
Friday, 18 October 2024

Cybersecurity Regulation: A Global Overview of Standards and Regional Approaches Influenced by Legal Systems

Antonio Ieranò

Security, Data Protection, Privacy. Comments are on my own unique responsibility 🙂

October 10, 2024

NOTE: this is the second part of the short analysis I was asked for, enjoy :-)

Introduction

In today’s increasingly interconnected world, where digital infrastructures underpin critical sectors like healthcare, finance, and energy, robust cybersecurity regulation has become paramount. Cyberattacks are growing in both frequency and sophistication, making it crucial for countries and regions to implement strong cybersecurity frameworks. These frameworks are shaped not only by the evolving nature of cyber threats but also by the underlying legal systems that influence how laws are drafted, interpreted, and enforced.

Legal systems—whether civil (Roman law), common law, or socialist law—play a significant role in shaping regulatory approaches. For instance, the European Union’s civil law tradition results in highly codified and comprehensive cybersecurity regulations, while the United States, operating under common law, tends to develop more flexible, sector-specific laws. China’s socialist legal system, with its focus on state control and data sovereignty, enforces stringent cybersecurity standards.

This article explores widely accepted international cybersecurity standards and region-specific regulations, with a focus on the EU’s evolving cybersecurity landscape, including the NIS2 Directive, DORA, and other key regulations. It also examines how different legal systems impact the implementation of cybersecurity frameworks, particularly in critical sectors like healthcare and finance.


Widely Accepted Cybersecurity Standards

International cybersecurity standards serve as the foundation for many national regulations, providing a common language for addressing cybersecurity risks. Several globally accepted frameworks are referenced across industries, helping organisations manage and mitigate cyber threats.

ISO/IEC 27001 – Information Security Management Systems (ISMS)

ISO/IEC 27001 is a widely recognised standard for information security management, offering a systematic approach to protecting sensitive data, managing risks, and ensuring cybersecurity resilience. This standard is particularly relevant for critical sectors such as healthcare and finance, where data protection is paramount.

NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF), developed by the U.S. National Institute of Standards and Technology (NIST), provides a flexible, risk-based approach to managing cybersecurity risks. It is composed of five core functions: Identify, Protect, Detect, Respond, and Recover. While originally designed for critical infrastructure sectors in the U.S., it has been widely adopted internationally due to its comprehensive approach.

CIS Controls

The Center for Internet Security (CIS) Controls offer practical, action-oriented guidelines for mitigating cyber threats. These controls are used by organisations around the world to align their cybersecurity practices with industry best practices, particularly in sectors that handle sensitive data.

ISO/IEC 27701 – Privacy Information Management

Building on ISO/IEC 27001, ISO/IEC 27701 addresses privacy information management. It helps organisations that must comply with data protection regulations like the General Data Protection Regulation (GDPR) integrate privacy controls into their broader cybersecurity strategies.


Cybersecurity Regulations in the European Union (EU)

The European Union has developed one of the most comprehensive and prescriptive cybersecurity frameworks in the world, heavily influenced by its Roman law tradition. The EU’s approach to cybersecurity is codified in several key regulations and directives aimed at harmonising standards across its member states. These regulations are essential for securing critical sectors such as healthcare, finance, energy, and transportation.

NIS2 Directive (2022)

The NIS2 Directive, which updates and replaces the original Network and Information Systems (NIS) Directive of 2016, significantly strengthens cybersecurity requirements across the EU. NIS2 expands the scope of the original directive, covering more sectors and requiring operators of essential services (OES) and digital service providers (DSPs) to implement stronger cybersecurity measures.

Key aspects of the NIS2 Directive include:

  • Expanded scope: NIS2 applies to additional sectors beyond the original NIS Directive, including healthcare, energy, transport, banking, and digital infrastructure.
  • Stricter incident reporting: Organisations must report significant cybersecurity incidents within 24 hours of detection.
  • Enhanced cooperation: The directive encourages greater cooperation between member states, including information sharing and coordination during cyber crises.
  • Cybersecurity risk management: NIS2 mandates that organisations adopt advanced cybersecurity measures, conduct regular risk assessments, and ensure that cybersecurity is integrated into their broader business operations.

The European Union Agency for Cybersecurity (ENISA) plays a key role in supporting the implementation of NIS2 by providing guidance, coordinating responses to cross-border incidents, and facilitating cooperation between member states.

General Data Protection Regulation (GDPR)

While the General Data Protection Regulation (GDPR) is primarily focused on data protection, it has significant implications for cybersecurity. GDPR sets out strict requirements for the processing, storing, and securing of personal data, particularly in critical sectors like healthcare and finance. Organisations must implement appropriate technical and organisational measures, such as encryption and pseudonymisation, to safeguard personal data.

A key challenge in applying GDPR within the EU’s civil law system is the regulation’s common law origins. The flexibility inherent in GDPR’s language has led to differing interpretations across member states, requiring ongoing clarification from the European Data Protection Board (EDPB) and national data protection authorities (DPAs). This has created a need for continuous guidance and harmonisation efforts across the EU.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a groundbreaking regulation aimed at enhancing the cybersecurity resilience of the financial services sector across the EU. DORA focuses on ensuring that financial institutions are equipped to withstand, respond to, and recover from cyberattacks and other operational disruptions.

Key aspects of DORA include:

  • Cybersecurity resilience testing: Financial institutions are required to conduct regular cybersecurity resilience tests, including penetration testing and vulnerability assessments.
  • Third-party risk management: DORA mandates stringent oversight of third-party service providers, particularly those that supply critical ICT services to financial institutions.
  • Incident reporting: Financial institutions must report significant cybersecurity incidents to their national authorities within a strict timeframe.

Cybersecurity Act (2019)

The Cybersecurity Act, enacted in 2019, establishes a European cybersecurity certification framework for ICT products, services, and processes. The goal of the act is to enhance trust and security in digital products and services across the EU. ENISA is responsible for managing the certification process and ensuring that products and services comply with EU cybersecurity standards.

The Cybersecurity Act also enhances ENISA’s role as the EU’s central cybersecurity agency, giving it a stronger mandate to support member states, coordinate responses to large-scale cyber incidents, and provide guidance on implementing cybersecurity regulations.

Payment Services Directive 2 (PSD2)

The Payment Services Directive 2 (PSD2) introduces stringent cybersecurity requirements for the financial sector, particularly regarding online transactions and digital payments. PSD2 mandates strong customer authentication (SCA) for electronic payments and sets cybersecurity standards for third-party payment service providers (TPPs). Financial institutions must ensure that all customer data is protected in compliance with GDPR and other cybersecurity regulations.


The Role of Legal Systems in Shaping Cybersecurity Regulation

Different legal systems—whether Roman law (civil law), common law, or socialist law—greatly influence how cybersecurity regulations are structured, interpreted, and enforced. These legal traditions shape the regulatory approaches of regions like the European Union, the United States, and China.

Civil Law Systems (Roman Law)

In civil law systems, such as those in the EU, regulations are codified and prescriptive, with detailed rules that apply uniformly across all jurisdictions. The EU’s legal system, based on Roman law, has led to the development of comprehensive cybersecurity frameworks such as NIS2, DORA, and GDPR. However, the application of GDPR—a regulation rooted in common law principles—has led to challenges in interpretation, as civil law systems typically prefer strict codification over flexibility. This has required ongoing clarifications from EU regulatory bodies like the EDPB and national DPAs.

Common Law Systems

In contrast, common law systems, such as those in the United States, are more flexible and rely on precedent and judicial interpretation. The U.S. cybersecurity landscape is characterised by a patchwork of sector-specific regulations, such as HIPAA for healthcare and GLBA for finance, as well as voluntary frameworks like the NIST Cybersecurity Framework. This flexibility allows for quicker adaptation to emerging cybersecurity threats but can lead to inconsistencies across sectors.

Socialist Legal Systems

China’s socialist legal system prioritises state control and national security. The country’s Cybersecurity Law and Data Security Law impose stringent requirements on data localisation and cybersecurity, particularly for operators of critical infrastructure. The government’s focus on controlling data flows and protecting sensitive information is a central feature of China’s regulatory approach.


Cybersecurity Regulation for Critical Sectors

Healthcare Sector

The healthcare sector is highly regulated due to the sensitivity of personal health information (PHI) and the potential life-threatening consequences of cyberattacks on healthcare systems.

  • HIPAA (U.S.): The Health Insurance Portability and Accountability Act (HIPAA) requires U.S. healthcare providers and their associates to implement administrative, physical, and technical safeguards to protect electronic personal health information (ePHI).
  • GDPR (EU): In the EU, healthcare providers must comply with GDPR when processing health data. GDPR mandates strict security measures, such as encryption and access controls, to ensure that patient data is protected.
  • NIS2 Directive (EU): Healthcare providers in the EU are also subject to the NIS2 Directive, which strengthens cybersecurity requirements for operators of essential services (OES), including healthcare organisations. NIS2 mandates incident reporting, regular risk assessments, and the implementation of advanced cybersecurity measures.

Financial Sector

The financial sector is a frequent target for cyberattacks due to the volume of sensitive financial data it handles. Financial institutions are subject to strict cybersecurity regulations aimed at protecting consumer information and ensuring the resilience of financial systems.

  • GLBA (U.S.): The Gramm-Leach-Bliley Act (GLBA) requires U.S. financial institutions to implement cybersecurity safeguards to protect consumer financial data.
  • PSD2 (EU): The EU’s Payment Services Directive 2 (PSD2) mandates strong customer authentication (SCA) for electronic payments and requires financial institutions to implement robust cybersecurity measures.
  • DORA (EU): The Digital Operational Resilience Act (DORA) focuses on ensuring the cybersecurity resilience of the financial sector. Financial institutions are required to conduct regular cybersecurity testing, monitor third-party risks, and report incidents.

Conclusion

As cyber threats continue to grow in complexity and scale, cybersecurity regulation must evolve to protect critical infrastructure and sensitive data. Global standards like ISO/IEC 27001 and the NIST Cybersecurity Framework provide essential guidelines, while region-specific regulations—such as the EU’s NIS2 Directive, DORA, and GDPR, the U.S. HIPAA and GLBA, and China’s Cybersecurity Law—address the unique risks faced by critical sectors like healthcare and finance.

In the European Union, the challenges of applying common law-inspired regulations like GDPR in a civil law environment have underscored the importance of regulatory bodies like ENISA and the EDPB in providing continuous guidance and harmonising interpretation across member states. As organisations worldwide strive to build cybersecurity resilience, cross-border cooperation, and alignment with both global standards and local regulations will remain key to addressing the evolving cyber threat landscape.

Appendix: principal regulations per geographic area

Here’s a breakdown of specific regulations covered in the article, focusing on cybersecurity and critical services across different regions:

1. European Union (EU)

  • General Data Protection Regulation (GDPR): Aimed at protecting personal data and ensuring data security, GDPR sets strict guidelines for data processing, including requirements for encryption, breach reporting, and user consent. It applies across sectors but has specific importance in healthcare and finance, given the sensitivity of personal data.
  • NIS2 Directive: Expands the original NIS Directive, increasing the scope to cover more critical sectors such as healthcare, energy, and digital infrastructure. It introduces stricter requirements for incident reporting, cybersecurity risk management, and harmonises cybersecurity standards across member states.
  • Digital Operational Resilience Act (DORA): Focused on the financial sector, DORA ensures that financial institutions are equipped to handle cyberattacks and operational disruptions. It mandates continuous testing of cybersecurity resilience, incident reporting, and third-party risk management for critical financial services.
  • Cybersecurity Act (2019): Establishes a European cybersecurity certification framework for ICT products, services, and processes, enhancing trust and security in digital products across the EU. ENISA’s role is also expanded under this act to facilitate cross-border cooperation and incident response.

2. United States

  • NIST Cybersecurity Framework: A voluntary but widely adopted framework designed to manage and reduce cybersecurity risks. It consists of five core functions (Identify, Protect, Detect, Respond, and Recover) and is frequently referenced by federal agencies and critical infrastructure operators.
  • HIPAA (Health Insurance Portability and Accountability Act): Mandates strict protection of personal health information (PHI) in the healthcare sector. It requires healthcare organisations to implement safeguards, encryption, access controls, and regular security assessments.
  • GLBA (Gramm-Leach-Bliley Act): Focused on financial institutions, GLBA requires measures to protect consumers’ financial information. It mandates encryption, multi-factor authentication, and data privacy policies for financial institutions.
  • FISMA (Federal Information Security Management Act): Governs federal agency information security, requiring agencies to develop, document, and implement information security programs. It is sector-specific but critical for managing the cybersecurity risks of federal agencies.

3. China

  • Cybersecurity Law: Imposes strict data localisation and cybersecurity requirements on all sectors, with particular emphasis on critical infrastructure. Companies are required to store data locally, undergo cybersecurity assessments, and ensure government oversight on cross-border data transfers.
  • Data Security Law: Regulates the collection, storage, and transfer of data, especially focusing on protecting state interests and critical information infrastructure (CII). Like the Cybersecurity Law, it requires data localisation and security assessments.

4. United Kingdom

  • NIS Regulations: Following Brexit, the UK implemented its own version of the NIS Directive, which focuses on the protection of critical infrastructure, including healthcare and financial services. The regulations include incident reporting and cybersecurity risk management.
  • UK GDPR: Mirroring the EU GDPR, the UK GDPR ensures data protection standards remain high post-Brexit, focusing on protecting sensitive personal data across sectors, including healthcare and finance.
  • FCA Guidelines (Financial Conduct Authority): Financial institutions in the UK are required to follow FCA cybersecurity guidelines, ensuring resilience against cyber threats through continuous monitoring, incident reporting, and strict cybersecurity controls.

5. Singapore

  • Cybersecurity Act: Requires operators of critical information infrastructure (CII) to comply with stringent cybersecurity measures. These include incident reporting and regular risk assessments to prevent and mitigate cyber threats.
  • MAS TRM Guidelines (Monetary Authority of Singapore): Focused on the financial sector, these guidelines require financial institutions to implement robust cybersecurity measures, including vulnerability assessments, penetration testing, and encryption of sensitive data.

6. Japan

  • Cybersecurity Basic Act: Establishes guidelines for securing critical infrastructure and promoting collaboration between the public and private sectors. It mandates that companies in critical sectors adopt cybersecurity measures and report cyber incidents.
  • FSA (Financial Services Agency) Regulations: Focuses on cybersecurity in the financial services sector, requiring firms to implement robust risk management practices, encrypt financial data, and perform continuous cybersecurity resilience testing.

#CybersecurityRegulation #NIS2Directive #DORARegulation #ISO27001 #GDPRCompliance #CyberResilience #HealthcareCybersecurity #FinancialCybersecurity #ENISA #DataProtection #NISTFramework #CybersecurityStandards

Thursday, 17 October 2024

Regulation of Generative AI Across Global Jurisdictions: A Comparative Analysis

Antonio Ieranò

October 10, 2024

NOTE: I wrote this because of a specific request, hoping that it could be useful for a larger audience.

Introduction

The regulation of generative Artificial Intelligence (GenAI) represents a significant and increasingly complex issue in the global technological landscape. With the rapid advancement of AI technologies, particularly in the field of generative models, regional differences in regulatory frameworks are becoming more pronounced. The European Union (EU), the United States (U.S.), and China, as three of the leading powers in AI, have adopted divergent approaches to regulating AI development and deployment. These differences reflect the unique legal traditions, regulatory philosophies, and policy priorities of each region.

This article will explore these different regulatory strategies in detail, offering a comparative analysis of the strengths and weaknesses of each. Additionally, it will examine the underlying legal systems in the EU, U.S., and China, alongside emerging frameworks in other countries such as Canada, the United Kingdom, Singapore, and Japan. Furthermore, this paper will consider the implications for global AI governance, the need for international cooperation, and the role of both industry-led and government initiatives. The discussion will highlight the necessity of balancing innovation with the protection of privacy, user rights, and societal well-being in the development of GenAI.


Legal Systems Overview

The regulatory approaches to generative AI in different regions are heavily influenced by their underlying legal systems. This section provides an overview of these legal systems and their impact on the regulation of AI technologies.

European Union (EU) – Roman Law Tradition

The European Union’s legal framework is founded upon the Roman law tradition, which emphasizes the codification of laws and the establishment of comprehensive regulatory systems. The EU’s regulatory approach is characterised by its prescriptive nature, with laws being uniformly applied across member states. This system prioritises the protection of individual rights, particularly in the areas of data privacy and security.

The General Data Protection Regulation (GDPR), adopted in 2018, is a prime example of the EU’s strict regulatory approach. GDPR is one of the most comprehensive data privacy regulations globally, focusing on safeguarding individuals’ data and ensuring transparency in how personal data is processed. It requires companies to obtain explicit consent from users for data collection, to anonymise data where possible, and to report data breaches promptly. While GDPR has set a global standard for privacy regulation, its strict requirements have been criticised for potentially stifling innovation and placing a heavy compliance burden on businesses, especially startups.

United States (U.S.) – Common Law Tradition

In contrast, the United States operates under a common law system, where legal precedents established through court rulings play a central role in shaping laws and regulations. This system offers greater flexibility and allows for a more reactive approach to regulation. In the context of AI, the U.S. has traditionally favoured a permissive regulatory environment, prioritising technological innovation and leadership in global AI development.

The California Consumer Privacy Act (CCPA) is one of the most significant state-level privacy laws in the U.S., enacted to provide consumers with greater control over their personal data. However, the U.S. lacks a unified federal framework for AI regulation, which has led to a fragmented regulatory landscape where different states implement varying levels of protection.

  • California Consumer Privacy Act (CCPA):
      • Official text (English): CCPA Full Text

China – Socialist Legal Tradition

China’s legal system represents a hybrid model that combines elements of civil law with socialist legal principles, allowing for strong state intervention in regulatory affairs. The Chinese government has been proactive in promoting AI development while maintaining strict control over data privacy and security, particularly where national interests are concerned.

The Personal Information Protection Law (PIPL), which came into effect in 2021, sets out comprehensive rules for how personal data should be collected, stored, and transferred. Like the GDPR, PIPL requires explicit consent for data collection and imposes heavy penalties for non-compliance. However, the Chinese framework is distinguished by its focus on state interests, with data localisation requirements ensuring that sensitive data remains within Chinese borders. The Cybersecurity Law further bolsters this framework, reinforcing state control over data security in critical sectors.

  • Personal Information Protection Law (PIPL):
      • Official text (Chinese): 个人信息保护法全文
      • Official text (English): PIPL Full Text
  • Cybersecurity Law:
      • Official text (Chinese): 中华人民共和国网络安全法

Regulatory Approaches to Generative AI

Each of the major players in AI regulation—the EU, U.S., and China—has developed distinct approaches to regulating generative AI. These approaches are shaped not only by their legal systems but also by their broader political and economic priorities.

European Union (EU)

The EU has taken a leadership role in the global regulation of AI, seeking to set standards that ensure both the ethical use of AI technologies and the protection of user rights. The AI Act, currently in the proposal stage, aims to introduce a comprehensive legal framework that classifies AI systems based on their potential risks to society. High-risk AI systems, such as those used in healthcare or law enforcement, will be subject to stringent regulatory requirements, including transparency, explainability, and human oversight.

While the EU’s regulatory model prioritises user protection and ethical considerations, there are concerns that its prescriptive nature may hinder innovation. The compliance costs associated with meeting the requirements of the AI Act could place a significant burden on companies, particularly smaller startups, potentially slowing down the development of innovative AI solutions in the region.

United States (U.S.)

The U.S. approach to AI regulation is largely driven by a desire to foster innovation and maintain its leadership in AI development. The National AI Initiative Act of 2020 is a key piece of legislation aimed at promoting AI research and development, ensuring that AI systems are both ethical and aligned with societal values. However, unlike the EU, the U.S. has yet to introduce a comprehensive federal framework for AI regulation.

Much of the U.S. regulatory environment is shaped by state-level initiatives, such as the CCPA, and by voluntary industry guidelines. Major tech companies, including Google and Microsoft, have established internal AI ethics boards and developed frameworks to ensure that their AI systems are transparent and accountable. While this decentralised approach allows for rapid technological development, it also raises concerns about the lack of uniform protections for consumers.

China

China’s regulatory approach to AI is underpinned by its emphasis on state control and national security. The PIPL and Cybersecurity Law form the core of China’s regulatory framework for AI, ensuring that personal data is protected and that AI systems align with state interests. The Chinese government has also implemented additional regulations targeting specific industries, such as finance and healthcare, to ensure that AI technologies in these sectors are used responsibly.

Unlike the EU and U.S., where AI regulation is often focused on protecting individual rights, China’s regulatory model prioritises state security and control over data flows. While this has allowed China to rapidly advance its AI capabilities, it has also raised concerns about the potential for state surveillance and the erosion of individual privacy rights.


Examples from Other Jurisdictions: Canada, UK, Singapore, and Japan

Beyond the EU, U.S., and China, other countries are also playing important roles in shaping the regulatory landscape for GenAI. Countries like Canada, the United Kingdom (UK), Singapore, and Japan have adopted distinct approaches to AI regulation, each reflecting their unique legal systems and policy priorities.

Canada

Canada has been a leader in AI ethics and governance, particularly in the public sector. The Directive on Automated Decision-Making, introduced in 2019, is one of the first regulatory frameworks in the world specifically addressing the use of AI in government decision-making. The Directive ensures that AI systems used by the government are transparent, fair, and accountable, and includes provisions for human oversight and the prevention of bias.

Canada has also been active in promoting responsible AI development at the international level, playing a key role in the development of global AI governance frameworks through organisations like the OECD.

United Kingdom (UK)

The United Kingdom has taken a proactive stance on AI regulation, with the establishment of the Centre for Data Ethics and Innovation (CDEI) and the introduction of the UK National AI Strategy. The CDEI provides guidance on the ethical use of AI, focusing on issues such as data privacy, bias, and transparency. The UK’s approach to AI regulation is more flexible than that of the EU, seeking to strike a balance between promoting innovation and ensuring ethical AI use.

The UK National AI Strategy, published in 2021, outlines the government’s vision for making the UK a global leader in AI. The strategy emphasises the importance of developing ethical AI systems that promote fairness and transparency while encouraging investment in AI research and innovation.

Singapore

Singapore is rapidly emerging as a hub for AI innovation and governance. The government has introduced the Model AI Governance Framework, a voluntary framework that provides businesses with guidance on the responsible use of AI. The framework focuses on ensuring that AI systems are transparent, explainable, and accountable, and encourages companies to adopt best practices in data management and user protection.

Singapore’s regulatory approach is designed to support innovation while ensuring that AI technologies are used ethically. The government has also established the AI Ethics and Governance Body of Knowledge, a comprehensive resource for companies seeking to implement ethical AI systems.

Japan

Japan has adopted a unique approach to AI regulation, aligning its AI strategy with the broader concept of Society 5.0, a vision for a super-smart society that integrates AI into various aspects of daily life to address societal challenges such as an aging population. Japan’s regulatory framework focuses on promoting the use of AI for societal benefit while ensuring that AI technologies are developed and used in an ethical and transparent manner.

The AI Strategy 2021, published by the Japanese government, outlines the country’s approach to AI governance, with a particular emphasis on addressing the ethical challenges posed by AI and ensuring that AI systems are aligned with human values.


Implications for Global Governance and International Cooperation

The diverse approaches to GenAI regulation adopted by the EU, U.S., China, and other countries raise important questions about the future of global AI governance. The rapid pace of AI development, combined with the transnational nature of AI technologies, underscores the need for international cooperation in the development of regulatory frameworks.

International Organisations

Organisations such as the Organisation for Economic Co-operation and Development (OECD) and United Nations Educational, Scientific and Cultural Organization (UNESCO) have played a key role in promoting global AI governance. The OECD’s AI Principles, adopted by over 40 countries, provide a framework for responsible AI development, focusing on fairness, transparency, and accountability. UNESCO’s Recommendation on the Ethics of Artificial Intelligence further promotes the ethical use of AI, encouraging countries to align their AI policies with human rights and ethical principles.

Industry Initiatives

In addition to government-led efforts, industry initiatives such as the Partnership on AI and the World Economic Forum’s Global AI Action Alliance (GAIA) have emerged as important platforms for promoting responsible AI development. These initiatives bring together companies, governments, and civil society organisations to address the ethical challenges posed by AI and to promote best practices in AI governance.


Conclusion

The regulation of generative AI represents a multifaceted challenge that requires balancing the need for innovation with the protection of privacy, user rights, and societal well-being. The EU, U.S., China, and other key players have each adopted distinct regulatory approaches, shaped by their unique legal systems and policy priorities. While the EU has taken a strong stance on user protection and transparency, the U.S. focuses on promoting innovation, and China emphasises state control and data sovereignty.

As AI technologies continue to evolve, there is a growing need for greater international cooperation and the development of global standards for AI governance. International organisations and industry-led initiatives have made significant progress in promoting responsible AI development, but achieving a unified global approach will require sustained collaboration between governments, industry, and civil society. The future of AI regulation will depend on the ability of these stakeholders to work together to ensure that AI technologies are developed and used in a manner that is ethical, transparent, and aligned with the broader interests of society.

Appendix A: Other Approaches in Asia, Africa, and the Middle East

Asia

Several Asian countries are increasingly focusing on the regulation of AI. In South Korea, for instance, the government has introduced the AI National Strategy, which outlines the country’s goals for AI development while ensuring that AI technologies are used responsibly. South Korea is particularly focused on AI in sectors such as healthcare and education.

India, as another major player in Asia, has adopted a somewhat different approach. While India does not yet have comprehensive AI legislation, the government has launched the National AI Strategy, which emphasizes the need for AI technologies to align with India’s development goals, including addressing issues such as poverty, education, and healthcare.

Africa

Africa presents a unique case in the global AI regulatory landscape. Many countries on the continent are still in the early stages of AI development, but several have begun to explore the potential of AI in addressing pressing social and economic challenges. Rwanda has been a leader in AI innovation in Africa, establishing the Centre of Excellence in AI and Internet of Things (IoT) to drive AI research and development.

Other African nations such as Kenya, Ghana, and South Africa are beginning to explore the regulation of AI. These countries are focusing on how AI can be harnessed to address issues such as healthcare access, education, and economic inequality.

Middle East

In the Middle East, countries such as the United Arab Emirates (UAE) and Saudi Arabia have positioned themselves as leaders in AI development and governance. The UAE, for example, was the first country in the world to appoint a Minister of State for Artificial Intelligence, and it has developed a national AI strategy that aims to make the UAE a global leader in AI by 2031.

Similarly, Saudi Arabia is investing heavily in AI, with its Vision 2030 plan outlining the country’s ambitions to become a leader in AI and other emerging technologies. The Saudi government has established several initiatives aimed at promoting AI research and development, while also ensuring that AI systems are aligned with ethical principles.

Appendix B: Company Approaches to Generative AI (GenAI)

The role of private sector companies in shaping the development and governance of generative AI (GenAI) cannot be overstated. With AI technologies rapidly evolving, tech giants and emerging companies are playing a central role not only in advancing AI capabilities but also in establishing self-regulatory frameworks and ethical guidelines to ensure the responsible use of AI. This appendix outlines the approaches adopted by several major companies in the GenAI space, focusing on their internal governance structures, AI ethics initiatives, and strategies for addressing the ethical, legal, and social implications of AI.

1. Google (Alphabet Inc.)

Google, through its parent company Alphabet, has been at the forefront of AI development, particularly in the realm of machine learning and generative AI technologies such as Google DeepMind and Google Bard. Recognizing the potential ethical concerns surrounding AI, Google has established clear principles and guidelines to govern the development and deployment of its AI systems.

Key Elements of Google’s AI Approach:

  • AI Principles: Google introduced a set of AI principles in 2018, which guide the ethical development and deployment of AI. These principles include ensuring AI is socially beneficial, avoiding harmful applications, and fostering accountability and privacy. Google has explicitly stated that its AI should not be used for harmful purposes such as surveillance, weapons development, or violations of human rights.
  • Explainability and Fairness: Google emphasizes the importance of making AI systems explainable and transparent to users. This includes ensuring that AI decisions can be understood and audited to prevent bias or unfair outcomes, especially in areas like healthcare, hiring, and finance.
  • AI Ethics Board: Google formed an internal AI ethics advisory board to review high-impact projects, ensuring that the company adheres to its own AI principles. Although the board has faced some controversies, Google continues to refine its approach to ethical AI governance.

2. Microsoft

Microsoft has become a significant player in generative AI, particularly through its collaboration with OpenAI and the integration of AI capabilities into its products like Azure AI, Microsoft 365, and GitHub Copilot. Microsoft has taken a proactive stance on AI ethics, focusing on developing trustworthy and inclusive AI systems.

Key Elements of Microsoft’s AI Approach:

  • Responsible AI Principles: Microsoft’s AI ethics framework is built around six principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. These principles are applied across all its AI projects, with a particular focus on preventing bias and ensuring the responsible use of AI in sensitive domains like criminal justice and healthcare.
  • Office of Responsible AI: Microsoft established an Office of Responsible AI to oversee the company’s AI initiatives. This office sets company-wide policies, conducts risk assessments, and ensures that AI projects adhere to Microsoft’s ethical standards.
  • AI for Good Initiatives: Microsoft is actively involved in several global initiatives aimed at using AI for positive social impact. Its AI for Good program focuses on projects that address global challenges such as climate change, accessibility for people with disabilities, and humanitarian crises.

3. OpenAI

OpenAI, the developer of advanced generative models such as GPT-3 and DALL·E, is committed to ensuring that AI benefits humanity as a whole. OpenAI’s unique structure as a capped-profit organization allows it to prioritize ethical considerations while advancing state-of-the-art AI research.

Key Elements of OpenAI’s AI Approach:

  • AI Alignment: OpenAI’s mission is to ensure that artificial general intelligence (AGI), when it is eventually developed, is aligned with human values and that its benefits are broadly shared. OpenAI’s work on AI alignment aims to address the risks of unintended consequences from increasingly powerful AI systems.
  • Transparency and Research Sharing: OpenAI has adopted a model of research transparency, regularly publishing its findings to advance global understanding of AI capabilities and risks. This transparency is balanced with concerns about the potential misuse of AI technology, particularly in the case of models like GPT-3, which can generate highly convincing but false information.
  • Ethical AI Deployment: OpenAI has implemented usage policies that limit how its models can be used. This includes restricting use cases in areas such as political manipulation, disinformation, and generating abusive content. OpenAI works with partners and licensees to ensure compliance with these policies.

4. Amazon Web Services (AWS)

Amazon’s AI initiatives, driven primarily through its AWS cloud platform, have positioned the company as a leading provider of AI services and infrastructure. AWS offers a broad range of machine learning tools, including services for generative AI applications like Amazon Polly and Amazon Lex.

Key Elements of Amazon’s AI Approach:

  • Focus on AI Safety and Security: AWS emphasizes the security and reliability of its AI services, providing customers with tools to ensure that AI systems are both robust and safe. AWS’s AI/ML services are designed to include built-in security features that protect data privacy and integrity.
  • Ethical AI Development: Amazon has faced criticism in the past for its facial recognition technology, Rekognition, particularly regarding its use by law enforcement. In response, Amazon implemented a one-year moratorium on police use of Rekognition and has increased its focus on ensuring that its AI tools are not used in ways that could violate civil liberties or perpetuate bias.
  • Diversity and Inclusion: Amazon is committed to promoting diversity in AI development, ensuring that its models and datasets are representative of the diverse populations they serve. The company has launched several initiatives aimed at reducing bias in AI and promoting inclusivity in AI-based decision-making systems.

5. IBM

IBM has been a leader in AI for decades, particularly through its IBM Watson platform, which offers advanced natural language processing and machine learning capabilities. IBM’s approach to AI is deeply rooted in ethical considerations and responsible AI practices.

Key Elements of IBM’s AI Approach:

  • AI Ethics Pledge: IBM was one of the first major tech companies to publicly pledge to use AI responsibly. IBM’s AI ethics framework emphasizes the importance of trust and transparency in AI development, ensuring that AI systems are explainable, fair, and free from bias.
  • Explainable AI (XAI): IBM has invested heavily in explainable AI, developing tools that allow users to understand how AI models make decisions. This is particularly important in fields such as healthcare and finance, where trust in AI decision-making is critical.
  • AI for Social Good: IBM’s AI for Social Good initiative focuses on leveraging AI to address global challenges such as climate change, disease management, and disaster response. IBM Watson has been used to assist researchers in developing new treatments for diseases and to support efforts to combat climate change through data-driven insights.

General Conclusion and Call to Action

The regulation of generative AI (GenAI) represents one of the most pressing challenges in the modern technological landscape. Across global jurisdictions, varying legal systems and policy priorities have shaped the development of distinct regulatory frameworks in regions such as the European Union, the United States, and China. While the EU has focused on robust citizen protections and transparency through frameworks like the GDPR and the AI Act, the U.S. has prioritised flexibility and innovation, allowing the private sector to lead with self-regulatory practices. In contrast, China’s state-driven approach reflects its focus on national security and data sovereignty.

In addition to these regional differences, emerging economies and key players such as Canada, the United Kingdom, Singapore, and Japan are also contributing to global AI governance. Their approaches emphasise ethics, transparency, and responsible development, illustrating the increasing global recognition of the need to regulate AI in a way that balances innovation with ethical considerations. At the company level, technology giants like Google, Microsoft, OpenAI, Amazon, and IBM are setting their own standards for ethical AI, with internal governance structures and principles designed to ensure accountability, fairness, and inclusiveness in AI development.

While these various efforts are commendable, they underscore the need for greater international cooperation. AI is a transnational technology, and its societal impact transcends borders. As the deployment of AI continues to grow, there is an urgent need for a harmonised approach to regulation that addresses the risks and opportunities AI presents across all regions and industries.

Call to Action

It is imperative for governments, international organisations, and the private sector to collaborate more closely in the development of global standards for generative AI regulation. A unified framework that incorporates ethical principles, accountability, and transparency can mitigate the risks associated with AI technologies while fostering innovation. Policymakers should prioritise creating adaptable regulatory environments that protect individual rights, prevent biases, and promote data privacy without stifling technological progress.

Industry leaders and AI developers must continue to take responsibility for the societal impact of their technologies by adhering to ethical standards, ensuring explainability, and making AI accessible for the broader public good. At the same time, civil society organisations and academic institutions should remain vigilant and participate in shaping AI governance, ensuring that AI benefits all of humanity while avoiding potential harms.

The future of generative AI will be shaped by the actions we take today. It is essential that all stakeholders act collectively to build an ethical, inclusive, and innovative future for AI technologies. By working together, we can ensure that the transformative power of AI is harnessed for the greater good, enhancing society while safeguarding individual freedoms and rights.

#GenerativeAI #AIRegulation #AIEthics #AIInnovation #DataPrivacy

Wednesday 16 October 2024

Italian PiracyShield: An Hermeneutic Disquisition on the Shadows of Digital Control

Antonio Ieranò

October 10, 2024

Preface: The inspiration for this reflection comes from none other than our esteemed Italian Minister of Culture, whose lofty rhetoric has brought to light an implicit truth: perhaps the real issue with the Italian government’s understanding of anti-piracy legislation lies not in intent, but in the debased, impoverished language that has veiled this matter. Ah, yes! It could well be that the inadequacy of verbal expression has obfuscated the complexity and the depth of a digital system that defies the simpleminded rhetoric of control. And so, it is in the hope of awakening a sharper critical faculty, that I set forth on this hermeneutic disquisition—an odyssey of thought and signification—on the Italian Piracy Shield, with a view to shedding light where shadows now reign.

Written in English for the sake and joy of Alessandro Bottonelli


1. The Dialectic of Censorship: Between Presence and Absence of Digital Power

Italian Piracy Shield. A thing, a specter perhaps, a mere legislative tool, on the surface, yes, no more than a hand, invisible yet felt, poised to block, cancel, and erase. Yet! In its deeper essence, it is but a symbol of power exercised in absentia, a force unseen, a paradox of control and relinquishment, manifesting in the blink—ah!—of the digital dark. An act of deletion, of dissimulation, that ever-so-slightly betrays the violent hand behind the curtain.

Do you see it? The act itself—no contradiction, no verification—floats, yes, floats in the sea of invisible operations, permeating the entire digital architecture like smoke through keyholes. Italian Piracy Shield does not just negate, it becomes the negation, it is the smothering of critique, the silencing of questions. That which is blocked is not merely the website, but the hermeneutic access itself—the very logos of the network is rendered mute. A block, yes, a blot, as though one were to blot out a page from Finnegans Wake, leaving only the ghost of the ink.

No need, none at all, for justification, for light. What use is light, when power wields the darkness? The power moves, a shadow casting shadows—there it goes—on the sprawling universe of the digital.


2. From “Univocum” to “Prevalente”: The Semantic Mutation of Arbitrary Power

Ah! The slip, the shift, the sleight of the pen! From “univocamente” to “prevalentemente,” we are led, drawn like the unwitting, across the semantic precipice. What once was certain, nailed down—ah, that precise correlate between illicit activity and IP—now crumbles, dissolves into a vaporous “prevalence,” a haze of legal ambiguity. Oh, what a dance it is! Prevalente, the word hangs in the air like a half-uttered secret, a term at once so soft, so vague, that it invites the most dangerous of interpretations.

What now, what now, is the meaning of “prevalente”? Do you know? I don’t. Not with certainty, not in the way the law should know. It hovers, it flickers. Like a moth caught in the flicker of flame, it wavers, leaving in its wake an epistemological chasm, a breach through which the arbitrary might slink unnoticed. And so the regulation—the law itself!—shifts, moves from its regulatory roots and becomes something else, something wild, something untamed. Beware! it whispers, beware the dangerous arbitrariness that comes creeping when precision abandons its seat!


3. Suspended Time: The Atemporality of Permanent Blocking

Time—tick-tock, tock-tick—it stops. Suspended, frozen in its eternal moment. No, my friends, we are no longer in the world of swift movements, of unblocking and resolution. Once, once that domain or IP address is taken, locked, interdicted—ah, interdicted!—there is no return, not easily, not quickly. You see, the law gives us no release, no remedy. It casts its shadow and leaves it there, a block, an interdict in perpetuity, hanging in the aether.

What do we call this? The block is no longer a block—it is an exile. It is the time of the condemned, suspended in space, cast from the fold of access. Not merely a website gone dark, but an entire existence denied, relegated to the forgotten corner of some distant virtual limbo. Do you hear it? The silence, the long, echoing silence that follows when there is no unblocking, no undoing. And so time itself becomes an instrument of control—time blocked, time stopped, time locked in the permanent now. Ah! There it is—no appeal, no revision, just an unrelenting, eternal block.


4. VPNs and DNS: The Symbolic Flight from Authority

But wait! What is that? A ghost, a shadow moving against the tide. VPNs, DNSs, whispering their defiance, their refusal to be caged. You cannot cage us, they seem to say, these fluid, shifting technologies. And Italian Piracy Shield, for all its power, all its might, cannot grasp them. For the network is a wild thing, fluid and mercurial, a thing of mist and light that slips through the fingers of control.

VPNs! DNSs! They rise like the tide, offering passage, refuge, to those who would escape the grip of the block. Oh no, they say, you cannot bind us, not so easily! And yet, the law—it tries, it tries to stretch its fingers around the globe, seeking to block, to restrain, to cage even these intangible whispers of freedom. A folly, a madness! It seeks to block the un-blockable, to fence in that which by its very nature cannot be contained.

But no—VPNs laugh in the face of the block, DNSs dance through the cracks. And so the network rebels, slips free of its chains, a thing forever untamable.


5. The Harmony of the Absurd: Repression Without Resolution

Ah, the absurdity! The sweet, bitter irony that lies at the heart of it all. For here we are, with all the blocking, all the repression, and yet—the piracy remains. No, no, repression alone will not solve it. And how could it? For this is not a question of simple illegality, but of something far deeper, far more structural. The people—yes, the people!—they will not be so easily tamed. They seek what they seek, and if the law offers no remedy, if the legal paths are barren and overgrown, they will find another way.

And so Piracy Shield strikes and strikes, but the problem—ah!—the problem does not disappear. No, it deepens, grows. And those who seek, who search, will continue, for they do not find in the legal offer a solace. The high costs, the poor services—what is there for them? They will turn, as they have always turned, to the hidden paths, to the secret ways, to the pirated streams and the shadowed sites.

Ah, and so it goes! The harmony of the absurd, where repression pretends to solve, but only ever exacerbates the wound.


6. The Exile of Truth: The Network as a Battleground of Power

And in the end—where are we? Ah, my friends, we stand at the precipice, gazing into the abyss of what could be. A network—yes, the very network we cherish—turned into a battlefield, a place of war, not of innovation, not of creativity, but of power, of censorship, of control. Italian Piracy Shield—yes, it whispers its threat. It tells us that the future, if we are not careful, is a place of darkness, of blocks, of silent censorship.

Do you see it? The exile of information, the exile of truth, as entire swathes of the network fall silent, fall into shadow. What will become of it, of us, of this space we have made? A space of freedom, of voices, of endless connections—no more, no more, unless we resist, unless we fight against this creeping darkness.

For the threat is not only piracy, no—no, my friends—the threat comes from within, from the very forces that seek to defend us.


Conclusion: Towards a Future of Digital Darkness?

Italian Piracy Shield is not just a law, no, not merely a tool of control—it is a window into the possible future. A future where the network itself—once a place of light, of freedom, of endless possibility—becomes a battlefield of blocks, of chains, of control. Ah, the flaws, the cracks in its foundation! But deeper still lies the danger, the attempt to tame what cannot be tamed, to bind what should be free.

And so, we must ask—what does freedom mean in the digital age? What does it mean to be free, to have access, in a world of invisible blocks, of silent censorships?

#ItalianPiracyShield #DigitalCensorship #AGCM #Control #VPN #DNS #Freedom

Friday 8 March 2024

March 8

Italian

A Vindication of the Rights of Woman: with Strictures on Political and Moral Subjects, 1792, Mary Wollstonecraft (1759–1797).
It vindicates women’s right to legal equality, underlining their role in society.

Happy March 8th🌾🌹

To celebrate this anniversary seriously, I propose Mary Wollstonecraft’s revolutionary work, “A Vindication of the Rights of Woman: with Strictures on Political and Moral Subjects”. We find ourselves in the context of March 8, a day that symbolises the continuing struggle for gender equality. Today, more than ever, it is essential to recognise the need for women to obtain full and equal rights in every sphere of life.

Published in 1792, Wollstonecraft’s work was a beacon in the midst of an era in which women were systematically discriminated against and denied their aspirations. Wollstonecraft’s words still resonate today, since they underline the importance of confronting gender inequality and promoting equality throughout the world.

As we celebrate Mary Wollstonecraft’s legacy, we must also look ahead and recognise that, despite the progress made over the years, women continue to face challenges and discrimination. From access to education and work to political participation and personal safety, there are still many areas in which women do not enjoy equal rights.

March 8, International Women’s Day, is an occasion to reflect on these challenges and renew our commitment to promoting gender equality. It is a moment to celebrate women’s achievements, but also to call for greater change and action to tackle the inequalities still present in society.

Today, more than ever, it is essential that we all unite to ensure that women can obtain full and equal rights. We must work together to remove the obstacles that prevent women from realising their full potential and ensure that they can live free and fulfilling lives, free from discrimination and limitation.

In conclusion, as we celebrate March 8 and reflect on Mary Wollstonecraft’s legacy, let us commit to continuing the fight for gender equality. Only through collective commitment can we hope to create a world in which all women can enjoy full and equal rights, without exception.

I hope you agree that this is the meaning of this anniversary.

English

A Vindication of the Rights of Woman: with Strictures on Political and Moral Subjects, 1792, Mary Wollstonecraft (1759–1797).
It vindicates women’s right to legal equality and emphasizes their societal role.

Happy March 8th🌾🌹

To celebrate this anniversary seriously, I propose Mary Wollstonecraft’s groundbreaking work, “A Justification of Women’s Rights: With Observations on Political and Moral Subjects.” We find ourselves in the context of March 8, a day that symbolizes the ongoing struggle for gender equality. Today, more than ever, it is essential to recognize the need for women to obtain full equal rights in all spheres of life.

Published in 1792, Wollstonecraft’s work illuminated an era when women were systematically discriminated against and denied their aspirations. Wollstonecraft’s words still resonate today, emphasizing the importance of addressing gender inequalities and promoting equality worldwide.

As we celebrate Mary Wollstonecraft’s legacy, we must also look forward and recognize that despite the progress made over the years, women continue to face challenges and discrimination. From access to education and employment to political participation and personal security, there are still many areas where women do not enjoy equal rights.

March 8, International Women’s Day, is an opportunity to reflect on these challenges and renew our commitment to promoting gender equality. It is a time to celebrate women’s achievements and call for more change and action to address the inequalities still present in society.

Today, more than ever, it is essential that we all come together to ensure that women can achieve full equal rights. We must work together to remove the barriers that prevent women from realizing their full potential and ensure that they can live free and fulfilling lives, free from discrimination and limitations.

In conclusion, as we celebrate March 8 and reflect on Mary Wollstonecraft’s legacy, let’s commit to continuing the fight for gender equality. Only through collective commitment can we hope to create a world in which all women can enjoy full equal rights, without exception.

I hope you will agree that this is the meaning of this anniversary.

Thursday 21 December 2023

Happy Holidays

We’re close to Christmas!

We’re Close to #Christmas!

We’re all a little kinder!

Everyone is good!

Like every year, I should warn you not to fall for scams, fake fundraisers and the like.

Like every year, I should warn you not to fall for scams, fake fundraising and things like that.

But this year I’ve decided to change!

But this year, I decided to make a change!

For #Christmas and #NewYear, stop falling for #scams by strangers.

For #Christmas and #NewYear, stop falling for #scams from strangers.

Stop #donating to people you’ve never heard of with tear-jerking stories!

Stop #donating to people you’ve never heard of with sob stories!

Stop #believing in bogus organisations!

Stop #believing in fake organizations!

Stop letting yourself be #swindled by people you don’t know!

Stop letting yourself be fooled by unknown people!

This year, let yourself be swindled by someone you know!

This year let yourself be fooled by those you know!

Let yourself be swindled by me!

Let me fool you!

I promise I’ll spend it all on my own selfish ends.

I promise that I will spend everything for my selfish ends.

“Free offering” (<– just so as not to pay taxes), minimum 30 euros

“Free offer” (<– just for the need not to pay taxes) minimum 30 euros

In return you will receive, by email, an authentic “denghiu card” (thank-you card) made with a dubious free Word template, and you will join my personal list of potential scam victims.

In exchange, you will receive, via email, an authentic “thank you card” made with a suspicious free Word template, and you will enter my list of possible victims of scams.

#quellascemenzadellasera #rant #fridayrant #buonnatale #buonanno #buonefeste #quellidelfascicolop #happyholydays

Tuesday 20 December 2022

Christmas, New Year, Epiphany, and the scam carries them all away.

And we are once again in the holiday season, and once again we find ourselves having to repeat, as every year, the same things.

Anyone who, like me, works in information security knows that there is nothing more lucrative than playing on people’s feelings to extort data, money or both from them.

And the holidays, like disasters, are a fantastic moment to play on people’s perceptions and feelings for profit.

Unfortunately the phenomenon not only does not diminish, it takes on new guises and new forms every year, moving across social media, email, websites and online advertising.

To cover my share of service to civil society, I share with you a simple, geek-proof decalogue to help protect you from the pitfalls of the holidays.

1. Free gift cards: budgets can get tight when you are finding gifts for your loved ones, so any financial relief is welcome. However, you may come across emails or pop-up ads offering free gift cards. Be wary of these tempting opportunities. They are often a ploy to harvest your personal information, which can later be used to steal your identity.

2. Gift exchanges on social media: you are invited via social media to take part in a gift exchange, which seems harmless and fun. Why shouldn’t it be? If you buy a $10 gift for a stranger, you’ll get up to 36 gifts back! In reality it is a hoax with the same premise as a pyramid scheme, relying on the constant recruitment of new participants. Better to politely decline any invitation to take part.

3. Holiday jobs: it is not unusual for people to want to earn some extra money with a seasonal job. You just have to watch out for job scams, especially since retailers and delivery services often need extra help during the holidays. Beware of solicitations that ask you to share personal information online or to pay for a job lead.

4. Puppy scams: pets make great gifts, but there is a lot you should consider first. If you decide it is the right choice, be careful about adopting a pet online. You could end up with a puppy, or with nothing. Fake pet sellers can lure you into thinking you are getting a four-legged friend, only to take your money and never deliver.

5. Romance scams: if that “special” person you met online quickly becomes interested but is in difficulty and asks for money, keep your guard up. Scammers can pose as someone you have developed a romantic interest in, but with the intention of exploiting your emotions for their own gain. Protect your heart and your wallet!

6. Travel scams: whether you are travelling to celebrate the holidays with your loved ones or looking for a warmer climate, holiday travel can be expensive. Online bargains promising better deals can be tempting, so make sure the offers are legitimate.

7. Siti Web fasulli: lo shopping online è conveniente soprattutto quando si cerca di evitare la corsa allo shopping natalizio. Quando fai acquisti online, assicurati di utilizzare solo siti Web legittimi. I truffatori utilizzano URL molto simili a quelli dei siti legittimi. Controlla sempre l’URL prima di effettuare un acquisto e diffida dei siti in cui il nome del marchio è incluso con URL più lunghi.

8. Borseggiatori: mentre la maggior parte dei truffatori tende a concentrare i propri sforzi online in questi giorni, il borseggio avviene ancora. Ricordati di salvaguardare i tuoi effetti personali durante lo shopping, specialmente nelle aree affollate. Nonostante quanto tu possa essere agitato, non lasciare mai le tue cose incustodite. 

9. Regali contraffatti: quando beni di lusso e altri articoli costosi vengono offerti a un prezzo stracciato o con provenienza discutibile, è probabile che si tratti di merce contraffatta. Raramente si ottiene la stessa qualità di un originale e, in alcuni casi, il denaro finanzia attività illegali come il traffico di droga e il lavoro minorile.

10. Email malware: non essere veloce a cliccare! Fare clic sul collegamento sbagliato o scaricare l’allegato di un truffatore può causare la diffusione di malware sul computer. Questo virus informatico o “bug” può rubare informazioni personali o persino tenere in ostaggio il tuo dispositivo a meno che tu non paghi un prezzo. Link e allegati possono presentarsi sotto forma di e-mail o pubblicità pop-up.
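Point 7 above says to check the URL and to distrust sites where a brand name is buried inside a longer address. The following Python snippet is an added example, not code from this blog: it applies exactly that check to a URL. It assumes a small constructed allow-list (`examplebrand` / `examplebrand.com` are placeholders, not a real merchant) and flags a URL when the brand name appears in a subdomain or path while the registered domain belongs to someone else, or when the registered domain is a one-character near miss of the brand.

```python
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> the domain it legitimately uses.
# "examplebrand" and "examplebrand.com" are placeholders, not a real merchant.
KNOWN_BRANDS = {"examplebrand": "examplebrand.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (deals.examplebrand.com -> examplebrand.com).
    Good enough for .com-style suffixes; .co.uk-style suffixes would need the
    public suffix list, which is out of scope for this illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'ok' (known brand on its own domain), 'lookalike' (brand name
    smuggled into a longer URL, or a near-miss spelling) or 'unknown'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            return "ok"
        # Brand name is present, but the registered domain is someone else's:
        # the pattern the post warns about (brand buried in a longer URL).
        if brand in host or brand in parts.path.lower():
            return "lookalike"
        # One-character typosquat of the main label of the registered domain.
        if edit_distance(reg.split(".")[0], brand) == 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs for a quick run.
    for u in ["https://www.examplebrand.com/shop",
              "https://examplebrand.com.deals-secure.net/login",
              "https://deals.net/examplebrand-sale",
              "https://examp1ebrand.com",
              "random-shop.net"]:
        print(f"{u:50} -> {classify_url(u)}")
```

The point of the check is that only the registered domain (the last labels before the first slash) tells you who owns the site; anything to the left of it or after the slash can say whatever the operator wants.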

Lo so che le sapete queste cose, ma sono sicuro che l’amico del fratello del cognato del cugino del vostro vicino non è cosi aperto.

Diffondete ed aiutate il prossimo

Buone Feste

lunedì 14 novembre 2022

A year lived turbulently

Can you make a resume of the year even if we are only on November 14th? And why not?

First of all, I wanted to apologize to those who had wondered what happened to me, but it has been an intense year from different points of view: personal, work and family. I have significantly reduced my presence here for reasons of survival; I put in good intentions to return.

A difficult year. It started under the signs of the pandemic and the war, then cancer, then moving on to stratospheric energy bills, to the damage from bad weather, to health problems in the family, up to the last painful but tragicomic health problems. I cannot say that I loved this year in a particular way.

But, even in the shadows, a light must be seen, and therefore I also had satisfactions, things that have improved even beyond expectations and others that, in hindsight, could have been worse.

Where have I been?

If writing a long text had become extremely expensive, I found consolation in Twitter, where my vein of pernicious irony has a more suitable home. There I discovered a funny world between conspiracies, egotisms, and assorted sarcasm, voluntary and not.

It served me to refine the ability to make irony and sarcasm in a few characters, which for someone who is naturally long-winded like me is certainly a useful exercise.

Obviously, since “2022” is always “2020-2”, Elon arrived to make everything more interesting, bringing the twitterer to the verge of, perhaps, oblivion. 🤣

What I learned (if I learned anything)

Those who know me know that even in the worst situations, I prefer the levity of a smile to the heaviness of seriousness.

For the umpteenth time, I have found that this thing often clashes with an idea of seriousness that is all in form and not in content. Not that it bothers me; on the contrary, it amuses me. 

Once again, I found confirmation that few use numbers for what they are, and the most bizarre interpretations are always at hand. I must never assume that the person I speak to can understand a statistic or graph: I always specify the context, the nature of the data, and how it is represented.

But, you know, if it were not so, where would the fun be?

Resolutions for the future

Beyond the obvious, to survive, I would say that I would like to resume attending these shores, resume the discussion interrupted with the Email Files, and expand the perimeter.

Thank you for the friendship I have collected in recent months; see you soon.

Antonio


giovedì 27 gennaio 2022

World Economic Forum on cybersecurity

World Economic Forum

World Economic Forum Risk Report 2022 is exciting reading.

Being aware of the risks is necessary for addressing them and understanding the landscape we live in.

It is also a great way to see how risk perception changes year by year.

Looking at the short-term global risk picture, we can see that weather and climate are there; economic risks are not top of mind. We have “infectious diseases” to remind us that a pandemic can happen, and we have had, for some years now, “Cyber Security failure.”

Since I work in the cyber security field, I naturally took an immediate interest in the cyber security section.

https://www.weforum.org/reports/global-risks-report-2022/in-full/chapter-3-digital-dependencies-and-cyber-vulnerabilities

The data in the report are interesting, but I think that we should understand what those data tell us, so let me give some examples:

“95% of cybersecurity issues can be traced to human error”

The Global Risks Report 2022

Means: Train people, put the correct processes in place, and put proper technology in place with a people-centric approach to address the “human” factor. If 95% of cybersecurity issues are somehow related to human error, we have to factor human behavior into the equation. This means that the technologies and processes we put in place should tell us the risk related to our people. People make mistakes, are attacked, and are exposed to threats that can hit our assets. Without understanding this, we will not address the overall risk we face in cybersecurity.

What to do: We have to properly raise awareness and protect the communication channels used by people, because that is where a skilled attacker will try his or her move. But in an ever-changing landscape, this is neither easy nor enough. For example, we should continually update awareness programs according to people’s current risks and train people based on their risk exposure. This means that our security technology should understand the user’s risk exposure, and this information should be available to the awareness program and to the other security technologies in place.

At the same time, a security awareness program should be able to monitor the understanding and knowledge of the users and use this information as a parameter, not only to correctly target training to the specific set of users who need it, but also to report the user’s vulnerability in the user risk rating.

Addressing 95% of cyber security issues caused by humans requires understanding why humans fail and what drives them to make mistakes. This does not require a boolean approach but a complex construction of the context of the risks in a holistic way.

“Insider threats (intentional or accidental) represent 43% of all breaches”

The Global Risks Report 2022

Means: the risks do not come only from outside; the problem can be internal. You have to monitor where data goes, and data does not move by itself; people move data. Again, people are the key.

What to do: Data are not all the same, and handling data can be a problem if the data express critical information. Sensitive data, private data, intellectual property: there are dozens of reasons we should protect what makes our digital world “digital.”

But data should be kept alive. Otherwise, they are useless, so people have to access, manage and modify data. But we have to do it correctly and securely. Data does not move; people move it. Data does not change; people change it. And when handling data, people can perform a series of actions that, considered as atomic actions, are legitimate. Users can read, modify, move, copy and delete data.

So how do we understand the threats? We should recognize the danger not from a single indicator but from the sequence of actions performed on the data. And we should be able to do it in a simple way. Simple means the check should not take a heroic effort, and I have to understand which sequence of actions is potentially dangerous.
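The two “What to do” sections above make two linked points: a user risk rating should take awareness results into account, and data-handling risk should be judged on the sequence of actions on a piece of data rather than on any single action. The Python below is an added example, not code from this post or from any product: it scores users from a constructed audit log (a made-up `time,user,action,object,sensitivity` format) plus constructed phishing-simulation click rates, giving a full read, copy, move, delete sequence on a confidential object far more weight than the same actions seen in isolation.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log. Assumption: one event per line in the form
# "time,user,action,object,sensitivity". Users, files and times are invented.
LOG = """\
09:01,alice,read,Q3-forecast.xlsx,confidential
09:02,alice,copy,Q3-forecast.xlsx,confidential
09:05,alice,move,Q3-forecast.xlsx,confidential
09:06,alice,delete,Q3-forecast.xlsx,confidential
09:10,bob,read,lunch-menu.pdf,public
09:11,bob,copy,lunch-menu.pdf,public
09:15,carol,read,customer-list.csv,confidential
09:16,carol,modify,customer-list.csv,confidential
"""

# Constructed awareness signal (assumption): fraction of phishing-simulation
# emails each user clicked in the last campaign, 0.0 (none) to 1.0 (all).
AWARENESS_CLICK_RATE = {"alice": 0.5, "bob": 0.0, "carol": 0.1}

# Individually legitimate actions that together look like exfiltration
# followed by cover-up. Order matters; intermediate unrelated actions are allowed.
SUSPICIOUS_SEQUENCE = ["read", "copy", "move", "delete"]
WRITE_LIKE = {"copy", "move", "delete", "modify"}


@dataclass
class Event:
    time: str
    user: str
    action: str
    obj: str
    sensitivity: str


def parse_log(text: str) -> list:
    """Turn the constructed CSV-like log into Event records."""
    return [Event(*line.split(",")) for line in text.strip().splitlines()]


def contains_sequence(actions: list, pattern: list) -> bool:
    """True if pattern occurs in order (not necessarily contiguously) in actions."""
    i = 0
    for a in actions:
        if i < len(pattern) and a == pattern[i]:
            i += 1
    return i == len(pattern)


def data_handling_risk(events: list) -> dict:
    """Per-user score from sequences of actions on the same sensitive object.
    A complete suspicious sequence scores 1.0; isolated write-like actions on
    confidential data only 0.1 each, so single indicators stay low-noise."""
    per_object = defaultdict(list)
    for e in events:
        per_object[(e.user, e.obj, e.sensitivity)].append(e.action)
    risk = defaultdict(float)
    for (user, _obj, sens), actions in per_object.items():
        if sens != "confidential":
            continue
        if contains_sequence(actions, SUSPICIOUS_SEQUENCE):
            risk[user] += 1.0
        else:
            risk[user] += 0.1 * sum(1 for a in actions if a in WRITE_LIKE)
    return dict(risk)


def user_risk_rating(events: list, click_rates: dict) -> dict:
    """Combine data-handling risk with the awareness signal into one rating."""
    data = data_handling_risk(events)
    users = set(click_rates) | set(data)
    return {u: round(data.get(u, 0.0) + click_rates.get(u, 0.0), 2) for u in users}


def ranked(events: list, click_rates: dict) -> list:
    """Users sorted from highest to lowest rating (ties broken by name)."""
    rating = user_risk_rating(events, click_rates)
    return sorted(rating.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for user, score in ranked(parse_log(LOG), AWARENESS_CLICK_RATE):
        print(f"{user:8} {score:.2f}")
```

In the constructed data, bob copies a public file and scores nothing, carol edits a confidential file and gets a small bump, while alice's read, copy, move, delete chain on a confidential spreadsheet, combined with a poor phishing-simulation result, puts her clearly on top. The weights are illustrative; what matters is that the sequence, not the single copy or delete, drives the score, and that the awareness result feeds the same rating.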

“Malware increased by 358% in 2020, while ransomware increased by 435%”

The Global Risks Report 2022

Means: where do malware and ransomware come from? How is it activated?

What to do: Where does malware come from? If 95% of cybersecurity issues can be traced to humans, I would probably assume that humans are the primary targets used to trigger malware and ransomware. There is the exploitation of vulnerabilities, the use of backdoors, and other fine technicalities, but, according to the report, those account for 100% – 95% = 5%. But again, how do humans get in touch with malware or ransomware? How do they trigger it? Email and browsing are probably the most used channels. This consideration per se should direct our security spending, focusing on prevention (trying to stop things from reaching users), remediation, and, yes, once again, education.

“There is an undersupply of cyber professionals—a gap of more than 3 million worldwide.”

The Global Risks Report 2022

Means: When planning a technology deployment, be sure it is easy to manage, provides information that is easy to understand, and gives you context. You probably will not have dozens of skilled specialists, so make your investment effective; otherwise, you will waste your money and your security.

What to do: The undersupply of cyber professionals is a plague we will carry with us for some more years. The problem is that a cyber security professional needs experience, knowledge, flexibility and commitment. All those things are expensive and take time to develop. This means it is not easy to foresee a solution that will quickly fill the gap. We can train more people, but we need to wait until they gain the right experience, and we have to incentivize people to pursue a career that requires constant learning, critical thinking, stress and passion.

We will not easily have an unlimited supply of people at our service; this means that we need to ease the load on the cyber people by providing tools, technologies and consoles that make their lives easier, not harder. The easiest way is to plan your security investments focusing on integration, automation and visibility. Context and threat intelligence should be the way to understand what is going on and to focus on the most dangerous threats.

Reading reports is not just reading cold numbers; it is a way to understand the actual landscape and the calls to action that follow from it.

Happy reading.

mercoledì 19 agosto 2020

What is Democracy?

Belarus was in the news recently for the disputed re-election of its leader Alexander Lukashenko. The suspicion that the election process was not honest and transparent is not insignificant.

The Malian coup d’état is just one of the many we hear about periodically in several parts of the world.

I wrote recently about Trump threatening not to leave office should he lose the 2020 elections.

Reading or listening to the news, we can easily make a shortlist of how difficult it is to establish and maintain such a thing as democracy. In the Middle East and Africa, many countries have been struggling to get there for a long time now. But even in old sweet Europe, some countries struggle to reach an acceptable level of democracy: Poland and Hungary, as an example, are torn between authoritarianism and European values.

Not to forget the various democracy-lacking European parties that from time to time come out of some elections.

  • Why is democracy such a hard habit to acquire?
  • Do we really need a democratic system?
  • And, even more important, what is democracy?

What does Democracy mean?

Democracy is a form of government in which all eligible citizens (we should say people) participate equally—either directly or indirectly through elected representatives—in the proposal, development, and creation of laws.

The name is taken from the ancient Greek δημοκρατία (dēmokratía), “rule of the people”, from demos (δῆμος, people) and kratos (κράτος, rule/power); the term is an antonym of ἀριστοκρατία (aristokratia), “rule of an elite”, although even Athens would not be considered a democracy in our time.

As a form of government, the key points to consider are how we decide that a citizen is eligible, the form of the institutions that will be elected, and the extent or limits of our role in the proposal, development and creation of laws. Theoretically, those points are, or should be, the main differentiators that allow us to choose our representatives.

All over the world, we have different ways to express those points. For example, a citizen is eligible because of conditions such as:

  • is a citizen
  • has reached a certain age
  • has other specific conditions, like census, gender, criminal record and so on.

This seems quite easy, right?

Well, we should first ponder whether someone needs to be a citizen in the first place: in some countries, you are allowed to participate in some elections (usually local ones) even if you are not a citizen but just a resident (or, at least, there are different levels of citizenship).

The idea of citizenship is not so simple either: we could be citizens by jus soli (right of soil) or jus sanguinis (right of blood) or a mix of both. We can be citizens because we somehow acquire this right. It is all quite variable. So in Germany you are not considered German if you do not have German blood (jus sanguinis), otherwise you would be an Ausländer (Gaijin in Japan), while in Italy it is enough to be born inside the country or to have Italian blood.

And if we use age as a criterion, well, when can someone be considered mature enough? We in ol’ Europe usually draw this line at 18 years old, but it is not so everywhere. So the question is not easy even from a basic point of view.

In the literature we find different kinds of democracy (liberal, oligarchic, direct, representative…) and different kinds of democratic forms of government: constitutional republics, such as France, Germany, India, Ireland, Italy or the United States, or constitutional monarchies, such as Japan, Spain, the Netherlands, Canada or the United Kingdom. A democracy may have a presidential system (Argentina, Brazil, Mexico, the United States), a semi-presidential system (France) or a parliamentary system (Australia, Canada, India, Italy, New Zealand, Poland, the Netherlands and the United Kingdom).

And then we should consider the other implications of the term democracy; the question is so hard that the philosopher Karl Popper “simplified” it by assuming that democracy is where there is no tyranny or dictatorship and people are able to change those in government without a revolution.

What is a Democracy not?

If defining and understanding democracy is so difficult, then one could already see in that the reason why so many democracies look flawed. But even if we cannot say what it is, we can still say what it is not.

Democracy is not “our way of life”

Do you think that yours is a democracy because you are used to doing something? This is a slippery slope. Something you consider normal could be considered crazy in other places, even if both places are considered “democratic” by their respective citizens. So if in the USA you have in the constitution the right to bear arms (and consider this a sign of progress, justice and democracy), we in Europe think exactly the opposite and, a few exceptions aside (like Switzerland), people holding a machine gun are not considered a portrait of freedom and rights.

The same can be said for other things: the death penalty is considered a barbarian heritage here in Europe, while China, the USA, North Korea and some countries in the Middle East consider it a sign of civilization.

Democracy is not an economic model

Capitalism is not a synonym of democracy, and communism is not an economic model but a social model with economic implications. I always think of poor Adam Smith turning in his grave in Scotland every time he is named to justify modern capitalism and radical economic liberalism. The most used tags of the last centuries are completely misunderstood or misrepresented. When mixing different things together you may well obtain a salad, but not a coherent theory. An economic model does not necessarily fit the purpose of democracy, and capitalism, as an example, has driven right-wing dictatorships as well as western democracies.

Democracy is not “this religion”

While religious people have the right to be represented in a democratic system, in a theocracy this is not always the case. This is not to say that a “confessional” form of democracy cannot exist. Let’s consider Iran as an example. It is a “democratic” Islamic republic, which means that the corpus of the law, and so most of the rules, comes out of the religion, but the representatives are “democratically” elected inside this system. As a matter of fact, the form IS a democratic system, unless you believe that religion should be completely disjoined from the government and the law. This is the case in France, where all religions are respected but the government and its ethics are secular.

Democracy is not “against a religion”

The relationship between democracy and religion is not always easy, and sometimes the different ethics and rules collide. But for sure the purpose of a democratic system cannot be to fight a religion, even if the religion itself is “anti-democratic”. Besides, I am not aware of religions that are strictly anti-democratic.

Democracy and democratic are not synonymous

While there can be no democracy without a democratic system, a democratic system can be present in non-democratic governments. Democratic systems are based on a form of government in which the people choose leaders by voting. So even a monarchy can be democratic while clearly not being a democracy. At the same time, religion-based systems that are managed through a “democratic” election cannot be considered democracies at all. Iran is a critical example of a place where the laws and the rules depend on a non-democratic source (the religious clergy circle guided by the ayatollah; Ayatollah is an honorific title for high-ranking Shia clergy in Iran that came into widespread usage in the 20th century), but the form of the state requires democratic elections.

Democracy is not the only government system that works

In different ages and different countries, some systems have been more effective than others. And sometimes there have been changes. In ancient Rome they started with elected kings, then moved to a Republic, then to different forms of government, to end with the dictator, the emperor. Kings still exist in our age, and can be elective (as the Pope in the Vatican) or by bloodline (UK, Spain, Sweden, Holland, Japan, Thailand …), bound to a constitutional law or not. As a matter of fact, a king in a modern constitutional monarchy is a dictator who more or less graciously passed some of his or her rights to the parliament. A dictatorship is just a form of government where the dictator is the ruler and the driver of its people. And the dictator can be elected even with democratic instruments, as happened to Adolf Hitler in Germany. There can be different forms of dictatorship, as in monarchical absolutism and theocracy. Even if nowadays dictatorship is usually associated with authoritarianism and totalitarianism, those are not synonyms of dictatorship, and authoritarian or totalitarian forms of government can also be dressed in a republican or elective outfit.

So democracy is not a lot of things we are used to considering democratic. This means that “freedom” and “democracy” are not the same thing, but they can coexist in a sound environment. Democracy is not freedom of speech or of religion either, but these can be part of a modern democratic system. To be clear, a “democratic” system can be something different from a democracy, and the electoral process does not identify a democracy per se.

Democracy is not Human Rights

Don’t be fooled by marketing: human rights and democracy don’t go hand in hand. While a democracy (and any other system) should respect human rights, the truth is that even the biggest democracies do not always accomplish it. Education, the death penalty, personal rights, privacy, health: there are thousands of human rights violations even in modern democracies.

Democracy is not “We are the Good”

Just to be clear, living in a democracy can also allow us to make the wrong choices. The fact that the majority wants something does not necessarily mean that that “something” is good, right, ethical, moral or just simply sound. While democracy has implications in terms of some moral and ethical constraints (I will talk about some constraints below), that does not mean that a democracy has to be peaceful or work for the “greater good” of mankind. Democracies, like the other forms of government, tend primarily to promote and preserve themselves, even if this requires overriding the freedom or rights of external entities. Somehow justified by some “greater good” or “people’s need” or “national security”, even the greatest democracies do not hesitate to use force and impositions against other countries to preserve their own benefits and interests.

Some clear democracy requirements

There are, anyway, some clear requirements for implementing a democracy. Requirements that may seem obvious, but are not so universal:

  1. There should be an elective procedure of some kind, ruled somehow, and the voters should be able to move inside those rules without any external constraint. In other terms, people should be able to vote “freely” inside the set of rules that match specific democratic models.
  2. A democracy should recognize the existence of different points of view, and this has some implications. In a democracy, there could be a majority, but for sure there will be minorities, and those have to be protected by the system to avoid it becoming a totalitarian one. Religious, political, cultural, ethnic and census minorities do have the right to be represented in some form. A democracy has to implement “super partes” controls that are needed to force the majority to respect rules and minorities.
  3. In a democracy, all eligible people have the right to be informed, to allow themselves to form an opinion.
  4. In a democracy, all eligible people have the obligation to inform themselves in order to form an opinion.
  5. The starting point of a democracy is the will of the people to live in such a system. By definition, democracy cannot be imposed, while a democratic system can be imposed without leading directly to democracy.

Those implications are mandatory and are bound to the ethical and moral standards of a democracy.

The first point outlines that there cannot be a democracy without a democratic system. The key here is the respect of the rules, no matter what those rules are. It is not a specific rule (age, census, gender, religion …) that marks the difference, but the fact that the rules have to be the same for all the eligible ones. If for some reason a system adopts strategies to adjust the result of an election or somehow forces people against their will, then we have a great deficiency in terms of democracy. This is not a rhetorical point: when some party tries to impose an arbitrary change of rules targeting part of the eligible people, to force them to modify their voting status, as in the recent United States discussion over mail-in voting, democracy is threatened and the result questionable.

The “free” vote inside the rules also implies the existence of the third and fourth points.

If for some reason we change rules in order not to allow a specific population to vote, we are acting against democracy even if we played according to the local legislation. This is a typical example of a collision between law and ethical and moral standards. And this is not just a developing-country issue; someone will remember all the Democratic Party rumors and complaints related to Florida when Republican Bush Jr. was elected for the 2nd mandate.

The second point contains the greatest number of unattended needs, even in the so-called advanced democracies. Every system presents its soft spots and black holes; no country is immune. To mention old Europe, think of Scotland, Ireland, the Basque region and Catalonia in Spain.

The third and fourth points, on the right to have access to information, concern me the most and are, in my opinion, crucial in all the democracies under construction.

If the whole point of democracy is being able to vote knowing what we are doing, we should be able to be as knowledgeable as possible. The idea behind this is that to make a conscious choice we should be able to analyze and criticize what is proposed, in order to form our opinion freely. Lack of information, knowledge and the ability to critically analyze it is a serious limitation in terms of democracy.

If you don’t know you cannot choose

Knowledge is the basis for any conscious choice; if we don’t know, we have to trust more or less blindly. The problem here is to be able to find sources and verify facts. If we don’t do it, we simply make an act of faith and treat democracy as something that it is not: a religion. Democracy cannot be a religion because it is a system that does not contain the truth inside, but just tries to balance the different truths on a best-effort basis. A critical, and probably the most flawed, point is to be able to discuss and then decide. But, as someone may remember, there is no discussion without the assumption that we could even change our mind. If our starting point is “I am the truth”, there will not be a discussion but a monologue, and so we will be right outside the moral and ethical standards of democracy.

Knowledge is power, and this is even more true in a democracy, where everyone is responsible for the freely expressed vote and its consequences. Basing a choice on an assumption like “you are wrong anyway” is just not the right thing.

Alas, watching some scary threads on the various social networks reminds me how little “critical thinking” is applied in today’s political life. And I’m not talking about my country, but everywhere.

Numbers, historical facts, objective results are simply not considered. And sometimes, to support a theory, some “Dude, what are you talking about?” facts are presented as gospel even if they have little or no link with solid facts and history. And, funny enough, sometimes there would be plenty of good reasons in support that are not even known or used.

A typical example is the worldwide obsession with immigrants. The USA, Europe and even Asia and Africa are full of discussions based on dumb or untrue assumptions, wrong facts, and tampered numbers and statistics. Follow a Twitter thread to understand what I’m talking about. Very few times have I seen discussions based on facts.

They don’t want to, they don’t know; why do you expect it to work?

So let me recall: democracy is a very difficult environment that requires knowledge, will, application and sacrifice. There are specific needs that have to be respected and an overall agreement by all the involved parties.

Democracy is not a religion and does not have all the answers; au contraire, it is a system based on the assumption that the answers can be different and equally valuable.

It requires that all the parties respect each other’s habits and ideas and are willing to discuss openly. On those assumptions, it is quite understandable that implementing an election system does not mean having introduced democracy in a country. By its nature democracy cannot be forced, because if you force someone into democracy there is no democracy at all; remember what Karl Popper says: there is no democracy if, to change the form of government, you have to use a revolution.

The very pillars of democracy are will, knowledge and respect for minorities; if a country is not ready for this, every form of government will be less than a democracy, no matter if it is ….*

*Put the next country with elections you want where the dots are.