AI Testing and Evaluation: Learnings from cybersecurity

Jul 14, 2025 · 35 min

Episode description

Drawing on his previous work as the UK’s cybersecurity chief, Professor Ciaran Martin explores differentiated standards and public-private partnerships in cybersecurity, and Microsoft’s Tori Westerhoff examines the insights through an AI red-teaming lens.

Transcript

KATHLEEN SULLIVAN

Welcome to AI Testing and Evaluation: Learnings from Science and Industry. I'm your host, Kathleen Sullivan. As generative AI continues to advance, Microsoft has gathered a range of experts—from genome editing to cybersecurity—to share how their fields approach evaluation and risk assessment. Our goal is to learn from their successes and their stumbles to move the science and practice of AI testing forward. In this series, we'll explore how these insights might help guide the future of AI development, deployment, and responsible use.

[MUSIC ENDS]

KATHLEEN SULLIVAN

Today, I'm excited to welcome Ciaran Martin to the podcast to explore testing and risk assessment in cybersecurity. Ciaran is a professor of practice in the management of public organizations at the University of Oxford. He had previously founded and served as chief executive of the National Cyber Security Centre within the UK's intelligence, security, and cyber agency.

And after our conversation, we'll talk to Microsoft's Tori Westerhoff, a principal director on Microsoft’s AI Red Team, about how we should think about these insights in the context of AI.

Hi, Ciaran. Thank you so much for being here today.

CIARAN MARTIN

Well, thanks so much for inviting me. It’s great to be here.

SULLIVAN

Ciaran, before we get into some regulatory specifics, it'd be great to hear a little bit more about your origin story, and just take us to that day—who tapped you on the shoulder and said, “Ciaran, we need you to run a national cyber center! Do you fancy building one?”

MARTIN

You could argue that I owe my job to Edward Snowden. Not an obvious thing to say. So the National Cyber Security Centre, which didn't exist at the time—I was invited to join the British government's cybersecurity effort in a leadership role—is now a subset of GCHQ. That's the digital intelligence agency. The equivalent in the US obviously is the NSA [National Security Agency]. It had been convulsed by the Snowden disclosures. It was an unprecedented challenge.

I was a 17-year career government fixer with some national security experience. So I was asked to go out and help with the policy response, the media response, the legal response. But I said, look, any crisis, even one as big as this, is over one way or the other in six months. What should I do long term? And they said, well, we were thinking of asking you to try to help transform our cybersecurity mission. So the National Cyber Security Centre was born, and I was very proud to lead it, and all in all, I did it for seven years from startup to handing it on to somebody else.

SULLIVAN

I mean, it's incredible. And just building on that, people spend a significant portion of their lives online now with a variety of devices, and maybe for listeners who are newer to cybersecurity, could you give us the 90-second lightning talk? Kind of, what does risk assessment and testing look like in this space?

MARTIN

Well, risk assessment and testing, I think, are two different things. You can't defend everything. If you defend everything, you're defending nothing. So broadly speaking, organizations face three threats. One is complete disruption of their systems. So just imagine not being able to access your system. The second is data protection, and that could be sensitive customer information. It could be intellectual property. And the third is, of course, you could be at risk of just straightforward being stolen from. I mean, you don't want any of them to happen, but you have to have a hierarchy of harm.

SULLIVAN

Yes.

MARTIN

So that's your risk assessment.

The testing side, I think, is slightly different. One of the paradoxes, I think, of cybersecurity is for such a scientific, data-rich subject, the sort of metrics about what works are very, very hard to come by. So you've got boards and corporate leadership and senior governmental structures, and they say, “Look, how do I run this organization safely and securely?” And a cybersecurity chief within the organization will say, “Well, we could get this capability in.” Well, the classic question for a leadership team to ask is, well, what risk and harm will this reduce, by how much, and what's the cost-benefit analysis? And we find that really hard.

So that's really where testing and assurance comes in. And also as technology changes so fast, we have to figure out, well, if we're worried about post-quantum cryptography, for example, what standards does it have to meet? How do you assess whether it's meeting those standards? So it's a huge issue in cybersecurity and one that we're always very conscious of. It’s really hard.

