On October 24, 2024, the Biden Administration issued a National Security Memorandum (NSM) on Artificial Intelligence (AI) to address the significant implications of AI related to national security and foreign policy in the near future. The NSM directs the U.S. Government to implement concrete and impactful steps to (1) ensure that the United States leads the world’s development of safe, secure, and trustworthy AI; (2) Harness cutting-edge AI technologies to advance the U.S. Government’s national security mission; and (3) advance international consensus and governance around AI.1 This is but one example of how governments around the world—and even individual states within the US—are proposing and enacting legislation to regulate Cybersecurity.
In a recent blog post, Cybersecurity expert Ravi Das shared examples of government attempts to protect citizens from the dangers posed by AI (and specifically Generative AI) and why those efforts often fail. He then proposes how to stem the tide by acting now, adjusting the regulations as the aspects and reach of AI unfold over time.
One thing that I have written about extensively are the data privacy laws that not only the United States has enacted, but also other nations. While the intention of them is to give consumers the right to know what is happening with their datasets, but to also make sure that the companies that are the stewards have deployed more than enough controls to make sure that the datasets are as protected as possible.
While this is of course a huge step forward, there is just one huge problem: There is no uniformity amongst them. Take for example our own 50 states. Because of this lack of centralization, each one of them is producing their own version of a data privacy law.
So, if a business were to conduct financial transactions with customers in all of the states, are they bound to each one? This is a very murky area in which there are no clear-cut answers, and unfortunately, it will not be so for a long time to come.
Now, as Generative AI is coming into the fold of our society, it appears that each state now is producing their laws in an effort to protect consumers and their datasets, in the very same manner as they have approached data privacy laws.
One such example of this is California. A number of years ago, they passed the CCPA. Now, they have produced their own Generative AI bill, which was designed to do the following:
- Create a comprehensive regulatory framework to govern the use of Generative AI, in all foreseeable aspects.
- Create a set of standards and best practices to ensure that the datasets the models use are not prone to security breaches.
This became known officially as Senate Bill 1047. But believe it or not, the governor of California, Gavin Newsom, rejected the passage of this bill. Why did he do this, you might be asking? Well, here are his direct words:
“While well-intentioned, SB-1047 does not take into account whether an AI system is deployed in high-risk environments or involves critical decision-making or the use of sensitive data,” Newsom wrote. “Instead, the bill applies stringent standards to even the most basic functions — so long as a large system deploys it. I do not believe this is the best approach to protecting the public from real threats posed by the technology.”2
Here are other reasons why he rejected this bill:
- The emphasis of it was purely on large scale Generative AI models. There also needs to be a focus on more specialized models, which serve different purposes.
- The bill appeared to be too stringent to the governor. His reason for this was that it could stifle innovation and ideas. To counter this, he proposed that a much more flexible approach needs to be taken, and that each model should be taken into account on a case-by-case basis.
- The bill did not address the deployment of Generative AI in those environments that are deemed to be of high risk.
As a result of this, the following pieces of advice were offered for consideration:
- Create a joint task force that includes a representative sample who will be involved in this process. This will include people all the way from consumers to the private sector, to academia, and all levels of both the state and federal governments.
- The focus of Generative AI should not be on the size and the resources that the models use, but rather, there needs to be a huge emphasis on the risks that are borne from using AI to begin with.
- Implement a process where any passed legislation on Generative AI can be updated as the technology evolves and advances. Of course, as we know from the efforts in doing this for Cybersecurity, this is very tall order to fill. In other words, the passage of any updates simply will not keep up with the pace of the rapid advances being made in Generative AI.
- It is highly recommended that any new bill that is presented to the governor for signing be modeled after the bill that the European Union (EU) recently passed. This is known as the “EU Artificial Intelligence Act” and is actually highly regarded as a comprehensive approach to regulating Generative AI. More details about this can be found here.
My thoughts on this:
This is bill that was rejected by the governor of California was officially known as the “Safe and Secure Innovation for Frontier Artificial Intelligence Models Act.” Many people supported the passage of this bill (even Elon Musk), but there was also a fair share that rejected it as well. It has been viewed as a good step forward, but of course, a lot of work still needs to be done on, as I have eluded to previously.
The bottom line is that creating any kind of regulatory bill on Generative AI is going to be very complicated. For example, it is not just a few segments of American society that are impacted by Generative AI. Rather it is the entire population and almost every business.
Also, there are too many unknowns and variables that are involved in the actual creation of a Generative AI model, and the list here will just keep on growing.
On a very macro level, my thinking is that we simply need to have a Department of Cybersecurity created, in the very same manner that the Department of Homeland Security was right after 9/11. But we should not wait for a disaster to happen in Generative AI in order for this to happen. The federal government needs to act now in order to start this effort.
Under this newly created department, Generative AI would also fit into here as well. This will not only lead to a centralization of the data privacy laws, but it will also lead to the same result for Generative AI. Apart from this, we need to start simple first.
Let us draft a bill that details a framework for all aspects of AI, such as Computer Vision, Natural Language Processing, Large Language Models, Neural Networks, Machine Learning, etc. The bottom line here is that Generative AI is not a field all in its own world. It includes all of these aspects. What impacts one area will have a cascading effort on the other as well. Then over time, updates should be added to this framework, which although will take a very long time to accomplish, I am a huge proponent of it.
Sources/References:
1. Memorandum on Advancing the United States’ Leadership in Artificial Intelligence; Harnessing Artificial Intelligence to Fulfill National Security Objectives; and Fostering the Safety, Security, and Trustworthiness of Artificial Intelligence, WhiteHouse.gov, October 24, 2024.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.
Visit his website at mltechnologies.io