It’s interesting to watch California wrestle with the idea of regulating AI development and requiring that those developers act responsibly, when pretty much no one requires the rest of IT to act in any specific manner.
It starts off like this:
22603.
(a) Before a developer initially trains a covered model, the developer shall do all of the following:
(1) Implement administrative, technical, and physical cybersecurity protections to prevent unauthorized access to, misuse of, or unsafe post-training modifications of, the covered model and all covered model derivatives controlled by the developer that are appropriate in light of the risks associated with the covered model, including from advanced persistent threats or other sophisticated actors.
(2) Implement the capability to promptly enact a full shutdown.
(3) Implement a written and separate safety and security protocol that does all of the following:
(A) If a developer complies with the safety and security protocol, provides reasonable assurance that the developer will not produce a covered model or covered model derivative that poses an unreasonable risk of causing or enabling a critical harm.
(B) States compliance requirements in an objective manner and with sufficient detail and specificity to allow the developer or a third party to readily ascertain whether the requirements of the safety and security protocol have been followed.
and it continues for several pages. There are a lot of arguments currently going on over this bill as it makes its way through the legislature. But none that I’ve seen mention one very glaring assumption: the law would only apply to AI models costing more than 100 million, as if no small-scale AI could possibly cause harm.
The small harm
We have the same problem in our end of the industry, don’t we? CISA, NIST, MITRE, ISO, FIPS and all of the rest of the alphabet-soup acronyms out there target critical infrastructure, government contracts, and (to a lesser extent) large enterprise, and ignore cybersecurity in small business (except for CISA’s mixed bag of toothless suggestions). Yet small business is exactly where most of the cybersecurity problem is and where the least effort is applied.
That leaves a gaping hole for an organization like ours to fill. By recreating our industry with ethics forward (read ours), accreditation (help us form it), and a shunning of those who act otherwise, we can solve this problem. It’s the real problem.
Here are a few alarming statistics:
- Small businesses receive the highest rate of targeted malicious emails
- One-third of small businesses with 50 or fewer employees rely on free, consumer-grade cybersecurity solutions
- 20% of small businesses have implemented multi-factor authentication
- Only 17% of small businesses encrypt data
- 51% of small businesses have no cybersecurity measures in place at all
- 47% of businesses with fewer than 50 employees have no cybersecurity budget
- 64% of all small businesses are not familiar with cyber insurance
- 27% of small businesses with no cybersecurity protections at all collect customers’ credit card info
- Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises
Yet we haven’t built a strong foundation on which our industry can stand. Instead, we rely upon the wringing of hands and shrugging of shoulders at those who haven’t talked to their clients about the importance of cyber insurance or implementing MFA. The worst they get is a social media meme carefully generic enough not to point out who the snake oil salesman is.
If you’re not a member, Join today
References:
- 35 Alarming Small Business Cybersecurity Statistics for 2024, StrongDM
- Today’s Law As Amended – SB-1047 Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (ca.gov)