SULLIVAN

Given the scope of cybersecurity, are there any differences in testing, let's say, for maybe a small business versus a critical infrastructure operator? Are there any, sort of, metrics we can look at in terms of distinguishing risk or assessment?

MARTIN

There have to be. One of the reasons I think why we have to be is that no small business can be expected to take on a hostile nation-state that's well equipped. You have to be realistic.

If you look at government guidance, certainly in the UK 15 years ago on cybersecurity, you were telling small businesses that are living hand to mouth, week by week, trying to make payments at the end of each month, we were telling them they needed sort of nation-state-level cyber defenses. That was never going to happen, even if they could afford it, which they couldn't. So you have to have some differentiation. So again, you've got assessment frameworks and so forth where you have to meet higher standards. So there absolutely has to be that distinction. Otherwise, you end up in a crazy world of crippling small businesses with just unmanageable requirements which they're never going to meet.

SULLIVAN

It's such a great point. You touched on this a little bit earlier, as well, but just cybersecurity governance operates in a fast-moving technology and threat environment. How have testing standards evolved, and where do new technical standards usually originate?

MARTIN

I keep saying this is very difficult, and it is. [LAUGHTER] So I think there are two challenges. One is actually about the balance, and this applies to the technology of today as well as the technology of tomorrow. This is about, how do you make sure things are good enough without crowding out new entrants? You want people to be innovative and dynamic. You want disruptors in this business.

But if you say to them, “Look, well, you have to meet these 14 impossibly high technical standards before you can even sell to anybody or sell to the government,” whatever, then you've got a problem. And I think we've wrestled with that, and there's no perfect answer. You just have to try and go to … find the sweet spot between two ends of a spectrum. And that's going to evolve.

The second point, which in some respects if you've got the right capabilities is slightly easier but still a big call, is around, you know, those newer and evolving technologies. And here, having, you know, been a bit sort of gloomy and pessimistic, here I think is actually an opportunity. So one of the things we always say in cybersecurity is that the internet was built and developed without security in mind. And that was kind of true in the ’90s and the noughties, as we call them over here.

But I think as you move into things like post-quantum computing, applied use of AI, and so on, you can actually set the standards at the beginning. And that's really good because it's saying to people that these are the things that are going to matter in the post-quantum age. Here's the outline of the standards you're going to have to meet; start looking at them. So there's an opportunity actually to make technology safer by design, by getting ahead of it. And I think that's the era we're in now.

SULLIVAN

That makes a lot of sense. Just building on that, do businesses and the public trust these standards? And I guess, which standard do you wish the world would just adopt already, and what's the real reason they haven't?

MARTIN

Well, again, where do you start? I mean, most members of the public quite rightly haven't heard of any of these standards. I think public trust and public capital in any society matters. But I think it is important that these things are credible.

And there's quite a lot of convergence between, you know, the top-level frameworks. And obviously in the US, you know, the NIST [National Institute of Standards and Technology] framework is the one that's most popular for cybersecurity, but it bears quite a strong resemblance to the international one, ISO[/IEC] 27001, and there are others, as well. But fundamentally, they boil down to kind of five things. Do a risk assessment; work out what your crown jewels are. Protect your perimeter as best you can. Those are the first two.

The third one then is when your perimeter's breached, be able to detect it more times than not. And when you can't do that, you go to the fourth one, which is, can you mitigate it? And when all else fails, how quickly can you recover and manage it?

I mean, all the standards are expressed in way more technical language than that, but fundamentally, if everybody adopted those five things and operated them in a simple way, you wouldn't eliminate the harm, but you would reduce it quite substantially.

SULLIVAN

Which policy initiatives are most promising for incentivizing companies to undertake, you know, these cybersecurity testing parameters that you’ve just outlined? Governments, including the UK, have used carrots and sticks, but what do you think will actually move the needle?

MARTIN

I think there are two answers to that, and it comes back to your split between smaller businesses and critically important businesses. In the critically important services, I think it's easier because most industries are looking for a level playing field. In other words, they realize there have to be rules and they want to apply them to everyone.

