CISA AI Roadmap focuses on managing risk, harnessing opportunities posed by AI to cybersecurity

The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released its first Roadmap for Artificial Intelligence (AI), adding to the significant DHS and broader whole-of-government effort to ensure the secure development and implementation of AI capabilities. The AI roadmap builds on the agency’s cybersecurity and risk management programs. 

The AI roadmap document serves as a guide for the agency’s AI-related efforts, ensuring both internal coherence and alignment with the ‘whole-of-government’ AI strategy. “This roadmap incorporates key CISA-led actions as directed by Executive Order 14110, along with additional actions CISA is leading to promote AI security and support critical infrastructure owners and operators as they navigate the adoption of AI,” it added.

The roadmap includes CISA’s efforts to promote beneficial uses of AI to enhance cybersecurity capabilities and other aspects of CISA’s mission, protect the nation’s AI systems from cybersecurity threats, and deter malicious actors’ use of AI capabilities to threaten critical infrastructure. 

The roadmap assesses that the security challenges associated with AI parallel the cybersecurity challenges associated with previous generations of software that manufacturers did not build to be secure by design, putting the burden of security on the customer. “Although AI software systems might differ from traditional forms of software, fundamental security practices still apply,” CISA added.

Critically, manufacturers of AI systems must follow secure-by-design principles, taking ownership of security outcomes for customers, leading product development with radical transparency and accountability, and making secure-by-design a top business priority, according to the CISA AI Roadmap. As the use of AI grows and becomes increasingly incorporated into critical systems, security must be a core requirement and integral to AI system development from the outset and throughout its lifecycle. 

The CISA AI Roadmap release follows U.S. President Biden’s Executive Order that directed the DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the U.S. attract and retain skilled talent, among other missions. 

As part of that effort, CISA’s roadmap outlines five strategic lines of effort for CISA that will drive concrete initiatives and outline CISA’s responsible approach to AI in cybersecurity.

The CISA AI Roadmap charts five lines of effort: 

  • Line of Effort 1: Responsibly use AI to support its mission. CISA will adopt AI-enabled software tools to enhance cyber defense and bolster its critical infrastructure mission. By using AI, CISA is committed to ensuring responsible, ethical, and secure utilization in line with the Constitution and all relevant laws and policies. This includes adherence to federal procurement regulations, privacy protection, and upholding civil rights and liberties.
  • Line of Effort 2: Assess and assure AI systems. CISA will assess and assist secure by design, AI-based software adoption across various stakeholders, including federal civilian government agencies; private sector companies; and state, local, tribal, and territorial (SLTT) governments. Assurance will be established through developing best practices and guidance for secure and resilient AI development and implementation, including developing recommendations for red-teaming of generative AI.
  • Line of Effort 3: Protect critical infrastructure from malicious use of AI. CISA will assess and recommend mitigation of AI threats facing the nation’s critical infrastructure in partnership with other government agencies and industry partners that develop, test, and evaluate AI tools. As part of this effort, CISA will establish JCDC.AI to catalyze focused collaboration around threats, vulnerabilities, and mitigations related to AI systems.
  • Line of Effort 4: Collaborate and communicate on key AI efforts with the interagency, international partners, and the public. CISA will contribute to DHS-led and interagency efforts, including developing policy approaches for the U.S. government’s overall national strategy on cybersecurity and AI and supporting a whole-of-DHS approach on AI-based software policy issues. This also includes coordinating with international partners to advance global AI security best practices and principles. 
  • Line of Effort 5: Expand AI expertise in its workforce. CISA will continue to educate the workforce on AI software systems and techniques, and the agency will continue to actively recruit interns, fellows, and future employees with AI expertise. CISA will ensure that internal training reflects—and recruits understand—the legal, ethical, and policy aspects of AI-based software systems in addition to the technical aspects.

“The Biden-Harris Administration is committed to building a secure and resilient digital ecosystem that promotes innovation and technological progress,” Alejandro N. Mayorkas, secretary of Homeland Security, said in a media statement. “In last month’s Executive Order, the President called on DHS to promote the adoption of AI safety standards globally and help ensure the safe, secure, and responsible use and development of AI. CISA’s roadmap lays out the steps that the agency will take as part of our Department’s broader efforts to both leverage AI and mitigate its risks to our critical infrastructure and cyber defenses.”

“Artificial Intelligence holds immense promise in enhancing our nation’s cybersecurity, but as the most powerful technology of our lifetimes, it also presents enormous risks,” Jen Easterly, CISA director, assessed. “Our Roadmap for AI, focused at the nexus of AI, cyber defense, and critical infrastructure, sets forth an agency-wide plan to promote the beneficial uses of AI to enhance cybersecurity capabilities; ensure AI systems are protected from cyber-based threats; and deter the malicious use of AI capabilities to threaten the critical infrastructure Americans rely on every day.”

The CISA AI roadmap provides objectives for each line of effort that detail how CISA will accomplish these goals and measure its success. “We also include representative outcomes and a notional measurement approach for each line of effort. We are developing more specific measures of effectiveness, which will be defined in our annual operating plans. Of note, identifying appropriate measures of effectiveness and vice measurements of performance is challenging and will require an ongoing effort—with continuous refinements as needed—throughout the life of the plan,” it added.

On its role in securing AI, CISA pointed out that its September 2022 Strategic Plan 2023-2025 is designed to align with the evolving landscape of technology, including AI. Each of CISA’s four strategic goals – strategic defense, risk reduction and resilience, operational collaboration, and agency unification – is directly influenced by and relevant to the advancements in AI.

In conclusion, the CISA AI Roadmap identified that a ‘whole-of-government’ approach is needed to fully harness the benefits and mitigate the risks of AI. “Through the initiatives outlined in this roadmap, CISA strives toward our vision of a nation in which AI systems advance our nation’s cyber defense, where our critical infrastructure is resilient and protected from malicious use of AI, and where AI developers prioritize the security of their products as a core business requirement,” it added.

Earlier this month, the DHS, CISA, and the Federal Emergency Management Agency (FEMA) announced a ‘Shields Ready’ campaign to encourage the critical infrastructure community to focus on strengthening resilience. The campaign complements CISA’s Shields Up campaign, launched last February, and takes a comprehensive approach to preparing critical infrastructure for potential disruptions and enhancing resilience in systems, facilities, and processes.
