All right, I think we will get started. I'm not sure given that we're running over exactly when we're supposed to get started, but we're just going to run with it. So thank you all for coming. My name is Heather West. I am at Venable and I work with the Alliance for Trust in AI. And I am thrilled to be here today to talk about "Intelligent Threats: Understanding AI's Impact on Cybersecurity Policy." I think, you know, our goal is to talk about how AI is impacting cybersecurity policy and practice, but also what we're seeing out in the world. So there's been a lot of discussion about AI and cybersecurity since the last State of the Net. There has been discussion this morning. Everyone's talking about AI in the hallway. So you know, it is where we all need to be and what we're talking about. So today we'll talk about, you know, are AI tools superpowering cyber attacks, or AI tools making it easier to protect people? Can we protect AI from itself? Can we protect it from other attackers? Can we just replace our security team with AI armies? See, that sounds fun. So we'll dive in with our fantastic panel. I'm really excited to be here today. These are my favorite panels where it's just me and a bunch of friends chatting. And a big thanks to the State of the Net team for putting this together.
So today we have Charley Snyder who's the head of security policy at Google. Alissa Starzak is the Vice President and Global Head of Public Policy at Cloudflare. Austin Carson, the founder and president of SeedAI, and Grace Abuhamad, the chief of staff at the National Telecommunications and Information Administration. So let's dive in. There's been... that is the page I just looked at. Um, so we've been talking breathlessly about AI for a year. We all kind of know that AI isn't just chatbots. But apparently, it's working against me. And, and we should just dig in. So Alissa, can you start us off by talking a bit about how AI is used in cybersecurity, big question.
Thanks, Heather. And now I can't complain. Thanks, Heather. And thanks for having me today. By the way, I think the fact that Heather's microphone dropped when she was talking about AI armies may tell you something about what's going on in the world. But no. So, you know, I think the reality of where we are with AI is that AI has been around for a long time. The thing that is relatively new, and that came out in the past year, is the sort of democratization of AI with things like large language models. So when you think about that, you know, practically, it's just changed the world a little bit, not because we haven't had concepts of AI and cybersecurity, but because of who has access and what that then means. So, you know, we've used, we, I mean Cloudflare. Cloudflare, if you don't know us, we run a very large global network, we sit in front of something like 20% of the world's websites. That is a ton of traffic that runs through our network on a daily basis. The only way we can actually think about managing that is with AI. There's too much data, there are too many sort of mechanisms that have to happen in real time. To do things in a purely automated way, you have to think about applying either machine learning initially, or now AI to it. So what does that mean in practice? It means you have to have systems that sort of anticipate patterns, and can then adapt in real time. And that's really kind of what AI gets used for in cybersecurity on sort of a traditional basis. Again, the thing that has changed over the course of the past year since the release of ChatGPT is this idea that people can use AI themselves. So think about what that means for an enterprise all of a sudden, right? Now every enterprise, and I'm sure we'll talk about this, wants to use AI tools.
Well, now you have new supply chain attacks, if you're thinking about it from a cybersecurity angle, you have to worry about the cybersecurity of those tools. You have to worry about your employees who think hey, this ChatGPT thing is super cool. I can write all my emails with it. And all of a sudden putting sort of sensitive information into external applications where they're not actually thinking about where that information goes or where it could end up. So the world has changed. Not because AI is necessarily a new thing, but because who has access to it and what that means from a cybersecurity risk standpoint. Thanks.
So, so to build on that, Charley, can you talk a little bit more about what's changing for cybersecurity?
Yeah, sure. So, you know, I agree with everything Alissa said. You know, I would say to build on it a little bit. You know, what we see as new is, you know, these generally capable, as you know, systems that can accept and spit out natural language is one thing that's very new. And putting that very close to the consumer, or enterprise, through UI is rather new. And then increasingly, we're seeing how users start to use that, how users start to drive the technology in various directions. So think using it almost like an operating system. This is something people are starting to talk about, where a chatbot has plugins to do various things with other systems, maybe over the Internet, maybe within your network, using it as a development platform. So starting to integrate these capabilities to help write code, help review code, things like that. Obviously, you know, Alissa touched on some of the risks that come with that, and I have a feeling we're going to dig in deeper there. I would say for security on the positive side, at Google, and then the way we think about it for, you know, our customers and the Internet more broadly, you know, we're looking at how we can use these capabilities, these things I mentioned, you know, natural language interface, integrating it with other systems, and ways to completely transform our approach to security. And so you can think of security as sort of a lifecycle: there's, you know, detecting threats and vulnerabilities, and there's, you know, discovering vulnerabilities which can be exploitable, then there's writing safer code, there's patching the code that an AI system might find that's vulnerable, then there's kind of, you know, post breach, there's incident response, can help responders interact with AI systems to help them respond more speedily. You could think of it as a huge lifecycle.
And I think we're pretty busy seeing all the different places that these systems can fit in and provide value.