We had a fascinating experience when I was in government back in around 2018 where the telecom sector, they came to us and they said, we've got a very good cooperative relationship with the British government, but it needs to be put on a proper legal footing because you're just asking us nicely to do expensive things. And in a regulated sector, if you actually put in some rules—and please develop them jointly with us; that's the crucial part—then that will help because it means that we're not going to our boards and saying, or our shareholders, and saying that we should do this, and they're saying, “Well, do you have to do it? Are our competitors doing it?” And if the answer to that is, yes, we have to, and, yes, our competitors are doing it, then it tends to be OK.

The harder nut to crack is the smaller business. And I think there's a real mystery here: why has nobody cracked a really good and easy solution for small business? We need to be careful about this because, you know, you can't throttle small businesses with onerous regulation. At the same time, we're not brilliant, I think, in any part of the world at using the normal corporate governance rules to try and get people to figure out how to do cybersecurity.

There are initiatives there that are not the sort of pretty heavy stick that you might have to take to a critical function, but they could help. But that is a hard nut to crack. And I look around the world, and, you know, I think if this was easy, somebody would have figured it out by now. I think most of the developed economies around the world really struggle with cybersecurity for smaller businesses.

SULLIVAN

Yeah, it's a great point. Actually building on one of the comments you made on the role of, kind of, government, how do you see the role of private-public partnerships scaling and strengthening, you know, robust cybersecurity testing?

MARTIN

I think they're crucial, but they have to be practical. I've got a slight, sort of, high horse on this, if you don't mind, Kathleen. It's sort of … [LAUGHS]

SULLIVAN

Of course.

MARTIN

I think that there are two types of public-private partnership. One involves committees saying that we should strengthen partnerships and we should all work together and collaborate and share stuff. And we tried that for a very long time, and it didn't get us very far. There are other types.

We had some at the National Cyber Security Centre where we paid companies to do spectacularly good technical work that the market wouldn't provide. So I think it's sort of partnership with a purpose. I think sometimes, and I understand the human instinct to do this, particularly in governments and big business, they think you need to get around a table and work out some grand strategy to fix everything, and the scale of the … not just the problem but the scale of the whole technology is just too big to do that.

So pick a bit of the problem. Find some ways of doing it. Don't over-lawyer it. [LAUGHTER] I think sometimes people get very nervous. Oh, well, is this our role? You know, should we be doing this, that, and the other? Well, you know, sometimes certainly in this country, you think, well, who's actually going to sue you over this, you know? So I wouldn't over-programmatize it. Just get stuck practically into solving some problems.

SULLIVAN

I love that. Actually, [it] made me think, are there any surprising allies that you've gained—you know, maybe someone who you never expected to be a cybersecurity champion—through your work?

MARTIN

Ooh! That's a … that's a … what a question! To give you a slightly disappointing answer, but it relates to your previous question. In the early part of my career, I was working in institutions like the UK Treasury long before I was in cybersecurity, and the treasury and the British civil service in general, but the treasury in particular sort of trained you to believe that the private sector was amoral, not immoral, amoral. It just didn't have values. It just had bottom line, and, you know, its job essentially was to provide employment and revenue then for the government to spend on good things that people cared about. And when I got into cybersecurity and people said, look, you need to develop relations with this cybersecurity company, often in the US, actually. I thought, well, what's in it for them?

And, sure, sometimes you were paying them for specific services, but other times, there was a real public spiritedness about this. There was a realization that if you tried to delineate public-private boundaries, that it wouldn't really work. It was a shared risk. And you could analyze where the boundaries fell or you could actually go on and do something about it together. So I was genuinely surprised at the allyship from the cybersecurity sector. Absolutely, I really, really was. And I think it's a really positive part of certainly the UK cybersecurity ecosystem.

SULLIVAN

Wonderful. Well, we're coming to the end of our time here, but is there any maybe last thoughts or perhaps requests you have for our listeners today?

MARTIN

I think that standards, assurance, and testing really matter, but it's a bit like the discussion we're having over AI. Get all these things to take you 80, 90% of the way and then really apply your judgment. There's been some bad regulation under the auspices of standards and assurance. First of all, it’s, have you done this assessment? Have you done that? Have you looked at this? Well, fine. And you can tick that box, but what does it actually mean when you do it? What bits that you know in your heart of hearts are really important to the defense of your organization that may not be covered by this and just go and do those anyway. Because sure it helps, but it's not everything.

