The excitement over artificial intelligence may have hit its high point over the last few months so now for many organizations, it’s time to ask the hard questions of how really can they use these capabilities to address key mission needs?

A central theme to those hard questions is understanding both the good and bad of AI, especially as the power of quantum computing comes into play.

As AI becomes more sophisticated, organizations need to recognize the potential security risks, which also become more concerning.

Among the threats agencies need to be aware of include bad actors stealing the AI model, data poisoning and the stealing of valuable and confidential data.

Agencies balance the desire and excitement over AI while also recognizing and mitigating the risks, said Gina Scinta, the deputy chief technology officer and security evangelist at Thales Trusted Cyber Technologies.

“Organizations have to identify who has the authority to access information. You have to put strong authentication, and identity and access management around those AI models to control who can access information. Within the environment itself, you must put access policies around the data and control what type of access they have.  This will help prevent those bad actors from getting into your environment,” Scinta said on the discussion Innovation in Government. “The other challenge is around the ever-growing volume of data because we continue to collect data. AI has to process against large volumes of data to get the answer to the question you’re asking it. Everybody’s concerned with encryption around that and how it affects performance.”

Identity management is foundational

Scinta said if agencies are putting the right access controls around that data then the performance of the AI model shouldn’t be affected.

She said the performance will be user dependent based on their access to the data.

A lot of identity management and access control decisions come back to the agency’s implementation of zero trust principles. For many agencies, the identity management pillar is the one area of zero trust where they are not only able to make a lot of progress on but is foundational to the other four pillars under the zero trust maturity model.

Scinta said data isn’t just a foundational element to zero trust, but also to AI, quantum computing and so many other technology capabilities.

In fact, the growing expectation that quantum computing power to break cryptography will be a reality sooner than expected is putting more pressure on agencies to manage their data in an even more secure way.

“Quantum computers will have the capability to ability to handle very complex AI models. However, they will also have the ability to break today’s cryptography. This means that bad actors could have the ability to decrypt data that’s been encrypted with outdated cryptography,”Scinta said. “That’s why these two conversations go together. Although we may be at the peak of the AI hype cycle, you can’t lose sight of quantum threat. Now that the quantum algorithms have been standardized by the National Institute of Standards and Technology (NIST), which just came out in August, and most of industry had already developed around the pre-standards. So they’re now tweaking those pre- standard algorithms to meet the standard algorithm process so they can get them into the Federal Information Processing Standards (FIPS) certification, which is a very long process.”

Automating cryptography inventories

Scinta said it’s important for vendors to get into the FIPS certification process sooner than later as NIST is backed up with requests. She said the sooner products and services meet the NIST standards, the more prepared agencies and other organizations can be prepared to protect against adversarial threats, who undoubtedly will use quantum computing to break encryption.

The Cybersecurity and Infrastructure Security Agency (CISA) is trying to help agencies prepare for those post-quantum cyber threats.

The Office of Management and Budget and CISA required agencies earlier this year to submit their inventory of public-key cryptography.

Scinta said CISA now is starting to look for automated tools to help agencies discover their public-key cryptography.

“This is going to be a repetitive process and there are tools available in the marketplace today. Thales, for example, works with technology partners that have cryptographic inventory tools that enable customers to identify cryptographic materials across the enterprise. So now the next step is to automate that cryptography inventory so that it makes it easier for you to keep track of your cryptography and then prioritize the high-risk systems need to migrate to the new standard NIST algorithms that came out in August,” she said. “There is a project at NIST’s National Cybersecurity Center of Excellence that we’re working with other project collaborators who have these cryptography inventory tools. We are testing them out at the NCCOE so that they can show the results to the community through artifacts that get published.”

Federal agencies and other organizations can proactively buy products that already have met NIST’s post-quantum cryptography standards.

Scinta said this is an example of how industry is being proactive about this because they want to get their customer ready for whenever the day comes when the current encryption algorithms are broken.

But Scinta said agencies can’t lose sight of the quantum challenges in the hype and excitement over AI. She said it’s important for agencies to understand both the benefits and risks.

“Understanding the good and bad of both AI and Quantum and being able to leverage them together to make your decision making more powerful and effective is important,” she said. “You can’t think about one without thinking about all of them.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.