The White House released its National Cybersecurity Strategy Implementation Plan this week, a multi-year plan for how the Biden administration plans to execute its cybersecurity strategy. Overall, both the strategy and the implementation plan reflect a cohesive effort to enhance cybersecurity in the United States. However, there is one glaring problem: the strategy is virtually silent on the impact that artificial intelligence (AI) will have on cybersecurity.
The National Cybersecurity Strategy, released in March 2023, describes the Biden administration’s vision for improving cybersecurity across the digital ecosystem. The strategy is aspirational and forward-looking, covering a plethora of issues, such as critical infrastructure, ransomware, cyber workforce, and secure supply chains, and it proposes closer collaboration and coordination between public and private sector stakeholders. But despite its comprehensive approach to cybersecurity, it scarcely mentions AI.
Indeed, there are only five mentions of AI in the entire 35-page strategy, and each of these is trivial. The first mention is used as an example of how “software and systems are growing more complex.” The second is in reference to other administration efforts to “secure next-generation technologies.” And the last three references are in the context of how “revolutionary change in our technology landscape” necessitates more investment in cybersecurity. In these latter cases, AI is just one of many technologies listed, including industrial control systems, cloud, encryption, data analytics, biotechnology, microelectronics, quantum computing, and clean energy technologies. Unfortunately, the implementation plan released this week overlooks AI even more. In its 57 pages of detailed initiatives, there is not a single mention of AI.
This omission is a gross oversight because AI should be at the forefront of the national cybersecurity strategy given all its potential uses. Not only are there immediate applications of AI tools, such as to better detect malware, network and system intrusions, and fraud, but there are also many emerging applications of generative AI that a national strategy should consider, such as using generative AI to write more secure code, scan for vulnerabilities, provide cybersecurity training, and automate workflows for cybersecurity professionals. While the private sector may pursue some of this on its own, such as commercializing some of these tools, the government should also have a substantial role in research funding and coordination, training dataset development, and threat monitoring.
In the short term, attackers are likely to quickly adopt AI tools for nefarious purposes. For example, cybercriminals have already begun selling tools like WormGPT, a ChatGPT clone tailored for conducting illegal online activities like writing malware or phishing campaigns. The silver lining is that while AI might make it easier to conduct attacks, it will also make it easier to defend against them. For example, OpenAI Codex, a version of OpenAI’s GPT-3 model that has been fine-tuned for writing code, can be used to scan and repair vulnerabilities in software code. Many organizations, especially ones that traditionally lack sufficient cybersecurity resources like small businesses, local governments, and public schools, are unlikely to move nearly as quickly as the attackers to boost their defenses against this new threat. It may not be possible to eliminate this window where attackers will likely have the advantage, but the government should at least try to minimize it.
Unfortunately, the Biden administration has been primarily focused on the risks of AI, and how to mitigate those risks, rather than on how to accelerate the adoption and deployment of this technology. Safe and secure AI is important, but at least equally important is using AI to make other IT systems as secure as possible. Given the growing importance of AI, the White House should issue an addendum to the National Cybersecurity Strategy before the end of the year outlining its vision, and the steps it plans to take, to use AI to improve cyber resilience.
Image credits: Midjourney