HR 3919 Introduced – Securing AI
Back in June, Rep LaHood (R, IL) introduced HR 3919, the Advanced AI Security Readiness Act. The bill would require the National Security Agency (NSA) to develop strategies to defend covered AI technologies from technology theft by threat actors. No new funding is authorized by this bill.
Definitions
Subsection 2(g) provides the definitions of five key terms used in the bill. Two technical definitions of interest here are:
AI Security Playbook
Subsection 2(b) establishes the elements that would be included in the ‘AI Security Playbook’ strategies:
Identification of potential vulnerabilities in advanced AI data centers and among advanced AI developers capable of producing covered AI technologies, with a focus on cybersecurity risks and other security challenges,
Identification of components or information that, if accessed by threat actors, would meaningfully contribute to progress made by the actor with respect to developing covered AI technologies,
Strategies to detect, prevent, and respond to cyber threats by threat actors targeting covered AI technologies,
Identification of the levels of security that would require substantial involvement by the United States Government in the development or oversight of highly advanced AI systems,
Analysis of how the United States Government would be involved to achieve the levels of security identified above.
Subsection 2(f) clarifies that the requirement to identify levels of security described above does not authorize or require any regulatory or enforcement action by the United States Government.
The Playbook would be published in an unclassified version for possible dissemination to the private sector. A classified annex would be prepared that would include detailed methodologies and intelligence assessments.
Moving Forward
LaHood and two of his three cosponsors {Rep Gottheimer (D, NJ) and Rep Krishnamoorthi (D, IL)} are members of the House Intelligence Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I suspect that there will be some level of bipartisan support for the bill in Committee. The specific lack of regulatory authority and no spending authorization removes much of what could cause concern from Republicans. Still, I am not sure that there would be sufficient bipartisan support to allow the bill to be considered in the full House under the suspension of the rules process.
Commentary
With AI, or more accurately machine learning applications, starting to be used in process control systems, security of those systems will become increasingly important. In this session’s political environment, it is clear that any attempts to regulate that security, but the development of this Playbook should be a good starting point for developing AI cybersecurity requirements in a future, less regulatorily constrained, Congress.
While it is obvious that an unclassified version of the Playbook is necessary for public distribution, I am disappointed that this legislation does not contain specific requirements that the NSA develop a process for sharing the classified portions of the Playbook, particularly the intelligence assessments, with critical infrastructure organizations. I would add a paragraph (3) to subsection 2(c):
“(c) NSA shall develop processes and procedures to share elements of the classified annex with critical infrastructure, as that term is defined in 42 USC 5195c(e).”