Security for AI: EU moves to protect AI
Welcome to the maiden edition of Cyberinfo with Dr. Ireti. Learn about the new AI Act, NIST 2.0, and growth opportunities in the cybersecurity industry.
There’s no shortage of things to discuss in cybersecurity, but arguably the most eye-catching one is the novel Artificial Intelligence (AI) Act the European Parliament released in March 2023.
A short background story about the AI Act
Organizations use AI tools to improve their security landscape through advanced threat detection and the containment of “never seen before” (or zero-day) attacks in double-quick time.
The AI growth, however, isn't without hiccups. The first concern is that AI tools are a double-edged sword. While organizations rightly use AI tools for protection, cybercriminals also use them to create malicious software and fine-tune their social engineering craft. A prime example is the “AI call” (technically called vishing) that triggered the MGM Resorts breach in September 2023.
Besides the MGM breach, concerns about data privacy and ethics with AI tools are growing. The uneasiness reached a new zenith in March 2024, when the CTO of OpenAI (the company responsible for ChatGPT) refused to clarify the source of “publicly available data” used to train Soria, OpenAI’s new text-to-video technology.
Mira Murati (OpenAI CTO) was unwilling to state the “publicly available data” source used to train Soria. Watch the conversation here:
Previously, in March 2023, ChatGPT infamously allowed unauthorized users to view the conversations of others. Sam Altman (OpenAI CEO) attributed the security lapse to a “bug in an open source library.” Both scenarios involving OpenAI highlight the security and privacy issues with AI tools.
Given these documented issues, AI isn't just for security; it must also be secured. The dying need for security set the scene for the new AI Act in the European Union (EU).
Security for AI: EU makes the first move
The Act is a first-of-its-kind legal framework to improve the safety and fundamental rights of people and businesses using AI in the EU. The EU says the new regulation follows a risk-based approach in which AI monitoring depends on the criticality of the industry of use. The layman's interpretation is that the AI tools used in critical infrastructure, like the transport sector, require strict adherence to the EU’s predetermined rules.
The EU AI Office believes the new regulation will create an environment where AI technologies respect human dignity, rights, and trust. Although the Act was launched in March 2023, it'll likely become official in May or June.
Quote of the month
Recently, CyBlack asked cyber friends to share a random cybersecurity fact on their X (formerly Twitter) handle. That fun activity birthed this quote, which perfectly explains the mindset of social engineers (and cybercriminals in general).
“Thinking is the enemy of a social engineer. The aim of the social engineer is to make you take a decision without thinking. The more you think about the actions you want to take the more likely you’ll realise you’re being manipulated.”
NIST 2.0 is out and it’s for all organizations
For the first time in a decade, the National Institute of Standards and Technology (NIST) updated its Cybersecurity Framework (CSF) in February 2024.
The Framework Core in the old release had five functions (Identify, Protect, Detect, Respond, and Recover), providing a high-level approach to risk management in an organization.
However, the latest version (NIST CSF 2.0) introduced Govern into the CSF core besides the five functions. “Govern” explains how organizations develop the appropriate risk management strategy tailored to their context, the communication and monitoring of the established risk policy, and its expected outcomes.
Here’s how NIST explains the new Govern Function in NIST CSF 2.0:
The Learning Corner (TLC)
Cybersecurity is a hard nut to crack, but I plan to make it as easy as flipping a switch. TLC is the arena for free resources to boost your cybersecurity journey.
For April, check out the Commonwealth Bank project that provides a hands-on approach to analyzing cyber trends and incidents. Join the project here.
Lastly, join Cyber Bracketology for a fun way to learn about cybersecurity here.