So what I'm hearing from the industry side is AI is everywhere. We're just starting to see it more for the rest of us a little bit. And I do think that that was fairly transformative. And so, Austin, I know that you're taking a bit of a different tack, your red teaming work has really broadened what we're thinking about as potential risks and security risks for AI. Can you tell us a little bit about that?
So I'm gonna just take a hard left on that for fun. So I mean, in listening to everybody talk about the application of AI to cybersecurity, and in thinking about the transition from, like, artificial intelligence as like deep learning, you know, from like, 2012, big deep learning explosion to generative AI to ChatGPT, I think you make a very good point that it is closer and closer to the consumer. It's about touching people. But most importantly, in my view, it's about taking kind of the fuzzy math that humans have retained an advantage on until very recently, and moving that into computation. Right? So we've taken everything that was just like one plus one equals two. And then we've computed all that we can and now we're in the part where we're computing like probabilities, right? If you look at what cybersecurity is, it's the part of computing that already is in the probabilities, it already is in fuzziness, it already is in like unexplained and inexplicable breakages throughout the entire system. And so if you think about what it means to add that extra probability layer is much more effective at stopping things, much more effective at doing things. And the failure mode for most cybersecurity issues is human in nature. It's about the spear phishing email. It's about doing something stupid and downloading the wrong app. Right. So that's going to be a huge vulnerability. And that's part of why we have gone towards this like red teaming, big picture approach. Because the only way you're going to capture this, like, massive level of failures that are implicit across any system now that you have this fuzzy math and human interaction with AI is having huge participation. Yeah. And so from our perspective, driving that is like one of the number one things you can do.
Yeah, and we'll talk a little bit more about red teaming later because I think it's so interesting. But bringing so many people together to see, oh, what can I break? What doesn't work quite right? You know, that's a traditional approach in cybersecurity, but applied a little bit differently. So Grace, as the relationship between security and AI evolves, the US government and NTIA are doing a ton of work on this. I know, like, from my perspective, the AI EO is like full employment. And it's a lot of really, really interesting stuff. Can you talk about your work on accountability, and then some of the work on risks and benefits of open dual use foundation models, lots of buzzwords that are kind of terrible government buzzwords.
Yeah. So there's two big initiatives that we're working on in NTIA. One of them is EO related. One of them existed where we started before the EO. I'll talk about the one that we AI accountability work because that preceded the EO and as a I'm irrelevant to this conversation in the sense that we were looking at when, when Assistant Secretary Davidson came in, one of the big questions we asked is sort of like, how can we help move the field, in, there's a little bit of a link, because we're in the middle of a big broadband deployment across the United States, you might have heard about it. And part of that involves, you know, a long grant program, but we have to be building a movement. For once people are wanting to, you know, once we build the infrastructure, we're gonna have all these people online, we're thinking about the online space differently as it's evolving over time. And as part of that, we were also thinking, where can we apply that sort of Internet policy work to other areas that are not just broadband infrastructure? AI policy is one of them. Today's the 10 year anniversary of the release of the NIST Cybersecurity Framework, it's actually perfect timing in some ways. But there's been a whole decade or more, you can say longer, probably 15, 20 years of work to build a cybersecurity field and ecosystem, businesses that have created that are created specifically to work on cybersecurity, etc. And you can see that evolving with the AI space as well. So part of what we tried to do when we launched our AI accountability work was think about, what do we want the AI accountability ecosystem to look like? And that includes, what do we want? You know, what are we going to need in terms of workforce? What are we going to need in terms of audits across sectors? What are we going to need in terms of access to data or, or not, etc. So that's the report that we started working on a couple of years ago, it's coming out soon.
And that's sort of the work that we started doing before the executive order came out. In the executive order, we were given one specific assignment. And that assignment is to look at the risks and benefits of dual use foundation models with widely accessible model weights. That's a very specific task in the sense that the definition of the dual use foundation model, which is in the executive order, really applies to very large models. And right now, there's only like a handful of them that we really we can think about in that case. And then the question of model weights, again, focuses really specifically on a type of risk, or a component, that we're looking at evaluating. So we have a request for comment coming out soon on that as well. Happily take, you know, comments on all aspects, but the task itself is really, really quite narrow. And we can come back to that in a little bit more detail as to why that's the case. But I think, you know, when we're thinking about the cybersecurity risk to AI, there's a lot more that we can be thinking about in the immediate term than some of the larger scale risks that the EO is trying to address. It's trying to do both large scale, potential risk, and then sort of immediate, and different parts of the government are addressing different pieces. So we have this one task that's quite specific and a little bit more focused on the larger scale risk.
Great, thank you. So let's talk about that a little bit more, some of the cyber risks that come with this explosion of AI, and particularly the explosion of widely accessible, really interesting AI. Alissa, Cloudflare, you were saying, sees so much of the Internet, and all of the interactions that are happening. Can you talk about any trends that you can trace to the use of AI?
