Friday, 18 October 2024

Cybersecurity Regulation: A Global Overview of Standards and Regional Approaches Influenced by Legal Systems

Antonio Ieranò

Security, Data Protection, Privacy. Comments are on my own unique responsibility 🙂

October 10, 2024

NOTE: this is the second part of the short analysis I was asked to produce; enjoy :-)

Introduction

In today’s increasingly interconnected world, where digital infrastructures underpin critical sectors like healthcare, finance, and energy, robust cybersecurity regulation has become paramount. Cyberattacks are growing in both frequency and sophistication, making it crucial for countries and regions to implement strong cybersecurity frameworks. These frameworks are shaped not only by the evolving nature of cyber threats but also by the underlying legal systems that influence how laws are drafted, interpreted, and enforced.

Legal systems—whether civil (Roman law), common law, or socialist law—play a significant role in shaping regulatory approaches. For instance, the European Union’s civil law tradition results in highly codified and comprehensive cybersecurity regulations, while the United States, operating under common law, tends to develop more flexible, sector-specific laws. China’s socialist legal system, with its focus on state control and data sovereignty, enforces stringent cybersecurity standards.

This article explores widely accepted international cybersecurity standards and region-specific regulations, with a focus on the EU’s evolving cybersecurity landscape, including the NIS2 Directive, DORA, and other key regulations. It also examines how different legal systems impact the implementation of cybersecurity frameworks, particularly in critical sectors like healthcare and finance.


Widely Accepted Cybersecurity Standards

International cybersecurity standards serve as the foundation for many national regulations, providing a common language for addressing cybersecurity risks. Several globally accepted frameworks are referenced across industries, helping organisations manage and mitigate cyber threats.

ISO/IEC 27001 – Information Security Management Systems (ISMS)

ISO/IEC 27001 is a widely recognised standard for information security management, offering a systematic approach to protecting sensitive data, managing risks, and ensuring cybersecurity resilience. This standard is particularly relevant for critical sectors such as healthcare and finance, where data protection is paramount.

NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF), developed by the U.S. National Institute of Standards and Technology (NIST), provides a flexible, risk-based approach to managing cybersecurity risks. It is composed of five core functions: Identify, Protect, Detect, Respond, and Recover. While originally designed for critical infrastructure sectors in the U.S., it has been widely adopted internationally due to its comprehensive approach.

CIS Controls

The Center for Internet Security (CIS) Controls offer practical, action-oriented guidelines for mitigating cyber threats. These controls are used by organisations around the world to align their cybersecurity practices with industry best practices, particularly in sectors that handle sensitive data.

ISO/IEC 27701 – Privacy Information Management

Building on ISO/IEC 27001, ISO/IEC 27701 addresses privacy information management. It helps organisations that must comply with data protection regulations like the General Data Protection Regulation (GDPR) integrate privacy controls into their broader cybersecurity strategies.


Cybersecurity Regulations in the European Union (EU)

The European Union has developed one of the most comprehensive and prescriptive cybersecurity frameworks in the world, heavily influenced by its Roman law tradition. The EU’s approach to cybersecurity is codified in several key regulations and directives aimed at harmonising standards across its member states. These regulations are essential for securing critical sectors such as healthcare, finance, energy, and transportation.

NIS2 Directive (2022)

The NIS2 Directive, which updates and replaces the original Network and Information Systems (NIS) Directive of 2016, significantly strengthens cybersecurity requirements across the EU. NIS2 expands the scope of the original directive, covering more sectors and requiring operators of essential services (OES) and digital service providers (DSPs) to implement stronger cybersecurity measures.

Key aspects of the NIS2 Directive include:

  • Expanded scope: NIS2 applies to additional sectors beyond the original NIS Directive, including healthcare, energy, transport, banking, and digital infrastructure.
  • Stricter incident reporting: Organisations must report significant cybersecurity incidents within 24 hours of detection.
  • Enhanced cooperation: The directive encourages greater cooperation between member states, including information sharing and coordination during cyber crises.
  • Cybersecurity risk management: NIS2 mandates that organisations adopt advanced cybersecurity measures, conduct regular risk assessments, and ensure that cybersecurity is integrated into their broader business operations.

The European Union Agency for Cybersecurity (ENISA) plays a key role in supporting the implementation of NIS2 by providing guidance, coordinating responses to cross-border incidents, and facilitating cooperation between member states.

General Data Protection Regulation (GDPR)

While the General Data Protection Regulation (GDPR) is primarily focused on data protection, it has significant implications for cybersecurity. GDPR sets out strict requirements for the processing, storing, and securing of personal data, particularly in critical sectors like healthcare and finance. Organisations must implement appropriate technical and organisational measures, such as encryption and pseudonymisation, to safeguard personal data.

A key challenge in applying GDPR within the EU’s civil law system is the regulation’s common law origins. The flexibility inherent in GDPR’s language has led to differing interpretations across member states, requiring ongoing clarification from the European Data Protection Board (EDPB) and national data protection authorities (DPAs). This has created a need for continuous guidance and harmonisation efforts across the EU.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a groundbreaking regulation aimed at enhancing the cybersecurity resilience of the financial services sector across the EU. DORA focuses on ensuring that financial institutions are equipped to withstand, respond to, and recover from cyberattacks and other operational disruptions.

Key aspects of DORA include:

  • Cybersecurity resilience testing: Financial institutions are required to conduct regular cybersecurity resilience tests, including penetration testing and vulnerability assessments.
  • Third-party risk management: DORA mandates stringent oversight of third-party service providers, particularly those that supply critical ICT services to financial institutions.
  • Incident reporting: Financial institutions must report significant cybersecurity incidents to their national authorities within a strict timeframe.

Cybersecurity Act (2019)

The Cybersecurity Act, enacted in 2019, establishes a European cybersecurity certification framework for ICT products, services, and processes. The goal of the act is to enhance trust and security in digital products and services across the EU. ENISA is responsible for managing the certification process and ensuring that products and services comply with EU cybersecurity standards.

The Cybersecurity Act also enhances ENISA’s role as the EU’s central cybersecurity agency, giving it a stronger mandate to support member states, coordinate responses to large-scale cyber incidents, and provide guidance on implementing cybersecurity regulations.

Payment Services Directive 2 (PSD2)

The Payment Services Directive 2 (PSD2) introduces stringent cybersecurity requirements for the financial sector, particularly regarding online transactions and digital payments. PSD2 mandates strong customer authentication (SCA) for electronic payments and sets cybersecurity standards for third-party payment service providers (TPPs). Financial institutions must ensure that all customer data is protected in compliance with GDPR and other cybersecurity regulations.


The Role of Legal Systems in Shaping Cybersecurity Regulation

Different legal systems—whether Roman law (civil law), common law, or socialist law—greatly influence how cybersecurity regulations are structured, interpreted, and enforced. These legal traditions shape the regulatory approaches of regions like the European Union, the United States, and China.

Civil Law Systems (Roman Law)

In civil law systems, such as those in the EU, regulations are codified and prescriptive, with detailed rules that apply uniformly across all jurisdictions. The EU’s legal system, based on Roman law, has led to the development of comprehensive cybersecurity frameworks such as NIS2, DORA, and GDPR. However, the application of GDPR—a regulation rooted in common law principles—has led to challenges in interpretation, as civil law systems typically prefer strict codification over flexibility. This has required ongoing clarifications from EU regulatory bodies like the EDPB and national DPAs.

Common Law Systems

In contrast, common law systems, such as those in the United States, are more flexible and rely on precedent and judicial interpretation. The U.S. cybersecurity landscape is characterised by a patchwork of sector-specific regulations, such as HIPAA for healthcare and GLBA for finance, as well as voluntary frameworks like the NIST Cybersecurity Framework. This flexibility allows for quicker adaptation to emerging cybersecurity threats but can lead to inconsistencies across sectors.

Socialist Legal Systems

China’s socialist legal system prioritises state control and national security. The country’s Cybersecurity Law and Data Security Law impose stringent requirements on data localisation and cybersecurity, particularly for operators of critical infrastructure. The government’s focus on controlling data flows and protecting sensitive information is a central feature of China’s regulatory approach.


Cybersecurity Regulation for Critical Sectors

Healthcare Sector

The healthcare sector is highly regulated due to the sensitivity of personal health information (PHI) and the potential life-threatening consequences of cyberattacks on healthcare systems.

  • HIPAA (U.S.): The Health Insurance Portability and Accountability Act (HIPAA) requires U.S. healthcare providers and their associates to implement administrative, physical, and technical safeguards to protect electronic personal health information (ePHI).
  • GDPR (EU): In the EU, healthcare providers must comply with GDPR when processing health data. GDPR mandates strict security measures, such as encryption and access controls, to ensure that patient data is protected.
  • NIS2 Directive (EU): Healthcare providers in the EU are also subject to the NIS2 Directive, which strengthens cybersecurity requirements for operators of essential services (OES), including healthcare organisations. NIS2 mandates incident reporting, regular risk assessments, and the implementation of advanced cybersecurity measures.

Financial Sector

The financial sector is a frequent target for cyberattacks due to the volume of sensitive financial data it handles. Financial institutions are subject to strict cybersecurity regulations aimed at protecting consumer information and ensuring the resilience of financial systems.

  • GLBA (U.S.): The Gramm-Leach-Bliley Act (GLBA) requires U.S. financial institutions to implement cybersecurity safeguards to protect consumer financial data.
  • PSD2 (EU): The EU’s Payment Services Directive 2 (PSD2) mandates strong customer authentication (SCA) for electronic payments and requires financial institutions to implement robust cybersecurity measures.
  • DORA (EU): The Digital Operational Resilience Act (DORA) focuses on ensuring the cybersecurity resilience of the financial sector. Financial institutions are required to conduct regular cybersecurity testing, monitor third-party risks, and report incidents.

Conclusion

As cyber threats continue to grow in complexity and scale, cybersecurity regulation must evolve to protect critical infrastructure and sensitive data. Global standards like ISO/IEC 27001 and the NIST Cybersecurity Framework provide essential guidelines, while region-specific regulations—such as the EU’s NIS2 Directive, DORA, and GDPR, the U.S. HIPAA and GLBA, and China’s Cybersecurity Law—address the unique risks faced by critical sectors like healthcare and finance.

In the European Union, the challenges of applying common law-inspired regulations like GDPR in a civil law environment have underscored the importance of regulatory bodies like ENISA and the EDPB in providing continuous guidance and harmonising interpretation across member states. As organisations worldwide strive to build cybersecurity resilience, cross-border cooperation, and alignment with both global standards and local regulations will remain key to addressing the evolving cyber threat landscape.

Appendix: principal regulations per geographic area

Here’s a breakdown of specific regulations covered in the article, focusing on cybersecurity and critical services across different regions:

1. European Union (EU)

  • General Data Protection Regulation (GDPR): Aimed at protecting personal data and ensuring data security, GDPR sets strict guidelines for data processing, including requirements for encryption, breach reporting, and user consent. It applies across sectors but has specific importance in healthcare and finance, given the sensitivity of personal data.
  • NIS2 Directive: Expands the original NIS Directive, increasing the scope to cover more critical sectors such as healthcare, energy, and digital infrastructure. It introduces stricter requirements for incident reporting, cybersecurity risk management, and harmonises cybersecurity standards across member states.
  • Digital Operational Resilience Act (DORA): Focused on the financial sector, DORA ensures that financial institutions are equipped to handle cyberattacks and operational disruptions. It mandates continuous testing of cybersecurity resilience, incident reporting, and third-party risk management for critical financial services.
  • Cybersecurity Act (2019): Establishes a European cybersecurity certification framework for ICT products, services, and processes, enhancing trust and security in digital products across the EU. ENISA’s role is also expanded under this act to facilitate cross-border cooperation and incident response.

2. United States

  • NIST Cybersecurity Framework: A voluntary but widely adopted framework designed to manage and reduce cybersecurity risks. It consists of five core functions (Identify, Protect, Detect, Respond, and Recover) and is frequently referenced by federal agencies and critical infrastructure operators.
  • HIPAA (Health Insurance Portability and Accountability Act): Mandates strict protection of personal health information (PHI) in the healthcare sector. It requires healthcare organisations to implement safeguards, encryption, access controls, and regular security assessments.
  • GLBA (Gramm-Leach-Bliley Act): Focused on financial institutions, GLBA requires measures to protect consumers’ financial information. It mandates encryption, multi-factor authentication, and data privacy policies for financial institutions.
  • FISMA (Federal Information Security Management Act): Governs federal agency information security, requiring agencies to develop, document, and implement information security programs. It is sector-specific but critical for managing the cybersecurity risks of federal agencies.

3. China

  • Cybersecurity Law: Imposes strict data localisation and cybersecurity requirements on all sectors, with particular emphasis on critical infrastructure. Companies are required to store data locally, undergo cybersecurity assessments, and ensure government oversight on cross-border data transfers.
  • Data Security Law: Regulates the collection, storage, and transfer of data, especially focusing on protecting state interests and critical information infrastructure (CII). Like the Cybersecurity Law, it requires data localisation and security assessments.

4. United Kingdom

  • NIS Regulations: Following Brexit, the UK implemented its own version of the NIS Directive, which focuses on the protection of critical infrastructure, including healthcare and financial services. The regulations include incident reporting and cybersecurity risk management.
  • UK GDPR: Mirroring the EU GDPR, the UK GDPR ensures data protection standards remain high post-Brexit, focusing on protecting sensitive personal data across sectors, including healthcare and finance.
  • FCA Guidelines (Financial Conduct Authority): Financial institutions in the UK are required to follow FCA cybersecurity guidelines, ensuring resilience against cyber threats through continuous monitoring, incident reporting, and strict cybersecurity controls.

5. Singapore

  • Cybersecurity Act: Requires operators of critical information infrastructure (CII) to comply with stringent cybersecurity measures. These include incident reporting and regular risk assessments to prevent and mitigate cyber threats.
  • MAS TRM Guidelines (Monetary Authority of Singapore): Focused on the financial sector, these guidelines require financial institutions to implement robust cybersecurity measures, including vulnerability assessments, penetration testing, and encryption of sensitive data.

6. Japan

  • Cybersecurity Basic Act: Establishes guidelines for securing critical infrastructure and promoting collaboration between the public and private sectors. It mandates that companies in critical sectors adopt cybersecurity measures and report cyber incidents.
  • FSA (Financial Services Agency) Regulations: Focuses on cybersecurity in the financial services sector, requiring firms to implement robust risk management practices, encrypt financial data, and perform continuous cybersecurity resilience testing.

#CybersecurityRegulation #NIS2Directive #DORARegulation #ISO27001 #GDPRCompliance #CyberResilience #HealthcareCybersecurity #FinancialCybersecurity #ENISA #DataProtection #NISTFramework #CybersecurityStandards

Thursday, 17 October 2024

Regulation of Generative AI Across Global Jurisdictions: A Comparative Analysis

Antonio Ieranò

October 10, 2024

NOTE: I wrote this because of a specific request, hoping that it could be useful for a larger audience.

Introduction

The regulation of generative Artificial Intelligence (GenAI) represents a significant and increasingly complex issue in the global technological landscape. With the rapid advancement of AI technologies, particularly in the field of generative models, regional differences in regulatory frameworks are becoming more pronounced. The European Union (EU), the United States (U.S.), and China, as three of the leading powers in AI, have adopted divergent approaches to regulating AI development and deployment. These differences reflect the unique legal traditions, regulatory philosophies, and policy priorities of each region.

This article will explore these different regulatory strategies in detail, offering a comparative analysis of the strengths and weaknesses of each. Additionally, it will examine the underlying legal systems in the EU, U.S., and China, alongside emerging frameworks in other countries such as Canada, the United Kingdom, Singapore, and Japan. Furthermore, this paper will consider the implications for global AI governance, the need for international cooperation, and the role of both industry-led and government initiatives. The discussion will highlight the necessity of balancing innovation with the protection of privacy, user rights, and societal well-being in the development of GenAI.


Legal Systems Overview

The regulatory approaches to generative AI in different regions are heavily influenced by their underlying legal systems. This section provides an overview of these legal systems and their impact on the regulation of AI technologies.

European Union (EU) – Roman Law Tradition

The European Union’s legal framework is founded upon the Roman law tradition, which emphasizes the codification of laws and the establishment of comprehensive regulatory systems. The EU’s regulatory approach is characterised by its prescriptive nature, with laws being uniformly applied across member states. This system prioritises the protection of individual rights, particularly in the areas of data privacy and security.

The General Data Protection Regulation (GDPR), adopted in 2018, is a prime example of the EU’s strict regulatory approach. GDPR is one of the most comprehensive data privacy regulations globally, focusing on safeguarding individuals’ data and ensuring transparency in how personal data is processed. It requires companies to obtain explicit consent from users for data collection, to anonymise data where possible, and to report data breaches promptly. While GDPR has set a global standard for privacy regulation, its strict requirements have been criticised for potentially stifling innovation and placing a heavy compliance burden on businesses, especially startups.

United States (U.S.) – Common Law Tradition

In contrast, the United States operates under a common law system, where legal precedents established through court rulings play a central role in shaping laws and regulations. This system offers greater flexibility and allows for a more reactive approach to regulation. In the context of AI, the U.S. has traditionally favoured a permissive regulatory environment, prioritising technological innovation and leadership in global AI development.

The California Consumer Privacy Act (CCPA) is one of the most significant state-level privacy laws in the U.S., enacted to provide consumers with greater control over their personal data. However, the U.S. lacks a unified federal framework for AI regulation, which has led to a fragmented regulatory landscape where different states implement varying levels of protection.

  • California Consumer Privacy Act (CCPA):
  • Official text (English): CCPA Full Text

China – Socialist Legal Tradition

China’s legal system represents a hybrid model that combines elements of civil law with socialist legal principles, allowing for strong state intervention in regulatory affairs. The Chinese government has been proactive in promoting AI development while maintaining strict control over data privacy and security, particularly where national interests are concerned.

The Personal Information Protection Law (PIPL), which came into effect in 2021, sets out comprehensive rules for how personal data should be collected, stored, and transferred. Like the GDPR, PIPL requires explicit consent for data collection and imposes heavy penalties for non-compliance. However, the Chinese framework is distinguished by its focus on state interests, with data localisation requirements ensuring that sensitive data remains within Chinese borders. The Cybersecurity Law further bolsters this framework, reinforcing state control over data security in critical sectors.

  • Personal Information Protection Law (PIPL):
  • Official text (Chinese): 个人信息保护法全文
  • Official text (English): PIPL Full Text
  • Cybersecurity Law:
  • Official text (Chinese): 中华人民共和国网络安全法

Regulatory Approaches to Generative AI

Each of the major players in AI regulation—the EU, U.S., and China—has developed distinct approaches to regulating generative AI. These approaches are shaped not only by their legal systems but also by their broader political and economic priorities.

European Union (EU)

The EU has taken a leadership role in the global regulation of AI, seeking to set standards that ensure both the ethical use of AI technologies and the protection of user rights. The AI Act, currently in the proposal stage, aims to introduce a comprehensive legal framework that classifies AI systems based on their potential risks to society. High-risk AI systems, such as those used in healthcare or law enforcement, will be subject to stringent regulatory requirements, including transparency, explainability, and human oversight.

While the EU’s regulatory model prioritises user protection and ethical considerations, there are concerns that its prescriptive nature may hinder innovation. The compliance costs associated with meeting the requirements of the AI Act could place a significant burden on companies, particularly smaller startups, potentially slowing down the development of innovative AI solutions in the region.

United States (U.S.)

The U.S. approach to AI regulation is largely driven by a desire to foster innovation and maintain its leadership in AI development. The National AI Initiative Act of 2020 is a key piece of legislation aimed at promoting AI research and development, ensuring that AI systems are both ethical and aligned with societal values. However, unlike the EU, the U.S. has yet to introduce a comprehensive federal framework for AI regulation.

Much of the U.S. regulatory environment is shaped by state-level initiatives, such as the CCPA, and by voluntary industry guidelines. Major tech companies, including Google and Microsoft, have established internal AI ethics boards and developed frameworks to ensure that their AI systems are transparent and accountable. While this decentralised approach allows for rapid technological development, it also raises concerns about the lack of uniform protections for consumers.

China

China’s regulatory approach to AI is underpinned by its emphasis on state control and national security. The PIPL and Cybersecurity Law form the core of China’s regulatory framework for AI, ensuring that personal data is protected and that AI systems align with state interests. The Chinese government has also implemented additional regulations targeting specific industries, such as finance and healthcare, to ensure that AI technologies in these sectors are used responsibly.

Unlike the EU and U.S., where AI regulation is often focused on protecting individual rights, China’s regulatory model prioritises state security and control over data flows. While this has allowed China to rapidly advance its AI capabilities, it has also raised concerns about the potential for state surveillance and the erosion of individual privacy rights.


Examples from Other Jurisdictions: Canada, UK, Singapore, and Japan

Beyond the EU, U.S., and China, other countries are also playing important roles in shaping the regulatory landscape for GenAI. Countries like Canada, the United Kingdom (UK), Singapore, and Japan have adopted distinct approaches to AI regulation, each reflecting their unique legal systems and policy priorities.

Canada

Canada has been a leader in AI ethics and governance, particularly in the public sector. The Directive on Automated Decision-Making, introduced in 2019, is one of the first regulatory frameworks in the world specifically addressing the use of AI in government decision-making. The Directive ensures that AI systems used by the government are transparent, fair, and accountable, and includes provisions for human oversight and the prevention of bias.

Canada has also been active in promoting responsible AI development at the international level, playing a key role in the development of global AI governance frameworks through organisations like the OECD.

United Kingdom (UK)

The United Kingdom has taken a proactive stance on AI regulation, with the establishment of the Centre for Data Ethics and Innovation (CDEI) and the introduction of the UK National AI Strategy. The CDEI provides guidance on the ethical use of AI, focusing on issues such as data privacy, bias, and transparency. The UK’s approach to AI regulation is more flexible than that of the EU, seeking to strike a balance between promoting innovation and ensuring ethical AI use.

The UK National AI Strategy, published in 2021, outlines the government’s vision for making the UK a global leader in AI. The strategy emphasises the importance of developing ethical AI systems that promote fairness and transparency while encouraging investment in AI research and innovation.

Singapore

Singapore is rapidly emerging as a hub for AI innovation and governance. The government has introduced the Model AI Governance Framework, a voluntary framework that provides businesses with guidance on the responsible use of AI. The framework focuses on ensuring that AI systems are transparent, explainable, and accountable, and encourages companies to adopt best practices in data management and user protection.

Singapore’s regulatory approach is designed to support innovation while ensuring that AI technologies are used ethically. The government has also established the AI Ethics and Governance Body of Knowledge, a comprehensive resource for companies seeking to implement ethical AI systems.

Japan

Japan has adopted a unique approach to AI regulation, aligning its AI strategy with the broader concept of Society 5.0, a vision for a super-smart society that integrates AI into various aspects of daily life to address societal challenges such as an aging population. Japan’s regulatory framework focuses on promoting the use of AI for societal benefit while ensuring that AI technologies are developed and used in an ethical and transparent manner.

The AI Strategy 2021, published by the Japanese government, outlines the country’s approach to AI governance, with a particular emphasis on addressing the ethical challenges posed by AI and ensuring that AI systems are aligned with human values.


Implications for Global Governance and International Cooperation

The diverse approaches to GenAI regulation adopted by the EU, U.S., China, and other countries raise important questions about the future of global AI governance. The rapid pace of AI development, combined with the transnational nature of AI technologies, underscores the need for international cooperation in the development of regulatory frameworks.

International Organisations

Organisations such as the Organisation for Economic Co-operation and Development (OECD) and United Nations Educational, Scientific and Cultural Organization (UNESCO) have played a key role in promoting global AI governance. The OECD’s AI Principles, adopted by over 40 countries, provide a framework for responsible AI development, focusing on fairness, transparency, and accountability. UNESCO’s Recommendation on the Ethics of Artificial Intelligence further promotes the ethical use of AI, encouraging countries to align their AI policies with human rights and ethical principles.

Industry Initiatives

In addition to government-led efforts, industry initiatives such as the Partnership on AI and the World Economic Forum’s Global AI Action Alliance (GAIA) have emerged as important platforms for promoting responsible AI development. These initiatives bring together companies, governments, and civil society organisations to address the ethical challenges posed by AI and to promote best practices in AI governance.


Conclusion

The regulation of generative AI represents a multifaceted challenge that requires balancing the need for innovation with the protection of privacy, user rights, and societal well-being. The EU, U.S., China, and other key players have each adopted distinct regulatory approaches, shaped by their unique legal systems and policy priorities. While the EU has taken a strong stance on user protection and transparency, the U.S. focuses on promoting innovation, and China emphasises state control and data sovereignty.

As AI technologies continue to evolve, there is a growing need for greater international cooperation and the development of global standards for AI governance. International organisations and industry-led initiatives have made significant progress in promoting responsible AI development, but achieving a unified global approach will require sustained collaboration between governments, industry, and civil society. The future of AI regulation will depend on the ability of these stakeholders to work together to ensure that AI technologies are developed and used in a manner that is ethical, transparent, and aligned with the broader interests of society.

Appendix A: Other Approaches in Asia, Africa, and the Middle East

Asia

Several Asian countries are increasingly focusing on the regulation of AI. In South Korea, for instance, the government has introduced the AI National Strategy, which outlines the country’s goals for AI development while ensuring that AI technologies are used responsibly. South Korea is particularly focused on AI in sectors such as healthcare and education.

India, as another major player in Asia, has adopted a somewhat different approach. While India does not yet have comprehensive AI legislation, the government has launched the National AI Strategy, which emphasizes the need for AI technologies to align with India’s development goals, including addressing issues such as poverty, education, and healthcare.

Africa

Africa presents a unique case in the global AI regulatory landscape. Many countries on the continent are still in the early stages of AI development, but several have begun to explore the potential of AI in addressing pressing social and economic challenges. Rwanda has been a leader in AI innovation in Africa, establishing the Centre of Excellence in AI and Internet of Things (IoT) to drive AI research and development.

Other African nations such as Kenya, Ghana, and South Africa are beginning to explore the regulation of AI. These countries are focusing on how AI can be harnessed to address issues such as healthcare access, education, and economic inequality.

Middle East

In the Middle East, countries such as the United Arab Emirates (UAE) and Saudi Arabia have positioned themselves as leaders in AI development and governance. The UAE, for example, was the first country in the world to appoint a Minister of State for Artificial Intelligence, and it has developed a national AI strategy that aims to make the UAE a global leader in AI by 2031.

Similarly, Saudi Arabia is investing heavily in AI, with its Vision 2030 plan outlining the country’s ambitions to become a leader in AI and other emerging technologies. The Saudi government has established several initiatives aimed at promoting AI research and development, while also ensuring that AI systems are aligned with ethical principles.

Appendix B: Company Approaches to Generative AI (GenAI)

The role of private sector companies in shaping the development and governance of generative AI (GenAI) cannot be overstated. With AI technologies rapidly evolving, tech giants and emerging companies are playing a central role not only in advancing AI capabilities but also in establishing self-regulatory frameworks and ethical guidelines to ensure the responsible use of AI. This appendix outlines the approaches adopted by several major companies in the GenAI space, focusing on their internal governance structures, AI ethics initiatives, and strategies for addressing the ethical, legal, and social implications of AI.

1. Google (Alphabet Inc.)

Google, through its parent company Alphabet, has been at the forefront of AI development, particularly in the realm of machine learning and generative AI technologies such as Google DeepMind and Google Bard. Recognizing the potential ethical concerns surrounding AI, Google has established clear principles and guidelines to govern the development and deployment of its AI systems.

Key Elements of Google’s AI Approach:

  • AI Principles: Google introduced a set of AI principles in 2018, which guide the ethical development and deployment of AI. These principles include ensuring AI is socially beneficial, avoiding harmful applications, and fostering accountability and privacy. Google has explicitly stated that its AI should not be used for harmful purposes such as surveillance, weapons development, or violations of human rights.
  • Explainability and Fairness: Google emphasizes the importance of making AI systems explainable and transparent to users. This includes ensuring that AI decisions can be understood and audited to prevent bias or unfair outcomes, especially in areas like healthcare, hiring, and finance.
  • AI Ethics Board: Google formed an internal AI ethics advisory board to review high-impact projects, ensuring that the company adheres to its own AI principles. Although the board has faced some controversies, Google continues to refine its approach to ethical AI governance.

2. Microsoft

Microsoft has become a significant player in generative AI, particularly through its collaboration with OpenAI and the integration of AI capabilities into its products like Azure AI, Microsoft 365, and GitHub Copilot. Microsoft has taken a proactive stance on AI ethics, focusing on developing trustworthy and inclusive AI systems.

Key Elements of Microsoft’s AI Approach:

  • Responsible AI Principles: Microsoft’s AI ethics framework is built around six principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. These principles are applied across all its AI projects, with a particular focus on preventing bias and ensuring the responsible use of AI in sensitive domains like criminal justice and healthcare.
  • Office of Responsible AI: Microsoft established an Office of Responsible AI to oversee the company’s AI initiatives. This office sets company-wide policies, conducts risk assessments, and ensures that AI projects adhere to Microsoft’s ethical standards.
  • AI for Good Initiatives: Microsoft is actively involved in several global initiatives aimed at using AI for positive social impact. Its AI for Good program focuses on projects that address global challenges such as climate change, accessibility for people with disabilities, and humanitarian crises.

3. OpenAI

OpenAI, the developer of advanced generative models such as GPT-3 and DALL·E, is committed to ensuring that AI benefits humanity as a whole. OpenAI’s unique structure as a capped-profit organization allows it to prioritize ethical considerations while advancing state-of-the-art AI research.

Key Elements of OpenAI’s AI Approach:

  • AI Alignment: OpenAI’s mission is to ensure that artificial general intelligence (AGI), when it is eventually developed, is aligned with human values and that its benefits are broadly shared. OpenAI’s work on AI alignment aims to address the risks of unintended consequences from increasingly powerful AI systems.
  • Transparency and Research Sharing: OpenAI has adopted a model of research transparency, regularly publishing its findings to advance global understanding of AI capabilities and risks. This transparency is balanced with concerns about the potential misuse of AI technology, particularly in the case of models like GPT-3, which can generate highly convincing but false information.
  • Ethical AI Deployment: OpenAI has implemented usage policies that limit how its models can be used. This includes restricting use cases in areas such as political manipulation, disinformation, and generating abusive content. OpenAI works with partners and licensees to ensure compliance with these policies.

4. Amazon Web Services (AWS)

Amazon’s AI initiatives, driven primarily through its AWS cloud platform, have positioned the company as a leading provider of AI services and infrastructure. AWS offers a broad range of machine learning tools, including services for generative AI applications like Amazon Polly and Amazon Lex.

Key Elements of Amazon’s AI Approach:

  • Focus on AI Safety and Security: AWS emphasizes the security and reliability of its AI services, providing customers with tools to ensure that AI systems are both robust and safe. AWS’s AI/ML services are designed to include built-in security features that protect data privacy and integrity.
  • Ethical AI Development: Amazon has faced criticism in the past for its facial recognition technology, Rekognition, particularly regarding its use by law enforcement. In response, Amazon implemented a one-year moratorium on police use of Rekognition and has increased its focus on ensuring that its AI tools are not used in ways that could violate civil liberties or perpetuate bias.
  • Diversity and Inclusion: Amazon is committed to promoting diversity in AI development, ensuring that its models and datasets are representative of the diverse populations they serve. The company has launched several initiatives aimed at reducing bias in AI and promoting inclusivity in AI-based decision-making systems.

5. IBM

IBM has been a leader in AI for decades, particularly through its IBM Watson platform, which offers advanced natural language processing and machine learning capabilities. IBM’s approach to AI is deeply rooted in ethical considerations and responsible AI practices.

Key Elements of IBM’s AI Approach:

  • AI Ethics Pledge: IBM was one of the first major tech companies to publicly pledge to use AI responsibly. IBM’s AI ethics framework emphasizes the importance of trust and transparency in AI development, ensuring that AI systems are explainable, fair, and free from bias.
  • Explainable AI (XAI): IBM has invested heavily in explainable AI, developing tools that allow users to understand how AI models make decisions. This is particularly important in fields such as healthcare and finance, where trust in AI decision-making is critical.
  • AI for Social Good: IBM’s AI for Social Good initiative focuses on leveraging AI to address global challenges such as climate change, disease management, and disaster response. IBM Watson has been used to assist researchers in developing new treatments for diseases and to support efforts to combat climate change through data-driven insights.

General Conclusion and Call to Action

The regulation of generative AI (GenAI) represents one of the most pressing challenges in the modern technological landscape. Across global jurisdictions, varying legal systems and policy priorities have shaped the development of distinct regulatory frameworks in regions such as the European Union, the United States, and China. While the EU has focused on robust citizen protections and transparency through frameworks like the GDPR and the AI Act, the U.S. has prioritised flexibility and innovation, allowing the private sector to lead with self-regulatory practices. In contrast, China’s state-driven approach reflects its focus on national security and data sovereignty.

In addition to these regional differences, emerging economies and key players such as Canada, the United Kingdom, Singapore, and Japan are also contributing to global AI governance. Their approaches emphasise ethics, transparency, and responsible development, illustrating the increasing global recognition of the need to regulate AI in a way that balances innovation with ethical considerations. At the company level, technology giants like Google, Microsoft, OpenAI, Amazon, and IBM are setting their own standards for ethical AI, with internal governance structures and principles designed to ensure accountability, fairness, and inclusiveness in AI development.

While these various efforts are commendable, they underscore the need for greater international cooperation. AI is a transnational technology, and its societal impact transcends borders. As the deployment of AI continues to grow, there is an urgent need for a harmonised approach to regulation that addresses the risks and opportunities AI presents across all regions and industries.

Call to Action

It is imperative for governments, international organisations, and the private sector to collaborate more closely in the development of global standards for generative AI regulation. A unified framework that incorporates ethical principles, accountability, and transparency can mitigate the risks associated with AI technologies while fostering innovation. Policymakers should prioritise creating adaptable regulatory environments that protect individual rights, prevent biases, and promote data privacy without stifling technological progress.

Industry leaders and AI developers must continue to take responsibility for the societal impact of their technologies by adhering to ethical standards, ensuring explainability, and making AI accessible for the broader public good. At the same time, civil society organisations and academic institutions should remain vigilant and participate in shaping AI governance, ensuring that AI benefits all of humanity while avoiding potential harms.

The future of generative AI will be shaped by the actions we take today. It is essential that all stakeholders act collectively to build an ethical, inclusive, and innovative future for AI technologies. By working together, we can ensure that the transformative power of AI is harnessed for the greater good, enhancing society while safeguarding individual freedoms and rights.

#GenerativeAI #AIRegulation #AIEthics #AIInnovation #DataPrivacy

Wednesday 16 October 2024

Italian Piracy Shield: A Hermeneutic Disquisition on the Shadows of Digital Control

Antonio Ieranò

October 10, 2024

Preface: The inspiration for this reflection comes from none other than our esteemed Italian Minister of Culture, whose lofty rhetoric has brought to light an implicit truth: perhaps the real issue with the Italian government’s understanding of anti-piracy legislation lies not in intent, but in the debased, impoverished language that has veiled this matter. Ah, yes! It could well be that the inadequacy of verbal expression has obfuscated the complexity and the depth of a digital system that defies the simpleminded rhetoric of control. And so, it is in the hope of awakening a sharper critical faculty, that I set forth on this hermeneutic disquisition—an odyssey of thought and signification—on the Italian Piracy Shield, with a view to shedding light where shadows now reign.

Written in English for the sake and joy of Alessandro Bottonelli


1. The Dialectic of Censorship: Between Presence and Absence of Digital Power

Italian Piracy Shield. A thing, a specter perhaps, a mere legislative tool, on the surface, yes, no more than a hand, invisible yet felt, poised to block, cancel, and erase. Yet! In its deeper essence, it is but a symbol of power exercised in absentia, a force unseen, a paradox of control and relinquishment, manifesting in the blink—ah!—of the digital dark. An act of deletion, of dissimulation, that ever-so-slightly betrays the violent hand behind the curtain.

Do you see it? The act itself—no contradiction, no verification—floats, yes, floats in the sea of invisible operations, permeating the entire digital architecture like smoke through keyholes. Italian Piracy Shield does not just negate, it becomes the negation, it is the smothering of critique, the silencing of questions. That which is blocked is not merely the website, but the hermeneutic access itself—the very logos of the network is rendered mute. A block, yes, a blot, as though one were to blot out a page from Finnegans Wake, leaving only the ghost of the ink.

No need, none at all, for justification, for light. What use is light, when power wields the darkness? The power moves, a shadow casting shadows—there it goes—on the sprawling universe of the digital.


2. From “Univocum” to “Prevalente”: The Semantic Mutation of Arbitrary Power

Ah! The slip, the shift, the sleight of the pen! From “univocamente” to “prevalentemente,” we are led, drawn like the unwitting, across the semantic precipice. What once was certain, nailed down—ah, that precise correlate between illicit activity and IP—now crumbles, dissolves into a vaporous “prevalence,” a haze of legal ambiguity. Oh, what a dance it is! Prevalente, the word hangs in the air like a half-uttered secret, a term at once so soft, so vague, that it invites the most dangerous of interpretations.

What now, what now, is the meaning of “prevalente”? Do you know? I don’t. Not with certainty, not in the way the law should know. It hovers, it flickers. Like a moth caught in the flicker of flame, it wavers, leaving in its wake an epistemological chasm, a breach through which the arbitrary might slink unnoticed. And so the regulation—the law itself!—shifts, moves from its regulatory roots and becomes something else, something wild, something untamed. Beware! it whispers, beware the dangerous arbitrariness that comes creeping when precision abandons its seat!


3. Suspended Time: The Atemporality of Permanent Blocking

Time—tick-tock, tock-tick—it stops. Suspended, frozen in its eternal moment. No, my friends, we are no longer in the world of swift movements, of unblocking and resolution. Once, once that domain or IP address is taken, locked, interdicted—ah, interdicted!—there is no return, not easily, not quickly. You see, the law gives us no release, no remedy. It casts its shadow and leaves it there, a block, an interdict in perpetuity, hanging in the aether.

What do we call this? The block is no longer a block—it is an exile. It is the time of the condemned, suspended in space, cast from the fold of access. Not merely a website gone dark, but an entire existence denied, relegated to the forgotten corner of some distant virtual limbo. Do you hear it? The silence, the long, echoing silence that follows when there is no unblocking, no undoing. And so time itself becomes an instrument of control—time blocked, time stopped, time locked in the permanent now. Ah! There it is—no appeal, no revision, just an unrelenting, eternal block.


4. VPNs and DNS: The Symbolic Flight from Authority

But wait! What is that? A ghost, a shadow moving against the tide. VPNs, DNSs, whispering their defiance, their refusal to be caged. You cannot cage us, they seem to say, these fluid, shifting technologies. And Italian Piracy Shield, for all its power, all its might, cannot grasp them. For the network is a wild thing, fluid and mercurial, a thing of mist and light that slips through the fingers of control.

VPNs! DNSs! They rise like the tide, offering passage, refuge, to those who would escape the grip of the block. Oh no, they say, you cannot bind us, not so easily! And yet, the law—it tries, it tries to stretch its fingers around the globe, seeking to block, to restrain, to cage even these intangible whispers of freedom. A folly, a madness! It seeks to block the un-blockable, to fence in that which by its very nature cannot be contained.

But no—VPNs laugh in the face of the block, DNSs dance through the cracks. And so the network rebels, slips free of its chains, a thing forever untamable.


5. The Harmony of the Absurd: Repression Without Resolution

Ah, the absurdity! The sweet, bitter irony that lies at the heart of it all. For here we are, with all the blocking, all the repression, and yet—the piracy remains. No, no, repression alone will not solve it. And how could it? For this is not a question of simple illegality, but of something far deeper, far more structural. The people—yes, the people!—they will not be so easily tamed. They seek what they seek, and if the law offers no remedy, if the legal paths are barren and overgrown, they will find another way.

And so Piracy Shield strikes and strikes, but the problem—ah!—the problem does not disappear. No, it deepens, grows. And those who seek, who search, will continue, for they do not find in the legal offer a solace. The high costs, the poor services—what is there for them? They will turn, as they have always turned, to the hidden paths, to the secret ways, to the pirated streams and the shadowed sites.

Ah, and so it goes! The harmony of the absurd, where repression pretends to solve, but only ever exacerbates the wound.


6. The Exile of Truth: The Network as a Battleground of Power

And in the end—where are we? Ah, my friends, we stand at the precipice, gazing into the abyss of what could be. A network—yes, the very network we cherish—turned into a battlefield, a place of war, not of innovation, not of creativity, but of power, of censorship, of control. Italian Piracy Shield—yes, it whispers its threat. It tells us that the future, if we are not careful, is a place of darkness, of blocks, of silent censorship.

Do you see it? The exile of information, the exile of truth, as entire swathes of the network fall silent, fall into shadow. What will become of it, of us, of this space we have made? A space of freedom, of voices, of endless connections—no more, no more, unless we resist, unless we fight against this creeping darkness.

For the threat is not only piracy, no—no, my friends—the threat comes from within, from the very forces that seek to defend us.


Conclusion: Towards a Future of Digital Darkness?

Italian Piracy Shield is not just a law, no, not merely a tool of control—it is a window into the possible future. A future where the network itself—once a place of light, of freedom, of endless possibility—becomes a battlefield of blocks, of chains, of control. Ah, the flaws, the cracks in its foundation! But deeper still lies the danger, the attempt to tame what cannot be tamed, to bind what should be free.

And so, we must ask—what does freedom mean in the digital age? What does it mean to be free, to have access, in a world of invisible blocks, of silent censorships?

#ItalianPiracyShield #DigitalCensorship #AGCM #Control #VPN #DNS #Freedom

Friday 8 March 2024

March 8

Italian

A Vindication of the Rights of Woman: with Strictures on Political and Moral Subjects (1792), Mary Wollstonecraft (1759–1797).
It claims the right to legal equality for women, emphasizing their role in society.

Happy 8 March 🌾🌹

To celebrate this anniversary seriously, I propose Mary Wollstonecraft’s revolutionary work, “A Vindication of the Rights of Woman: with Strictures on Political and Moral Subjects.” We find ourselves in the context of 8 March, a day that symbolizes the ongoing struggle for gender equality. Today, more than ever, it is essential to recognize the need for women to obtain full and equal rights in all spheres of life.

Published in 1792, Wollstonecraft’s work was a beacon in the midst of an era in which women were systematically discriminated against and denied their aspirations. Wollstonecraft’s words still resonate today, because they emphasize the importance of addressing gender inequalities and promoting equality throughout the world.

As we celebrate Mary Wollstonecraft’s legacy, we must also look ahead and recognize that, despite the progress made over the years, women continue to face challenges and discrimination. From access to education and work to political participation and personal safety, there are still many areas in which women do not enjoy equal rights.

8 March, International Women’s Day, is an opportunity to reflect on these challenges and renew our commitment to promoting gender equality. It is a moment to celebrate women’s achievements, but also to call for greater change and action to address the inequalities still present in society.

Today, more than ever, it is essential that we all unite to ensure that women can obtain full and equal rights. We must work together to remove the obstacles that prevent women from realizing their full potential and ensure that they can live free and fulfilling lives, free from discrimination and limitations.

In conclusion, as we celebrate 8 March and reflect on Mary Wollstonecraft’s legacy, let us commit to continuing the fight for gender equality. Only through a collective commitment can we hope to create a world in which all women can enjoy full and equal rights, without exception.

I hope you agree that this is the meaning of this anniversary.

English

A Vindication of the Rights of Woman: with Strictures on Political and Moral Subjects (1792), Mary Wollstonecraft (1759–1797).
It vindicates women’s right to legal equality and emphasizes their societal role.

Happy March 8th 🌾🌹

To celebrate this anniversary seriously, I propose Mary Wollstonecraft’s groundbreaking work, “A Justification of Women’s Rights: With Observations on Political and Moral Subjects.” We find ourselves in the context of March 8, a day that symbolizes the ongoing struggle for gender equality. Today, more than ever, it is essential to recognize the need for women to obtain full equal rights in all spheres of life.

Published in 1792, Wollstonecraft’s work illuminated an era when women were systematically discriminated against and denied their aspirations. Wollstonecraft’s words still resonate today, emphasizing the importance of addressing gender inequalities and promoting equality worldwide.

As we celebrate Mary Wollstonecraft’s legacy, we must also look forward and recognize that despite the progress made over the years, women continue to face challenges and discrimination. From access to education and employment to political participation and personal security, there are still many areas where women do not enjoy equal rights.

March 8, International Women’s Day, is an opportunity to reflect on these challenges and renew our commitment to promoting gender equality. It is a time to celebrate women’s achievements and call for more change and action to address the inequalities still present in society.

Today, more than ever, it is essential that we all come together to ensure that women can achieve full equal rights. We must work together to remove the barriers that prevent women from realizing their full potential and ensure that they can live free and fulfilling lives, free from discrimination and limitations.

In conclusion, as we celebrate March 8 and reflect on Mary Wollstonecraft’s legacy, let’s commit to continuing the fight for gender equality. Only through collective commitment can we hope to create a world in which all women can enjoy full equal rights, without exception.

I hope you will agree that this is the meaning of this anniversary.

Friday 1 April 2022

Ramadan Mubarak

As the holy month of Ramadan is approaching, I wish all Muslims a blessed Ramadan full of Health, Wealth, and Joy!

Ramadan Mubarak / Selamat Berpuasa / رمضان كريم

#ramadan2022 #ramadan #holymonth

Thursday 24 February 2022

Ukraine

I am not an expert in geopolitics, just as I am not an expert in pandemics, and so I will generally refrain from commenting (though I have precise ideas on the matter) on what is happening in Ukraine, just as I do not comment on the events of the pandemic.

But I know that war is awful, that it hurts and can even kill you, and I know it will make people I know and love suffer.

I can only hope for the best.

I am not an expert in geopolitics, just as I am not on pandemics. Therefore, I will refrain from making comments (despite having precise ideas about it) on what is happening in Ukraine as I do not comment on the pandemic events.

But I know that war sucks, hurts, and can even kill you, and I know it will hurt people I know and love.

I can only hope for the best.

😔

#ucraina #ukraine #ukrainecrisis #ukraineconflict

Thursday 27 January 2022

World Economic Forum on cybersecurity

World Economic Forum Risk Report 2022 is exciting reading.

Being aware of risks is necessary to address them and to understand the landscape we live in.

It is also a great way to see how risk perception changes year by year.

Looking at the short-term global risk picture, we can see we have weather and climate; economic risks are not top of mind. We have “infectious diseases” to remind us that a pandemic can happen, and we have, some years now, “Cyber Security failure.”

Since I work in the cyber security field, I naturally had an immediate interest in the cyber security section.

https://www.weforum.org/reports/global-risks-report-2022/in-full/chapter-3-digital-dependencies-and-cyber-vulnerabilities

Data from the report are interesting, but I think that we should understand what those data tell us, so let me give some examples:

“95% of cybersecurity issues can be traced to human error.”

The Global Risks Report 2022

Means: Train people, put the correct processes in place, and put proper technology in place with a people-centric approach to address the “human” factor. If 95% of cybersecurity issues are related somehow to human error, we have to factor human behavior into the equation. This means that the technologies and processes we put in place should tell us the risk related to our people. People make mistakes, are attacked, and are exposed to threats that can hit our assets. Without understanding this, we will not address the overall risk we face in cybersecurity.

What to do: We have to properly raise awareness and protect the communication channels used by people, because that is where a skilled attacker will make their move. But in an ever-changing landscape, this is neither easy nor enough. For example, we should continually update awareness programs according to people’s current risks and train people based on their risk exposure. This means that our security technology should understand the user’s risk exposure, and this information should be available to the awareness program and to the other security technologies implemented.

At the same time, a security awareness program should be able to monitor the understanding and knowledge of the users and use this information as a parameter, not only to correctly deploy the training needed for a specific set of users, but also to report the user’s vulnerability in the user risk rating.

Addressing 95% of cyber security issues caused by humans requires understanding why humans fail and what drives them to make mistakes. This does not require a boolean approach but a complex construction of the context of the risks in a holistic way.

“Insider threats (intentional or accidental) represent 43% of all breaches.”

The Global Risks Report 2022

Means: the risks do not come only from outside; the problem can be internal. You have to monitor where data goes, and data does not move by itself; people move data. Again, people are the key.

What to do: Data are not all the same, and handling data can be a problem if the data express critical information. Sensitive data, private data, intellectual property: there are dozens of reasons we should protect what makes our digital world “digital.”

But data should be kept alive. Otherwise, they are useless, so people have to access, manage, and modify data. But we have to do it correctly and securely. Data does not move; people move it. Data does not change; people change it. And when handling data, people can perform a series of actions that, considered as atomic actions, are legitimate. Users can read, modify, move, copy, and delete data.

So how do we understand the threats? We should recognize the danger not from a single indicator but from the sequence of actions performed on the data. And we should be able to do it in a simple way. Simple means the check should not be exhausting to perform, and I have to understand which sequences of actions are potentially dangerous.
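As an added example (not from the post or from the WEF report), here is one way to turn that idea into detection logic. It replays a constructed audit log in which every single action is legitimate on its own (reading a file, copying it to external storage, deleting it) and raises an alert only when an ordered sequence of actions on a confidential object happens within a time window. The log format, the sensitivity labels, the two risky sequences and the one-hour window are all assumptions made for the example; a real deployment would take the patterns from its own data-handling policy.

```python
"""Sequence-based detection of risky data handling (added example, not from the post)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log, not real data. One event per line:
# timestamp|user|action|object|sensitivity|destination ("-" when not applicable)
SAMPLE_LOG = """
2022-01-20T09:00:00|alice|read|contracts/q4.xlsx|confidential|-
2022-01-20T09:05:00|alice|modify|contracts/q4.xlsx|confidential|-
2022-01-20T09:20:00|bob|read|contracts/q4.xlsx|confidential|-
2022-01-20T09:22:00|bob|copy|contracts/q4.xlsx|confidential|external
2022-01-20T09:30:00|bob|delete|contracts/q4.xlsx|confidential|-
2022-01-20T14:00:00|carol|copy|marketing/brochure.pdf|public|external
2022-01-20T15:00:00|dave|read|hr/salaries.csv|confidential|-
2022-01-20T17:30:00|dave|move|hr/salaries.csv|confidential|external
"""

# Assumed sensitivity labels that deserve sequence monitoring.
SENSITIVE_LEVELS = {"confidential"}

# Assumed risky sequences: ordered (action, required destination or None) steps.
# Each step alone is a legitimate user action; only the ordered combination alerts.
PATTERNS = {
    "copy-out-then-delete": [("copy", "external"), ("delete", None)],
    "read-then-move-out": [("read", None), ("move", "external")],
}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str       # read | modify | move | copy | delete
    obj: str
    sensitivity: str  # public | internal | confidential
    dest: str         # internal | external | "-"


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated audit format into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, obj, sens, dest = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, action, obj, sens, dest))
    return events


def matches(events: list[Event], pattern) -> bool:
    """True when the pattern steps appear, in order, as a subsequence of events."""
    i = 0
    for ev in events:
        action, dest = pattern[i]
        if ev.action == action and (dest is None or ev.dest == dest):
            i += 1
            if i == len(pattern):
                return True
    return False


def detect(events: list[Event], window_hours: float = 1.0):
    """Group events per (user, object), slide a time window over each group
    and return (user, object, pattern name, window start) for every match."""
    window = timedelta(hours=window_hours)
    groups: dict[tuple[str, str], list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.sensitivity in SENSITIVE_LEVELS:  # public data is never in scope
            groups.setdefault((ev.user, ev.obj), []).append(ev)

    alerts = []
    for (user, obj), seq in groups.items():
        for name, pattern in PATTERNS.items():
            for start, first in enumerate(seq):
                windowed = [e for e in seq[start:] if e.ts - first.ts <= window]
                if matches(windowed, pattern):
                    alerts.append((user, obj, name, first.ts))
                    break  # one alert per (user, object, pattern)
    return alerts


def run_sample(window_hours: float = 1.0):
    """Run the detector over the constructed log."""
    return detect(parse_log(SAMPLE_LOG), window_hours)


if __name__ == "__main__":
    for user, obj, name, ts in run_sample():
        print(f"{ts.isoformat()} {user} {obj}: {name}")
```

With the default one-hour window only bob’s read, copy-to-external, delete sequence on the confidential spreadsheet is reported; carol’s external copy is ignored because the object is public, and dave’s read followed two and a half hours later by a move to external storage only shows up if the window is widened to three hours, which is the kind of tuning choice the post’s “simple” requirement has to cover.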

“Malware increased by 358% in 2020, while ransomware increased by 435%.”

The Global Risks Report 2022

Means: where do malware and ransomware come from? How is it activated?

What to do: Where does malware come from? If 95% of cybersecurity issues can be traced to humans, it is reasonable to assume that humans are the primary channel used to trigger malware and ransomware. Exploitation of vulnerabilities, backdoors and other fine technicalities exist, but according to the report they account for the remaining 100% – 95% = 5%. So how do humans get in touch with malware or ransomware, and how do they trigger it? Email and browsing are probably the most used channels. This consideration alone should steer our security spending towards prevention (stopping things before they reach the user), remediation and, yes, once again, education.

There is an undersupply of cyber professionals—a gap of more than 3 million worldwide.

the global risk report 2022

Means: when planning a technology deployment, make sure it is easy to manage, provides information that is easy to understand and gives you context. You will probably not have dozens of skilled specialists, so make your investment effective; otherwise you will waste both your money and your security.

What to do: The undersupply of cyber professionals is a plague we will carry with us for some years yet. The problem is that a cyber security professional needs experience, knowledge, flexibility and commitment, all of which are expensive and take time to develop. So it is hard to foresee a solution that will quickly fill the gap. We can train more people, but we have to wait until they gain the right experience, and we have to incentivise people to pursue a career that demands constant learning, critical thinking, stress and passion.

We will not have an unlimited supply of people at our service any time soon, so we need to ease the load on security staff by providing tools, technologies and consoles that make their lives easier, not harder. The simplest way is to plan security investments around integration, automation and visibility. Context and threat intelligence should be the means to understand what is going on and to focus on the most dangerous threats.

Reading reports is not just reading cold numbers; it is a way to understand the actual landscape and the concrete calls to action.

Happy reading.

Thursday, 25 February 2021

Is my CV transmitting my real experience?

Note: I am expanding here a post I wrote on linkedin some time ago:

https://www.linkedin.com/posts/antonioierano_cv-by-image-activity-6767487628494299136-wdlh

I often read posts on LinkedIn about recruiting and the difficulties tied to the typical idiosyncrasies of the Italian job market.

In my area of experience (and at my age), one of the biggest obstacles is getting your experience and its value understood by your counterpart.

The counterpart can be a customer, your employer or manager, a hiring manager if you are looking for a change, or a head hunter.

How difficult is it to pass experiences from a CV?

The CV is the main way you “talk” about your professional experience to the outside world, and nowadays it is fed to an automatic ATS that analyses and sorts it.

I am not ashamed to say I do not like ATS. While I can understand the need for ATS products, explaining how an “ATS-friendly curriculum” should be written is beyond my scope (and my interests).

I will only note here that writing a CV for an ATS means trying to get your CV better indexed, which may not be the best way to express who you are. So you need at least two CVs: one for the ATS, one built for the eventual interview.

However well a CV is written, using it to demonstrate your real value is a titanic undertaking: the CV is dimensionless, or at most one-dimensional (the timeline), and often the reader does not connect the dots (and an ATS certainly does not, lol)!

Your experience is not the simple sum of the things you have done, but the relationships these things have.

So I said to myself, what if I try to express my experiences differently?

Giving a CV a different look from a sterile list of things can be tricky. Remember that it has to stay short; otherwise we are back to the world of hundred-page CVs. Who would read them? No one!

But if I cannot use the many words needed to express what I want to express, I can try a graphical approach: in the end, a picture tells more than a thousand words.

Below I try to show, in graphic form, some of the dimensions that can be extracted from my CV. It does not cover everything (nor should it), but it was an interesting exercise that I recommend to anyone.

I suggest this exercise because it helps you better understand who you are and what you want people to know about you. In the end, if you don’t know yourself and don’t know how to express your value, hardly an external source will be able to understand it.

The required elements of this exercise are basically: what I want to highlight and how.

Maybe if you try the same exercise, you will find something about yourself as I did.

First of all, I asked myself, what would I like to highlight from my CV?

I chose three domains :

  • what is the market I can address
  • what I am knowledgeable on
  • how international is my experience

The process of building the graphical interface was challenging because it implied a different way to express things, but the reward was a better understanding of who I am, how I am perceived, and in the end, what I would like to do when I grow up.

What market do I know?

Usually a head hunter or hiring manager reads your CV quickly and then, if you are lucky, asks some questions. But they do not know what they do not know; they have neither your experience nor your knowledge of your strengths. So how do you make your real market experience clear?

I chose this approach:

[image]

This was a surprise to me when I did it: my career spans more than I was aware of (ok, I am old), which is an asset if you want to sell yourself as a senior guy.

As arbitrary as my division is, it is quite clear that my activities spanned several areas, roles, companies and markets. This makes my experience broader and more open.

My goal was to show my layered experience graphically. The nested circles with the feeds were a simple solution, more understandable and far more readable than the standard written CV.

I am almost sure this could be represented in other graphical forms; in the end it is just an exercise, so I am open to suggestions.

But even with the limits of this view, one of its values is that there is no timeline: the experience is represented by what I did, not when. From this point of view it is far more interesting than the usual CV format.

One of the problems of the standard CV is that the timeline does not express what you learned, and it introduces a reading bias that arbitrarily imposes a reading key which undermines your potential value. Maybe your latest activity is not the most representative one.

What can I do?

The second question that came to my mind when discussing my CV was: ok, what are the things I can do?

This is an exciting topic and requires a double view:

  • what the other recognize in me.
  • what I think I am good at (or want to highlight)

Working on the exercise, I realised that LinkedIn could be the source for the first point, since it has a dedicated section, so why not leverage it?

[image]

The result required some strained graphical work on a slide, and it could be done better than I did it. Still, the output is useful to understand how people perceive you.

The hyperlinks point to the relative section on Linkedin, so any deep dive is even possible 🙂

[image]

The second point is a trade-off between what you think is needed to be presented and what you actually think of yourself.

[image]

If you want, this is where you put the things you want to highlight about yourself. It is the most challenging because it requires you to decide what you want to highlight.

[image]

It would not be a surprise to find out that your strong points do not align with the world's perception of you. As an example, my knowledge of GDPR was not reported among my LinkedIn skills, even though I am quite active on the subject. But since I do not want to be a DPO (read my linked article: https://www.linkedin.com/embeds/publishingEmbed.html?articleId=8926452567889499751), I opted for “data protection” as a skill (and no, GDPR is not about privacy, shame on you).

Why could there be such a difference? There can be several reasons, but it is worth a little introspective analysis of how you communicate your value to the outside (this is the first step, isn't it? let's work on this).

While there are many other domains of your experience you might want to highlight (technical skills, certifications, or whatever), I focused on a specific one: how international is my experience, and how can I convey it?

How international is my experience?

Again a double exercise.

Work and family reasons expanded my understanding of the world; therefore, it is important to highlight both.

Addressing this point is crucial if you want to show that you can adapt and work in an international environment with different cultures.

Just on the cover, I made clear the breadth of roles I covered …

[image]

The map is useful to show what “world experience” means. This is something that can give even to a distracted eye a glance at what you’re talking about.

Here, the aim was to show the Western experience (EU and USA), the APAC experience and the Chinese one: areas of the world with dramatic differences in perception, language, rules and behaviour.

But this, per se, would not prove that I am familiar with different cultures to a high degree. This is why it was worth adding family ties that make my counterpart aware of my familiarity with the varying peculiarities of each culture.

[image]

Introducing some personal elements, which are usually absent from an ordinary CV, reinforces and clarifies your confidence with different cultures (in my case spanning from Europe to Japan, covering North America, the United States and Mexico, where Mexico also tells that I am familiar with Latin countries).

NOTE: Mexico is in North America from a geographical point of view, so anyone who refers to Mexico as South or Central America shows not only an inability to read a map but, worse, no understanding of how offensive this can be perceived to be. And, by the way, the same offence arises when Asian countries are treated as a homogeneous set of cultures.

So I did this exercise for myself, and I found it extremely useful to better understand myself, my experience, my goals and even the value I would like to convey. It is a complementary tool to a standard CV that talks about who you are.

Maybe by doing it, you will learn as well to better express who you are 🙂

And how many dimensions do you have that you would like to show?