In the last two years, more than 200 papers have been written on how Machine Learning (ML) can fail because of adversarial attacks on the algorithms and data; this number balloons if we were to incorporate non-adversarial failure modes. The spate of papers has made it difficult for ML practitioners, let alone engineers, lawyers and policymakers, to keep up with the attacks against and defenses of ML systems. However, as these systems become more pervasive, the need to understand how they fail, whether by the hand of an adversary or due to the inherent design of a system, will only become more pressing. The purpose of this document is to jointly tabulate both the of these failure modes in a single place.
Understanding this threat becomes important as more cyber-security functions, especially security operations, become dependent on machine learning algorithms.
It certainly seems that way on the surface.
In October 2018, NIST, collaborating with public and private stakeholders, started drafting its privacy framework. The framework is intended to serve as a guide for chief information security officers (CISOs), chief privacy officers (CPOs) and other internal privacy stakeholders and is geared toward helping them improve their organizational privacy posture. Like the NIST Cybersecurity Framework introduced in 2014, organizations that choose to comply with the privacy framework can do so voluntarily.
It is expected that the framework will be presented in language that can be understood by both privacy and security professionals, as well as executives and other business stakeholders who may have no expertise in privacy, and that’s a very good thing. The roles of the CISO and CPO are evolving to have complementary concerns, which means they must work more closely together, especially when it comes to privacy and personal data protection. Technical professionals and legal professionals speak in very different language in their day-to-day lives, so when it comes to implementing an effective privacy program, everyone had better be speaking the same language to establish a common understanding of what needs to get done.
NIST has been working quickly. A request for information (RFI) to gather input and guide the development of the framework wrapped up in January, and the outline of the NIST Privacy Framework was drafted and shared in March.
This is a welcome move from NIST. I hope that information security and privacy officers embrace the framework. I also hope that the federal government issues strong privacy legislation, similar to the GDPR, that is congruent with the United State constitution. We, the people, need some relief form the wonton collection and leverage of personal information.