You know, I think the funny thing, you know, here we are talking about AI and this sort of world, the new world of AI. You know, honestly, from a cybersecurity standpoint, the biggest risk I think we all face are the sort of pre-existing risks. The fact that people don't do sort of basic cybersecurity. The thing that AI does is actually power that: it makes them easier to find, it makes vulnerabilities easier to find. It makes something like a phishing email a lot better. So now, you don't see the errors in it. To the very, I think the biggest thing that we're seeing right now is not the really sophisticated, you know, change in model weights, that might sort of influence something long term. It's very much the sort of basics, right? We have to fix the basics. And AI sort of supercharges everything that we end up worrying about, because it makes it easier to find, but the challenge is it makes it easier to find the problems.
Got it. Charley, similar question. I'm interested in what you're actually seeing the risk being. I think, Alissa, it makes sense to me that all of the things that were vulnerabilities before are still vulnerabilities. What is Google saying in terms of malicious AI and attacking AI?
I think at a high level, what we've seen so far is, you know, it has the potential to lower the barrier to entry for less skilled adversaries, people who want to do harms online. I think we're very interested in seeing how it can be adapted in the future for more skilled adversaries as well, but at a high level, you know, information operations, we are seeing organizations start to make use of LLMs to generate, essentially, you know, inauthentic content and propaganda and the like. I think for the most part, it has been quite ineffective, we don't see it having a huge, huge impact. But I think that's obviously one area where LLMs are well suited to generate content in a specific language that may be more persuasive than, you know, someone who's not, you know, a native language or that speaker would otherwise be. In terms of hacking and intrusion operations, really quite limited. We see it used in kind of the first stage of an operation. So generally like the social engineering, which again, relies on kind of natural language for persuasion, things like fueling phishing attacks. I think, you know, Alissa made my point for me, I think that at Google, we consider, you know, password phishing, for instance, largely a solved problem. For organizations that are serious about it, it is not a problem organizations should be having in 2024, let alone 2023, or 2022. And for consumer services, you know, multi-factor authentication is largely available for free as well. And so I think it's important for us to be like really crisp on the details of, are these presenting kind of new threats, or just exploiting old things that we still haven't fixed?
I think for the most part, it's in that second category. What we're really interested in are, you know, kind of an open call it to the community, the government's other companies interested to the degree to which adversaries are using it for other parts of their operations, you know, malware development, you know, general reconnaissance, things like that. You know, the social engineering part is the most visible and again, I don't think we've seen it being, you know, all that much of a game changer.
Yeah, if I can make one suggestion, what I find in talking, especially to like security researchers, and just kind of observation is that the reason that it's like that is because we have such an insane breadth of old problems, right, like a crazy amount of old problems that we just didn't touch. It's kind of like content on the Internet. It's just a burning pile of trash. And we're slapping LLMs on top of it in hopes that it makes it less trash. And then like not training on the Internet after 2021, because everything after GPT-3 happened is trash, you know? And so we're trying to like repair who really think, have you checked the Internet since 2021? I think like a fundamental level, what scares me is that you see, like, really normal spear phishing things over and over again. And then you see a website with like, four zero-days strung together that remotely takes over everyone's iPhone, that's associated with the weeders, you know, and I really am concerned that pretty much around the table and all of these areas of software, and maybe like society too, you know, software must immediately that we haven't addressed, we have like lurking massive vulnerabilities that we're all just kind of chillin on. So we're waiting for everybody to do multi-factor authentication, you know, so I don't know exactly what I'm recommending in terms of a policy prescription. But it is kind of why I ended up with this, like mass public participation, because we need like a randomizer. Honestly, like, if you don't care about people care about the randomizer. And we don't have enough compute for simulating it out right now. Right. But in all seriousness, I don't know I kind of encourage everybody that talks about this to at least point out the fact that we in no shape, but at least pointed the fact that we ultimately do have this like lurking super capability for hacking. Even just that, like the most basic levels, even at the metal split level, you know.
Grace, I know NTIA isn't operating Internet infrastructure, but you're kind of the tech policy hub for the US government. I'm kind of interested what you're hearing, especially as you get ready to release this RFC or like, and talking about accountability, which feels more bread and butter, if we're going to just double down on the pieces that we already know how to do and that we already know are issues. What kind of concerns are people bringing up for you?
The concerns aren't that different than the ones that we've heard about over many years, right? People are still concerned about privacy. And whether or not they're going to have some sort of consumer empowerment over their data or protections around their data. And its use. We're still hearing a lot about, of course about competition and access and what that means in this space, what it means to I mean, at the bigger, bigger philosophical level, like what democratization really means, and for whom. We focus on the US primarily. But we do have a lot of international cooperation that we have to build out and think about in this context. And I was at Silicon Flatirons, a few weeks ago, or listen, last week, I can't remember. And one of the panelists talked about, you know, how these systems are being deployed in Southeast Asia and Africa, and there isn't really enough of an ecosystem there to even think about sort of one, whether people will be able to really use these tools for all the wonderful benefits that we talked about here, but then also have any sense of control or protection over the information? How those three so big questions like that, right. But then, and then practically, even just with for us, you know, what does it mean for our ecosystem in the US competition with companies in the United States? How we're going to develop sort of a strong research community and attract researchers from around the world to work on AI systems here. And then, more recently, than I think, in the past, more than other NTIA issues that we've worked on, we've heard a lot more about harassment, and questions about gender harassment, apparent, you know, I read a report that something like 75% of women in the world now consider how much online hate they're gonna get before running for office, or considering any kind of public facing role.
