Upcoming Book on AI and Democracy

Read Time:3 Minute, 15 Second

If you’ve been reading my blog, you’ve noticed that I have written a lot about AI and democracy, mostly with my co-author Nathan Sanders. I am pleased to announce that we’re writing a book on the topic.

This isn’t a book about deep fakes, or misinformation. This is a book about what happens when AI writes laws, adjudicates disputes, audits bureaucratic actions, assists in political strategy, and advises citizens on what candidates and issues to support. It’s a book that tries to look into what an AI-assisted democratic system might look like, and then at how to best ensure that we make use of the good parts while avoiding the bad parts.

This is what I talked about in my RSA Conference speech last month, which you can both watch and read. (You can also read earlier attempts at this idea.)

The book will be published by MIT Press sometime in fall 2025, with an open-access digital version available a year after that. (It really can’t be published earlier. Nothing published this year will rise above the noise of the US presidential election, and anything published next spring will have to go to press without knowing the results of that election.)

Right now, the organization of the book is in six parts:

AI-Assisted Politicians
AI-Assisted Legislators
The AI-Assisted Administration
The AI-Assisted Legal System
AI-Assisted Citizens
Getting the Future We Want

It’s too early to share a more detailed table of contents, but I would like help thinking about titles. Below are my current list of brainstorming ideas: both titles and subtitles. Please mix and match, or suggest your own in the comments. No idea is too far afield, because anything can spark more ideas.

Titles:

AI and Democracy
Democracy with AI
Democracy after AI
Democratia ex Machina
Democracy ex Machina
E Pluribus, Machina
Democracy and the Machines
Democracy with Machines
Building Democracy with Machines
Democracy in the Loop
We the People + AI
Artificial Democracy
AI Enhanced Democracy
The State of AI
Citizen AI

Trusting the Bots
Trusting the Computer
Trusting the Machine

The End of the Beginning
Sharing Power
Better Run
Speed, Scale, Scope, and Sophistication
The New Model of Governance
Model Citizen
Artificial Individualism

Subtitles:

How AI Upsets the Power Balances of Democracy
Twenty (or So) Ways AI will Change Democracy
Reimagining Democracy for the Age of AI
Who Wins and Loses
How Democracy Thrives in an AI-Enhanced World
Ensuring that AI Enhances Democracy and Doesn’t Destroy It
How AI Will Change Politics, Legislating, Bureaucracy, Courtrooms, and Citizens
AI’s Transformation of Government, Citizenship, and Everything In-Between
Remaking Democracy, from Voting to Legislating to Waiting in Line
How to Make Democracy Work for People in an AI Future
How AI Will Totally Reshape Democracies and Democratic Institutions
Who Wins and Loses when AI Governs
How to Win and Not Lose With AI as a Partner
AI’s Transformation of Democracy, for Better and for Worse
How AI Can Improve Society and Not Destroy It
How AI Can Improve Society and Not Subvert It
Of the People, for the People, with a Whole lot of AI
How AI Will Reshape Democracy
How the AI Revolution Will Reshape Democracy

Combinations:

Imagining a Thriving Democracy in the Age of AI: How Technology Enhances Democratic Ideals and Nurtures a Society that Serves its People

Making Model Citizens: How to Put AI to Use to Help Democracy
Modeling Citizenship: Who Wins and Who Loses when AI Transforms Democracy
A Model for Government: Democracy with AI, and How to Make it Work for Us

AI of, By, and for the People: How Artificial Intelligence will reshape Democracy
The (AI) Political Revolution: Speed, Scale, Scope, Sophistication, and our Democracy
Speed, Scale, Scope, Sophistication: The AI Democratic Revolution
The Artificial Political Revolution: X Ways AI will Change Democracy…Forever

Read More

A Vulnerability in OpenSSH Could Allow for Remote Code Execution

Read Time:27 Second

A vulnerability has been discovered in OpenSSH, which could allow for remote code execution. OpenSSH is a suite of secure networking utilities based on the SSH protocol and is crucial for secure communication over unsecured networks. It is widely used in enterprise environments for remote server management, secure file transfers, and various DevOps practices. Successful exploitation of this vulnerability could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Read More

Model Extraction from Neural Networks

Read Time:1 Minute, 26 Second

A new paper, “Polynomial Time Cryptanalytic Extraction of Neural Network Models,” by Adi Shamir and others, uses ideas from differential cryptanalysis to extract the weights inside a neural network using specific queries and their results. This is much more theoretical than practical, but it’s a really interesting result.

Abstract:

Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations. Many versions of this problem have been studied over the last 30 years, and the best current attack on ReLU-based deep neural networks was presented at Crypto’20 by Carlini, Jagielski, and Mironov. It resembles a differential chosen plaintext attack on a cryptosystem, which has a secret key embedded in its black-box implementation and requires a polynomial number of queries but an exponential amount of time (as a function of the number of neurons). In this paper, we improve this attack by developing several new techniques that enable us to extract with arbitrarily high precision all the real-valued parameters of a ReLU-based DNN using a polynomial number of queries and a polynomial amount of time. We demonstrate its practical efficiency by applying it to a full-sized neural network for classifying the CIFAR10 dataset, which has 3072 inputs, 8 hidden layers with 256 neurons each, and about 1.2 million neuronal parameters. An attack following the approach by Carlini et al. requires an exhaustive search over 2^256 possibilities. Our attack replaces this with our new techniques, which require only 30 minutes on a 256-core computer.

Read More

Regulatory Compliance and Ransomware Preparedness

Read Time:5 Minute, 20 Second

Ransomware attacks are a huge problem: in the past five years alone, they have brought about a state of emergency across vast swathes of the United States, threatened to topple the Costa Rican government, and brought Portugal’s largest media conglomerate to its knees. And ransomware attackers show no signs of slowing down: last year, roughly one-third of all data breaches involved ransomware or some other extortion technique.

