It’s a matter of time before artificial intelligence (AI) is included as a domain in the Essential 8. But first, some background. The Essential 8 is the Australian Cyber Security Centre’s (ACSC) advisory/guide for Australian organisations to follow (sometimes a requirement, others just a recommendation) to best protect their systems. One of the domains within the E8 is “Macros”. More specifically, to control who can use macros in an organisation – and why. And prevent everyone else from using them. Personally, I don’t see any valid reason to allow them. The argument I hear is that a) the HR or Finance team need them, or B) a legacy application needs them. Both are resolvable. But I digress.
Macros are essentially about automation. Automation is a valid domain to replace macros with (within the E8) but it hasn’t happened. But more vitally, AI is a candidate for replacing macros in the E8. Here’s why.
AI comes with its vulnerabilities and threats just like other domains within the E8, including macros. But AI could encompass macros and general automation (such as Ansible and Terraform). AI as a domain title isn’t the most encompassing domain title, but the expansion of the E8 to include AI seems entirely sensible.
As of now, the E8 domains look as follows:
- Application Control
- Patch Applications
- ==> Configure Microsoft Office Macro Settings <==
- User Application Hardening
- Restrict Administrative Privileges
- Patch Operating Systems
- Multi-Factor Authentication
- Regular Backups
Replacing the “Configure Microsoft Office Macro Settings” with “Artificial Intelligence and Automation” would be a reasonable upgrade. Macros could easily and reasonably fit into that domain.
The E8 is based on risk which is “informed” but the title and intent of this article isn’t to change immediately. It’s to change eventually. With the rapid advancements of AI and additionally its rapid adoption, it makes sense to factor this change in sooner rather than later.