
Brave new(ish) world, brave new(ish) approach

Irfan Hemani, deputy director for UK secure tech policy, explains the philosophy behind the UK’s secure-by-design approach to emerging technology regulation
Image created with the assistance of Dall-E 2

Those who thought that when Artificial Intelligence (AI) came of age, its doomsday scenarios would be akin to The Terminator or Westworld are as disappointed as those who thought future technology would be more hoverboards and less interactive washing machines. Subtle as its changes and its impact on our society may seem now, the emergence of publicly available generative AI will change our lives and work. With these changes, this technology has introduced tangible challenges for individuals, companies, communities, and governments to address. These groups must work together to address these challenges if we have any hope of building technology safely and securely into our society.

In the past six months, governments, companies and civil society have jointly begun proactively managing some of these emerging risks. This marks a significant shift from the traditional approach of retrofitting safety and security features after problems arise. Arguably, this shift, the involvement of certain actors and the extent of immediate action are new. This is a very welcome improvement on previous iterations of technology advancement. However, many of the measures necessary to secure current technologies are built upon tried and tested developments in areas like 5G, IoT (Internet of Things), digital services, and supply chains.

These emerging technologies, including AI, can change the world for good. They can improve inclusion and participation in society and the economy, increase economic growth, and keep communities in touch. They have the power to address the world’s most pressing issues, ranging from climate change and governance to food production and healthcare. Because of this enormous potential, we must ensure that the risks are managed and mitigated, that privacy is protected, and that public concerns are publicly and genuinely addressed. 

As new classes of technology emerge and develop, we should build security into their design before they are plugged in, switched on, downloaded, and embedded into systems and networks, and, as a result, directly into our daily lives. In the past, technology has become part of our lives without our explicit knowledge or control. That’s not necessarily bad if that technology can be relied on and is secure. 

For example, how many people realised when uploading pictures to Facebook in the 2000s that these were physically being held on cloud computing infrastructure, and that the security, rights and governance around that infrastructure were unknowable to most users? Where we have assurances of the security and reliability of the technologies being used, this needn’t cause anxiety. But where customers are unsure of security arrangements, and operators of tech services are themselves unclear about how data is stored and secured and how digital services are delivered, customers and governments will rightly be worried about the use of innovative technologies in our daily lives. This worry will grow as technologies become more advanced and sophisticated and less understandable to non-experts. Only where we are confident that technologies are secure by design will the broad coalition of economic and social actors be able to support their uptake unequivocally.

Market expectations and choice

Trust in technology is necessary for the economy to embrace data and digital improvements fully. In the UK, 28% of people do not trust that companies will safeguard their data from hackers. Consumers often have no control over which service providers they use or what happens to their data. Even if they did, market differentiation around security is limited.

The same goes for businesses. A third of UK companies suffered a cyber breach last year, rising to two-thirds for large companies. Only 13% of companies have a grip on the cyber risks from their supply chain. This is concerning, given the high level of interconnectedness among digital systems that power our world. 

We all rely on services where the provenance and management are outsourced beyond our immediate control. Outsourcing technology, and by definition, much of its security, can be effective. Most people lack the technical knowledge to secure sophisticated technology well, and it is unreasonable to expect them to do so. Qualified and competent experts can manage risks for them. But it is hard for consumers to make choices that include security when they have no visibility and little choice over their supply chain, the security practices of companies, and the risks they face as a result. A better-secured supply chain–and therefore better-designed technology within it–would remove this uncertainty and reduce this risk. 

If the last three years of devastating supply chain disruptions and cyber attacks on critical infrastructure have taught cyber policymakers and incident responders anything, it is that not having assurance over the cyber risks in your supply chain is no longer an option. And yet alternative options are not available. As a customer of a digital service provider, you can, in many scenarios, only hope that your provider is doing the right thing.

The UK is an unashamedly pro-digital country. Government has a role in encouraging businesses to make the most of digital technologies–to improve productivity, open new possibilities, and encourage growth. But in encouraging companies to adopt new technologies, government must also ensure that companies provide a minimum level of security. At the same time, creating disproportionate security requirements where these are not needed risks undermining growth and innovation and, with it, our ability to improve how we do things.

Secure by design

We have advocated for a secure-by-design approach to emerging technologies in the UK. That does not mean every piece of technology is ‘unhackable.’ But it does mean proportionate steps should be taken to harden technologies to cyber attacks. 

We started with connected consumer devices. From April 29, 2024, connected devices sold on the consumer market must have three of the thirteen foundational security requirements listed in the ETSI EN 303645 standard developed in the European Telecommunications Standards Institute for Consumer Internet of Things devices. We have recently released a guide outlining the security requirements for apps and AI systems and will do the same for other technologies when necessary. 

These requirements are proportionate to the risk and have been worked up with a multi-stakeholder audience, including companies that will implement them, security researchers, and civil society. When possible, they are based on existing practices and would be acceptable to an international audience, which is important given how international the tech sector is. Where necessary and proportionate, and when the risk is great enough to require it but industry has not adopted the guidance, these can become mandatory through laws. But laws are expensive to make and maintain, both for government and for industry; therefore, they should not be used as a first response but sparingly and only when required. 

An international approach

It is difficult to use regulation to achieve outcomes for digital policy in our global, interconnected digital market. Companies selling to the UK or US are not exclusively based there. While every national market may enforce regulations and policies in its own way–as it should–they should all be pointing to the same standards and practices. Otherwise, we are inhibiting innovation, creating a compliance burden, and failing to achieve the security outcomes we want. This regulatory burden will lead companies to ask, “How do I demonstrate compliance?” rather than “How do I make this secure?”

With the emergence of product security regulation in the UK, US, EU, Singapore and other jurisdictions, we are seeing a recognition of a basic set of standards at the centre of these regulatory regimes. Specifically, ETSI 303645 for IoT devices forms the basis of policy for IoT in multiple jurisdictions. Government, companies, and the security community welcome that.

The UK’s November 2023 AI summit was an important starting point for developing a shared understanding of risk and the process of setting baseline cyber security standards for AI. The next step for the cyber security world is to articulate that shared understanding of what good practices look like for AI cyber security. The same will be true of yet-to-come technology advancements. 

New technologies will change the world. The market’s confidence and genuine corporate efforts to build security into the design of the products and services will be an essential part of ensuring that happens well. This will require governments to reach across market borders to incentivise the right outcomes.