And so as much as we're trying to encourage people to be more active in public life, or more active in all kinds of things, we also don't really realize some of the impacts that people are facing online. Same thing with, you know, in the past couple of months, Arab American hatred, or that sort of ramping, and rising antisemitism, again, huge problem. So, so big questions like that. We have an initiative right now that we're working on with kids online health and safety, and that we're co-leading a task force with HHS. And that's, you know, a whole different stream of work. But again, the AI impacts are there too. A lot of young children, teenagers using systems thinking about, you know, as they're developing, and not really sort of conscious of yet of how much some of these algorithms are affecting their mental health and well being a development. So some of these issues are not new or not unique to AI, but they're very much at the center of some of the work that we're doing on tech policy and into
about it. I think that's a resounding round of it's the same issues that we've been talking about here for years, faster, but faster, faster, is bigger, more accessible, and it also writes poems about my dog.
Does it make you it makes you miss the Nigerian prince? I'm clear like that. No,
No, I would actually say that this is like the hyper version of the Nigerian prince because the Nigerian prince is a self selection device. It's written really crappy, because it's supposed to identify people dumb enough to fall for it. Now you have eight tiers of Nigerian prince tuned towards like, the bottom eight tiers of Prince Charming. That's what I'm saying. You're like a very realistic like Facebook avatar and Instagrams dreams and all this stuff. Like, we're falling into hyper version of what we were already doing before. And I think to this idea of like, the kids don't know how much they're being manipulated, y'all we know way less than the kids. We were raised on this, like, absolutely bullshit idea that we were immaculate and like and manipulatable, like, individually responsible entities, right. And so we sit around on the Internet all day as like adults acting like we know how to filter information. But that is a hilarious lie. And so I think if anybody actually needs to be like, humbled about what we know, it's kind of us. You know what I mean? Like the kids are alright, guys, we're kind of fucked. Yeah.
There's some truth to that, I think. I think it's actually I don't know who else watched the Super Bowl last night. But the number of times the group of folks in my living room pointed at the TV and said, is that AI? Like it was non-trivial. There was at least 10 times and you're like, there's SpongeBob sitting up there in the commentator booth, and someone's like, is that AI? And they're like, No, SpongeBob is really the what? So, so we're talking about, like, kind of the history of some of these discussions before AI was the buzzword. We're talking about how this kind of harkens back to all of the problems that we've thought about deeply. One of the things that this makes me think of is the discussions about open source, and how democratization of tools and security really has been a part of this discussion for decades. And I'm a big open source fan. But the AI piece of this puzzle kind of changes the discussion a little bit. How are you all thinking about defending and something that's so widely available and powerful and turbocharged?
Open question. Start my RFC for me. Yeah,
I mean, my main thing is I like how Grace downplays that she has like the most important tasks, like we have this like little thing about like dual use foundation models that have publicly available model weights. I was like, Oh, you mean, whether or not the foundational technology we have is available for people to play with? Yeah, it's a small, but I mean, like whether or not the model weights are available is pretty critical from every level, right? Like there is no aspect of this technology that is not fairly equivalently dual use. And what that means is it cuts exactly as positively as it does negatively. It's exactly as helpful as it could be harmful, right. And so like, I think encryption is kind of the best analog that most of us know and deal with, right? When NTIA and everybody else has done playing with encryption. People like lived and died over encryption effectively, like Bruce Schneier was like, I can solve this, I can ship this book with printed out encryption overseas. So there's kind of this hilarious thing where we think we're going to stop open source distribution of like model weights for like research like that en masse without there being like a really good widely agreed upon idea. But I don't know, Bruce and I are gonna print those out and mail them across the ocean. So it's like, we still have to cope with the fact that software is inherently free, right. And that means we have to create like ecosystems and kind of movements and networks and platforms that are designed to support like a more positive overall movement of the ecosystem. But also, in general, like increasing kind of like the validation of the value proposition of open source, you know, the value prop of open source is that it makes things safer and more secure, and the whole community can work on it, and you can fork it off into like, a better version of it can become standard.
So I think like, if having model weights on the Internet makes that happen, we'll probably not really have as much of a problem with model weights being available, because we will continuously demonstrate that it's like cyber Pearl Harbor, will always talk about how the model is being there to destroy the world, but they'll never destroy the world. Right? If somehow we screw that up in a way I don't understand or don't anticipate, then we'll have cyber Pearl Harbor like Oh, damn, we knew is going to happen eventually. So I think Grace has like one of the hardest tasks like, do we take this technology that half the people in the world pretenders God, and like, put it on the Internet, so that you can not guess what it does? Or do we not put it there? So we're just guessing what it does from now on?
