Cyber security

Cyber security is one of the biggest challenges of contemporary times. Information and communications technology brings digitisation and connectivity to the products and services widely used by citizens. Many of them use algorithmic solutions and are connected to the internet. At the same time, security and resilience are not sufficiently built into the devices in use, leading to serious gaps and risks to cybersecurity. The cybercrime industry exploits technical shortcomings and poses serious threats to individual citizens, to society as a whole and to governmental structures. When we add the AI dimension, we can distinguish three major areas where the impact of AI on security is particularly visible. First, AI could advance the goals of the security sector through predictive algorithms that help to prevent cybercrimes. Secondly, AI systems may be a target of cyberattacks, and there should be reflection on how they can be protected from attacks. Finally, AI may be a tool of cyber threats and, as such, may be abused for achieving malicious purposes. Policy-making processes shall address all these aspects in a way that promotes a user-centric, systemic and pluralistic approach to the problem of cybersecurity and AI-related issues.[1]

EU law addresses cybersecurity through the regulation known as the EU Cybersecurity Act. The first and major goal of this legal act is to strengthen the position of ENISA (the EU Agency for Network and Information Security) by granting it a permanent mandate and empowering it with operational and regulatory competences. ENISA is supposed to increase cooperation at the EU level by helping member states handle cybersecurity incidents. ENISA, in particular, should support member states in developing AI techniques which would help in defence against cyberattacks. From the viewpoint of industry, an important aspect of ENISA’s work is the one related to cybersecurity certification mechanisms. The introduction of a European cybersecurity certification scheme is intended to support trust in, and the security of, products and services present on the Digital Single Market. For the AI industry, obtaining such a certification would be just another expression and proof of reliability and trustworthiness, which is multidimensional in its essence, encompassing not only the ethical dimension but also a more utilitarian one. The European cybersecurity certification framework will refer to three assurance levels: basic, substantial and high. The appropriate assurance level will correspond to the level of risk associated with the use of the product. Basic level assurance means that products for which such a certificate was issued meet the security requirements evaluated at a level to minimise the known basic risks of cyberattacks and incidents. Once the product obtains the ‘substantial’ assurance, it would mean that it passed highest security tests at a level to minimise the known cybersecurity risks and cyberattacks carried out by actors with limited skills and resources.
The ‘high level’ confirms conformity with security requirements at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by entities with significant skills and resources.[3] The introduction of such a uniform certification system would prevent so-called ‘certification shopping’, which exists when requirements of differing strictness are applied in different member states and undertakings choose the certification processes with the softest approach.

  • [1] HLEG AI, ‘Policy and Investment Recommendations’ (n 5) 30-31.
  • [2] See (n 130).
  • [3] See art. 53 of the regulation 2019/881.
 