As a CISO (and vCISO), it is critical to maintaining a healthy skepticism and understanding of the latest technologies. Our constituents (clients or end-users) will want to engage in the newest tool or solution, and risk review is usually not on their agenda. They often just want utility- the means to improve their productivity, and the security impact of the tool is tertiary, at best. Our job is to review what is new and apply a risk management perspective. The latest tool of interest? The Generative AI chatbot, ChatGPT.
For those avoiding tech media blogs and articles, ChatGPT is an easy-to-use, AI-based engine (a variant of Generative Pre-trained Transformer 3) that can analyze information such as queries or raw data and produce a potentially meaningful assessment with a human-like response. The opportunity for this tool is immense – automating documentation tasks, gathering detailed research, creating a generative copy (such as essays), among countless other capabilities—just Google "Productivity tips for ChatGPT" for proof. Seriously, you'll be impressed.
But what about security? ChatGPT has defined specific controls for managing the data it obtains, but at the end of the day, it eats whatever you feed it. Simple queries may not impose a more significant threat to privacy than what we should expect from search engines, but ChatGPT (and other AI tools) can do more with more. Want to analyze your code? Create a legal missive? Write a quick essay about the dangers of ChatGPT? Feed the data in and get a result…almost frighteningly quickly. But where did this data go?
The data is now swirling around the belly of ChatGPT- was anything confidential? Did we infringe upon some entity's privacy? Are we comfortable that our new essay is now part of the AI collective? Have we broken any non-disclosure agreements? In the excitement of this new tool, did we think about the data we have provided? In the words of Dr. Ian Malcolm (Jurassic Park), are our users going to be "so preoccupied with whether or not they could, they didn't stop to think if they should"? I suspect as much.
This is a new problem, right? Not really. Other tools exist that create the same issue of data digestion. Mobile apps that allow you to print to your local printer often process the file outside your local network. Want to convert a PDF to Word cheaply? Just upload it to any number of websites, and you'll get a Word document back. Same with OCR- where do the files go when your scribbled notes are converted to text? They're in the deep web now, friend. Is that where you want your data?
As we move forward, companies will need to review their position on generative AI and other processing tools. Once an understanding is established, technical and administrative controls can be developed to meet their needs. NIST, ever the source for readable security guidance, has already published a framework for AI, namely the "Artificial Intelligence Risk Management Framework 1.0", as directed by Congress. This framework can help understand AI risk, determine tolerance, and prioritize integrating these tools into the enterprise. I highly recommend its perusal, and soon. Over 100 million users are on ChatGPT, and one can only wonder what they are feeding it. How many of those users are yours? Probably more than a few.
*None of this text was written by ChatGPT, but for fun, I asked it to write me a poem about the risk of sharing too much personal data, and here is a snippet of what it created:
So let us guard our data with care,
And share only what we wish to share,
For in this world, we must be aware,
That too much information is a risky affair.
I agree, ChatGPT!