I think it might be worth before we start talking about these, the likelihood, the probability of the cyber Pearl Harbor, which we can ask AI about will have its own version, but it's worth sort of stepping back and thinking what AI is and does and what the different pieces are of AI because you have, you know, a lot of the emphasis, the public discussion has been around training models, right? So how much compute power do you need to train a model? Um, you know, there aren't that many entities with that much computing power, what does that look like, a small number of, you know, a very small number of companies that actually have that kind of computing power. But if you think about sort of what the stages are of AI, you have the training of the model, but then you also have the questions of deployment and then building on it. So and the open source, the weight of the model, right, so what goes out there. We don't train at Cloudflare, we don't train our own models for things that are sort of generally available. But we do what's called AI inference. So the notion that you can put a model on our edge and do something that's close to an end user, which also requires a lot of actually networking power, right? Because you need if you want to do an AI decision that's close to a user, you need a big network to do that, typically, or you need to do it on a device. And so there are all these questions that come up about how you would actually go about democratizing AI, what it means for software to be open, right? It's not just a given the way software might be, it can't run on everything, it has to train on something bigger, it has to run on a bigger network. And so we've been trying to do a lot of thinking about what that means. Because there are all sorts of different stages that you could potentially regulate. Or that you could potentially sort of think about risks on. Do you think about the risks on the training?
Do you think about the risks on the deployment? When you get to a model? Do you think about the model weights? And so really kind of being thoughtful about what that looks like? And thinking about deployment, I think matters and will matter in the ultimate outcome, which hopefully is not cyber.
Let me let me clarify something one of the cyber Pearl Harbor thing is mostly a riff on like, a lot of people say that open source model is being in line, isn't it? Cuz like bioterrorism and all these things, it's like, you can logically extrapolate out how that could be the case, we can also logically extrapolate out how Russia should have turned off our power grid like a decade ago. You know what I mean? And I think that's where we're coming from. But just to clarify, like open source model weights available on the Internet right now, GPT four and Chet GPT live behind an API wall. There's a bunch of magic that happens behind there that you don't see and who knows exactly what it is. But it seems like you're putting a query into one model, and it spits it out, but there are like the open source versions of this which are like you may have heard somebody talk about like Ms. Shah or you may have heard of course of llama two which is Facebook's model, which like proliferated out into the universe and made open source language models effectively exist. I'm sorry, still If you're here, and like the ability to see them means that you can calculate The math, you can understand much more this black box, this explainability, you can at least do the math version of it. If you can't like, like reverse engineer with the math means to words, you can lose math it, right. So like one key experiment that shows you why this matters, right is that I think it was Stanford, probably God knows. But they had, they were using like llama too. And they were using open AI. And they did like 10,000 or 20,000 conversations. So like, asked a thing and got a response. And you know, the study like, well, we could look at the my how the, like how the input went through the model weights and how like, lights up the little thing plink goes in here, we want to visualize it. 
And we could see that its internal state was actually what it said it was doing, it wasn't lying to us or making stuff up with GPT. For I mean, we kind of got to guess seems like it's not lying to us. So there's this thing where like, if you're concerned about what AI is actually doing, on one hand, you want to be able to see the model weights for yourself, so you can kind of know what it's doing. On the other hand, if you can see how the engine runs, you can like, make a most powerful engine. So people are trying to like kind of hide how the engine works, you can decide if that's good or bad.
But the one point I meant on open source is, there's really just the need for a holistic approach to governance here. The difference between, or policy approaches to, closed source are directly linked to what we're going to see in open source. Policy approaches to regulating models above a certain compute threshold is going to have direct impact on what folks are doing to develop models below that threshold. And so, you know, for me, it's very important, as we're, you know, I think the horse's kind of left the barn a little sooner on, you know, we think compute above this, you know, threshold requires X, Y and Z. I think that has probably directly led to folks investing more in developing models below that threshold. And I think ditto with access to open source. If, for instance, let's just take the positive view, if organizations cannot easily adopt, you know, closed proprietary source models for any particular reason, they're going to invest more in open source, and that's where we're going to see experimentation. So when you look at attackers doing that, you have to look at, you know, attacker access to proprietary and so that, you know, gets into things like, you know, know-your-customer rules and things like that. That's going to directly drive the market for experimentation with open source models. And I think it's just important that we keep that in mind and have that kind of balanced approach.
