Existing transatlantic cooperation and frameworks offer great potential to address rising threats in AI and cybersecurity, but joint solutions will require interoperable frameworks, common data standards, and the involvement of a broader network of actors to address these challenges effectively, according to panelists at a webinar hosted on April 22 by the Center for Data Innovation.
The scale of challenges to AI-systems’ security requires global cooperation, said Eline Chivot, senior policy analyst at the Center for Data Innovation. As the United States, Canada, the EU and other like-minded countries share values and economic interests, they could take the lead for more effective joint initiatives in this domain.
Panelists agreed that although the transatlantic relationship provides a strong basis to deal with cybersecurity, AI and cybersecurity remain a policy and operational field in development. This does provide an opportunity to build security policy frameworks collaboratively and coherently, so as to scale them up more easily than in other domains where regulations already exist and are harder to harmonize. Dr. José Marie Griffiths, president of Dakota State University, referred to recent work by the U.S. National Security Council on AI as an illustration of the growing recognition of the need to further cultivate transatlantic ties in this area. In particular, the Council recommends the United States and allied governments create a national security point of contact for government-wide AI collaboration, and to conduct an assessment of each ally’s strengths in AI.
Yet government-led solutions are not effective enough to tackle issues AI and cybersecurity intersect, argued Cameron Kerry, distinguished visiting fellow in governance studies at the Brookings Institution. Cybersecurity and AI require a move from a state-led approach towards more integrated structures involving multiple actors, such as private sector organizations, civil society, and academic partners. Florian Pennings, cybersecurity policy manager for EU government affairs at Microsoft, added that the EU already has existing cooperation models, frameworks, and regulations such as the NIS directive, and an organization such as the European Union Agency for Cybersecurity (ENISA) can play a role in certification. Transatlantic allies could leverage these tools to identify public-private collaboration opportunities—which would be beneficial to companies that can share expertise and information globally while contributing to security.
According to Jan Havranek, policy advisor at the policy planning unit of the office of the Secretary General at NATO, the North Atlantic Alliance can contribute to a transatlantic framework based on shared values, accountability, and transparency. The contribution of NATO on AI and data for international standard setting is inevitable to inform capability development processes, for instance for military missions, as shown with its cooperation with the EU on military mobility. NATO can support a multistakeholder approach that offers opportunities to involve companies, such as through its industrial advisory group, its Cooperative Cyber Defence Centre of Excellence (CCDCOE), as well as exercises, cyber ranges (virtual environments for training), intelligence sharing, and by creating an environment trustworthy for all parties.
Another consensus among panelists was that in an increasingly dynamic environment, the best approach transatlantic partners should pursue is one based on the combination of stakeholder-generated and top-down decision-making—”a middle-out” approach, in Dr. Griffiths’ words—which would open up the architecture of public policy making. Top-down data security requirements and baseline obligations make sense in cybersecurity, but a more extensive application and development of standards necessarily involves a multifaceted, iterative decision-making process that includes business interests as well. A “middle-out” approach could enhance the understanding by public and private organizations of the capabilities, limitations and potential of the AI systems that they are increasingly adopting, in turn leading to better decision-making.
When discussing the potential of a transatlantic data space, panelists agreed that data sharing agreements, common standards for interoperability, testing, evaluation, and the verification and validation of AI-enabled systems are critical. Yet the lack of interoperability remains problematic. Pennings and Dr. Griffiths emphasized that there needs to be a classification system—a “taxonomy”—for AI and cyber threats, and greater communication about best practices for data sharing across sectors to ensure a common understanding of these issues among all allies. For instance, piloting data trusts can be effective. In addition to standards, documentation is critical as well to clarify which information is being shared.
The transatlantic cooperation on data spaces could challenge the rise of China as an AI superpower. Kerry mentioned that China has created its own data space, and intends to maintain that in ways that represent a threat to transatlantic common values. While China’s advantage lies in its troves of data, transatlantic allies can compete by developing mechanisms through which data can be shared securely and responsibly.
Today’s digital innovation economy requires policies, regulations, and standards that encourage innovation—and not stifle it. Fluidity and adaptiveness of transatlantic frameworks will become ever more important moving forward.