Exclusive: France warns of “poisoned data” threat

By Yun Xuan Poon and Medha Basu

The Head of National Cybersecurity Agency and the Ambassador for Digital Affairs discuss how the country will fight irresponsible AI development, fake news, foreign election interference, and hacks into critical infrastructure.

We are what we eat - and this can sometimes be fatal. The first Roman Emperor, Augustus, was topped by poisoned figs, while Alexander the Great died after consuming vast quantities of unmixed wine.

As artificial intelligence advances, it can also be affected by what it consumes. One of the new risks is “poisoned data”, where AI can be fooled by bad data into acting in malicious ways.

France’s government is troubled by this, and is taking steps to mitigate the problem. Guillaume Poupard, General Director of the French National Cybersecurity Agency, and Henri Verdier, Ambassador for Digital Affairs, sat down with GovInsider to discuss how their government is combating poisoned data, fake news and critical infrastructure hacking.

Poisoned data and AI regulation

Poupard foresees that AI and machine learning security will become “a real topic in the future”. Poisoned data is gaining increasing attention from cyber security researchers. Machines that learn from poisoned data can produce disastrous results: an AI doctor that starts giving false healthcare advice, for instance.

It also takes little interference to create severe consequences. Stanford University researchers have warned that “even a single poisoned point can in some cases arbitrarily change” what the machine learns.

Poisoned data can also harm AI’s threat detection capabilities. “We’ve worked a lot on protection and incident response, now the priority is about detection as fast as possible,” Poupard says. France combines its security operations centre with cyber research so that the capabilities are alongside the latest intelligence, he says.

AI worries

Concerns about poisoned data feed into broader worries about an unregulated AI industry. President Macron wants France to become Europe’s tech startup hub, but more needs to be done to keep tech companies accountable for their algorithms and products, he believes. “The development of AI cannot be derived just by some libertarian utopia from the Silicon Valley,” says Verdier. “We want more accountability”.

France wants to make sure companies that develop AI keep customers, not profits, in mind. “We could end up investing a lot just in personal advertising and social control, instead of education or health,” warns Verdier.

Online content regulation

France is also concerned about regulating social media platforms, especially terrorist content. Along with five other countries, it has worked with social media companies to set up the Global Internet Forum to Counter Terrorism (GIFCT).

Governments and companies in GIFCT will share their database on terrorist content so regulators can take down repostings of harmful content more effectively. “After the Christchurch attack, there were one million attempts to republish the same content in one week. That’s more than one every second,” says Verdier. Having a broader pool of information on existing terrorist-related posts would make taking down subsequent postings easier.

France is targeting another type of harmful online content - fake news. Misinformation campaigns during elections can threaten social stability. France experienced this first-hand during the 2017 presidential elections, when false information about the current president, Emmanuel Macron, was leaked just hours before voting began.

The French government has taken a stern approach to this by enacting a fake news law, which will be effective in the three months leading up to an election. “In France, we want our national laws respected online. If it’s forbidden on the streets, it’s forbidden online,” says Verdier. Citizens may report misleading news they find online to a judge, who will decide if it needs to be removed within 24 hours.

Other digital industries already follow tighter rules than Facebook or Twitter. As OneZero notes, the online pornography industry vets all content uploaded before publication. Social media companies are an outlier in publishing everything with no regulation or rules.

Enforcing cybersecurity for critical infrastructure

France has also passed a law that makes it compulsory for critical infrastructure companies to prioritise cybersecurity. “We need to make sure we are connected with critical infrastructure to develop the cyber industry,” says Poupard. Companies have to share all relevant data and details should they come under a cyber attack, and they have to actively develop cybersecurity awareness amongst employees.

France has committed to securing cyberspace by adhering to the guidelines laid out in the Paris Call, which was established last year. This is an international agreement between more than 500 public and private sector organisations to prioritise cybersecurity.

France is determined to regulate its AI companies, social media platforms and critical infrastructure. “The idea is not to do regulation for regulation’s sake, that would be inefficient. The idea is to be sure that cybersecurity becomes a high level priority for big companies,” says Poupard.