In the cybersecurity ecosystem, there are always new developments that amplify risk. Technology advancements do much to build cyber preparedness and resilience, but they also bring new threats to the landscape. That’s where we are with cybersecurity for AI and quantum computing.
These hot topics are at such a high level that the federal government has made them a priority. AI’s role in cybersecurity is a more familiar topic, as we’ve already seen its impact as a tool for cyber professionals and hackers. Since its emergence, ChatGPT has been embraced for its benefits and denounced for its application in phishing and malware attacks.
Let’s review what the government agencies are saying and what it means for any cybersecurity team.
The Future of Cybersecurity for AI
The Cybersecurity and Infrastructure Security Agency (CISA) alerted AI software makers to build security into their systems from the beginning.
The proliferation of AI into applications that your employees use every day — automation, spam filtering, analysis, etc. — means the threat landscape has expanded.
This approach is already a practice in software development: DevSecOps, which emphasizes the need to be secure by design. Security should be part of the entire lifecycle. This aligns with guidance issued by CISA earlier this year.
As your organization adopts more AI across the enterprise, it has implications for your team and those you are combatting. Most technology is a double-edged sword: how it is applied determines whether it is good or bad.
The story about quantum computing is less known but equally important.
Government Groups Issue Directives and Publish Quantum Factsheet
In August, three government agencies delivered an urgent message about these concerns. They urged organizations to create a roadmap to prepare for quantum computers that are able to break encryption, one of the biggest shields we have against data breaches.
CISA, the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) published a quantum factsheet as a resource to help with migration to post-quantum cryptography.
At the heart of it is being proactive about developing capabilities to secure critical data and infrastructure so that cybercriminals cannot compromise them with quantum computers.
The key component to achieving this is to replace or update public-key algorithms currently used in encryption. To do this, the factsheet recommends:
- Creating an inventory of quantum-vulnerable technology and assets
- Discussing this roadmap with vendors and partners
- Examining supply chains and how they are dependent upon quantum-vulnerable technology
- Testing and integrating planning with vendors
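As an added illustration of the inventory step (this is not code from the factsheet or from this article), the sketch below classifies a constructed asset list by public-key algorithm family and groups the results by vendor, which gives a starting point for the vendor and supply-chain conversations listed above. The asset names, vendors, CSV columns and the `build_inventory` helper are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Public-key algorithm families that a large quantum computer could break
# (Shor's algorithm). Symmetric ciphers and hashes are not public-key
# algorithms, so they land in "other" rather than being flagged.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}

# Constructed sample inventory; names, vendors and columns are assumptions.
SAMPLE_INVENTORY = """asset,vendor,usage,algorithm
vpn-gateway,VendorA,key exchange,ECDH-P256
web-frontend,VendorB,TLS certificate,RSA-2048
code-signing,in-house,signature,ECDSA-P384
backup-store,VendorA,data at rest,AES-256
hr-portal,VendorC,TLS certificate,rsa-4096
legacy-app,VendorC,unknown,
"""

def family(algorithm):
    """Normalize 'rsa-4096' to 'RSA'; returns '' when nothing is recorded."""
    return algorithm.strip().upper().split("-")[0]

def build_inventory(csv_text):
    """Return {vendor: {"vulnerable": [...], "other": [...], "unknown": [...]}}."""
    report = defaultdict(lambda: {"vulnerable": [], "other": [], "unknown": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        fam = family(row["algorithm"] or "")
        if not fam:
            bucket = "unknown"      # no algorithm recorded: needs discovery
        elif fam in QUANTUM_VULNERABLE:
            bucket = "vulnerable"   # candidate for post-quantum migration
        else:
            bucket = "other"
        report[row["vendor"]][bucket].append(row["asset"])
    return dict(report)

if __name__ == "__main__":
    for vendor, buckets in sorted(build_inventory(SAMPLE_INVENTORY).items()):
        print(vendor, buckets)
```

Assets in the "unknown" bucket matter as much as the flagged ones: an inventory entry with no recorded algorithm is a gap to close before any migration plan can be trusted.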
Many cite this factsheet as a precursor to NIST’s expected publication of post-quantum cryptographic standards in 2024.
The current administration also released a national standards document in May.
Key Points from the National Standards Strategy for Critical and Emerging Technology
The standards publication highlights the areas where standards should apply, including AI, machine learning, infrastructure, and quantum information technology. It lists four objectives:
- Investing: Increasing R&D funding and supporting defined standards to address risk, security, and resilience.
- Participation: Fostering cooperation between private and public sectors by removing and preventing barriers to private sector participation in standards development, improving communication between stakeholders, and working with like-minded nations.
- Workforce: Investing in education and training professionals to carry out this work by empowering the new standards workforce and increasing opportunities; this objective is timely and needed due to the cybersecurity talent gap.
- Integrity and inclusion: Working with committed parties to promote integrity in global standards by deepening standards cooperation with allies to support governance and enabling broader representation in standards development.
What Do These New Threats and Guidance Mean for Organizations?
Those in the software industry aren’t the only ones who should heed this information. It applies to any company, big and small. Everyone’s a target, and most businesses use AI and encryption as cybersecurity tools.
These are very big-picture goals defined by the U.S. government, but they have context in what you’re doing as a cyber leader. Investments in standards and making them more accessible assist you in integrating them into your work. Improving opportunities and attracting more people to the field keeps the workforce growing, and we all benefit by being united against cybercrime.
Applying these to your cybersecurity framework isn’t something that happens overnight. The first thing to consider is the roots of your security culture and who is on your team. Are they ready and willing to adapt to new threats coming from AI and quantum computing? Can they shift their mindset to encompass all these dramatic changes?
As much as those in the field embrace and rely on technology, it always comes back to the people behind it. There is an emphasis on people in all the new government guidance and standards. It’s the best place to start to really achieve proactive cybersecurity.