![](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/05\/18083057\/ai-government-regulation-featured.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Eugene Kaspersky| Date: Thu, 18 May 2023 13:22:44 +0000<\/strong><\/p>\n I’m a bit tired by now of all the AI news, but I guess I’ll have to put up with it a bit longer, for it’s sure to continue to be talked about non-stop for at least another year or two. Not that AI will then stop developing, of course; it’s just that journalists, bloggers, TikTokers, Tweeters and other talking heads out there will eventually tire of the topic. But for now their zeal is fueled not only by the tech giants, but governments as well: the UK’s planning on introducing three-way AI regulation<\/a>; China’s put draft AI legislation up for a public debate<\/a>; the U.S. is calling for “algorithmic accountability<\/a>“; the EU is discussing but not yet passing draft laws<\/a> on AI, and so on and so forth. Lots of plans for the future, but, to date, the creation and use of AI systems haven’t been limited in any way whatsoever; however, it looks like that’s going to change soon.<\/p>\n Plainly a debatable matter is, of course, the following: do we need government regulation of AI at all? If we do \u2014 why, and what should it look like?<\/p>\n What is artificial intelligence? (No) thanks to marketing departments, the term’s been used for lots of things \u2014 from the cutting-edge generative models like GPT-4<\/a>, to the simplest machine-learning systems, including some that have been around for decades. Remember \u04229<\/a> on push-button cellphones? Heard about automatic spam and malicious file classification<\/a>? Do you check out film recommendations on Netflix? All of those familiar technologies are based on machine learning (ML) algorithms, aka “AI”.<\/p>\n Here at Kaspersky, we’ve been using such technologies in our products for close on 20 years, always preferring to modestly refer to them as “machine learning” \u2014 if only because “artificial intelligence” seems to call to most everyone’s mind things like talking supercomputers<\/a> on spaceships<\/a> and other stuff<\/a> straight out of science fiction<\/a>. However, such talking-thinking computers and droids need to be fully capable of human-like thinking \u2014 to command artificial general intelligence<\/a> (AGI) or artificial superintelligence<\/a> (ASI), yet neither AGI nor ASI have been invented yet, and will hardly be so in the foreseeable future.<\/p>\n Anyway, if all the AI types are measured with the same yardstick and fully regulated, the whole IT industry and many related ones aren’t going to fare well at all. For example, if we (Kaspersky) will ever be required to get the consent from all our training-set “authors”, we, as an information security company, will find ourselves up against the wall. We learn from malware and spam, and feed the knowledge gained into our machine learning, while their authors tend to prefer to withhold their contact data (who knew?!). Moreover, considering that data has been collected and our algorithms have been trained for nearly 20 years now \u2014 \u00a0quite how far into the past would we be expected to go?<\/p>\n Therefore, it’s essential for lawmakers to listen, not to marketing folks, but to machine-learning\/AI industry experts and discuss potential regulation in a specific and focused manner: for example, possibly using multi-function systems trained on large volumes of open data, or high responsibility and risk level decision-making systems.<\/p>\n And new AI applications will necessitate frequent revisions of regulations as they arise.<\/p>\n To be honest, I don’t believe in a superintelligence-assisted Judgement Day within the next hundred years. But I do believe in a whole bunch of headaches from thoughtless use of the computer black box.<\/p>\n As a reminder to those who haven’t read our articles on both the splendor and misery of machine learning<\/a>, there are three main issues regarding any AI:<\/p>\n Thus, anything at all could happen: from malicious misuse of AI, to unthinking compliance with AI decisions. Graphic real-life examples<\/a>: fatal autopilot errors<\/a>, deepfakes (1<\/a>, 2<\/a>, 3<\/a>) by now habitual in memes and even the news, a silly error in school teacher contracting<\/a>, the police apprehending a shoplifter but the wrong one<\/a>, and a misogynous AI recruiting tool<\/a>. Besides, any AI can be attacked with the help of custom-made hostile data samples: vehicles can be tricked using stickers<\/a>, one can extract personal information<\/a> from GPT-3, and anti-virus or EDR can be deceived<\/a> too. And by the way, attacks on combat-drone AI<\/a> described in science fiction don’t appear all that far-fetched any more.<\/p>\n In a nutshell, the use of AI hasn’t given rise to any truly massive problems yet, but there is clearly a lot of potential for them. Therefore, the priorities of regulation should be clear:<\/p>\n The objective of regulation should be to compel users and AI vendors to take care not to increase the risks of the mentioned negative things happening. And the more serious the risk, the more actively it should be compelled.<\/p>\n There’s another concern often aired regarding AI: the need for observance of moral and ethical norms, and to cater to psychological comfort, so to say. To this end,\u00a0we see warnings given so folks know that they’re viewing\u00a0a non-existent (AI-drawn) object or communicating with a robot and not a human, and also notices informing that copyright was respected during AI training<\/a>, and so on. And why? So lawmakers and AI vendors aren’t targeted by angry mobs! And this is a very real concern in some parts of the world (recall protests against Uber<\/a>, for instance).<\/p>\n The simplest way to regulate AI would to prohibit everything, but it looks like this approach isn’t on the table yet. And anyway it’s not much easier to prohibit AI than it is computers. Therefore, all reasonable regulation attempts should follow the principle of “the greater the risk, the stricter the requirements”.<\/p>\n The machine-learning models that are used for something rather trivial \u2014 like retail buyer recommendations \u2014 can go unregulated, but the more sophisticated the model \u2014 or the more sensitive the application area \u2014 the more drastic can be the requirements for system vendors and users. For example:<\/p>\n The last measure appears excessively strict, but only until you learn about incidents in which AI messed up treatment priorities<\/a> for acute asthma and pneumonia patients and tried to send them home instead of to an intensive care unit.<\/p>\n The enforcement measures may range from fines for violations of AI rules (along the lines of European penalties for GDPR violations) to licensing of AI-related activities and criminal sanctions for breaches of legislation (as proposed in China).<\/p>\n Below represent my own personal opinions \u2014 but they’re based on 30 years of active pursuit of advanced technological development in the cybersecurity industry: from machine learning to “secure-by-design” systems.<\/p>\n First, we do need regulation. Without it, AI will end up resembling highways without traffic rules. Or, more relevantly, resembling the online personal data collection situation in the late 2000s, when nearly everyone would collect all they could lay their hands on. Above all, regulation promotes self-discipline in the market players.<\/p>\n Second, we need to maximize international harmonization and cooperation in regulation \u2014 the same way as with technical standards in mobile communications, the internet and so on. Sounds utopian given the modern geopolitical reality, but that doesn’t make it any less desirable.<\/p>\n Third, regulation needn’t be too strict: it would be short-sighted to strangle a dynamic young industry like this one with overregulation. That said, we need a mechanism for frequent revisions of the rules to stay abreast of technology and market developments.<\/p>\n Fourth, the rules, risk levels, and levels of protection measures should be defined in consultation with a great many relevantly-experienced experts.<\/p>\n Fifth, we don’t have to wait ten years. I’ve been banging on about the serious risks inherent in the Internet of Things and about vulnerabilities in industrial equipment for over a decade already, while documents like the EU Cyber Resilience Act<\/a> first appeared (as drafts!) only last year.<\/p>\n But that’s all for now folks! And well done to those of your who’ve read this to the end \u2014 thank you all! And here’s to an interesting \u2013 safe \u2013 AI-enhanced future!…<\/p>\nWhat to regulate<\/h2>\n
Why regulate?<\/h2>\n
\n
\n
How to regulate<\/h2>\n
\n
But what’s the right way?<\/h2>\n