Responses to Maryland SB0818 and SB0981

Earlier this spring, cybersecurity interns Victor Leke and Aniya Stanford worked with Will Smith to develop written responses to two bills proposed by Maryland State Senator Katie Hester. SB0818 aims to provide parameters for the use of Artificial Intelligence within the Maryland government, while SB0981 lays out funds and resources for cybersecurity throughout the state government and the public school system. Their responses are included here.

Maryland’s SB0818 Bill

The Maryland SB0818 legislation, also known as the Artificial Intelligence Governance Act of 2024, emphasizes fairness and equity as it highlights that state agencies must consider the potential for AI systems to pose harmful biases and that steps should be taken to mitigate these risks. This bill also focuses on individuals’ privacy rights in AI use. The interpretation of the bill demonstrates a committed effort to explore ways AI can improve state services. In evaluating this legislation against National standards, it’s important to explore The National Institute of Standards and Technology (NIST) AI RMF 1.0 and the White House Blueprint of the AI Bill of Rights, which are frameworks with principles to guide the design, use and deployment of AI systems.

 

While the bill does not explicitly mention NIST standards, it does share some common themes with NIST’s approach to AI governance. NIST Provides comprehensive guidelines to “increase the trustworthiness of AI systems, and to help foster the responsible design, development, deployment, and use of AI systems over time,” (NIST RMF 1.0), which aligns with the bill’s focus on ensuring “the responsible, ethical, beneficial, and trustworthy use of artificial intelligence in State government” (Maryland SB0818 Senate Bill). The bill requires each unit of the State government to conduct inventories and assessments of AI systems they use or plan to use. This mirrors industry best practices for assessing AI deployments.

 

The legislation prohibits using AI systems that violate ethical principles or pose significant risks to human rights, public safety, or the environment; this aligns with responsible AI practices advocated by industry experts. Establishing the Governor’s Artificial Intelligence Subcabinet demonstrates a commitment to coordinated AI governance, consistent with industry recommendations for cross-functional collaboration.

 

The SB0818 Maryland bill principles align with the White House Blueprint for an AI Bill of Rights. Both address algorithmic discrimination protections, recognizing the need to mitigate biases and prevent discriminatory outcomes. Secondly, they prioritize data privacy, safeguarding individuals’ rights in AI use. Lastly, they encourage human alternatives, consideration, and fallback, emphasizing human oversight and ethical options in AI deployment.

 

Implementations to strengthen Maryland’s SB0818 AI Bill:

1. Deep Fakes in Political Campaigns:

1. • National Standard: The Federal Election Committee has begun efforts to regulate AI-generated deep fakes in political ads.
   • Implementation in Maryland Legislation:
     • Just as the nation and Maryland are currently making efforts to regulate AI-generated deep fakes in political ads, this Maryland bill could address the use of AI-generated deep fakes in political ads by requiring disclosure when AI-generated content is used in political campaigns to prevent misinformation and manipulation in Maryland elections.
     • By requiring disclosure when altered images or audio are used in campaign materials, Maryland aligns with national efforts to regulate AI in political contexts¹.

2. Anti-Discrimination Measures:

1. • National Standard: Some states, like New York and Illinois, regulate AI in employment decisions.
   • Implementation in Maryland Legislation:
     •  As more states like Maryland are moving forward with using AI in employment, this bill should explicitly address safe AI use in hiring, promotions, and employee evaluations in Maryland’s labor force.
     • The bill could place emphasis on the Prohibition of discriminatory AI algorithms in state agencies and workforce.

3. Education and Workforce Development:
   • National Standard: The National AI Research Resource Task Force Act focuses on AI workforce development.
   • Implementation in Maryland Legislation:

• As there are national efforts to focus on AI in workforce development, Maryland could take an extra step forward by allocating resources for AI education and training programs in this bill.
• Maryland could build an AI-ready workforce by fostering partnerships with local schools, universities and industries in bilateral collaboration, as proposed by the SB0818 bill.

 

Maryland’s SB 0981 Bill

Our interpretation of SB0981 aims to aid local cybersecurity readiness. It strives to mandate the adoption of multifactor authentication, endpoint detection and response, and network security measures, primarily within local school systems. Additionally, it covers important cybersecurity principles such as vulnerability assessment and remediation, which aligns with FISMA. By incorporating Maryland’s cybersecurity practices and state resources, NIST, and FISMA, this initiative seeks to strengthen local cybersecurity defenses and mitigate potential cyber risk.

 

We agree that implementing multifactor authentication (MFA) is critical for reducing the risk of unauthorized access, a principle emphasized by FISMA, NIST and Maryland’s cybersecurity guidelines. It is essential for the local school system to implement multifactor authentications for all employees to protect the information of our most vulnerable assets – our children. As stated in Maryland cybersecurity guidelines, “users, devices, and other assets are authenticated (e.g., single factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).” NIST also provides security recommendations for implementing MFA through various publications to help ensure that organizations adhere to cybersecurity best practices. By following NIST and Maryland’s cybersecurity guidelines, organizations can reduce the risk of unauthorized access incidents and strengthen their overall cybersecurity posture.

 

We agree that Endpoint Detection and Response (EDR) is vital for cybersecurity monitoring, and rapid response to threats on individual devices within a network is paramount to the protection of the state’s end-users. Guidance provided within NIST and frameworks like the National Information Assurance Partnership (NIAP) support the identification of controls and tools to support this effort, such as, “In line with security control SI-4, EDR solutions plays a crucial role in detecting anomalous or potentially malicious activities on endpoints. These solutions are essential in responding to security incidents by providing real-time alerts and automated responses.” This is also supported within nationally recognized controls in support of FISMA.

 

For example, Maryland’s cybersecurity guidelines state that, “Local governments must report the discovery or detection of various indicators of compromise, including techniques and software like those described in the MITRE ATT&CK Framework,” which helps to ensure that endpoint detection capabilities are used to identify and mitigate potential threats. NIST also provides guidance for endpoint detection and response, outlined in various special publications, and complements network-based detection, aiding compliance with security standards. Following these practices could help local school systems with endpoint detection and response on system-owned devices accessed by employees. In summary, the incorporation of established guidelines would set a baseline in support of this effort.

 

We agree that network monitoring is essential for cybersecurity, providing continuous oversight of network traffic to detect and mitigate potential threats and vulnerabilities in real time. Network monitoring would help ensure awareness of local systems and support concurrent assurance and network integrity. Maryland’s cybersecurity guidelines state, “The network is monitored to detect potential cybersecurity events,” to ensure there aren’t any suspicious activities or threats. NIST also provides guidance emphasizing the importance of continuous monitoring as a fundamental component of cybersecurity programs. NIST publications regarding network monitoring offer extensive guidance and stress the significance of constant monitoring for maintaining situational awareness and mitigating cybersecurity risks effectively. Following NIST and Maryland’s cybersecurity guidelines could help reduce the risk of potential threats and vulnerabilities within a network in real time.

 

Adhering to cybersecurity practices outlined by NIST, FISMA and Maryland’s Cybersecurity guidelines can significantly enhance cybersecurity readiness. By implementing recommended measures such as MFA, EDR, and network monitoring, local entities can secure their systems against cyber threats, mitigate risk, respond effectively to incidents, and uphold confidentiality.