A.I. applications to CyberSecurity: threat or solution?

Της Giulia Zappaterra, LL.M., Technology Lawyer | Intellectual Property & Technology | DLA Piper

Cyber risks in numbers

Cyberattacks and significant cyber incidents are being reported on a weekly (if not daily) basis with consequences both in the private as well as in the public sector. In fact, in accordance with the ForgeRock Consumer Identity Breach Report, breaches have increased dramatically in particular in the healthcare sector which was the most targeted industry in 2019. Also during the Covid-19 pandemic, in light of the significant increase in the number of individuals working remotely, companies are resulting to be highly susceptible to data breaches and cyber attaks.

EU legal approach to cybersecurity: from the NIS Directive to the Cybersecurity Act

In light of the increase of cyber risks, it comes as no surprise that worldwide legislators have taken action. With this regard, the European Union well understood the issue from its very beginning. In fact, the EU founded ENISA (the European Union Agency for Network and Information Security) back in 2004 with the goal to raise “awareness of network and information security and to develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organisations in the Union”.

EU mission on cybersecurity was then strengthened in 2013 when the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, published a cybersecurity strategy representing the UE vision on how to prevent and respond to cyber disruptions and attacks in the coming years. Based on such an approach, on July 6, 2016, the EU Commission adopted the first piece of EU-wide cybersecurity legislation, the EU Network and Information Security directive (Directive (EU) 2016/1148, the “NIS Directive”). Member states responded positively to the NIS Directive, transposing the legislation into national law within June of 2018 (nowadays all EU member states have implemented the NIS Directive).

The goal of the NIS Directive is to set common legal measures and requirements to boost the overall level of cybersecurity in the EU, in particular, ensuring better protection for critical infrastructures.

The EU recognizes that the functioning of specific private IT infrastructure and services is essential to guarantee the public welfare. With this objective the NIS Directive imposes obligations on both operators of essential services (which lists have been identified by each EU member state in specific sectors) as well as digital service providers (including search engines, cloud computing services and online marketplaces), which are required to adopt appropriate technical and organizational measures able to prevent the risks posed to the security of the network and IT system they use, minimizing the risks deriving by cyberattacks. Also, the NIS Directive imposes stringent obligations as per notification of severe incidents to national authorities.

In this context, however, EU legislation needed an enhanced cyber resilience system equipped with a comprehensive set of measures to growth cybersecurity in the EU. With this goal EU Parliament adopted Regulation No. 881/2019, better known as the Cybersecurity Act.

The Cybersecurity Act, which is directly applicable in all EU member states, is complementary to the NIS Directive, and it focuses mainly on two aspects. Firstly, it enhances ENISA’s role and powers, recognizing to the agency a key role in ensuring a high level of network and information security and in assisting EU member states in implementing an efficient national security policy. Secondly, it introduces provisions for the establishment and maintenance of a cybersecurity certification framework at the EU level in order to increase strengthen trust in the digital internal market by guaranteeing transparency of information system products, services, and processes.

In this complex framework does AI have any space?

For instance, a number of researchers have demonstrated that AI can detect and exploit network vulnerabilities that are often overlooked by humans in terms of millisecond so as to launch a targeted attack

In this complex framework – which is also integrated by local provisions as adopted by each of the EU member states – it is interesting to analyze whether AI can be of help or, on the opposite, of detriment to the cyber world.

With the term “Artificial intelligence (AI)” reference is made to the use of IT systems that, further to an analysis of their environment, are able to display an intelligent behavior in order to achieve a specific goal.

In light of the above (quite broad) description, it is clear that AI is an industry that is growing by the minute, having its impacts on the whole society. However, AI can be used not only to enhance the community as a whole, but also for malicious purposes, allowing cyber hackers to commit crimes against any kind of company or organization. For instance, a number of researchers have demonstrated that AI can detect and exploit network vulnerabilities that are often overlooked by humans in terms of millisecond so as to launch a targeted attack. Organizations are therefore finding it increasingly challenging to safeguard their systems against sophisticated and machine-speed attacks, also complying with the obligations on cybersecurity as set by the current EU legal framework.

However, the most effective weapon against technology threats is technology itself. In fact, as cyber-attacks grow, AI can be used to help in staying ahead of threats, also protecting itself. With this regard AI is also increasingly being used to address cyberattacks, allowing entities to enhance their defenses and mitigate cyber risks. Accordingly “AI-enabled cyber security” can be considered as a suitable solution in order for organization to defend their systems against cyberattacks (more so if such attacks are carried out through AI systems).

How to balance cybersecurity obligations and AI?

In this complex environment where AI can be both good or bad, balance can be found through full involvement of organizations. Entities still need to carefully consider pro and cons of the use of AI in the cybersecurity world, also establishing internal policies and procedures for managing cyber risks. In fact the use of AI in the cyber environment should not exclude, at least for the time being, the use of teams of highly skilled security personnel to oversee the implementation of AI tools and, in case of need, to intervene to make critical decisions in case automation cannot resolve a cybersecurity issue.

It is therefore important to adopt incident response schemes able to remediate adverse impacts on the business – also caused by the same AI – and to protect the brand reputation, as well as post-incident remediation plan which can mitigate the impact from any claim or other liabilities.