AI Cybersecurity Readiness Metric

The GCSCC has received funding from the UK Government for the creation of an Artificial Intelligence (AI) Cybersecurity Readiness Metric. This new metric will be useful for nations and organisations seeking to rapidly assess their current state of capability to withstand AI cybersecurity risks, and to identify corresponding priorities for cybersecurity capacity enhancement. 

Nations are increasingly concerned with the growing use of and dependence upon AI, and what this might mean for the cyber-resilience of their critical infrastructures, businesses and society more widely. The impact of AI on national and international cyber-resilience is likely to require specific capabilities in, and across, all dimensions of cybersecurity capacity. 

There is growing evidence of the ways in which such advanced machine-learning technologies might add potency to cyber-attacks and cyber-harm and the cybersecurity community is also researching how defensive controls might also be enhanced to protect systems generally from such an advanced threat. However, a known gap in cybersecurity capability is how to specifically defend AI assets where they are being used (e.g., inside critical infrastructures, control systems, and business more widely). We know that the AI systems themselves will be targeted, and yet there are no specialised controls for detecting compromised systems, nor means to predict how such risk will propagate through supply-chains and society, and the potential harms that might arise in consequence. It is clear that nations will need to develop insight into their current and future positions, and specifically the risks that they face. Such insights will indicate capability gaps and requirements for cybersecurity capacity-building. The GCSCC believes that there is merit in research into and the creation of an AI Cybersecurity Readiness Metric.

The GCSCC has over ten years of experience in benchmarking national cybersecurity capacity, and in researching what effective capacity-building looks like. The new metric will complement and interface with the Cybersecurity Capacity Maturity Model for Nations (CMM) a flagship output of the Centre for benchmarking national cybersecurity capacity that has now been used by over 90 countries around the world, and its use continues to grow. The CMM is uniquely both broad and deep in its understanding of what constitutes national (and supra-national) cybersecurity capacity – spanning five Dimensions: Policy and Strategy; Culture and Society; Knowledge and Capabilities; Legal and Regulatory Frameworks; Standards and Technologies. 

The development of this new metric will be done in a transparent and inclusive process and the GCSCC will seek advice from users and AI system and service creators in various sectors and from across the international community to ensure the new metric’s global relevance and its applicability in different geographical settings.

If you are interested in this research and would like to participate in the consultation process, please contact cybercapacity@cs.ox.ac.uk