SULLIVAN

No. Great, great closing sentiment. Well, Ciaran, thank you for joining us today. This has been just a super fun conversation and really insightful. Just really enjoyed the conversation. Thank you.

MARTIN

My pleasure, Kathleen, thank you.

[TRANSITION MUSIC]

SULLIVAN

Now, I'm happy to introduce Tori Westerhoff. As a principal director on the Microsoft AI Red Team, Tori leads all AI security and safety red team operations, as well as dangerous capability testing, to directly inform C-suite decision-makers.

So, Tori, welcome!

TORI WESTERHOFF

Thanks. I am so excited to be here.

SULLIVAN

I'd love to just start a little bit more learning about your background. You've worn some very intriguing hats. I mean, cognitive neuroscience grad from Yale, national security consultant, strategist in augmented and virtual reality … how do those experiences help shape the way you lead the Microsoft AI Red Team?

WESTERHOFF

I always joke this is the only role I think will always combine the entire patchwork LinkedIn résumé. [LAUGHS]

I think I use those experiences to help me understand the really broad approach that AI Red Team—artist also known as AIRT; I'm sure I'll slip into our acronym—how we frame up the broad security implications of AI. So I think the cognitive neuroscience element really helped me initially approach AI hacking, right. There's a lot of social engineering and manipulation within chat interfaces that are enabled by AI. And also, kind of, this, like, metaphor for understanding how to find soft spots in the way that you see human heuristics show up, too. And so I think that was actually my personal “in” to getting hooked into AI red teaming generally.

But my experience in national security and I'd also say working through the AR/VR/metaverse space at the time where I was in it helped me balance both how our impact is framed, how we're thinking about critical industries, how we're really trying to push our understanding of where security of AI can help people the most. And also do it in a really breakneck speed in an industry that's evolving all of the time, that's really pushing you to always be at the bleeding edge of your understanding. So I draw a lot of the energy and the mission criticality and the speed from those experiences as we're shaping up how we approach it.

SULLIVAN

Can you just give us a quick rundown? What does the Red Team do? What actually, kind of, is involved on a day-to-day basis? And then as we think about, you know, our engagements with large enterprises and companies, how do we work alongside some of those companies in terms of testing?

WESTERHOFF

The way I see our team is almost like an indicator light that works really part and parcel with product development. So the way we've organized our expert red teaming efforts is that we work with product development before anything ships out to anyone who can use it. And our job is to act as expert AI manipulators, AI hackers. And we are supposed to take the theories and methods and new research and harness it to find examples of vulnerabilities or soft spots in products to enable product teams to harden those soft spots before anything actually reaches someone who wants to use it.

So if we're the indicator light, we are also not the full workup, right. I see that as measurement and evals. And we also are not the mechanic, which is that product development team that's creating mitigations. It's platform-security folks who are creating mitigations at scale. And there's a really great throughput of insights from those groups back into our area where we love to inform about them, but we also love to add on to, how do we break the next thing, right? So it's a continuous cycle.

And part of that is just being really creative and thinking outside of a traditional cybersecurity box. And part of that is also really thinking about how we pull in research—we have a research function within our AI Red Team—and how we automate and scale. This year, we've pulled a lot of those assets and insights into the Azure [AI] Foundry AI Red Teaming Agent. And so folks can now access a lot of our mechanisms through that. So you can get a little taste of what we do day to day in the AI Red Teaming Agent.

SULLIVAN

You recently—actually, with your team—published a report that outlined lessons from testing over a hundred generative AI products. But could you share a bit about what you learned? What were some of the important lessons? Where do you see opportunities to improve the state of red teaming as a method for probing AI safety?

WESTERHOFF

I think the most important takeaway from those lessons is that AI security is truly a team sport. You'll hear cybersecurity folks say that a lot. And part of the rationale there is that the defense in depth and integrating and a view towards AI security through the entire development of AI systems is really the way that we're going to approach this with intentionality and responsibility.

