AI can help track an ever-growing body of vulnerabilities, CISA official says

Artificial intelligence could be a key tool for helping organizations keep track of an ever-expanding catalog of identified software flaws, a top official at the Cybersecurity and Infrastructure Security Agency said Thursday.

CISA sponsors the Common Vulnerabilities and Exposures (CVE) program, which publishes standardized data about known cyber vulnerabilities. The number of vulnerabilities the CVE program published last year rose to 40,000, said Chris Butera, acting deputy executive assistant director of cybersecurity at CISA.

“For any organization to try to track and hash against 40,000 different vulnerabilities within their IT ecosystem, it’s a very complex challenge,” he said at Thursday’s GDIT Emerge event, produced by Scoop News Group. “We can do a lot more with automation, and that’s where maybe AI can help us in the automation pieces.”

CISA’s goals for the CVE program are “more automation, innovation and increasing the quality of the data going into the program,” he said. Earlier this year CISA narrowly averted a lapse in a key contract to administer it.

Butera’s remarks were among several at the event where industry and policymakers opined on how AI can aid cyber defenders, as opposed to fears about how AI might aid hackers looking to exploit the technology.

Daniel Richard, associate deputy director of digital innovation at the Central Intelligence Agency, said that he’s “actually quite bullish and optimistic in how AI can be leveraged in the cyber space.”

It’s especially important as the window shrinks between the discovery of previously unknown vulnerabilities called zero-days and when hackers begin exploiting them.

“There is a lot of opportunity as we gather more telemetry data, more metrics, to be able to leverage AI to identify anomalies much more quickly to be able to react to those threats in a much more proactive way,” he said.

Manny Medrano, director of the office of cybersecurity monitoring and operations at the State Department, said a good role might be treating AI as a “virtual assistant.” But humans have to remain in charge in the end. “You make the final decision,” he said.

It also can play an important role for defenders in sifting through mountains of data, said David Carroll, vice president of cyber capability, engineering and strategy at GDIT.