With national defense and private sector cybersecurity tied together more than ever before, CISOs desire more dialogue with the federal government about what a productive cybersecurity partnership looks like. Recently, USCYBERCOM became a combatant command, while various federal agencies are signaling a shift toward a more offensive security posture in cyberspace to align with traditional military capabilities. Given such shifts, partnerships with the private sector are becoming more critical.
In addition, AI is not only changing the cybersecurity landscape but also affecting national cybersecurity policy—leaving CISOs curious about how current and upcoming AI-related legislation and regulations may affect how they protect their companies. AI can help both national security and the protection of private companies—but this revolutionary technology also creates a threat as hostile actors wield it as a weapon.
These issues were all discussed at the most recent Midwest Regional CISO Policy Roundtable (hosted by NTSC Board Member Duaine Styles, CISO of Globe Life) that featured two presentations:
National Security Cyber Trends
While covering some of the same subject matter as his presentation at the Northeast CISO Policy Roundtable, Lieutenant General (ret.) Kevin McLaughlin also addressed recent developments such as USCYBERCOM becoming a combatant command. That elevated status gives USCYBERCOM more authority and flexibility in helping the private sector protect itself against cyberattacks. This is especially important for critical infrastructure (85 percent owned by the private sector), an industry that many cybersecurity experts point out contains significant security vulnerabilities.
Emphasizing how partnerships with the private sector can enhance national security, CISOs of critical infrastructure companies (including those from the oil and gas industry) were especially interested in how USCYBERCOM’s efforts toward cyber deterrence would specifically help them. Attendees also discussed how potential legislation imposed on critical infrastructure companies may override their own efforts to propose meaningful policy. Critical infrastructure is now routinely talked about in Washington D.C. in terms of keeping the nation secure. Legislation without much input from critical infrastructure companies may not serve these companies well.
AI and Cybersecurity Policy Concerns
Dr. White talked about how CISOs already leverage AI for important activities such as malware detection, malicious IP blocking, and website classification. He asked attendees about how they were using AI techniques in some capacity—referencing specific areas such as next-gen endpoint protection systems and anti-malware software that benefit from AI and machine learning.
AI concerns have also emerged around bias (racial, gender, etc.), personal privacy, algorithmic transparency, and adversaries using AI as a weapon. To curb potential problems early, CISOs discussed the importance of developing cybersecurity policies about the use of AI—both through national legislation and internal company policies that promote a culture of security.
However, this is a sensitive area. The White House recently announced the creation of the Select Committee on Artificial Intelligence—a committee that will help explore and define AI opportunities, priorities, and issues while promoting less regulation around this technology. Responding to competitive pressures from China, the White House is also influenced by tech companies that want AI to remain relatively unregulated to encourage innovation.
This hands-off approach runs counter to the views of some lawmakers and consumer groups who feel that AI needs regulation. But other than a few bills that focus on AI in cars, proposed legislation in 2018 has not been very aggressive. Consumer groups are concerned about privacy and security, but many lawmakers and businesses feel these concerns are addressed under existing laws and regulations.
Despite a lack of enthusiasm for legislation and regulation, experts are still tracking various long-term AI issues that need addressing. An AI Now Report from 2017 addresses areas such as:
Overall, the NTSC Midwest Regional CISO Policy Roundtable furthered some important dialogue among the CISO community, federal government representatives, and academic experts. As USCYBERCOM grows more assured with its new elevated status and agencies such as DHS more proactively reach out to the private sector with the mission of repairing burned bridges, CISOs need to stay in dialogue with the federal government to find the best ways to partner. United efforts between the public and private sectors help with national security.
Additionally, as AI grows more ubiquitous, CISOs need to remain at the forefront of any dialogue around proposed laws, policies, and regulations that may help or hinder this technology’s development—especially when it’s used to enhance cybersecurity. Just as USCYBERCOM found itself in a reactive state against aggressive adversaries, CISOs do not want AI regulations inhibiting the way companies protect themselves against aggressive international threat actors using AI as an advantage.
(Left to right: Dr. Gregory White, The University of Texas at San Antonio; Patrick Gaul, NTSC; Duaine Styles, CISO, Globe Life; Emily Heath, CISO, United Airlines; Kimberly Steele, NTSC)
The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies.