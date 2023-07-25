



Late last week, we learned that the White House had secured commitments from seven big tech companies to adopt new voluntary artificial intelligence (AI) guidelines. As part of the effort, the companies said they would report both appropriate and inappropriate uses of AI technology. The announcement addressed a policy on bias and also showed a strong push for cybersecurity.

Here are five things security professionals should know about the newly announced voluntary initiative agreed to by the seven tech companies.

Publicly reported AI-powered cyberattacks have not increased significantly. There has been much discussion about using AI technology to aid in the development of malware or to assist adversaries in more sophisticated attacks. Despite this rhetoric, few public reports of this type of cyberattack have been made so far. There have been some reports of deepfake technology being used for misinformation and fraud, and these pose a more immediate threat than AI-based malware or cyberattacks. With this in mind, the specific cybersecurity concerns behind these policies may be speculative at this time and focused on future responses rather than present incidents.

AI companies must balance regulation and innovation. Companies operating in the AI market must ensure they meet the cybersecurity standards outlined by the government in the recently released guidelines. At the same time, governments must recognize that these guidelines may seem stifling to some organizations, especially companies that are unlikely to have the same cybersecurity controls that banks and other highly regulated sectors adhere to. Companies should give these organizational considerations priority so that the guidelines do not adversely affect the way development teams work.

Securing AI development must become a top priority. The "testing" methodology mentioned by the government in the release may address both the internal security of AI developers and the broader societal impact of the technology. A number of potential privacy issues arise from the use of AI technology, especially Large Language Models (LLMs) such as ChatGPT. On May 23, OpenAI disclosed a ChatGPT vulnerability that erroneously gave users access to other users' conversation titles. This has significant implications for the data security of everyone who uses these LLMs. More generally, governments may require AI companies to conduct risk assessments of social impact before releasing AI-enabled technology.

The industry cannot really guarantee that AI technology will only be used for defensive purposes. LLM providers appear to have implemented guardrails around prompt content from the early stages of development. This is already apparent to users who have requested information from public LLMs that an attacker could abuse. However, as with any computing system, there are always ways for attackers to circumvent these protections, and the classic cat-and-mouse game of identifying and remediating vulnerabilities ensues. Ensuring exclusively defensive use of such technology remains impossible.

AI companies need to raise public awareness about validating information that comes from the internet. LLMs often present incorrect information in an authoritative manner, a phenomenon known as hallucination. As a result, users of these LLMs assume the model has intimate knowledge of the subject matter, even when it is mistaken. LLM users should approach prompt results with a great deal of skepticism and verify them against alternative sources. Government guidance to users should emphasize this point until results are more reliable.

For voluntary schemes to work, they must create incentives for companies to sign up. This may take the form of a certificate evidencing compliance with the security and cybersecurity measures outlined by the government. Additionally, there must be a way for the public to know which companies are compliant and are considered trusted. At the same time, the guidelines should be proportionate to the risks and the scale of the business. For example, SMEs are unlikely to have the same resources as large companies, and guidelines sized for large firms could hinder innovation and competition. Any system must walk a tightrope: we do not want companies that participate in good faith to have to compromise on innovation.

That's why last Friday's meeting at the White House was a very good first step. Government and industry still have a lot of work to do to figure out the details.

James Campbell, Co-Founder and CEO, Cado Security

