Cybersecurity of Frontier AI Models: A Regulatory Review

By Deric Cheng, Elliot Mckernon, Convergence Analysis @ 2024-04-25T14:51 (+9)

This article is part of a series of ~10 posts comprising a 2024 State of the AI Regulatory Landscape Review, conducted by the Governance Recommendations Research Program at Convergence Analysis. Each post will cover a specific domain of AI governance (e.g. incident reporting, safety evals, model registries, etc.). We’ll provide an overview of existing regulations, focusing on the US, EU, and China as the leading governmental bodies currently developing AI legislation. Additionally, we’ll discuss the relevant context behind each domain and conduct a short analysis.

This series is intended to be a primer for policymakers, researchers, and individuals seeking to develop a high-level overview of the current AI governance space. We’ll publish individual posts on our website and release a comprehensive report at the end of this series.

What cybersecurity issues arise from the development of frontier AI models?

One of the primary issues that has caught the attention of regulators is the protection of the intellectual property and sensitive data associated with frontier AI models (otherwise named as “dual-use foundational models” by US legislation and “general-purpose AI” (“GPAI”) by EU legislation). 

In particular, legislators are concerned that as frontier AI models increase their capabilities, unregulated access to the underlying code or abilities of these models will result in dangerous outcomes. For example, current AI models can easily be induced to distribute information hazards, such as instructions for developing homemade weapons or techniques for committing crimes. As a result, they’re typically trained during a fine-tuning phase to reject such requests. Bypassing the cybersecurity of such models could result in the removal of that fine-tuning, allowing dangerous requests to succeed. Other cybersecurity risks include sharing sensitive user data, or leaking proprietary ML architectural decisions to direct competitors & geopolitical adversaries (e.g. Chinese organizations, in the case of the US). 

Currently, the leading frontier AI models meet the following conditions, which are often collectively referred to as “closed-source” development: 

In contrast, open-source AI models typically share some combination of their training data, model code, and completed model weights for public and commercial use. 

Unlike open-source models, which are freely available and lack cybersecurity protections by design, proprietary or closed-source models have stringent measures to safeguard such sensitive information. Preventing the theft or leakage of this information is critically important to the AI labs that develop these models, as it constitutes their competitive advantage and intellectual property. 

What cybersecurity issues are AI labs concerned about? 

Specifically, AI labs are concerned about preventing the following: 

With effective security practices, it’s generally accepted that it is feasible for AI labs to prevent these forms of information from being leaked. Similar practices are currently used in all major tech corporations today to protect their existing codebases and private user data from breaches. Nevertheless, given the complexity of cybersecurity and the numerous potential targets, it is highly likely that a prominent AI lab will fall victim to a data breach involving a frontier AI model in the near future.

What cybersecurity issues are regulators concerned about? 

Regulators are similarly concerned about effective cybersecurity for the same domains, albeit with different motivations: 

  1. Leaking such data could benefit the R&D of geopolitical adversaries. In particular, the US government is highly invested in limiting the rate of AI development of Chinese organizations - leaking such data would counter these interests. 
  2. Leaking such data could allow third parties to develop unregulated access to potentially dangerous frontier AI models. Currently, governments have well-established methods to control closed-source models run by AI labs, by regulating the labs themselves. If access to the source code of these frontier models were more widely distributed, regulators would lose their ability to control the usage and distribution of these models. 

Due to these interests, regulators are generally as invested in the cybersecurity of frontier AI models as the labs themselves are. Their incentives are well aligned in the case of cybersecurity for frontier models. However, in practice regulators have by and large left specific cybersecurity decisions up to independent parties, preferring to more broadly create requirements such as a “primary responsibility for information security” or “resilien[ce] against attack from third-parties”. Their enforcement of legislation such as the GDPR has been inconsistent and patchy.

What are current regulatory policies around cybersecurity for AI models?

China

China maintains a complex, detailed, and thorough set of data privacy requirements developed over the past two decades via legislation such as the PRC Cybersecurity Law, the PRC Data Security Law, and the PRC Personal Information Protection Law. Together, they constitute strong protections mandating the confidential treatment and encryption of personal data stored by Chinese corporations. Additionally, the PRC Cybersecurity Law has requirements regarding data localization that mandate that the user data of Chinese citizens be stored on servers in mainland China, ensuring that the Chinese government has more direct methods to access and control the usage of this data. All of these laws apply to data collected from users of LLM models in China. 

