Overview
Severity: MEDIUM | Affected: CISA, NCSC | Category: policy
In a landmark policy move, the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) have jointly issued a mandatory 'Secure by Design' framework for all AI systems deployed in critical national infrastructure. The new directive applies to sectors such as energy, finance, transportation, and healthcare. The policy requires developers and operators to conduct continuous, adversarial red-teaming, maintain auditable logs of model behavior, and ensure complete provenance and integrity for training data. Organizations will be required to submit regular AI security compliance reports to a joint oversight body. The goal is to mitigate systemic risks posed by insecure or easily manipulated AI systems that could disrupt essential services. While security experts have lauded the proactive regulation, some industry groups have raised concerns that the stringent requirements could stifle innovation and slow down the adoption of beneficial AI technologies in these key sectors.