WASHINGTON — To counteract emerging cyberthreats posed by artificial intelligence, the baseline level of cybersecurity across society must rise — including stronger security practices, improved software quality, faster response to threats, and more effective sharing of cyberthreat intelligence, says a new rapid expert consultation from the National Academies of Sciences, Engineering, and Medicine.

Frontier AI systems are rapidly expanding what is possible for both attackers and defenders, the publication says. In the near term, these advances are likely to favor attackers by reducing the time, expertise, and operational effort required for cyberattacks.

“With investment and collaboration, AI could facilitate a stronger approach to cybersecurity that may shift the advantage to the defenders,” said Giovanni Vigna, director of the AI Institute for Agent-based Cyber Threat Intelligence and Operation (ACTION) at the University of California, Santa Barbara, and co-author of the publication.  “Cybersecurity will need to improve rapidly to meet this challenge.”

Because AI-enabled cyber capabilities are evolving faster than the ability to evaluate and measure them, risk assessment is further complicated for policymakers and practitioners, the publication says. It provides an overview of how advances in AI are reshaping cybersecurity risks and defenses, including examples and policy considerations for decision-makers in the public and private sectors.

Long-term advantage could shift to defenders

Over longer time horizons, AI may enable fundamentally different and more favorable defensive approaches, allowing for a transition from static, episodic defense to continuous ‘defense-in-depth’ — in which vulnerability discovery and patching, threat detection, intelligence generation, incident response, and other functions operate as ongoing, interconnected processes.

“The short-term outlook is concerning, but the longer-term outlook is cautiously optimistic,” said co-author Paul England, independent consultant and former distinguished engineer at Microsoft Research. “The central task for policymakers and practitioners is to shorten the interval between these two regimes — mitigating near-term risks while speeding the deployment of more adaptive, scalable, and resilient defensive capabilities.”

Security teams that are often stretched thin may be able to leverage AI-enabled tools to improve threat detection, identify and remediate vulnerabilities, support incident response, and facilitate threat intelligence sharing across organizations. More broadly, AI may enable cyber defense activities to be conducted with greater speed, scale, and consistency than has previously been possible through human effort alone, the publication says.

Realizing this promise will require investment across technical, architectural, and institutional dimensions, the publication says. Although measures such as restricted access to the most advanced AI models may help buy time for defenders, long-term security will depend less on limiting access to AI capabilities and more on building resilient systems as those capabilities spread globally.

“A key lesson from the broad adoption of the internet in the late 1990s and early 2000s is that incentives are key to developing a robust security ecosystem,” said co-author Nadya T. Bliss, executive director of the Advanced Capabilities for National Security Institute at Arizona State University. “Without incentives that are aligned to security outcomes, security will continue to receive less attention than capability deployment.”

The rapid expert consultation was funded by the Philip and Sima Needleman Family Legacy Fund. The National Academies of Sciences, Engineering, and Medicine are private, nonprofit institutions that provide independent, objective analysis and advice to the nation to solve complex problems and inform public policy decisions related to science, engineering, and medicine. They operate under an 1863 congressional charter to the National Academy of Sciences, signed by President Lincoln.

Contact:
Molly Galvin
Director, Executive Communications
Office of News and Public Information
202-334-2138; email news@nas.edu