The AI Act as a Shield for the EU Cyberspace
The war in Ukraine has sparked global attention because of the physical harm that affected Ukrainian civilians and cities. European media focused on the impact of tanks, ballistic missiles, military convoys, drones, and fighter jets that the Russian Federation deployed on Ukrainian territory. Nevertheless, if Europe believes these to be the overarching menaces to European security, we might have missed a much wider scope of threats that are already affecting us directly. Along with what it called a “special military operation”, Russia launched a range of Distributed Denial of Service (DDoS) attacks on Ukraine, which are cyberattacks that disrupt the normal functioning of a server or network. The DDoS attacks were aimed at introducing malware into Ukraine’s banking system, government-related websites, and civilian infrastructure, and at spreading disinformation. NATO and EU Member States sent dozens of teams of experts in cybersecurity to help respond to such non-conventional attacks by Russian hackers. Moreover, some 300,000 volunteers from all over the world have joined Ukraine’s IT Army, sponsored by the Ukrainian defence ministry. Unfortunately, these efforts might not be enough if you consider the quantity of data available in cyberspace.
A key term that increasingly appears in the debate about cybersecurity is ‘granularity’ – the level, or scale, of precision and detail of a given data structure. At first glance, data does not provide any strategically valuable insight; however, if combined with other data structures, it can reveal very sensitive information. For example, in the U.S. some police officers were able to find out in a few minutes who the individuals attacking Capitol Hill on January 6 last year were, or to identify those who participated in riots after George Floyd was killed. It was done by aggregating facial recognition from billions of pictures, allowing them to identify and track the individuals they were looking for. Alternatively, in 2017, an Australian hacker decided to amuse himself by posting information on social media that revealed the activities of secret U.S. military bases in Afghanistan. The same person released personal data of individuals working in a French base in Niger, and an Italian one in Djibouti.
This aggregation of relevant data structures is explained by the ‘mosaic theory’. It establishes that when apparently meaningless parcels of data are selectively merged, a single coherent piece of information can be derived from them. This data is readily collected not only through our phones and computers, but also from smart watches, refrigerators, showers, cars, bikes, lamps, toilets, speakers, etc. The Internet of Things (IoT) is an awesome tool as it enables physical objects with sensors and processing ability to exchange data with each other on the Internet, thus enhancing the ability of those products to help each other in order to better satisfy our needs. But the IoT still allows our geopolitical rivals, such as Russia, to be aware of where we are, how we are behaving, and for how long. If Russians managed to merge huge amounts of EU citizens’ personal data, they could draw very precise conclusions about us, Europeans. They are already observing our social media content, our search engine tendencies, our pictures, and our apps. By combining all this information into a single mosaic, they are going to improve their ability to design strategies to harm us with DDoS and disinformation campaigns.
Now, this is no longer possible since the European Parliament and Council reached a consensus on the Artificial Intelligence Act. This piece of legislation, which is the first-ever regulatory framework for AI technologies, is primarily related to data protection and harmonisation of the AI market between the Member States. Firstly, it establishes what kind of personal (granular) data can be collected from consumers, how and where it can be processed, and with whom and for what purposes it can be shared. Secondly, it harmonises the regulatory framework concerning the use of algorithms, previously decided by the Member States, in products that include AI technology. What needs to be stressed with this long introduction to cybersecurity, however, is that the AI Act completely avoids addressing AI’s importance in cybersecurity. The legal basis that was used by the Commission to propose the AI Act is Art. 114 of the Treaty on the Functioning of the EU (TFEU). This Treaty provision is the most widely used legal basis since it relates to the functioning of the internal market, which prevents market-oriented legislation from being interpreted in light of the current geopolitical situation.
No matter how market-oriented this legislation might be, the AI Act inevitably and unintentionally assumes a geopolitical value. It limits foreign actors’ ability to access EU citizens’ data, which restrains their success in carrying out DDoS and disinformation campaigns. The comparative advantage in cyber warfare is represented by the amount of data available to one actor relative to the amount available to all other actors: the more parcels you have, the better you can be at obtaining a ‘mosaic’ that gives you a strategic advantage over the others. If hackers can architect their attacks on a smaller amount of data, the impact of their actions will be lessened, since they will be able to target individuals, firms and governments less precisely and on less relevant fronts. Therefore, by limiting the amount of data that stems from products that involve AI technology (especially in the IoT), the AI Act protects us from being attacked in an effective manner, ultimately preventing the EU’s Internet infrastructure from suffering major disruptions.
Summing up, the lessons that can be derived from the impact of the AI Act on geopolitics and on European cybersecurity are twofold:
Privacy is not just an individual liberty and a right that EU citizens enjoy in the form of a legal principle, but is also a tool to be used to prevent foreign actors from acquiring precise ‘mosaics’ about EU citizens’ behaviour. Data protection must be relevant not only in an economic and commercial context, where firms are prevented from using data to extensively target customers, engage in unfair competition, and use algorithms in a discriminatory and unethical manner. It is also a security tool to prevent our geopolitical rivals from acquiring too much strategic advantage over the EU itself. The AI Act will make it much harder for Russian hackers to attack our IoT network and algorithms (through DDoS), or to use our data contained in it in order to obtain clearer mosaics about us.
Art. 114 TFEU is a legal basis that can be used for purposes related to the functioning of the internal market, such as competition, regulation, and safety, but it can be intelligently used in order to pass legislation that would have geopolitical significance, as the AI Act turned out to do. The EU’s Common Foreign and Security Policy (CFSP) and Common Security and Defence Policy (CSDP) tend to fall short of the EU’s security needs, and often adopt the lowest common denominator of all Member States: such policy areas are strictly intergovernmental and anyone can veto EU action. Both the EU and NATO have been cohesive in responding to Russia’s aggression against Ukraine, but is this likely to last forever? Some geopolitical issues, such as cybersecurity, can be solved by regulating relevant parts of the market. Therefore, it is better to avoid the legal framework of CFSP and CSDP, and to bring legislation under the scope of consumer protection and the internal market (Art. 114 TFEU), where the bargaining power is more distributed, negotiations are smoother, and legislation is more likely to be adopted.
The EU has the largest market in the world, which gives it immense regulatory power. Decisions related to products and services taken by the EU are likely to have repercussions in many other jurisdictions because they import our regulatory standards through market forces. Even if the EU seems reluctant and divided when it comes to geopolitics, it does not mean that it is unable to affect geopolitics and the global security architecture through its market power. The AI Act shows how the EU, by simply regulating its internal market, can (in some sectors) affect the distribution of power in international geopolitical conflicts, and defend itself from actors that want to disrupt our European sovereignty.