Main Logo Expert commentary on tech and security

Balancing security, innovation, and regulation in cyber threat (artificial) intelligence

Omree Wechsler 4 March 2025
Share On:
The integration of AI in cyber threat intelligence has increased both efficiency and privacy concerns. How can the EU manage these benefits and risks?
Main Top Image
Image: ev/Unsplash

In the last decade, cyber threat intelligence (CTI) has become an essential component of modern, proactive cybersecurity approaches. It allows organisations to anticipate and identify threats and mitigate their potential impacts in advance. A proactive approach to cyber threats from the EU should prevent them from materialising into incidents.

As in other industries, generative artificial intelligence (GenAI) is being increasingly incorporated into CTI, shifting how cybersecurity professionals investigate threat-related data to mitigate risks. 

CTI revolves around collecting, analysing, and parsing large troves of data to uncover and predict threats. GenAI is excellent at rapidly sorting and contextualising data, saving human teams time and providing near real-time responses to threats. In this regard, GenAI could be used to sift through massive data leaks to identify risks, such as individuals offering to sell access to organisational networks or exploits to vulnerabilities. 

On the attackers’ side, state-sponsored hacking groups and cybercriminals are already employing GenAI, and specifically large language models (LLMs) such as ChatGPT, for social engineering and disinformation. Where mainstream AI tools fall short, ‘dark LLMs,’ malicious adaptations of ChatGPT like FraudGPT and WormGPT, fill in the gaps.

Legal challenges for cyber threat (artificial) intelligence

While both defenders and attackers utilise AI, legal restrictions on data collection and sharing, such as the EU’s General Data Protection Regulation (GDPR), may inhibit organisations seeking to adopt AI-driven CTI solutions. This will be an advantage for actors unhindered by legal concerns.

Over the years, experts have repeatedly argued that CTI collection, analysis, and distribution are lawful under GDPR even if it includes personal and identifying information, such as names, email addresses, and IP addresses. Article 6 of the GDPR requires ‘legitimate interests’ for processing personal data, and CTI is a legitimate reason. GDPR recitals 47, 49 and 50 support processing personal data for fraud prevention, ensuring information and network security, and indicating possible acts or threats to public security. 

However, to legally collect and share CTI data, organisations must follow the principles stated in Article 5 as well. This would mean ensuring that the data collected is relevant, limited to what is necessary, and not used for other purposes.

Using GenAI for CTI could complicate the manner and extent to which the principles in Article 5 are addressed. For example, GenAI models, such as ChatGPT and Gemini, can create misleading, inaccurate, or imagined outputs, a phenomenon known as ‘hallucinations’. These hallucinations could produce incorrect or harmful intelligence, such as false positives, resulting in false alerts, or false negatives, missing actual threats. 

Secondly, from a privacy and GDPR point of view, hallucinations could cause a GenAI-driven CTI solution to further expose personal information that was not supposed to be revealed. It could also collect more data than necessary, or present inaccurate or irrelevant information. These risks are compounded by AI’s lack of transparency and explainability, which makes it difficult for users to trust and validate information produced by the system. 

The lack of transparency or traceability could also lead to legal challenges if an AI-powered CTI solution accurately identifies a finding that could be misinterpreted by human analysts. 

For example, an AI model could flag customer data that was exposed on the Dark Web without explaining how it reached the conclusion that the data is relevant and accurate. A human analyst could then wrongly assume the alert was a false positive and fail to report the leak and notify the authorities, resulting in penalties and legal actions.

Lastly, the GDPR has a decentralised enforcement model, which allows national data protection authorities to interpret the GDPR requirements and prosecute violations independently. This has led to inconsistencies regarding enforcement and compliance. Uneven enforcement and the above-mentioned risks may create legal uncertainties, eroding trust and hindering the adoption of AI-powered CTI solutions in Europe.

The AI Act: new regulation, new challenges

The GDPR is not the only EU regulation that would govern AI-powered CTI solutions. The EU AI Act divides AI products into different risk categories – unacceptable, high, limited and minimal – based on safety, ethics, and trustworthiness. 

AI-driven CTI solutions would likely fall under the high-risk category, which has strict obligations, such as maintaining high-quality training datasets, ensuring results are accurate, and providing transparency, model robustness, and security. 

Maintaining both accuracy and high transparency could be challenging due to the trade-off that exists between complex models, which offer high accuracy but are difficult to interpret, and simpler models, which are easier to understand but less accurate. 

Although research is underway on developing more transparent and explainable AI models, some, like neural networks and LLMs, are so complex, with billions of parameters, that they are very difficult to interpret. 

Clarification and balance

Managing these risks requires the EU, and institutions like the European Data Protection Board, to establish clear safety and privacy guidelines for the use of GenAI in the cybersecurity sector. Such guidelines should clarify how organisations and vendors use and develop GenAI-driven cybersecurity products to meet regulatory requirements and how to balance between potentially conflicting features. 

These guidelines could, for example, instruct organisations on how to recognise and treat GenAI hallucinations, what legal protections they may have in cases of false negatives, or what to do if an AI-powered solution has accidentally revealed personal information.

Sharing case studies, risk scenarios, and mitigations with the public and the industry would allow European users and vendors to operate in a more stable and predictable environment. This would also encourage both innovation and adoption of next-generation security technologies. 

A more predictable regulatory environment could also focus on creating a shared responsibility model, akin to the one used in cloud services, to divide legal responsibility between the end user, the CTI solution vendor, and the AI model developer.

Emphasising clarity would ensure more consistent enforcement and help vendors tailor their products to European end users. Establishing common baseline interpretations of these guidelines for national regulators would go some way to establishing common ground. This would encourage European organisations to adopt next-generation cybersecurity solutions and give them an edge over their opponents in the cyber-AI race.  

avatar
Omree Wechsler

Related

Featured image
Binding Edge
How AI can help fulfil the promises of Europe’s Cyber Resilience Act
Christopher Covino 14 February 2025
Read more arrow
Featured image
Binding Edge
What does Trump 2.0 mean for UK tech ambitions?
Pia Hüsch / Natasha Buckley 14 January 2025
Read more arrow
Featured image
Binding Edge
Dalits battle caste-based cyber insecurity every day
Anubha Gupta 21 November 2023
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.