Air Force, Coast Guard Talk Data Security Efforts for AI Development

The Air Force and Coast Guard are strengthening defenses against data poisoning and other cybersecurity risks as they scale up artificial intelligence development. Leaders from both services detailed efforts to ensure AI models are built on clean, protected data.

The Air Force is creating a “golden record” of training data that it will use as a secure way to lessen the chances of data poisoning in large scale projects, said Air Force Manpower, Personnel, and Services (A1) CTO Darek Kitlinski at the TechNet Cyber Conference in Baltimore this month.

Kitlinski said the golden record would be protected separately from other training data to ensure AI models are built on the back of clean, useful data.

“We’re now creating a golden record of that data, having that central repository where you can run the models, no matter what silo,” Kitlinski told the audience. “We’re going to put everything under the similar stack so that we can monitor it to ensure that there’s nothing, nobody poisons it or changes things.”

He warned that lax security practices can make AI and the data it relies on vulnerable to threat actors and adversaries, but solutions like a golden record can assure employees that the data they are using is not compromised from biased data sources.

“AI is a great tool. It’s a great practice, it’s a great emerging technology, but we always have to think about it from a secure perspective. Believe it or not, sometimes the things that you mainly think are low priority actually the biggest priority,” Kitlinski said.

He emphasized that data and AI culture has changed, and security of high-quality data is a critical component of artificial intelligence development at the federal level.

The three main pillars of cloud cybersecurity — governance, architecture and risk management — have come to the forefront compared to on-premise cybersecurity and changed the mindset around data protection, Kitlinski said.

“In the past, we would employ all these wonderful tools and have cybersecurity in the back. Now, believe it or not, it’s in the front, it’s a completely different mindset,” Kitlinski said. “Your teams … have to think of cybersecurity continuously. The priority is always cybersecurity, but it’s also the change in culture. Because many times, as you’re dealing with this, you’re dealing with folks that have been doing it on-prem.”

Capt. Daniel Rogers, the Coast Guard’s deputy chief data and AI officer, said his service is protecting data through the creation of “minimally viable teams” that have specific roles in securing data environments. Rogers said smaller teams enable the service to quickly develop and scale tech solutions.

“Once I have a team in each one of these domains, then I can augment those teams. I can add more scientists, I can add more engineers. I can get across more sub-domains. I can answer more questions as I prioritize those overall use cases,” Rogers said.

Rogers added that at an organization as complex as the Coast Guard, the main challenges lie in securing unbiased, complete data sets while balancing the competing mission sets that add complexity to data transformation.

“We’re doing it in this very siloed way because everybody owns their own. The biggest, the most important piece of what we’re trying to do in building the scaffolding, is to make sure that there’s a shared approach,” Rogers said.

Rogers pointed to examples where members of the Coast Guard, in an effort to streamline their workflows, uploaded “terabytes” of data into commercially available ChatGPT. He said that since the Coast Guard was unable to provide in-house tools, employees began to look outside the box and put security on the back burner.

He stated that if security is not built throughout the Coast Guard’s infrastructure beyond IT, employees might continue to take shortcuts that can leave IT systems exposed to threat actors.

“It’s building the rigor around the whole infrastructure. Not only IT infrastructure, but infrastructure to include people, to include security, to include processes. If we don’t get that right, they’re going to do it on their own, and then we’re going to lose,” Rogers said.