategies to ensure privacy, security, and compliance. Key steps include:
- Identifying use cases where AI offers the most benefit.
- Assessing resources needed for successful AI implementation.
- Establishing governance frameworks for managing and securing data.
- Evaluating the impact of AI across the business, including on customers.
Keeping Pace with the AI Threat Landscape
As AI regulations evolve, the US and EU will play crucial roles in setting standards. The rapid pace of change suggests a move towards a global consensus on key challenges and threats. The EU’s GDPR has already influenced global laws, and similar alignment on AI regulations seems likely.
For cybersecurity leaders, staying informed about the technologies and architectures used in their organizations is vital. Over the coming months, the impact of US and EU regulations on AI applications and the evolving AI threat landscape will become clearer.
Ram Movva is the chairman and CEO of Securin Inc. Aviral Verma leads the Research and Threat Intelligence team at Securin.
Source: infoworld.com
