In recent developments, the global AI landscape has seen figures like Sam Altman taking on a prominent role, potentially influencing the regulatory aspects of AI development. This shift in focus towards regulatory capture has raised questions about the stance of organizations like OpenAI on open-sourced AI. However, this article goes beyond the realm of AI development to delve into the critical issues surrounding AI security and standardization.
In the rapidly evolving cyber threat environment, where automation and AI systems are at the forefront, it is crucial to emphasize the role of security automation capabilities. Consider the simple act of checking and responding to emails in today’s world, and you’ll uncover the intricate layers of AI and automation involved in securing this everyday activity.
Organizations of significant size and complexity are increasingly reliant on security automation systems to enforce their cybersecurity policies effectively. Yet, amidst this reliance on automation, there’s a crucial aspect often overlooked—the realm of cybersecurity “metapolicies.” These metapolicies encompass automated threat data exchange mechanisms, attribution conventions, and knowledge management systems. They collectively contribute to what is often termed “active defense” or “proactive cybersecurity.”
Surprisingly, national cybersecurity policies frequently lack explicit references to these metapolicies. They tend to be implicitly incorporated into national implementations through influence and imitation rather than formal or strategic deliberations.
These security automation metapolicies hold immense importance in the context of AI governance and security because AI systems, whether purely digital or cyber-physical, exist within the broader cybersecurity and strategic framework. Hence, the question arises whether retrofitting existing automation metapolicies is suitable for shaping the future of AI.
The need for unified cybersecurity metapolicies
One significant trend is the integration of security practices from the software-on-wheels domain into various complex automotive systems. This extends from fully digitized tanks, promising decreased crew size and increased lethality, to standards for automated fleet security management and drone transportation systems. This evolution has given rise to vehicle Security Operations Centers (SOCs) that operate along the lines of cybersecurity SOCs, utilizing similar data exchange mechanisms and security automation implementations. However, blindly retrofitting existing means into the emerging threat landscape is far from adequate.
For instance, most cybersecurity threat data exchanges rely on the Traffic Light Protocol (TLP), primarily serving as an information classification system. However, the execution of TLP and any encryption mechanisms to restrict distribution are often left to the discretion of security automation system designers. This highlights the need for finer controls over data sharing with automated systems and ensuring compliance.
Another example of inconsistent metapolicies can be seen in the recent proliferation of language generation systems and conversational AI agents. Not all conversational agents are large neural networks like ChatGPT; many have operated for decades as rule-based, task-specific language generation programs. Bridging the gap between legacy IT infrastructure and emerging AI automation paradigms presents challenges for organizations undergoing digital transformation.