So in our space, we really focus on novel harm categories. We are pushing bleeding edge, and we also are pushing iterative and, like, contextually based red teaming in product dev. So outside of those hundred that we've done, there's a community [LAUGHS] through the entire, again, multistage life cycle of a product that is really trying to push the cost of attacking those AI systems higher and higher with all of the expertise they bring. So we may be, like, the experts in AI hacking in that line, but there are also so many partners in the Microsoft ecosystem who are thinking about their market context or they really, really know the people who love their products. How are they using it?

And then when you bubble out, you also have industry and government who are working together to push towards the most secure AI implementation for people, right? And I think our team in particular, we feel really grateful to be part of the big AI safety and security ecosystem at Microsoft and also to be able to contribute to the industry writ large.

SULLIVAN

As you know, we had a chance to speak with Professor Ciaran Martin from the University of Oxford about the cybersecurity industry and governance there. What are some of the ideas and tools from that space that are surfacing in how we think about approaching red teaming and AI governance broadly?

WESTERHOFF

Yeah, I think it's such a broad set of perspectives to bring in, in the AI instance. Something that I've noticed interjecting into security at the AI junction, right, is that cybersecurity has so many decades of experience of working through how to build trustworthy computing, for example, or bring an entire industry to bear in that way. And I think that AI security and safety can learn a lot of lessons of how to bring clarity and transparency across the industry to push universal understanding of where the threats really are.

So frameworks coming out of NIST, coming out of MITRE that help us have a universal language that inform governance, I think, are really important because it brings clarity irrespective of where you are looking into AI security, irrespective of your company size, what you're working on. It means you all understand, “Hey, we are really worried about this fundamental impact.” And I think cybersecurity has done a really good job of driving towards impact as their organizational vector. And I am starting to see that in the AI space, too, where we're trying to really clarify terms and threats. And you see it in updates of those frameworks, as well, that I really love.

So I think that the innovation is in transparency to folks who are really innovating and doing the work so we all have a shared language, and from that, it really creates communal goals across security instead of a lot of people being worried about the same thing and talking about it in a different way.

SULLIVAN

Mm-hmm. In the cybersecurity context, Ciaran really stressed matching risk frameworks to an organization's role and scale. Microsoft plays many roles, including building models and shipping applications. How does your red teaming approach shift across those layers?

WESTERHOFF

I love this question also because I love it as part of our work. So one of the most fascinating things about working on this team has been the diversity of the technology that we end up red teaming and testing. And it feels like we're in the crucible in that way. Because we see AI applied to so many different architectures, tech stacks, individual features, models, you name it.

Part of my answer is that we still care about the highest-impact things. And so irrespective of the iteration, which is really fascinating and I love, I still think that our team drives to say, “OK, what is that critical vulnerability that is going to affect people in the largest ways, and can we battle test to see if that can occur?”

So in some ways, the task is always the same. I think in the ways that we change our testing, we customize a lot to the access to systems and data and also people's trust almost as different variables that could affect the impact, right.

So a good example is if we're thinking through agentic frameworks that have access to functions and tools and preferential ability to act on data, it's really different to spaces where that action may not be feasible, right. And so I think the tailoring of the way to get to that impact is hyper-custom every time we start an engagement. And part of it is very thesis driven and almost mechanizing empathy.

You almost need to really focus on how people could use, or misuse, in such a way that you can emulate it before to a really great signal to product development, to say this is truly what people could do and we want to deliver the highest-impact scenarios so you can solve for those and also solve the underlying patterns, actually, that could contribute to maybe that one piece of evidence but also all the related pieces of evidence. So singular drive but like hyper-, hyper-customization to what that piece of tech could do and has access to.

SULLIVAN

What are some of the unexplored testing approaches or considerations from cybersecurity that you think we should encourage AI technologists, policymakers, and other stakeholders to focus on?

WESTERHOFF

I do love that AI humbles us each and every day with new capabilities and the potential for new capabilities. It's not just saying, “Hey, there's one test that we want to try,” but more, “Hey, can we create a methodology that we feel really, really solid about so that when we are asked a question we haven't even thought of, we feel confident that we have the resources and the system?”

