NSA rolls out security guidance for companies using AI systems

The NSA has rolled out a Cybersecurity Information Sheet (CSI), advising organizations on the best ways to deploy “secure and resilient AI systems.” Companies should ensure they’re implementing “sound security principles” in an organization’s IT environment and its AI systems, which means “robust governance, a well-designed architecture, and secure configurations.”

The guide recommends professionals encrypt sensitive data related to AI, such as “AI model weights, outputs, and logs,” while storing the encryption keys “in a hardware security module (HSM) for later on-demand decryption.”

“I would say that I think that AI doesn’t necessarily create net new problems or challenges. What it does is it amplifies and accelerates challenges that are already there,” Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint—a software company that provides SaaS and offers data management—told IT Brew.

For security professionals, the report wasn’t anything out of the ordinary in terms of mitigation and prevention, but Simberkoff explains that AI may not “may not necessarily have been prioritized.”

AI is “an acceleration of a problem,” she said. “It may create some new problems, but if you have good data governance principles in place, those can largely be mitigated. What it does, though, and what I think the guidance from NSA and in this report does show, is that what many of us in the security and privacy space have been talking about being critical foundational pillars of a good cybersecurity program really are nonnegotiable.”

Among some of its recommendations, the CSI guidance advises teams to create security protections between the IT environment and the AI system, in addition to:

• Hardening “deployment environment configurations”
• Protecting “deployment networks” against threats
• Securing “exposed APIs”
• Continually monitoring model behavior
• Ensuring “user awareness and training”
• Updating and applying patches regularly

NSA spokesperson Iyube L’Bert told IT Brew in an email that AI brings “unprecedented opportunity, but also can present opportunities for malicious activity.”

“With the increase of AI/ML use across the DoD, NSS, and DIB, NSA is uniquely positioned to provide cybersecurity guidance, AI expertise, and advanced threat analysis to support the whole-of-government efforts in conjunction with the private sector to ensure US enduring advantage in AI,” L’Bert said. “AI security is fundamental to that effort.”