Alston & Bird Privacy, Cyber & Data Strategy Blog

CISA and JCDC Conduct First-Ever Public-Private AI Security Incident Tabletop Exercise

By and

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) collaborated with the Joint Cyber Defense Collaborative (JCDC) to hold the federal government’s first tabletop exercise for “AI security incidents.  JCDC led the exercise and, true to JCDC’s public-private partnership model, included over 50 participants from various government agencies and private-sector companies.

For those interested, CISA has published the tabletop scenario it used to drill how an “AI security incident” may be experienced.  Fact patterns of potential interest include:

  • How phishing campaigns may appear if ‘powered by’ AI components;
  • How an “AI-specific” attack strategy might appear, such as by socially engineering an employee to download a malicious generative AI model into the company’s environment; and
  • How information-sharing between the public and private sector may work when AI is involved in a significant attack.

The tabletop exercise is a step towards a CISA/JCDC goal of creating a “AI Security Incident Collaboration Playbook,” which is intended to institutionalize operational collaboration in AI security incident scenarios among government, industry, and international partners.  JCDC intends to publish a draft of this Playbook, then host a second public-private tabletop to validate it; anticipated participants include AI companies, critical infrastructure providers who are integrating AI into operational environments, and government actors.

The Playbook’s information-sharing framework is likely to be of significant interest to industry.  For many companies, there may be sensitivity about sharing AI incident information in a way that might identify a company, its proprietary AI deployments, or the fact of a novel AI attack, in a way that can be identified by other industry participants.  Appropriate confidentiality and compartmentalization may be key to encouraging the types of information sharing that can provide industry-wide benefits.

Alston & Bird is closely following developments impacting response to AI security incidents.  For more information contact Kim Peretti or Dan Felz.

LinkedIn
Headshot of Dan Felz

About Daniel Felz

Dan’s clients receive operations-ready management of their complex privacy, security, and technology issues, as well as seamless interactions with stakeholders. Fluent in German with a U.S. litigation background, Dan helps companies of all sizes across industries and jurisdictions resolve data-related matters at the local, national, and international levels.

[Read Bio]

Avatar photo

About Kim Peretti

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top of the line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.

[Read Bio]

Share to...
BufferCopyFlipboardHacker NewsLineLinkedInMessengerMixPinterestPocketPrintRedditSMSTelegramTumblrVKWhatsAppXingYummly