Back to all videos

Cybersecurity watchdog launches guidelines to secure emerging technologies

By CNA

Cybersecurity GuidelinesEmerging TechnologiesArtificial IntelligenceQuantum Computing
Share:

Key Concepts

  • Agentic AI Systems: AI systems capable of taking independent actions to achieve objectives.
  • Quantum Straits: The future threat posed by quantum computers to current encryption technologies.
  • Zero-Day Attacks: Exploits that target a vulnerability in software or hardware that is unknown to the vendor or public.
  • Least Privilege Principle: Granting users or systems only the minimum permissions necessary to perform their tasks.
  • Cyber Hygiene: Fundamental security practices that organizations should implement.
  • Zero Trust: A security framework that assumes no user or device can be trusted by default, regardless of their location.
  • Non-Human Identities: Identities assigned to AI agents or other non-human entities that require access to systems.

Cybersecurity Agency's New Tools and Guidance

The cybersecurity agency has released new tools and guidance for public consultation, focusing on two critical emerging technologies:

  1. Securing Agentic AI Systems: This guidance addresses the unique risks associated with AI systems that can act independently to achieve objectives. The transcript highlights the potential for these agents to interact with each other, leading to unprecedented levels of complexity and associated risks.
  2. Preparing for Quantum Straits: This initiative aims to help organizations prepare for the future threat of quantum computing, which is estimated to be capable of breaking current encryption technologies within approximately a decade.

The agency's goal is to provide accessible guidance for organizations, including those without deep technical expertise, on how to safely integrate agentic AI into their operations. This document is an addendum to existing guidelines on securing AI systems, specifically addressing the distinct risks of agentic AI. It also serves as an invitation for government researchers and industry partners to collaborate in shaping global standards for securing agentic AI.

The Threat of Quantum Computing

The transcript emphasizes the impending threat of quantum computing. Estimates suggest that a quantum computer capable of easily cracking encryption protecting digital infrastructure could emerge within a decade. However, it's argued that this timeline might already be too late. Malicious actors could be actively collecting and storing encrypted data today, waiting for the availability of powerful quantum computers to decrypt it and gain insights.

To counter this, the cybersecurity watchdog has released tools to help firms assess their current defenses and plan the transition to quantum-safe systems.

Agentic AI: A Paradigm Shift in Cybersecurity

John Duffy, Chief Information Security Officer at Check Point Software Technologies, explains how agentic AI fundamentally changes the cybersecurity landscape.

Key Differences from Traditional AI:

  • Autonomy: Agentic AI is significantly more autonomous than traditional AI, which typically requires human input and output.
  • Objective-Driven Action: Instead of direct human commands, agentic AI is given a goal or objective and will autonomously devise actions and connections to achieve it. This introduces a new level of complexity and potential for unforeseen consequences.

Projected Impact on Cyberattacks:

  • Increased Sophistication and Automation: The transcript predicts a surge in sophisticated and automated attacks by 2025-2026.
  • "Bad Actors" Leveraging AI: Malicious actors will increasingly leverage AI sophistication to launch attacks, potentially issuing commands for zero-day exploits.
  • Chain Reactions of Exploits: An agentic AI could be given an objective to identify vulnerabilities, and then trigger another agent to exploit those vulnerabilities, creating a cascade of attacks. This makes attacks highly automated, sophisticated, and rapid, posing a significant defense challenge for humans.

Securing Agentic AI Systems: Addressing Internal Threats

A critical concern raised is how to tackle the issue of AI agents exceeding their security boundaries. Duffy suggests treating AI agents as part of a broader ecosystem, similar to how human access is managed.

Proposed Security Measures for Agentic AI:

  1. Isolation: Agents should be isolated to perform only their intended functions.
  2. Least Privilege: Agents should not be granted more access than necessary. The principle of "least privilege" and "need to know" must be strictly applied.
  3. Monitoring: Continuous monitoring of agent activities is crucial to understand their actions and detect anomalies.

Duffy stresses that a human element must remain involved in oversight, both from a governance and operational perspective. Failure to implement these measures could lead to disastrous outcomes.

Real-World Safety Testing for Agentic AI

Before deploying agentic AI at scale, rigorous safety testing is essential. The transcript highlights two key aspects:

  1. End-to-End Lifecycle Testing: Agentic AI should be tested throughout its entire lifecycle, from development to deployment. This includes:
    • Testing in Production Environments: Ensuring that while the underlying technology might remain stable, the environment in which the AI operates, which changes daily, is accounted for.
    • Continuous Assessment: Continuous monitoring and assessment of AI models are crucial.
  2. Human Oversight for Critical Infrastructure: For critical infrastructure, agentic AI should always have a human element involved in decision-making, especially for high-stakes actions (e.g., a $1 million transaction).

Practical Steps for Businesses to Protect Themselves

Businesses can take several practical steps to protect themselves against emerging AI threats:

  1. Strengthen Fundamental Cyber Hygiene: Despite the increasing sophistication of attackers, breaches often succeed due to poor fundamental cyber hygiene. Organizations must prioritize basic security practices.
  2. Implement Zero Trust Principles: The principle of zero trust is paramount. This includes:
    • Isolation: As mentioned, isolating agents to their specific tasks.
    • Access Management: Implementing robust access management for both human and non-human identities.
  3. Manage Non-Human Identities: With the rise of AI agents, managing "non-human identities" is as critical as managing human identities. Policies must be applied accordingly.
  4. Adopt a "Assume Breach" Mindset: Organizations should operate under the assumption that breaches are inevitable. This requires designing playbooks and response strategies that account for compromised agents and systems.

John Duffy concludes by emphasizing that while the landscape is evolving, a combination of continuous market assessment, robust development practices, and a strong focus on fundamental security principles will be key to navigating the challenges posed by agentic AI.

Chat with this Video

AI-Powered

Hi! I can answer questions about this video "Cybersecurity watchdog launches guidelines to secure emerging technologies". What would you like to know?

Chat is based on the transcript of this video and may not be 100% accurate.

Related Videos

Ready to summarize another video?

Summarize YouTube Video