“They are increasingly using AI tools to build their codes for cyberattacks,” said William Akoto, assistant professor of international politics at Fordham, adding that every new AI feature added to platforms like ChatGPT makes hackers’ work easier and leaves corporations and government agencies vulnerable. “It’s lowering the bar on these attacks.”

President Joe Biden said the “warp speed” at which this technology is advancing prompted him Monday to sign an executive order using the Defense Production Act to steer how companies develop AI so they can make a profit without risking public safety.

Akoto, who studies the international dynamics of cyberattacks, said the executive order is a step in the right direction.

“Presently, the U.S. lags behind global counterparts such as the E.U., U.K., and China in establishing definitive guidelines for AI’s evolution and application,” he said. “So this directive is a much-needed measure in bridging that gap. It is comprehensive, clarifying the U.S. government’s perspective on AI’s potential to drive economic growth and enhance national security.”

The president’s wide-ranging order in part requires AI developers to share safety test results with the government and to follow safety standards that will be created by the National Institute of Standards and Technology. Biden said this is the first step in government regulation of the AI industry in the U.S, a field he said  needs to be governed because of its enormous potential for both promising and dangerous ramifications.

But despite its noble intentions, Akoto said, “The practical implementation of these measures will present significant challenges, both for federal oversight bodies and the technology sector. A critical issue is the misalignment between the economic and market forces currently influencing AI technology firms and the Biden administration’s aspirations for cautious, well-evaluated, and transparent AI development. Without realigning these incentives with the administration’s objectives, tangible, positive outcomes from this executive order will remain elusive.”

Ultimately, the effectiveness of this initiative will hinge on how robust enforcement will be to ensure AI technology companies’ compliance, Akoto said.

“The title of this panel is ‘Critical Infrastructure Vulnerability: Real or Imagined?’” said Foye. “Spoiler alert: the answer is it’s real. It’s really serious, deadly serious.”

Foye said the vulnerability is an issue for every organization in the country—small, medium, and large. He said his own experience heading up the Port Authority of New York and New Jersey exposed him to the dangers and he continues to deal with them at the MTA.

He asked panelists what is the likelihood that some part of the nation’s critical infrastructure will be hacked in the next 36 months and the public will be denied access to electricity, public transit, water, or even their bank accounts.

“One hundred percent,” said Robert Galvin, chief technology officer of Port Authority of New York and New Jersey.

Jargon Must Go

Donna Dodson, Ph.D., chief cybersecurity advisor of the National Institute of Standards and Technology, stressed the need for tech experts to articulate the risks to the various sectors that they serve in language that they understand. She said it falls to those in the scientific and public infrastructure settings to begin to break silos and start speaking in layman’s terms so everyone can comprehend current threats, she said.

“We all have to get better, not cyber people talk to cyber people using 120 acronyms,” she said, noting that every agency, city hall, statehouse, and infrastructure agency uses its own set of letters that mean something to them alone. “If we’re really going to work with these organizations then we need to understand their use of terms, words, and jargons.”

She recalled a recent conversation with her own team about the Internet of things in a medical setting. A tech veteran, she said that when she heard the acronym ‘PAC,’ she assumed it meant Physical Access Control, when in actuality her team was talking about Picture Archive and Communication Systems (PACS) in radiology.

“It’s important to understand the environment and not force cyber to talk cyber and have everyone’s eyes glaze over,” she said.

Michael R. Singer, AVP of technology security at AT&T, agreed that in the process of designing resilience into tech systems “it’s important to be in touch on the human side. You need to continue to invest in your management capabilities.”

Glory, Not Money, as Motive

Gavin noted that the motivations to attack public sector infrastructure is rarely the same as in the commercial sector, where the primary motivator is money.

“In the public sphere it’s not data, but to make a name yourself, it’s ‘I’d love to be able to take over a train or the signage over the George Washington Bridge,’” he said.

He added the tech community could learn a lot from the engineering disciplines, which have been working together for hundreds of years.

“We have to come together as two different disciplines,” he said.

Cooperation is Key

Ben Miller, VP of threat operations at Dragos, concurred. He said that while most of the focus has been on the architecture behind systems to strengthen and fend off attacks, of equal importance is the staff that monitors the system through operational technology (OT). He said such defense cannot be shouldered by IT teams alone, it must include OT engineers who understand how the respective systems work, whether its water supplies or electrical grids.

“The fact that people think of technology in terms of smartphones and the computer at their desk is a real problem for us,” he said. “The plumbers, the electricians, the facility managers, all the people who are out doing work in industrial control systems don’t think of them as computers.”

He said OT systems can be hacked and that can shut down the facilities. Until OT engineers think of their systems as computers, then efforts to warn of cyber dangers fall flat. And, he said, the only way for IT people really understand what is going on is to go out become familiar with the work of OT.

Miller concurred and reiterated Dodson’s point on communication, particularly in educating the general public in terms they can understand. He cited the scientific community’s concerted effort to educate the public about the dangers of global warming as a model for the cybersecurity industry.

‘It Isn’t Magic’

“They [the scientists]embarked on a campaign; we need a similar effort in terms of tech, we need to teach everyone a little bit in terms they can understand,” he said. “For too long there’s been a guy in a black turtleneck sweater standing up saying ‘It is magic.’ It isn’t magic. It’s protocols, engineering, software, and hardware that’s all it is.”