And just add one. So if a few points to move, as already said, I mean, we joke about it here, but we can't take the risk of a cyber Pearl Harbor lightly in government. Right. So. But the other piece here is that you mentioned Mistral, for example, right? The executive order defines, or in that definition of dual use foundation model, there's sort of three key pieces to the definition. So longer definition, but there's three key pieces. One of them is that the model has to have more than tens of billions of parameters. So they're very large in that definition. Right? They have to be applicable across a wide range of contexts. So they're not like, you know, like a facial recognition system wouldn't be applicable here. Right? Mistral wouldn't be applicable, because Mistral's only 7 billion parameters. So, so there's, and then the third piece is that you have to be, the models would be posing a serious risk to national security, public health, some combination of sort of a large risk that could be anticipated there, there's information to indicate that there could be. So in this case, right, there's a lot of sort of nervousness, and understandably so, about what it means to have access or not to model weights. But in this particular task, we're really looking at a very specific set of types of models, right, very specific type of model. And that does create the incentives that you were talking about, Charley, where now you see, there's a ton of movement in the space to build smaller models, models that use less compute, because of access to compute issues, right. And because of sort of the anticipated or the, the sort of indication or the theory behind some of how anyone would read or interpret the actions in the EU. You think in part, I don't want to give NTIA too much credit.
But maybe the reason why NTIA was assigned to this particular task is because, you know, within the US government, we have an across sort of tech policy, history here. We have a reputation of really thinking hard about what it means to make sure that there's access to systems open access. Oh, in software, etc, we released a report last year on mobile app ecosystem competition. That wasn't a very popular report with two particular companies, but it was an important question to ask. And I think a lot of people hadn't really thought about that question about whether or not we needed to have more than two app developers in for mobile app technology. So, you know, we're looking at all the options are on the table, we're looking at everything. We're hoping that this RFC will yield lots of plentiful comments. And we're taking the report seriously, it's due in July. So you know, the sooner we get the RFC, the sooner we get the report the comments in faster, we can get that report out. I will say it's been very impressive to watch people actually hit the deadlines in the EO is moving fast.
Oh, yeah. And there's no if anyone saw the EO came out with a, they came out with a 90 day update. Last week, I think it was January 26. One of the tasks in there was for the nine critical infrastructure agencies to do risk assessments of the risks posed by AI systems. And those were all complete. So that's really sort of that's the beginning of also understanding within the government in the federal government, what we think of risk of the different risks of these systems and how we're going to be thinking about them. Next to you.
Thank you. So to shift a little bit here, Charley, I know Google spends a lot of time thinking about how to secure Google. But you're also spending a lot of time thinking about developers and customers that are building their own products, services, infrastructure. Can AI tools help the ecosystem?
Very nice question. Thank you for that.
I mean, it's mildly leading.
We're long-term optimists about this technology. And, you know, I think when we look at, you know, kind of adversarial dynamics online, I think we hope AI will, at worst, have a neutral impact, and at best have a positive impact for people. And I think there's kind of two main kind of drivers where we think that could be the case. You know, one, I think, to a point that Austin made earlier, so many of the breaches we see, in fact, I would argue probably every single breach that we've ever seen, comes down to humans' inability to deal with complexity. I think the online ecosystem, both, you know, the amount of network services and products, as well as the complexity of software itself, has just gotten too complex to handle. So whether that's for a developer or sysadmin, or you know, a user just trying to manage their exploding inbox, basically, every breach in the world comes down to that, and AI's ability to, you know, reason and learn rapidly and at scale offers a lot of potential to address that kind of root cause of so many breaches. And then the other and related to that is, you know, we've started talking a lot and I think we need more research to play this out, but kind of AI being the great equalizer, and, you know, kind of emerging research that LLMs can help, you know, skilled professionals a little bit, but it helps unskilled professionals a lot. And when I look at like attackers versus defenders online, you know, I think attackers by their nature maintain at least a tiny bit of capability and intent, even if we would call them very low skilled. There's plenty of organizations that don't have a single IT professional, don't have a single cybersecurity professional.
And I think if we can incorporate this technology in a smart way, which is not to say like everyone should buy, like a new, you know, our newfangled AI product, but embed it in kind of the ecosystem through the widely used platforms and services and systems everybody uses, I think it could have this great leveling ability and take care of this kind of low hanging fruit. So, you know, of course, you know, Google, we have both, you know, consumer business as well as enterprises. And we're absolutely, you know, starting to see how AI can help these organizations, both making it into the consumer platforms to help them, and that's kind of something we've been doing for a very long time in places like Gmail, but then also offering kind of technology to organizations, whether that's to, you know, help them manage threats, better write more secure code, and what have you. And the last thing I would say on, you know, a reason I'm an optimist here is because I think attackers have a lot of advantages online right now. One advantage I do think the defensive community has is data. I think they've always had it. So you know, the cybersecurity companies, big tech companies, they've always had kind of access to better data sets than attackers. The problem has been dealing with and managing that data. And now that we have this ability to turn data into models into software to help organizations, as long as we can keep developing that technology to aid organizations for defensive purposes, I think that can be really beneficial for the ecosystem.
Alissa, how are you thinking about protecting your own AI systems?
