New Program at U.S. NIST: Managing Cybersecurity and Privacy Risks in the Age of AI

Washington DC, September 19, 2024

The rapid proliferation of Artificial Intelligence (AI) promises significant value for industry, consumers, and broader society, but as with many technologies, new risks from these advancements in AI must be managed to realize it’s full potential. The NIST AI Risk Management Framework (AI RMF) was developed to manage the benefits and risks to individuals, organizations, and society associated with AI and covers a wide range of risk ranging from safety to lack of transparency and accountability. For those of us at NIST working in cybersecurity, privacy and AI, a key concern is how advancements in the broad adoption of AI may impact current cybersecurity and privacy risks, risk management approaches and how these risk management approaches relate to each other at the enterprise level.

With respect to privacy, AI creates new re-identification risks, not only because of its analytic power across disparate datasets, but also because of potential data leakage from model training. AI’s predictive capabilities could also reveal greater insights about people as well as amplify behavioral tracking and surveillance. On the positive side, the analytic scope and broad reach of AI could be used to power personal privacy assistants that could help people better manage their privacy preferences across their online activities.

AI will create new opportunities and challenges to cybersecurity such as AI enabled cyber threats, use of AI to improve cybersecurity tools and capabilities, and ensuring AI systems are protected from traditional and emerging cybersecurity threats. Using AI for improving cybersecurity threat hunting, for example, could increase detection rates but might also increase the number of false positives. As a result, cybersecurity practitioners and other personnel may need different cybersecurity skills, and highlights the importance of ensuring that any solution is explainable and interpretable. Furthermore, as business units across an organization incorporate AI technology in their solutions, there will be a need to better understand the dependencies on data across the organization. Those responsible for managing cybersecurity risks may need to reevaluate the relative importance of data assets, update data asset inventory, and account for new threats and risks. Finally, AI-enabled threats such as an adversaries use of an AI voice generator might require an organization to update yearly anti-phishing training.

All of this highlights the critical need for standards, guidelines, tools, and practices to improve the management of cybersecurity and privacy in the age of AI, ensure the responsible adoption of AI for cybersecurity and privacy protection purposes, and identify important actions organizations must take to adapt their defensive response to AI-enabled offensive techniques. To meet this need and ensure a sustained focus on these important topics, NIST is establishing a program for the cybersecurity and privacy of AI and the use of AI for cybersecurity and privacy.

The program will build on existing NIST expertise, research and publications such as:

The Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile (NIST SP 218A);
Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2);
Enabling privacy in the age of AI: Draft Guidelines for Evaluating Differential Privacy Guarantees (NIST SP 800-226);
Recent introduction of Security of AI as a Competency Area as part of the NICE Workforce Framework for Cybersecurity (NICE Framework);
Tools such as Dioptra – a test platform that aims to facilitate evaluations of machine learning algorithms, including cybersecurity, under a diverse set of conditions.
A PETs Testbed which provides the capability to investigate privacy-enhancing technologies (PETs) and their respective suitability for specific use cases, including protecting machine learning models from privacy attacks.

The program aims to understand how advancements in AI may affect cybersecurity and privacy risks, identify needed adaptations for existing frameworks and guidance, and fill gaps in existing resources. The program will work with stakeholders across industry, government, and academia, and will play a leading role in U.S. and international efforts to secure the AI ecosystem. The program will coordinate with other NIST programs, federal agencies, and commercial entities as needed to ensure a holistic approach to addressing AI-related cybersecurity and privacy challenges and opportunities.

This program working through the NCCOE is kicking off a project to develop a community profile to adapt existing frameworks, starting with the Cybersecurity Framework, as well as understanding impacts to other frameworks such as the Privacy Framework, the AI Risk Management Framework and NICE Framework. This effort builds on other community profiles developed for other use cases and technologies. The AI community profile will start with a focus on managing three sources of AI related cybersecurity and privacy risks:

Cybersecurity and privacy risks that arise from the use of AI by organizations, including securing AI systems, components, and machine learning infrastructures, and minimizing data leakage.
Determining how to defend against AI-enabled attacks.
Assisting organizations in the use of AI with their cyber defense activities and using AI to improve privacy protections.

We look forward to dialogue and collaboration on how to advance the program and help the cybersecurity and privacy community as they embrace the ubiquitous development and use of AI. Stay tuned tuned and visit the new program website for more information. Please send any feedback or questions to AICyber@nist.gov.

About the author

Katerina Megas

Kat leads the NIST Cybersecurity for the Internet of Things (IoT) Program at the US. National Institute of Standards and Technology (NIST), focused on advancing and accelerating the development and application of research, standards, guidelines, and technologies necessary to improve the security and privacy of ecosystem of connected devices. As the Program Manager she coordinates across the agency on all things related to cybersecurity of the IoT as well as leads a number of projects, including the NIST response on IoT for EO 13800, EO 14028 and the IoT Cybersecurity Improvement Act of 2020. Before joining NIST, Kat worked in the private sector for 25 years leading organizations in the development and execution of their IT strategies.

Check Your Wallet? How Mobile Driver’s Licenses are Changing Online Transactions

May 22, 2024

Can you recall the last time you opened a bank account? It’s likely you walked into a local bank branch and spoke to a representative who asked for your driver

Journey into the Immersive Frontier: Preliminary NIST Research on Cybersecurity and Privacy Standards for Immersive Technologies

January 11, 2024

Words like “metaverse” and “augmented reality” may conjure up thoughts of friends in headsets wielding virtual sabers or folks roaming the streets at night in

Picking Up the Framework’s Pace Internationally

October 10, 2019

Promoting international alignment and engaging with the international community has been an increasingly important focus for the Cybersecurity Framework effort.

Source – U.S. NIST

Cookie	Duration	Description
__stripe_mid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
_abck		This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
_wpfuuid		This cookie is used by the WPForms WordPress plugin. The cookie is used to allows the paid version of the plugin to connect entries by the same user and is used for some additional features like the Form Abandonment addon.
ASP.NET_SessionId		Issued by Microsoft's ASP.NET Application, this cookie stores session data during a user's website visit.
AWSALBCORS		This cookie is managed by Amazon Web Services and is used for load balancing.
bm_sz		This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor		This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID		Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_4L7PKQPHHV		This cookie is installed by Google Analytics.
_ga_T50H0MNN9J		This cookie is installed by Google Analytics.
_gat_gtag_UA_12289088_5		Set by Google to distinguish users.
_gcl_au		Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid		Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_mcid		No description available.
_swa_u		This cookie is set by the provider Sitewit.com. This cookie is used for statistical report and analysis.
ak_bmsc		No description available.
AWSALB		AWSALB is a cookie generated by the Application load balancer in the Amazon Web Services. It works slightly different from AWSELB.
ec_store_chameleon_font		No description available.
FCCDCF		No description available.
issuem_lp		No description available.
lp_us_his		No description
m		No description available.

New Program at U.S. NIST: Managing Cybersecurity and Privacy Risks in the Age of AI

About the author

Related posts

INSIGHT EU MONITORING