So part of me is really intrigued by the process that we're asked to make without knowing what those capabilities are really going to bring. And then I think tactically, AIRT is really pushing on how we create new research methodologies. How are we investing in, kind of, these longer-term iterations of red teaming? So we're really excited about pushing out those insights in an experimental and longer-term way.

I think another element is a little bit of that evolution of how industry standards and frameworks are updating to the AI moment and really articulating where AI is either furthering adversarial ability to create those harms or threats or identifying where AI has a net new harm. And I think that demystifies a little bit about what we talked about in terms of the lessons learned, that fundamentally, a lot of the things that we talk about are traditional security vulnerabilities, and we are standing on kind of that cybersecurity shoulder. And I'm starting to see those updates translate in spaces that are already considered trustworthy and kind of the basis on which not only cybersecurity folks build their work but also business decision-makers make decisions on those frameworks.

So to me, integration of AI into those frameworks by those same standards means that we're evolving security to include AI. We aren't creating an entirely new industry of AI security and that, I think, really helps anchor people in the really solid foundation that we have in cybersecurity anyways.

I think there's also some work around how the cyber, like, defenses will actually benefit from AI. So we think a lot about threats because that's our job. But the other side of cybersecurity is offense. And I'm seeing a ton of people come out with frameworks and methodologies, especially in the research space, on how defensive networks are going to be benefited from things like agentic systems.

Generally speaking, I think the best practice is to realize that we're fundamentally still talking about the same impacts, and we can use the same avenues, conversations, and frameworks. We just really want them to be crisply updated with that understanding of AI applications.

SULLIVAN

How do you think about bringing others into the fold there? I think those standards and frameworks are often informed by technologists. But I'd love for you to expand [that to] policymakers or other kind of stakeholders in our ecosystem, even, you know, end consumers of these products. Like, how do we communicate some of this to them in a way that resonates and it has an impactful meaning?

WESTERHOFF

I've found the AI security-safety space to be one of the more collaborative. I actually think the fact that I'm talking to you today is probably evidence that a ton of people are bringing in perspectives that don't only come from a long-term cybersecurity view. And I see that as a trend in how AI is being approached opposed to how those areas were moving earlier. So I think that speed and the idea of conversations and not always having the perfect answer but really trying to be transparent with what everyone does know is kind of a communal energy in the communities, at least, where we're playing. [LAUGHS] So I am pretty biased but at least the spaces where we are.

SULLIVAN

No, I think we're seeing that across the board. I mean, I'd echo [that] sitting in research, as well, like, that ability to have impact now and at speed to getting the amazing technology and models that we're creating into the hands of our customers and partners and ecosystem is just underscored.

So on the note of speed, let's shift gears a little bit to just a quick lightning round. I'd love to get maybe some quick thoughts from you, just 30-second answers here. I'll start with one.

Which headline-grabbing AI threat do you think is mostly hot air?

WESTERHOFF

I think we should pay attention to it all. I'm a red team lead. I love a good question to see if we can find an answer in real life. So no hot air, just questions.

SULLIVAN

Is there some sort of maybe new tool that you can't wait to sneak into the red team arsenal?

WESTERHOFF

I think there are really interesting methodologies that break our understanding of cybersecurity by looking at the intersection between different layers of AI and how you can manipulate AI-to-AI interaction, especially now when we're looking at agentic systems. So I would say a method, not a tool.

SULLIVAN

So maybe ending on a little bit of a lighter note, do you have a go-to snack during an all-night red teaming session?

WESTERHOFF

Always coffee. I would love it to be a protein smoothie, but honestly, it is probably Trader Joe's elote chips. Like the whole bag. [LAUGHTER] It’s going to get me through. I'm going to not love that I did it.

[MUSIC]

SULLIVAN

Amazing. Well, Tori, thanks so much for joining us today, and just a huge thanks also to Ciaran for his insights, as well.

WESTERHOFF

Thank you so much for having me. This was a joy.

SULLIVAN

And to our listeners, thanks for tuning in. You can find resources related to this podcast in the show notes. And if you want to learn more about how Microsoft approaches AI governance, you can visit microsoft.com/RAI.

See you next time!

[MUSIC FADES]

Transcript source: Provided by creator in RSS feed