The Challenge Of Cybersecurity At The Cutting Edge

One of the major challenges with cybersecurity is that an organization can never stand still; the moment you think you’ve addressed all the key cybersecurity challenges, a new threat or challenge emerges. In the ever-evolving landscape of cybersecurity, two revolutionary technologies have emerged as game-changers: Artificial Intelligence (AI) and Quantum Computing. While both of these innovations hold immense promise for transformation for how organizations are run and managed, they also bring forth unprecedented and unknown challenges. As the rapid development of AI and quantum computing continues, cybersecurity experts and officials, especially those in charge of protecting and managing critical infrastructure and government functions, find themselves on the frontline of a new digital battleground, tasked with safeguarding sensitive data and systems against increasingly sophisticated threats.

The addition of AI to the mix in cybersecurity is giving both defenders and attackers powerful tools. AI-powered security solutions can rapidly detect and respond to threats, mitigating risks in real-time. However, bad actors can also exploit AI to launch more targeted and nuanced attacks. The use of AI-generated phishing emails and malware is becoming more prevalent, effectively camouflaging cyber threats amidst legitimate communication. The perpetual cat-and-mouse chase between AI-powered defenses and AI-driven attacks puts cybersecurity professionals in a constant race to stay ahead.

Quantum computing is promising for cybersecurity

While still emerging and not as broadly adopted, quantum computing is promising to become a dual-edged sword in the realm of cybersecurity. Quantum computers have the potential to break the cryptographic algorithms that currently underpin much of our digital security. Traditional encryption methods, once considered rock-solid, could crumble in the face of a quantum-powered attack, leaving data and sensitive information vulnerable to exposure. In response, cryptographers are rushing to develop quantum-resistant algorithms that can help ensure data protection remains intact in the quantum era. However, this transition presents its own set of challenges, such as the need to update and retrofit existing infrastructure and systems to accommodate these new cryptographic protocols.

Participating in a recent panel at the GovFuture Forum event in DC in July 2023, four government officials and experts shared a broad range of concerns from their perspective agencies and organizations on how AI and quantum computing are changing the dynamic in their organizations.

Martin Stanley, Strategic Technology Branch Chief, Office of Strategy Policy and Plans at Cybersecurity and Infrastructure Security Agency (CISA), who also serves in a leadership role at the NIST for the AI Risk Management Framework (RMF), shared in the panel that, “In my real job at CISA, we look at these emerging technologies from three perspectives. One, how can it help us get our mission? In many ways, there’s a lot of opportunities there. We also look at it from a second perspective of how those technologies are going to be adopted by our stakeholders. Now, we have to advise them and assist them securely and safely and all those other concerns that folks have in adopting this technology. Then the third area is how does that change the threatscape? How do these emerging technologies enable adversaries? This is probably the highest level, most easy way to describe it. I think what we’re seeing now is there’s a lot of hidden threats and hidden concerns that folks really aren’t able to understand.”

Gerald (Gerry) J Caron III, Chief Information Officer (CIO) of International Trade Administration (ITA) at the Department of Commerce (DOC) adds, “I think you saw a while back the Executive Orders (EOs) that focus the nation’s efforts on cybersecurity. There’s been the zero trust strategy that came out. There’s been some other EOs that have recently come out as well around this. There’s definitely a push from the highest level and it’s not just going down to the IT people. It’s making it an agency priority, which is very different. Usually, it would be something that comes to the agency from OMB and goes to the IT guys and the IT guys would thrash around with it and determine what to do. But now, it’s like making it a priority for the agency heads. It’s not just an IT thing. It’s not just a technology issue. There’s a culture change that’s going to be around changing the way we do business. I like to be inclusive and understand how folks that I support want to work so I can include those in our journey as we go through things like zero trust and any other side of the security efforts.”

“As far as the technology mentioned, quantum, seriously concerns me,” Gerry states. “Because the adversaries, as you said, will be using it. We have to get to a point where I think it’s a strategy. It’s not just checking the box saying ‘I’ve complied with this kind of thing.’ We really need to be strategic, and be more proactive. The discussion about leveraging AI and machine learning, I think it’s really going to be a game changer as we apply it in our monitoring and other operations. I think it’s going to be a big game changer as we mature.”

Asher Kotz, Manager International Business Investment, Israel & Cyber, Fairfax County Economic Development Authority (FCEDA), brings a different perspective speaking from a state and local government level. The challenge for state and local governments around emerging cybersecurity threats is even more significant given the highly distributed nature of the systems and limited resources available to deal with challenges.

Asher shares, “We work very closely with the county system and also on the regional level on protecting and securing critical infrastructure. I think our number one challenge is that we have a very distributed environment, 400 sites around the county. We have schools, we have critical infrastructure, we have about 1.1 million people in the county, even more than 200,000 students. So what the county has been doing every year or maybe every two years is to do a strategic planning, especially when things are changed, for example during the pandemic. 2020 was a big challenge to move to a mass education platform. The need is to collaborate. And I think, overall, we see a great collaboration of national and international knowledge, investment and technology in Northern Virginia.”

Adding to the above feedback, from a US Defense Department perspective, James Palumbo, Naval Facilities Engineering Systems Command Washington Command Information Officer, shares, “As a former Air Force guy I think about things in terms of the ‘OODA’ Loop – Observe, Orient, Decide, Act. The observe part is where I really see AI and ML coming, providing an understanding of what we’re doing, what we need to do from an IT perspective, what the mission priorities are. Take that volume of Intel that’s out there and make it relevant to what we’re trying to do from a mission perspective and what we need to do from an IT perspective in order to support the mission. And then the predominantly human side of that will decide and act. But as you learn, you can turn more of that automating, decide, and act. If you’re comfortable with it, turn it over to the AI/ML piece and those critical strategic aspects of it are still there having that human key decision maker involved in it. So that’s where I see it playing out.”

Additional insights were shared at the GovFuture Forum event in DC around the use of AI and quantum for cybersecurity, and how government agencies at all levels, defense and civilian, are approaching the use of those technologies.

Disclosure: Ronald Schmelzer is an Executive Director at GovFuture.