Today, technological advancement happens rapidly, and many organizations look to leverage the latest
tech to secure a competitive advantage. The issue is that deploying new systems and solutions typically
comes with risk. Artificial intelligence (AI) systems are increasingly integral to organizational operations,
making them prime targets for cyber threats.
Recognizing this vulnerability, the National Security Agency (NSA) has issued new guidance aimed at
fortifying the deployment and maintenance of AI systems against malicious cyber actors.
The Growing Importance of AI Security
AI systems are not just tools but central frameworks within which modern businesses operate. Their
rapid deployment has made them valuable for efficiency and innovation but also attractive to
cybercriminals. The NSA highlights that these systems are under threat for different reasons than many
other organizational assets. Traditionally, companies focused on hardware, software, and networks that
handle sensitive information and intellectual property. However, AI systems create a new opportunity
for cyber attackers, as the systems are leverageable for malicious purposes.
Ultimately, such threats necessitate robust security measures, adapted not only to traditional IT
frameworks but also to the unique challenges posed by AI technologies.
Comprehensive Defense Strategies
The guidance underscores the importance of a multi-layered defense strategy, incorporating both
specific AI security measures and broader IT security practices. It advocates for securing the deployment
environment, continuously protecting the AI system, and maintaining stringent operational security.
These practices are aligned with the cross-sector Cybersecurity Performance Goals (CPGs) developed by
the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and
Technology (NIST), which provide foundational security practices to counter prevalent cyber threats.
Best Practices for Secure Deployment
Securing the Deployment Environment
The NSA stresses that AI systems should be deployed within secure and robust IT infrastructures.
Organizations are urged to ensure that their IT environments, where AI systems are hosted, adhere to
strict security protocols, including strong governance, secure architecture, and comprehensive risk
management strategies. This includes the management of deployment environment governance,
ensuring a well-designed architecture, and applying hardened configurations.
As a foundation, understanding an organization’s risk level is paramount, as that allows the company to
determine if the AI solution fits within risk tolerance limits. Assessing the broader environment and
identifying security boundaries – as well as how the AI system fits into the larger picture – is similarly
crucial.
Continuous Protection and Operational Security
As with other security areas, continuous vigilance is crucial when integrating AI systems into an
organization’s technology environment. The NSA recommends regular updates and patches to AI
systems, stringent access controls, and robust monitoring to detect and respond to potential security
incidents swiftly. It also emphasizes the importance of protecting sensitive AI components like model
weights, training data, and logs through encryption and access control mechanisms.
Before deploying AI solutions, inspecting models prior to introducing them into the broader tech system
is similarly crucial. That creates opportunities to identify malicious code before deployment, ensuring
model validity and security. When possible, use AI-specific scanners and automate threat detection,
analysis, and response as a means of enhancing IT security efficiency.
Collaboration and Culture of Security
Promoting a collaborative security culture within organizations is also vital to the equation. This involves
integration between data science, infrastructure, and cybersecurity teams to address security concerns
effectively.
The NSA advises fostering environments where risks are openly discussed and addressed in a timely
manner, ensuring that all stakeholders understand their roles and responsibilities in maintaining AI
security. Offering training to bolster user awareness is similarly wise, allowing every employee to play a
critical role in safeguarding internal solutions, systems, and data.
Emphasizing Vendor and Third-Party Security
Given the complex supply chains involved in developing and deploying AI systems, the NSA guide also
covers the necessity of securing external components. Organizations are encouraged to scrutinize the
security practices of third-party vendors and service providers, particularly those supplying AI models or
components, to ensure they meet organizational security standards.
Ultimately, the NSA's guidance on securely deploying AI systems provides a comprehensive framework
aimed at mitigating the risks associated with AI technologies. By implementing these robust security
measures, organizations can protect their AI investments from sophisticated cyber threats, ensuring that
their operations remain secure and resilient in the face of evolving challenges.
This guidance serves not only as a set of recommendations but as a call to action for proactive security
management in the deployment of AI systems. As AI becomes more commonplace in the world of
business, staying ahead of the curve is essential, making any steps today worthwhile as they lead to a
more secure tomorrow.
