PHILADELPHIA — U.S. Army officials are considering asking companies to give them an inside look at the artificial intelligence algorithms they use, so the service can better understand the algorithms' provenance and potential cybersecurity weak spots.
The nascent AI “bill of materials” effort would be similar to existing software bill of materials practices, or SBOMs, the comprehensive lists of ingredients and dependencies that make up software, according to Young Bang, the principal deputy assistant secretary of the Army for acquisition, logistics and technology.
Such disclosures are championed by the National Telecommunications and Information Administration, Cybersecurity and Infrastructure Security Agency and other organizations.
“We’re toying with the notion of an AI BOM. And that’s because, really, we’re looking at things from a risk perspective,” Bang told reporters on the sidelines of Technical Exchange Meeting X, a defense industry conference held May 24-25 in Philadelphia. “Just like we’re securing our supply chain — semiconductors, components, subcomponents — we’re also thinking about that from a digital perspective. So we’re looking at software, data and AI.”
Bang and others met with AI companies during the conference to gather feedback on the potential requirements. He did not share insights from the private get-together.
The Pentagon is investing in AI, machine learning and autonomy as leaders demand quicker decision-making, longer and more-remote intelligence collection and a reduction of human risk on increasingly high-tech battlefields. The Defense Department in 2021 established its Chief Digital and AI Office, whose executives have since said high-quality data is foundational to all its pursuits.
More than 685 AI-related projects are underway at the department, according to the Government Accountability Office, a federal watchdog, with at least 232 being handled by the Army.
A peek under the algorithm hood, Bang said, is more about ruling out “risk like Trojans, triggers, poison data sets, or prompting of unintentional outcomes,” and less about reverse engineering and exposing sensitive intellectual property.
“I just want to make sure we’re explicit about this: It’s not to get at vendor IP. It’s really about, how do we manage the cyber risks and the vulnerabilities?” he said. “We’re thinking about how do we work with industry.”
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.