Not one to be left behind and to go even farther than Isaac Asimov, The Biden Administration continued their work to “advance and govern the development and use of AI in accordance with eight guiding principles and priorities.” Previously, the administration had met with a number of companies and “Secured Voluntary Commitments from Leading Artificial Intelligence Companies to Manage the Risks Posed by AI.” As many may be dubious of the administration attempts at cybersecurity, the administration is taking major steps with a renewed vigor after the previous administrations dismissive attacks on cybersecurity. Just over 100 days after taking office, the administration was able to release a key executive order in May, 2021 on cybersecurity outlining their plan. As was the case in that plan, much of this is directed at the sprawling areas of government that are not already advanced enough in these areas. Given the potential concerns for misuses, more attention is paid in this EO to government misuse of the technology in national security and justice, but tends to steer clear of any major questions that might arise.

The three key areas of the previous voluntary commitments included Safety, Security and Trust. In the realm of security, the commitment was plain in the fact stating that “Companies have a duty to build systems that put security first. That means safeguarding their models against cyber and insider threats and sharing best practices and standards to prevent misuse, reduce risks to society, and protect national security.” Cybersecurity is not undertaken by those in basements, but is front and center at the forefront of innovation. One might say, defense is finally having a voice after so many years of offense and a constant stream of data breaches.

How is the Order Laid Out?

This executive order is broken down into 13 sections with the bulk of the information coming in section 2 Policy and Principles and then further expounding on those 8 policies from section 4 through section 11. The 8 key policies are as follows:

1. Ensuring the Safety and Security of AI Technology

2. Promoting Innovation and Competition

3. Supporting Workers

4. Advancing Equity and Civil Rights

5. Protecting Consumers, Patients, Passengers, and Students

6. Protecting Privacy

7. Advancing Federal Government Use of AI

8. Strengthening American Leadership Abroad

After laying out the individual overarching policy, each of these major sections sets out in total 84 proclamations ranging from 30 to primarily 540 days from the date of the order.

What does it say about cybersecurity?

Policy wise, the order lumps safety and security together in the first policy. Whereas the first voluntary standards were more explicit, the policy addresses “ biotechnology, cybersecurity, critical infrastructure, and other national security dangers” in a single sentence. Furthermore, it speaks to testing, evaluation and monitoring as opposed to the much stronger language earlier whereby they proclaimed that “Companies have a duty to build systems that put security first”. Given the nature of this document though, the details are yet to be established.

The heart of the order comes in Sec. 4.1: Developing Guidelines, Standards, and Best Practices for AI Safety and Security. In this section, the EO puts the National Institute of Standards and Technology (NIST) in charge within 270 days of establishing guidelines, best practices, for a number of areas including red-teaming! Additionally, the Department of Energy is singled out to develop defensive measures to guard against “nuclear, nonproliferation, biological, chemical, critical infrastructure, and energy-security threats or hazards”. One of the key takeaways over and over again, in this section and others is the reliance on testing as a key safeguard. As we’ve touched on before, Security is Part of Quality. Testing AI is the only way to address “AI systems’ most pressing security risks…while navigating AI’s opacity and complexity”.

In Sec. 4.2, and in keeping with previous executive orders, IaaS providers will be required to report to the Secretary of Commerce “when a foreign person transacts with that United States IaaS Provider to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity (a “training run”)”. It also requires the determination of “set of technical conditions for a large AI model to have potential capabilities that could be used in malicious cyber-enabled activity” and otherwise establishes them in the meantime.

Section 4.3 specifically focuses on “Managing AI in Critical Infrastructure and in Cybersecurity” and starts to really deep dive into protections. The first focus is for the DHS and CISA to develop assessments related to how “deploying AI may make critical infrastructure systems more vulnerable to critical failures, physical attacks, and cyber attacks, and shall consider ways to mitigate these vulnerabilities”. It also directs the Secretary of the Treasury to develop an assessment specifically for financial institutions. Furthermore it directs the Secretary of Homeland Security to develop an “Artificial Intelligence Safety and Security Board as an advisory committee” consisting of government, academia and private sector members.

4.3(b) is the most exciting yet as it directs both the Department of Defense and the DHS to “each develop plans for, conduct, and complete an operational pilot project to identify, develop, test, evaluate, and deploy AI capabilities, such as large-language models, to aid in the discovery and remediation of vulnerabilities in critical United States Government software, systems, and networks.” To say I’m excited that they put defense forward specifically, when for decades cyber has almost exclusively meant offense, would be an understatement.

4.4 ventures into the risks posed by Chemical, Biological, Radiological and Nuclear (CBRN) threats. They call out specifically the threat related to biological weapons. Luckily Politico deep dives into this threat in their attention grabbing headline “The Mad Scientists of AI”.