Yeah, you know, I think. So this gets into a little bit of the open source, you know, we use some of our own systems for AI, so for protection of others. So if you think about what we do, we offer essentially a set of cybersecurity services that sit on top of a lot of entities' infrastructure. So like you going into your internal networks, it might be going to your website, a lot of things that sort of sit on top, but the things that we can use AI for, we can actually start looking for patterns of exploits, essentially. So imagine, now you have a vulnerability, everybody knows about it, fine. Everyone, you people go at the vulnerability that same way, that's really easy. That's not AI, right. That's just the basic rule, you know what you're doing. Now think about, if you think about that same set of mechanisms of going in, and you start seeing it in an area, that's an unknown vulnerability, that has a way of teaching, if a system can identify those patterns, it can actually find a new vulnerability potentially, that you might have not even known could be exploited. And that's a world where AI has a huge potential long term benefit, where you can actually block something that is a vulnerability before you even knew it's a vulnerability. And that's huge, right? Or think about, you know, phishing emails, business email compromise, right? That this sort of concept, you can do the same thing. We're talking about improvements of a phishing email. But the AI system's going the other way, where you're not just looking for, you know, sort of very well known phish kits, but you're looking for sort of probability that this actually might be malicious. And, you know, going to Austin's point about what AI ultimately is and saying, hey, if it's more than a certain probability, there's going to be additional checks on it. Those are huge potential developments that have both the consumer benefits and the enterprise benefits in the long run.
And to Charley's point, I think they are democratizing, right? They're easily available to everyone. Potentially, you could have a small business that doesn't have an IT. And it as somebody who's who, who even runs their IT staff that can actually get access to them potentially. So there's some huge long term cybersecurity benefits, I think, for AI. But we have to figure out how we harness them well. The other thing I would add just on the sort of long term benefits, you know, we often talk about sort of insecure code and vulnerabilities like, the reality of having an AI system helps you write more secure code, doesn't mean it's writing it and you trust it wholesale. But the ability of it to do the first cut at it is huge. You can, you know, we were talking to sort of very senior cybersecurity researchers, they're like, we're not going to have this problem, we're not going to have insecure code in a few years because AI is going to, it's going to identify and help us cure those vulnerabilities. And again, those are just long term potential benefits. I think that we see, that's not quite the same as protecting our own but no, yeah,
Yeah. So there's two things that I think will be really cool to hear, interesting, like the classic cat and mouse game, you know, like, they find a vulnerability, they fix the vulnerability, we anticipate when we fix it, it's going to change into kind of like a different two sided thing of like, who can think about the wackier thing to have AI use and who can think of the way for AI to like, fuzz through all your existing code and fix everything. I know Google just released a report about going through repairing like 17% a part of your codebase using a fuzzer. Like those black swan events were kind of talking about or like what if people finally exploit any of our abilities at scale? This is our opportunity to jump in and use these tools to do what to your point humans could never ever do. Right? And then start having your cybersecurity professionals who are going through and like fixing your spear phishing email thing if you're at a regular normal corporation, or like, you know, fixing your massive back and most sophisticated ML model ever for spam filter Google, right. And instead, there's also like some really creative people who were like, okay, well, the next spear phishing email is going to be something from your mom about your sister's birthday and something about your dog and they're going to try to extract all the information that's normally used to form your passwords, and then cobble them together into a pet you know, I mean, they're gonna spy deftly definitely more creative interesting people than me out here. Phishing Mad Libs. Yeah, you know, like, whatever. Just like there's kind of like a wacky job that should exist in the world now called like, the trying a bunch of stuff guy, you know, or it's just like, every company that's like kind of wacky mad scientists like Google X, but just kind of like a I don't know what if we just made it do this and they just try it out. And that's weird that that is probably going to happen soon. Or maybe we just have you.
That's the only one we need like that. Oh, no, I just made a terrible
It is going to be super interesting, by the way, as we start to see like multimodal attacks where you're combining like text and audio and image and things like that in ways that I think AI systems might expect, but I don't think humans would.
That's the fun of being a prompt engineer right now. Right? I mean, that's basically that job in a lot of ways.
I mean, you're, you're testing the model for any kind of, you know, see what I can. Prompt and small, it's a small piece of it. That's true, but it's a I think that's one
piece, the Rube Goldberg machine. Yeah.
Yeah, if I can.
All right, I want to do one more question for everybody. And then we'll open the room to Q&A. My suspicion is, there's lots of good questions in this room. And this is a big one. And it also might count as doing Grace's homework. What do we not, like, what do we know we don't know? What do we need more information about to do this well, and to think about AI and cybersecurity in a helpful, productive way that really helps us protect ourselves, protect the AI and use AI for all of the purposes that we really are excited about, while we minimize the risk.
