
The European Parliament’s Stance on the AI Act and CISA & MITRE’s Release of this Year’s Software Weaknesses Ranking.


The European Parliament has taken a major step towards the regulation of artificial intelligence (AI) by adopting its negotiating position on the Artificial Intelligence Act. This move brings the EU one step closer to becoming the first jurisdiction to have legislation specifically focused on the regulation of AI.

The position adopted by the European Parliament provides crucial insights into what the final measure could look like. One of the key developments is the expansion of the initial list of AI processes deemed to have an unacceptable risk level. This now includes real-time remote biometric identification systems in public areas, biometric systems that categorize sensitive characteristics like race or religion, predictive policing systems, emotion recognition systems in schools or workplaces, and untargeted scraping of facial images. The inclusion of these processes reflects the European Parliament’s commitment to protecting privacy and ensuring the responsible use of AI technologies.

Furthermore, the European Parliament’s position stipulates that AI foundation models must mitigate potential risks to health, safety, or fundamental rights before their release. This requirement exemplifies the emphasis on accountability and responsible AI development. Additionally, generative AI systems will be subject to transparency requirements, which will ensure that content produced by these systems is clearly labeled as AI-generated. This transparency measure aims to prevent the dissemination of misinformation or manipulated content without proper disclosure.

The position adopted by the European Parliament also recognizes the importance of research activities and open-source AI components. It proposes allowing exemptions for these activities and components, acknowledging the positive contributions they make to AI development and innovation.

To ensure effective implementation and oversight of the AI Act, the European Parliament calls for the establishment of at least one regulatory body in each EU member state. These regulatory bodies would be responsible for supervising and testing AI products before they are offered to the public. This decentralized approach aims to ensure that AI technologies are evaluated and monitored at a local level, taking into account specific national contexts and challenges.

The AI Act is expected to go into effect by the beginning of 2024, signaling the EU’s commitment to addressing the opportunities and challenges associated with AI in a timely manner. By being the first to adopt comprehensive AI legislation, the EU aims to set a global standard for the responsible, ethical, and accountable development and use of AI technologies.

In parallel with these developments in the EU, the US Cybersecurity and Infrastructure Security Agency (CISA) and MITRE have released this year’s list of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The list, developed by the Homeland Security Systems Engineering and Development Institute, ranks software weaknesses based on their impact, severity, and frequency.

CISA emphasizes that these weaknesses can lead to serious vulnerabilities in software, enabling attackers to take control of systems, steal data, or disrupt applications. Developers are urged to review the list and consider the mitigations that should be implemented to address these weaknesses.

While the release of such lists is appreciated by industry experts, Jeff Williams, co-founder and CTO at Contrast Security, raises concerns about the methodology and impact of these compilations. Williams notes that the dataset used for the CWE-Top-25 list only includes 7,466 vulnerabilities, whereas other lists, like the OWASP Top Ten, incorporate vulnerabilities from over 500,000 applications and APIs. He suggests that this limited dataset may introduce biases that favor certain types of vulnerabilities over others.

Moreover, Williams highlights that these vulnerability lists have been in existence for over 20 years, yet the average number and types of vulnerabilities in software have not significantly changed during this time. He questions whether these lists have inadvertently created a ceiling that stifles efforts to improve the industry, rather than serving as a floor that defines a minimal standard of security.

In conclusion, the European Parliament’s adoption of its negotiating position on the AI Act marks a significant milestone in the regulation of AI in the EU. The Act’s provisions reflect the EU’s commitment to responsible AI development, privacy protection, and transparency in AI systems. Meanwhile, the release of the CWE Top 25 Most Dangerous Software Weaknesses serves as a reminder of the ongoing challenges in software security and the need for continued vigilance in addressing vulnerabilities.
