Federal Chief Information Security Officer (CISO) Chris DeRusha said today that while the Federal government is making real progress on cybersecurity, his “cup is actually half empty” when it comes to the security of AI.
At the same time, DeRusha said that the United States has to “go full bore in learning how to use this technology” in order to keep up with our adversaries who are doing the same.
“I’m in the security field, so the cup is actually half empty if anyone was wondering,” DeRusha said today at the Google Public Sector Summit, presented by Scoop News Group. “I think I worry about a lot of [AI].”
“Some of it’s just kind of unintentional misuse,” he explained, adding, “I think that for Federal agencies, it’s so exciting and the benefits are so positive that we have the potential to kind of want to trust the data too much, trust the outcomes too much. And then we’re going to potentially create bias, make bad decisions – we’re very concerned about the equity play here.”
Another area that worries DeRusha is the spread of disinformation and misinformation through AI, as well as the ability to engineer code faster – which he said can be “both a positive and negative.”
The Federal CISO said that the Biden administration is committed to the responsible use of AI and generative AI, and the AI executive order (EO) that is coming out this fall “will be the initial step” to meet this moment.
Shortly following the EO, DeRusha said that the White House is also focused on providing guidance to Federal agencies on the responsible use of AI.
The White House will put that guidance out for public comment because while DeRusha said that his team has “a draft policy,” it also needs to “get feedback from everybody” – both from Federal agencies and the private sector.
“As far as procurement, look, that is something that we’re actually actively discussing and will be a part of that conversation,” DeRusha added.
“At the end of the day, government technology is vetted through various risk and control review processes – everyone’s familiar with the FedRAMP program. How do we ensure that we have an agile way of assessing the appropriate tools for government use and government-regulated data types, and we can’t not do that,” he said. “We understand everybody’s wanting to jump into the latest tools, but some of these companies aren’t fully vetted yet, they’re new entrants, and we have to ensure that we’re responsibly protecting Federal data.”
During the same session, Caitlin Clarke – who is the senior director of cyber and emerging technology in the Executive Office of the President – said that the best way to ensure the Federal government is protecting its data is with hands-on practice.
“I think we need to do a lot more hands-on keyboard exercises,” Clarke said. “We do a lot of tabletop exercises … where we talk about how we have that plan, we have that policy, but how many times have we actually put it into place and had red versus blue and determined whether or not that plan is actually effective? Do we have the staff for this type of incident? Can we practice that shift change? If we do a tabletop that’s two hours long, we’re not hitting some of these key issues that we have.”
“We need to do more hands-on keyboard exercises,” she reiterated. “This is a full-scale exercise where we not only talk about our policies, but we actually put them into practice.”
Clarke concluded that these exercises must be done in partnership with industry “so that we are both moving together towards the same objective.”