NSA Best Practices for Deploying Secure and Resilient AI Systems
‼️ The National Security Agency has released “Best Practices for Deploying Secure and Resilient AI Systems”, published jointly with CISA, the FBI and partner agencies including the UK's National Cyber Security Centre.
Below are some of my key takeaways:
𝐒𝐜𝐨𝐩𝐞: In this document, “AI system(s)” refers to machine learning-based systems.
𝐂𝐨𝐥𝐥𝐚𝐛𝐨𝐫𝐚𝐭𝐢𝐯𝐞 𝐄𝐟𝐟𝐨𝐫𝐭: The document is the product of a collaborative, multi-agency effort to improve the security of AI systems.
𝐀𝐈 𝐒𝐲𝐬𝐭𝐞𝐦 𝐂𝐨𝐦𝐩𝐥𝐞𝐱𝐢𝐭𝐲: The controls needed for a secure AI deployment depend on the complexity of the system, the resources available, and the infrastructure it runs on.
𝐂𝐨𝐧𝐭𝐢𝐧𝐮𝐨𝐮𝐬 𝐀𝐝𝐚𝐩𝐭𝐚𝐭𝐢𝐨𝐧: Cybersecurity measures must evolve continuously so that emerging AI risks are addressed as they appear.
𝐓𝐚𝐢𝐥𝐨𝐫𝐞𝐝 𝐁𝐞𝐬𝐭 𝐏𝐫𝐚𝐜𝐭𝐢𝐜𝐞𝐬: The guidelines are intended for organisations deploying AI systems that were designed and developed by another entity.
𝐀𝐝𝐚𝐩𝐭𝐚𝐛𝐢𝐥𝐢𝐭𝐲: The best practices should be adapted to the organisation's own threat profile rather than applied verbatim.
𝐕𝐚𝐥𝐮𝐞 𝐚𝐧𝐝 𝐑𝐢𝐬𝐤𝐬: Because of their value, AI systems and tools are attractive targets for attackers; defensive cybersecurity initiatives are therefore key to securing them.
𝐀𝐥𝐢𝐠𝐧𝐦𝐞𝐧𝐭 𝐰𝐢𝐭𝐡 𝐒𝐭𝐚𝐧𝐝𝐚𝐫𝐝𝐬: The cybersecurity practices set out in this document align with established cybersecurity frameworks.
𝐒𝐞𝐜𝐮𝐫𝐞 𝐃𝐞𝐩𝐥𝐨𝐲𝐦𝐞𝐧𝐭: Governance, architecture, and configurations are key for ensuring secure AI deployment.
𝐓𝐡𝐫𝐞𝐚𝐭 𝐌𝐨𝐝𝐞𝐥𝐥𝐢𝐧𝐠: AI-specific threat modelling must be embedded in cybersecurity practice during both the pre-deployment and deployment phases.
𝐂𝐨𝐧𝐭𝐫𝐚𝐜𝐭𝐮𝐚𝐥 𝐂𝐨𝐧𝐬𝐢𝐝𝐞𝐫𝐚𝐭𝐢𝐨𝐧𝐬: Cybersecurity must be a factor in contracts with AI system developers.
𝐌𝐮𝐥𝐭𝐢𝐝𝐢𝐬𝐜𝐢𝐩𝐥𝐢𝐧𝐚𝐫𝐲 𝐂𝐨𝐥𝐥𝐚𝐛𝐨𝐫𝐚𝐭𝐢𝐨𝐧: Multi-disciplinary collaboration is crucial for effectively addressing cybersecurity risks.
𝐃𝐚𝐭𝐚 𝐏𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐨𝐧: Encryption, authentication, and access controls are crucial to protecting the data held in AI systems.
𝐂𝐨𝐧𝐭𝐢𝐧𝐮𝐨𝐮𝐬 𝐌𝐨𝐧𝐢𝐭𝐨𝐫𝐢𝐧𝐠: Continuous monitoring and detection are necessary to identify cybersecurity threats to the AI system and its environment.
𝐓𝐡𝐨𝐫𝐨𝐮𝐠𝐡 𝐕𝐚𝐥𝐢𝐝𝐚𝐭𝐢𝐨𝐧: Models must be thoroughly tested and validated both before deployment and after it.
𝐀𝐏𝐈 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲: The APIs through which the AI system is exposed must be secured; they are a direct interface to the model once it is in production.
𝐀𝐜𝐜𝐞𝐬𝐬 𝐂𝐨𝐧𝐭𝐫𝐨𝐥𝐬 𝐚𝐧𝐝 𝐓𝐫𝐚𝐢𝐧𝐢𝐧𝐠: Rolling out access controls, audits, and staff training across the organisation is crucial to operating securely.
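As an added illustration of the validation and data-protection takeaways above (example code, not from the post or from the NSA guidance): a pre-deployment gate that refuses to load an externally supplied model unless its SHA-256 matches a digest pinned in a sealed manifest. The artifact bytes, manifest fields, and HMAC key are constructed for the example; in a real deployment the key would live in a KMS/HSM and the digest would be pinned when the vendor release is vetted.

```python
"""Pre-deployment integrity gate for an externally supplied model artifact.

Added example, not code from the post or from the NSA guidance. The model
bytes, manifest, and sealing key below are constructed for illustration.
"""
import hashlib
import hmac
import io
import json
import secrets
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so multi-GB weight files never sit in RAM


def sha256_stream(fileobj) -> str:
    """SHA-256 of a file-like object, read incrementally."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest.

    The manifest pins the expected digest; sealing it means an attacker who
    swaps the weights must also forge the seal, not merely edit the manifest.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_artifact(fileobj, manifest: dict, seal: str, key: bytes) -> dict:
    """Decide whether the artifact may be loaded and return an audit record."""
    record = {
        "artifact": manifest.get("name"),
        "version": manifest.get("version"),
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "accepted": False,
        "reason": "",
    }
    # 1. Manifest authenticity first; constant-time compare resists timing probes.
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        record["reason"] = "manifest seal mismatch"
        return record
    # 2. Content integrity: digest of what is actually on disk vs. the pinned value.
    actual = sha256_stream(fileobj)
    if not hmac.compare_digest(actual, manifest["sha256"]):
        record["reason"] = (
            f"sha256 mismatch: got {actual[:12]}..., expected {manifest['sha256'][:12]}..."
        )
        return record
    record["accepted"] = True
    record["reason"] = "seal and digest verified"
    return record


# --- constructed sample inputs (stand-ins for a vendor release) -------------
MODEL_BYTES = b"\x93NUMPY" + bytes(range(256)) * 8 + b"constructed-weights"
MANIFEST_KEY = secrets.token_bytes(32)  # constructed; production key comes from a KMS/HSM
MANIFEST = {
    "name": "vendor-classifier",     # hypothetical model name
    "version": "1.2.0",
    "sha256": hashlib.sha256(MODEL_BYTES).hexdigest(),
}
SEAL = seal_manifest(MANIFEST, MANIFEST_KEY)


def check_release(data: bytes = MODEL_BYTES, manifest: dict = MANIFEST, seal: str = SEAL) -> dict:
    """Run the gate over in-memory bytes (a real deployment passes an open file)."""
    return verify_artifact(io.BytesIO(data), manifest, seal, MANIFEST_KEY)


if __name__ == "__main__":
    print(check_release())                                          # accepted
    print(check_release(data=MODEL_BYTES + b"\x00"))                 # digest mismatch
    forged = dict(MANIFEST, sha256="0" * 64)                        # edited manifest
    print(check_release(data=MODEL_BYTES + b"\x00", manifest=forged))  # seal mismatch
```

The audit record returned on every call is the hook for the monitoring takeaway: ship it to the SIEM whether or not the artifact was accepted, so a rejected load is an alert rather than a silent failure.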
The full guide can be found here.