US senators seek federal response on security of critical infrastructure amid AI advancements

Two U.S. senators call upon the White House to provide updates on efforts to reduce artificial intelligence’s potential threat to the nation’s cyber infrastructure. As ‘cutting-edge’ AI models develop rapidly, the growth in generative AI (artificial intelligence) raises important questions about preserving software security and resilience.

Senators John Hickenlooper and Thom Tillis wrote a letter last week to acting National Cyber Director (NCD) Kemba Walden containing questions on how defenders of critical infrastructure leverage AI to secure their systems. Since the public release of accessible open-source large language models, the senators also ask if there has been any increase in cybercrime activity that can be attributed to these fine-tuned AI models. 

The senators also mention that the National Institute of Standards and Technology (NIST) released the AI Risk Management Framework providing comprehensive guidance for developing and deploying advanced AI systems safely. Also, the recently released “update to the National Cybersecurity Strategy outlines a whole-of-government approach to secure our critical infrastructure at home and disrupt would-be cyberattackers in their tracks,” they added.

“Cybersecurity professionals have a long history of using tools and techniques supported by AI to prevent, and respond to, malicious cyber activity. AI can help organizations produce key data insights to support network traffic analysis and intrusion detection operations,” according to the letter. 

Other use cases allow defenders to sift through unknown software to identify and remove malware or filter out phishing messages before they reach their intended targets, the letter said. “Protecting our nation’s cyber infrastructure requires leveraging all tools at our disposal, including applying AI techniques to improve cybersecurity defenses in organizations of all sizes and technical capacity.”

The senators flag that the advancements in generative AI have raised new cybersecurity opportunities for both defenders and attackers. “Frontier models are pushing the limits of computational power at scale and have the ability to process, translate between, and generate both natural languages and coding languages. Companies are already offering services to help individuals write code quickly and efficiently without introducing common vulnerabilities.” 

They added that “our country will benefit enormously from broadening the technical skills across our workforce by making software development more accessible and secure. However, bad actors can also leverage generative AI technology to accelerate their attempts to undermine established cybersecurity protections. As a result, attackers could profit by stealing money, data, and intellectual property from everyday Americans and the small businesses that power our economy.”

The senators are calling upon the Office of the National Cyber Director (ONCD) to respond regarding how defenders of critical infrastructure are utilizing AI to enhance the security of their systems. They also seek answers on how generative AI can help achieve the goals set out by the Cybersecurity and Infrastructure Security Administration (CISA) joint guidance for manufacturers to produce software that is secure-by-design and -default. They further look into how AI-enabled cybersecurity products and features make small businesses more resilient to cyberattacks.

Since the public release of accessible open-source large language models, the senators also sought a response on whether there has been an increase in cybercrime activity that can be attributed to fine-tuned AI models. 

They also ask for recommendations for private and public industries that may fall victim to adversarial AI-enabled cyberattacks. They also seek responses on how ONCD is tracking AI-enabled cyber attacks by foreign adversaries or non-state actors, and whether there are certain industries that are being targeted more than others. They also look into whether the ONCD is preparing any strategic plans for state and local governments to help prevent AI-enabled cyberattacks. 

Apart from addressing how the new National Cybersecurity Strategy addresses risks posed by these models, the senators also ask the ONCD to provide responses on whether additions or changes are needed to keep pace with this rapidly developing technology. They also look into how the National Cyber Workforce and Education Strategy will help build a cyber workforce capable of building and maintaining secure systems and what additional resources or policies will we need to achieve that goal. 

The senators also seek a response from the ONCD on the steps that developers can take during the training, testing, and deployment phases of a product’s lifecycle to prevent AI systems from facilitating attacks exploiting cybersecurity vulnerabilities. Furthermore, the letter addresses whether the federal government is developing partnerships with industry, academia, and state/local governments to ensure coordination on resilient cybersecurity defenses in the era of generative AI. 

In April, Subcommittee Chair Hickenlooper and Ranking Member Blackburn sent a letter to leading technology companies encouraging the implementation of the AI Risk Management Framework (AI RMF) published by the NIST. 

In June, Hickenlooper met with the chair of the Federal Trade Commission to discuss proper guardrails for artificial intelligence.

Forescout Technologies outlined in June how AI-assisted attacks are coming to target OT (operational technology) and unmanaged devices. The shift comes as hackers are exploiting publicly available proof-of-concept (PoCs), increasing the versatility and potentially the damage of existing malicious code, though it still takes some time and effort from threat actors. These developments demonstrate how generative AI can be used to improve productivity, while also being deployed for nefarious purposes.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.