China’s existing AI-specific regulations largely mirror the data privacy policies laid out in previous legislation, and often refer directly to such legislation for specific requirements. In particular, they extend data privacy requirements to the training data collected by Chinese organizations. However, they do not introduce any specific requirements for the cybersecurity of frontier AI models, such as properly securing model weights or codebases. 

China’s Deep Synthesis Provisions include the following: 

China’s Interim Generative AI Measures include the following: 

The EU

The EU has a comprehensive data privacy and security law that applies to all organizations operating in the EU or handling the personal data of EU citizens: the General Data Protection Regulation (GDPR). Passed in 2018, it does not contain language specific to AI systems, but provides a strong base of privacy requirements for collecting user data, such as mandatory disclosures, purpose limitations, security, and rights to access one’s personal data.

The EU AI Act includes some cybersecurity requirements for organizations running “high-risk AI systems” or “general purpose AI models with systemic risk”. It generally identifies specific attack vectors that organizations should protect against, but provides little to no specificity about how an organization might protect against these attack vectors or what level of security is required.

Sections discussing cybersecurity for AI models include: 

The US

Compared to the EU and China, the US Executive Order on AI places the greatest priority on the cybersecurity of frontier AI models (beyond data privacy requirements), in accordance with the US’ developing interest in limiting Chinese access to US technologies. It is developing specific reporting requirements regarding cybersecurity for companies developing dual-use foundation models, and has tasked various agencies with producing reports that investigate the cybersecurity implications of AI models across a number of domains.

Specific regulatory text in the Executive Order includes: 

  1. Companies developing dual-use foundation models must provide information on physical and cybersecurity protections for the model training process, model weights, and the result of any red-team testing for model security.
  2. Directs the Secretary of Commerce to define the technical conditions for which models would be subject to the reporting requirements in 4.2(a). Until defined, this applies to any model trained using:
    1. Over 10^26 integer/floating-point operations per second (FLOP/s)
    2. Over 10^23 FLOPs if using primarily biological sequence data
    3. Any computing cluster with data center networking of over 100 Gbit/s and a maximum computing capacity of 10^20 FLOPs for training AI.

The US does not have a comprehensive data privacy law similar to the GDPR or the PRC Personal Information Protection Law, nor a comprehensive cybersecurity law similar to the PRC Cybersecurity Law.

Convergence’s Analysis

User data of frontier AI models, and some forms of training data, will continue to fall under the jurisdiction of existing data privacy laws.

Cybersecurity requirements beyond user privacy are likely to be targeted at a small group of leading AI labs. 

Frontier AI labs already have strong incentives to enforce the protection of their closed-source AI models. It’s unlikely that mandatory legislation will meaningfully impact their cybersecurity efforts.

Governments have historically been poor at enforcing data privacy requirements, and are mostly constrained to requiring reporting or reactively fining organizations after an incident occurs.


SummaryBot @ 2024-04-25T15:10 (+1)

Executive summary: Cybersecurity of frontier AI models is a key concern for AI labs and regulators, with a focus on protecting user data, model weights, codebases, and training data from leaks that could enable misuse or accelerate competition.

Key points:

  1. AI labs are concerned about leaks of user data (violating privacy laws), model weights (enabling uncontrolled model use), codebases (revealing IP to competitors), and training data (accelerating competitor capabilities).
  2. Regulators share these concerns and want to prevent leaks that could benefit adversaries or allow unregulated access to potentially dangerous AI models.
  3. China and the EU have strong data privacy laws (e.g. GDPR) that apply to user data from AI models. The US is developing reporting requirements on cybersecurity measures for leading AI labs.
  4. Cybersecurity requirements beyond data privacy are likely to target a small group of top AI labs, which already have strong incentives and capabilities to protect their IP.
  5. Governments have historically struggled to consistently enforce data privacy laws, and the complexity of AI model security poses additional challenges. However, having fewer organizations to track may aid enforcement.

This comment was auto-generated by the EA Forum Team. Feel free to point out issues with this summary by replying to the comment, and contact us if you have feedback.