You know, like everything we've never been able to use computers on before now. All of that. Like, honestly, if you want to ask what we don't know, it's like an absurd, unthinkable, like, like Eldritch Horror amount, to be honest. It's kind of crazy that we're all just going with that as the fact actually the NIST risk management framework, original panels still kind of haunt me, because they had this moment of validation panel where they have like Kathy Baxter and some other people, they're just like, oh, we can validate this thing and that thing, and then the moderator said, What about large language models? I like those, and all of them laughed. And just like, of course not, that would be crazy to say that we can validate one of these, and then everybody laughs and we all move on. And then like, replace computers with these, you know, we're really it's not even that it's better than that replace computers with these operating what used to be a, you know, is like a whole system that we don't understand at all. So I think there's something that's like, like we have really unlocked on, like, very exciting technology in a very powerful new age of computation and like, human extension of the world, but at the same time, we have opened infinite, unexplored space, right. And there's like a very deep need and opportunity when that, right like, it's not just like a scary thing. And if anything, it's kind of like the grand new age of exploration or something, you know, if we can actually view it that way. Otherwise, it's horrific, we don't know. But it's like, this isn't a reason for everybody to have a job. Figuring out what happens when we open up fuzzy math in the world for computers.
Fuzzy math is fun.
So I'll answer one that like, I'm not sure it's exactly an answer to your question, but something that I think is potential, but like we don't know if we could ever get there, which is, could, you know, AI systems help drive towards formal methods for software. So providing mathematical proofs that a piece of software is secure would just be like, in a millisecond, completely transformative to software security. Right now, I don't think LLMs are well suited to that. But could future other forms of AI technology get us there? I think it would be really exciting, really cool.
That'd be amazing.
I think I'm gonna go a different direction. I think Grace sort of touched on this, I think there's a personnel issue that we have to think about a little bit too. You know, engineers think in terms of math, right? We're now talking in terms of probabilities, you know, non-deterministic, that means you don't know what the outcome is. That's not how an engineer normally thinks. It's got to be thinking about the question of risks actually requires an entirely different way of thinking when you get into AI models. And I'm not sure we've quite figured out how to actually do the education around that, or trying to sort of teach people how to work with AI models. And so I think, practically, there's a lot of work to be done in making sure people actually understand what they're talking about and understand how to work with an AI model.
Great. I was just gonna say thank you. I mean, I spent most of my life doing other people's homework. So I just did it. This is great. Thank you.
Well, and you have a very formal mechanism to tell us what you want to know. So. All right, so I know that we have a microphone. Anyone have any questions for the panel? I see prime.
Thanks. And thanks for a very interesting panel. So the question I have is around the 2023 Biden National Cybersecurity Strategy and the emphasis that is very important there on cybersecurity software liability, and just curious for your, the panel's thoughts in whichever direction you want to take on where that's going, how it's going to intersect with the, you know, sort of the problems we've been talking about and the potential to patch at scale, and particularly how it could provide a floor for thinking about guardrails in the open source space particularly.
I'm happy to jump in. I mean, I think we've been kind of dancing around this for a while. I think something that's been a little frustrating for me to watch, as someone who's been in the security community a long time, in the AI community less so, is we've gotten to this point in kind of general software, in general security, that there is this recognition that, you know, the vendors of widely used software and products need to be responsible, and it's not, you know, a fait accompli that breaches need to happen, like there's very well known, you know, software engineering practices that can actually stop most breaches. And, you know, we need to move to a place where, you know, when that's not happening, these vendors should be called out. And what's been hard to watch is, during the AI explosion, we've kind of, you know, not that the kind of, you know, longer tail existential risks, that kind of far out stuff, not that we don't need to worry about that. But I think the balance is just gone, they're, you know, swung so hard in that direction, that we've kind of forgotten about the basics that, you know, models seem really cool, but it's really just software, and models is one part of a very big stack, usually. And if attackers want to do harm, they can target any parts of that stack, and are going to choose, you know, the shortest path to reach their objective. And so, as we're building out this, you know, AI industry, and there's such a kind of an explosion there, I think it is really important that we're not just perpetuating the current dynamics into the future. But like, we've learned how to do this, we've gotten before AI, we actually have gotten to this kind of consensus that like, we need to do better. And here's how we can do better. Just because we're going to market doesn't mean we should forget those things, like that should be table stakes, that everyone's doing that before we put products to market.
You know, in terms of how that, you know, liability debate, the national cyber strategy is gonna evolve, you know, I think, who's to say, but I do hope that that kind of central insight that, you know, when there's breaches, we shouldn't always just immediately blame the end user, we should look at actually the upstream software. You know, I hope that that perpetuates into the AI era.
So, and I'll tag that with one thing. When we did the DEF CON generative AI red team, it became incredibly apparent to me how important and useful it is for the hacker community and security like research community, to a lesser extent, normally cybersecurity community, but definitely the first two, to team up with AI research and AI implementation, because the mindset of this like, kind of inevitable, unknowable failure, and then like a real process is designed to approach and understand and defend against that is, it's going to be so important because people are going to be stuck in this mindset of like, well, how do we stop all the bad stuff from happening? It's like bad news. It's all the Internet software, obviously, you can't?
Well, I mean, we've been talking about how democratized it is, and the non-deterministic nature and all of these, all of these aspects make this even more challenging than some of the other discussions around liability. And I do think it's an ongoing discussion. I am getting the signal that we are going to wrap up. So thank you all. I suspect that we will all be around and happy to chat. And I hope you have a lovely