The White House’s National Cybersecurity Strategy Implementation Plan, released July 13, is a bold step toward building trust in today’s software-defined and AI-driven world. Americans deserve the full benefits and potential of a secure digital future. The key to realizing this potential is public policy with concrete implementation, like the Biden administration action, to address vulnerabilities in our nation’s infrastructure.
We live in a world that depends on software and artificial intelligence for virtually every aspect of our lives, a trend which will only continue along a hockey-stick growth curve. While these technologies have increased productivity and prosperity, many question whether they also have ushered in systemic vulnerabilities to our digitally defined lives.
Understanding and Mitigating Cybersecurity Threats
According to the World Economic Forum’s Global Risk Report 2023, the threat of widespread cybercrime and vulnerabilities in our digital ecosystem are among the most severe risks facing our businesses, governments, and people. And world leaders at last week’s NATO Summit warned that the malicious use of emerging and disruptive technologies in cyberspace could lead NATO to invoke Article 5 of the Washington Treaty, triggering a collective NATO response.
Moreover, a recent KPMG survey reports that cybersecurity risk is the top concern for people when it comes to potential risks posed by AI. While AI drives a multitude of transactions and decisions we make every day – from banking to web searches, to navigating traffic and securing our phones – the same KPMG survey indicated that only 24 percent of Americans say they trust AI.
A recent BlackBerry-commissioned survey of global IT decision makers found a similar trust gap. It revealed that the majority of IT leaders surveyed believe there will be a successful cyberattack enabled by Generative AI applications such as ChatGPT within the year. Researchers already have demonstrated how Generative AI applications can create malicious code. Other recent reports found that AI contributed to the 50 percent surge in phishing campaigns last year.
The Biden Administration has taken positive steps in this direction. The White House’s May 2021 Executive Order on Improving the Nation’s Cybersecurity set in motion efforts to enhance software supply chain security, promote Zero Trust cybersecurity solutions, and elevate cybersecurity standards for federal and critical infrastructure entities. NIST’s AI Risk Management Framework, released this January, focuses on improving how industry and government can incorporate trustworthiness into the design, development, use and evaluation of AI products, services and systems.
The April “secure-by-design” principles from the Cybersecurity and Infrastructure Security Agency (CISA) represent critical steps toward encouraging software manufacturers to consider addressing security threats and vulnerabilities throughout the full lifecycle of their products. And most recently, the White House’s National Cybersecurity Strategy Implementation Plan emphasizes the importance of “reward[ing] the owners and operators of critical infrastructure who invest in proactive measures to prevent and mitigate the effects of cyber incidents.”
Staying Ahead of An Ever-Changing Threat Landscape
But with the full scope and scale of cyberattacks against America ever-mounting and difficult to quantify, there is always more to be done to stay ahead of the ever-changing threat landscape. Additional actions policymakers and industry can take now to build a more resilient and secure digital ecosystem include:
— Leverage predictive AI as cybersecurity’s great equalizer. As the attack surface for cybersecurity threats grows at lightning speed, we are witnessing a rapid uptick in AI hearings this Congress as Members on both sides of the aisle seek to understand AI and how it can be used – both good and bad. Threat actors deploy tens of thousands of unique malicious samples per day, while using AI applications to create malicious code and more effectively hide their payloads. Predictive AI tools can automate risk mitigation and early detection. They are able to analyze vast amounts of information and behavior across multiple domains to proactively protect against threats – before they cause harm.
— Improve software supply chain security by improving U.S. government software security. Our government’s security, and the information it has on Americans, is paramount to the nation’s safety. Federal cybersecurity procurement decisions must consider the quality, security and resilience of products, and not default to lowest cost. Security of our nation’s federal agencies cannot be commoditized. The Biden Administration articulated this need for best-in-class cybersecurity in its June 2023 Cyber Priorities for the Fiscal Year 25 Budget, where the White House directed federal agencies to invest in “durable, long-term solutions that are secure by design.”
— Bolster public-private cybersecurity collaboration. In testimony before Congress earlier this year, CISA’s Director stated that “securing our nation’s critical infrastructure is a shared responsibility requiring not just a whole-of-government, but a whole-of-nation approach.” In many respects, this lack of shared public-private visibility drives America’s public and private shared vulnerability. CISA’s Joint Cyber Defense Collaborative (JCDC) could help bridge this gap, if strategically utilized to its full potential. Case in point: The Log4j vulnerability, which gave hackers the ability to remotely control millions of vulnerable machines. CISA leveraged JCDC public and private entities to act collaboratively to contain this vulnerability. More public-private collaboration – more often – is essential, including coordinated security risk assessments of critical supply chains and joint playbooks in the event of a large cyberattack.
Safeguarding the Future
In short, government is moving in the right direction with action-oriented cybersecurity policies like the new National Cybersecurity Implementation Plan and the drumbeat of bipartisan Congressional hearings on AI education – all of which should be commended. To further ensure that America is in the strongest position to protect the nation from malicious cyber actors, we should harness the power of predictive AI, prioritize best-in-class security in software procurement, and increase public-private collaboration around threat intel.
Marjorie Dickman is Chief Government Affairs and Public Policy Officer at BlackBerry, a global cybersecurity software and services company.