Preventing and protecting against ransomware attacks has become a global priority, with cybersecurity regulations and frameworks playing an essential role. By outlining, standardizing, and mandating preventative measures, cybersecurity regulations and frameworks ensure that organizations worldwide are prepared to deal with the ransomware threat. Let’s examine them more closely.

Understanding Cybersecurity Regulations

First, we need to understand cybersecurity regulations and what they do. There are far too many cybersecurity regulations for us to cover in this article, so we’ll focus on three of the most important: NIS2, DORA, and HIPAA.

Broadly speaking, cybersecurity regulations are sets of laws, rules, or guidelines enacted by governments or regulatory bodies to protect information systems, networks, and data from cyber threats and attacks. These regulations ensure data and information systems’ confidentiality, integrity, and availability by enforcing specific security practices, controls, and procedures. But let’s look at each of our examples a little more closely:

NIS2 (Network and Information Security Directive 2)

The Network and Information Security Directive 2 (NIS2) is a legislative framework established by the European Union (EU) to enhance member states’ cybersecurity resilience and response capabilities. It builds upon the original NIS Directive to strengthen cybersecurity measures in critical infrastructure sectors, promote cooperation among member states, and hold organizations accountable.

DORA (Digital Operational Resilience Act)

The Digital Operational Resilience Act (DORA) is a regulatory framework that came into force in January 2023. It aims to enhance the financial sector’s digital operational resilience within the EU. DORA’s primary goal is to ensure that financial institutions can withstand, respond to, and recover from all types of ICT (Information and Communication Technology) related disruptions and threats, including ransomware and cyberattacks. The Act complements the NIS2 regulation in the financial services domain.

HIPAA (Health Insurance Portability and Accountability Act)

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996 to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA sets the standard for protecting sensitive patient data, and organizations dealing with protected health information (PHI) must ensure that they put in place and follow all necessary physical, network, and process security measures to comply.

How do Regulations Improve Ransomware Readiness?

Now that we better understand each regulation, we can explore how they improve ransomware readiness. Again, we won’t have time to explore each regulation’s provisions in their entirety, so we’ll pick out some of the most important.

NIS2

NIS2 has several provisions that improve relevant organizations’ resilience to ransomware attacks. For example:

Risk Management: NIS2 mandates that organizations implement robust risk management practices, including conducting regular risk assessments and deploying advanced security controls.

Supply Chain Management: NIS2 compliance reduces the risk of ransomware attacks spreading through supply chains. Under NIS2, organizations must ensure that their suppliers and service providers adhere to stringent cybersecurity practices to prevent ransomware from spreading.

Information Sharing: NIS2 requires member states to contribute to and cooperate with the Cyber Crisis Liaison Organizations Network (EU-CyCLONe), which shares threat intelligence and best practices with other member states.

Dora

DORA Here are some examples of the DORA provisions that ensure organizations improve their ransomware preparedness:

Comprehensive ICT Risk Management:

● DORA requires financial entities to conduct thorough risk assessments to identify vulnerabilities that ransomware attackers could exploit. They must implement robust risk management frameworks to mitigate these risks effectively.

● Financial institutions must deploy advanced security controls and technologies, such as firewalls, intrusion detection systems, and endpoint protection, to prevent ransomware attacks.

Incident Detection and Response:

● DORA mandates the implementation of monitoring and detection mechanisms to identify ransomware and other cyber threats promptly.

● Relevant organizations must have detailed incident response plans in place. These plans should outline procedures for containing, mitigating, and recovering from ransomware attacks, ensuring minimal disruption to operations.

Regular Testing:

● DORA requires regular testing of digital operational resilience, including penetration testing and scenario-based testing. These tests help financial institutions prepare for and effectively respond to ransomware attacks.

HIPAA

HIPAA, however, has a focus on security standards and safeguards to improve ransomware readiness, including:

Administrative Safeguards – Policies and procedures for managing the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI). Examples include:

Security Awareness and Training – Regular training for employees on recognizing and responding to ransomware threats.

Incident Response Plans – Procedures for responding to security incidents, including ransomware attacks.

Technical Safeguards – Technology and policies to protect ePHI and control access to it. Examples include:

● Access Controls – Ensuring only authorized personnel can access ePHI; this includes unique user IDs, emergency access procedures, and automatic logoff.

● Encryption – Encrypting ePHI to protect data at rest and in transit from unauthorized access is crucial for preventing ransomware attackers from accessing and exfiltrating sensitive information.

How to Ensure Compliance and Enhance Ransomware Preparedness

While we have covered some specific examples from each regulation, it’s important to keep in mind that they share many of the same provisions: By implementing a few basic cybersecurity measures, you can set your organization on the path to compliance with a wide range of regulations and dramatically improve your ransomware preparedness.

For example, it’s essential to conduct regular risk assessments and implement risk management strategies to identify and remediate vulnerabilities. Similarly, most regulations require incident response plans, security awareness training, continuous monitoring, and technical measures such as advanced anti-ransomware solutions, encryption, and multi-factor authentication.

But most importantly, you must recognize that threats and regulations are constantly evolving. As such, it’s essential to regularly review and update security policies and procedures to ensure you’re protected from emerging ransomware threats and comply with changing regulations.

In conclusion, achieving regulatory compliance is a great first step to protecting against ransomware. While it’s always advisable to go above and beyond regulatory requirements, regulations such as NIS2, DORA, and HIPAA are valuable guidelines for implementing an effective cybersecurity program. Try not to think of cybersecurity regulations as cumbersome rules you must follow; think of them instead as a free resource to help you protect your organization. 

Read More