Cyber & IT Supervisory Forum - Additional Resources

A multilayer framework for good cybersecurity practices for AI June 2023

1. INTRODUCTION

In recent years, AI systems and related technologies (e.g., robots, biometrics, surveillance cameras, IoTs, drones) have been increasingly deployed and used by all economic sectors (e.g., health, energy, telecom, financial) in their daily business activities. However, to unveil the full business potential of AI – and also to serve European values and the democratic rights of Europeans – adequate level of cybersecurity and privacy need to be ensured in these systems. EU is already working on the necessary legal cybersecurity instruments to protect the AI developments towards serving EU citizens and has invested highly in the trustworthiness of AI through Horizon 2020, Horizon Europe and the Digital Europe Programme. At the same time, the majority of Member States (MS) have put in place national AI strategies where the NCAs play a crucial role in the effort to build innovative human-centric AI ICT products in Europe. Various standards are being developed by numerous bodies – such as the European Telecommunications Standards Institute (ETSI), the European Committee for Standardization, the International Organization for Standardization (ISO), the National Institute for Standards and Technology (NIST), the Institute of Electrical and Electronics Engineers (IEEE) and the Open Web Application Security Project – along with recommendations and white papers by cybersecurity organisations – such as ENISA, the European Union Agency for Law Enforcement Cooperation, the European Defence Agency, the European Cyber Security Organisation and the Centre for European Policy Studies (CEPS) – and international bodies such as the OECD and the UN. These provide policy and technical measures (design principles, integration platforms, test cases), practices and further research needed to secure AI products (e.g., software, hardware, systems, services) and ensure their human-centric design. Numerous existing traditional cybersecurity practices and solutions (methodologies, tools, recommendations) can be used to guide AI stakeholders in undertaking appropriate traditional controls. These good practices are presented in different documents which address various layers of the ICT environments (e.g., physical, network, informatics, data, services) that host AI products, making it difficult for the AI stakeholders to determine the ones appropriate for their environment. Furthermore, the dynamic nature of AI imposes some open issues and additional cybersecurity measures required in undertaking additional effective measures. Additional cybersecurity practices are also needed when AI products target a specific economic sector (e.g. health, energy, automotive) to meet sectoral security requirements. Finally, further research activities are needed to enforce the resilience and security of the AI-based products.

1.1. AIMS AND OBJECTIVES The objectives of this study are:

• to develop a framework for AI good cybersecurity practices (FAICP) necessary for securing the ICT infrastructures and the hosted AI, taking into account the AI life cycle which goes beyond ML (from system concept to decommissioning) and all elements of the AI supply chain, associated actors, processes and technologies; • to collect information from EU NCAs about the national cybersecurity requirements for AI and how compliance with these requirements is monitored and enforced nationally; • to identify challenges and gaps in the existing cybersecurity practices for AI that will help AI stakeholders from all sectors bring trustworthiness to their AI-related operations and business. 1.2. BENEFITS AND BENEFICIARIES The target beneficiaries of this study are as follows. • AI stakeholders. Designers, developers, integrators, manufacturers, operators, service providers, supply chain business partners, auditors, legislators, policymakers and professional users. • National authorities. Authorities, agencies and competence centres for monitoring and assessing cybersecurity or AI activities.

4