A constantly evolving context
Much has been said about artificial intelligence (AI) systems, which are at the center of a very rich news cycle. Everyone is trying to capitalize on data, whether legally or illegally. Digital security has long aimed to guarantee the availability of the information system and the integrity and confidentiality of the data it transmits and records, while also ensuring traceability of the operations it carries out: the well-known cybersecurity acronym “DIC”, or “DICT” once traceability is included.
However, attacks are increasing across all sectors and harm organizations and individuals alike. New risks keep appearing with growing persistence: ransomware, malware, social engineering, various frauds including so-called “president” (CEO) fraud, threats against data, threats against system availability (denial-of-service attacks) and against the Internet, information manipulation and intrusion, and even attacks against supply chains.
All of this results in criminal offenses such as identity theft, blackmail, fraud, infringement of intellectual property rights (counterfeiting), theft and breach of personal data (articles 226-16 to 226-24 of the Criminal Code), or offenses related to attacks on automated data processing systems (articles 323-1 et seq. of the Criminal Code). Threats are usually directed at property. But there are now numerous attacks against hospitals, airports, railway stations or civil and public security services, which can also cause serious harm to people.
Artificial intelligence systems (AIS): new threat targets
AIS are also subject to threats, some of which are more specific to them, such as poisoning (massive sending of data that can distort results), inference (obtaining inaccessible information through cross-checking) or evasion (changes to the data received that will alter the classification). According to ENISA: “(They) require enormous amounts of data to be properly trained and to obtain high-quality data generation,” the agency writes in its report. “They therefore become a favorite target for cybercriminals because they are very sensitive to data poisoning.” Furthermore, tools are needed to combat AI-generated misinformation.
The uses of AIS are diverse, and they can in particular be integrated into an information system such as a CRM. Furthermore, the interconnections between public and private structural systems create an interdependence of risks that are likely to become systemic.
To address these new threats, there are two types of security solutions: technical and organizational. This requires setting up a dedicated team, a security policy and a Deming-wheel type method (PDCA: Plan, Do, Check, Act); these solutions must be combined with appropriate legal solutions that can respond to possible breaches of the company's and its customers' data (letters, contracts, etc.).
An increasingly sophisticated European legislative framework
Given that an AIS contains personal data, it is imperative to take into account the security obligation set out in the General Data Protection Regulation of 27 April 2016, accompanied in particular by significant financial sanctions issued by the competent supervisory authority (fines of up to 2 or 4 % of turnover), which also imposes limits on data retention and requires the integrity and confidentiality of the data.
Since 2013, France has developed a cybersecurity policy for critical entities. In 2016, the European Union followed suit with the NIS (Network & Information Security) directive, which applies to public and private organizations. Then Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, “NIS 2” (OJ L 333/80, 27.12.2022), completed and strengthened the framework to take into account the generalization of digitalization and multiple interconnections. Its objective is to establish a level of cyber maturity in the 27 EU member states, which must transpose the measures it provides for into their legislation, in force by October 2024 at the latest.
European cybersecurity was complemented by Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification of information and communication technologies. This regulation, applicable since June 2023, aims to reinforce the role of ENISA and to define a European cybersecurity certification framework (OJEU L 151/15 of 7 June 2019).
Furthermore, Directive 2022/2557 of 14 December 2022 aims to strengthen the resilience of critical entities while creating the status of European critical entity; it will apply from October 18, 2024 (OJ L 333/176 of 27/12/2022). According to this text, “resilience” means a critical entity's ability to avoid any incident, to protect itself from it, to respond to it, to resist it, to mitigate it, to absorb it, to adapt to it and to recover from it (art. 2-2). Alongside this directive, a proposal for a regulation, the “Cyber Resilience Act”, is currently under discussion. A regulation specific to the banking sector, “DORA”, of December 27, 2022, applicable from January 17, 2025, aims to reinforce the operational cyber resilience of actors in that sector.
Regarding artificial intelligence, a proposal for a European Regulation on AI of the Parliament and the Council (COM/2021/206 final) was adopted on 14 June 2023 by the European Parliament. The regulation seeks to promote trustworthy AI by establishing harmonized rules and following a risk-based approach, which should make it possible to classify the different uses of AI and guarantee their regulation.
The text is expected to be published at the end of 2023 for application in 2025. The “AI Act” provides for transparency obligations while also integrating the cybersecurity aspects of AI, for example by prohibiting certain AI uses deemed high-risk. Users will have to follow standards and be subject to conformity assessment.
In the end, we note that AI serves as both sword and shield, and that the race between attack and defense is only beginning.
Eric A. Caprioli, lawyer at the Court, doctor of Law
Caprioli & Associates, law firm, member of the JurisDéfi network
Expert opinions are published under the full responsibility of their authors and in no way commit the editorial team.