Forthcoming NIST profile to address growing AI-cyber challenges

The Cyber AI Profile, currently in development, could help firms better prepare for hackers that use AI tools to enhance their cyberattacks, a top NIST official said at the RSAC Conference.
SAN FRANCISCO — Cybersecurity executives are struggling to navigate cyber threats fueled by AI, according to a top National Institute of Standards and Technology official, but an upcoming agency framework to help organizations manage AI-related cyber risks could help.
NIST is developing the Cyber AI Profile based on its landmark Cybersecurity Framework, with a planned release sometime within the next six months, according to Kat Megas, the agency’s cybersecurity, privacy and AI program manager.
Megas, speaking Monday at the RSAC Conference in San Francisco, said critical infrastructure owners and operators are already using AI tools for systems planning, incident response, cyber event detection and other cases. But no clear taxonomy exists between the AI community and cybersecurity practitioners, she said, noting that the dynamic “makes it very difficult as we start talking about the intersection” of risks presented in both areas.
In a presentation focused on making a case for the Cyber AI Profile, she argued it could help organizations better manage the cybersecurity impacts of AI by focusing on risk reduction, defense strategies and improved privacy.
Cybersecurity and intelligence officials have argued that AI systems are augmenting the cyber threat landscape, enabling new attack methods like deepfakes and enhanced phishing, while also providing tools to better detect and defend against those threats.
Large language models have also helped enhance certain cyberattack methods, Megas said. Foreign adversaries, for instance, are able to craft more realistic-sounding phishing messages, or use an AI chatbot to scan computer code for vulnerabilities and craft exploits.
NIST already released a concept paper and held an initial public workshop, where practitioners were surveyed about the AI-cyber landscape, she noted. The scientific standards agency is now developing a public draft based on workshop input and additional research.
Once complete, that draft will be released for public comment, with the possibility of a second workshop depending on feedback, which could lead to either a second draft or finalization. A potential Cyber AI Profile would tie AI-specific risks and considerations to existing cybersecurity goals, helping organizations strengthen defenses, counter AI-driven threats and map efforts to relevant laws and standards, according to the presentation.
“So as you can see, it is not new, and I’m sure you’re all hearing this, but we are at a watershed moment where everybody’s talking about how artificial intelligence is helping both the defenders as well as the attackers,” Megas said. “Depending on who you talk to these days, you know the pendulum seems to swing as to who is benefiting more from the advent and advancements in artificial intelligence.”