{"id":443,"date":"2024-09-30T13:49:10","date_gmt":"2024-09-30T13:49:10","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=443"},"modified":"2024-09-30T13:49:10","modified_gmt":"2024-09-30T13:49:10","slug":"cisos-to-grapple-with-a-thicket-of-emerging-regulations-after-newsom-vetoes-californias-ai-bill","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=443","title":{"rendered":"CISOs to grapple with a thicket of emerging regulations after Newsom vetoes California\u2019s AI bill"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Following a tense period of uncertainty, California Governor Gavin Newsom has vetoed a landmark bill, <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billHistoryClient.xhtml?bill_id=202320240SB1047\">SB-1047<\/a>, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act. 
Passed by the state\u2019s legislature on August 28, 2024, it was considered the world\u2019s most stringent set of regulations yet proposed for governing AI.<\/p>\n<p>Despite recently signing 17 other bills covering the deployment and regulation of GenAI technology, including <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billNavClient.xhtml?bill_id=202320240AB2655\">AB 2655<\/a> and <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=202320240AB2839\">AB 2839<\/a>, two controversial pieces of legislation that limit the use of election-related AI and deepfakes, Newsom thought that SB 1047 was a bridge too far because it <a href=\"https:\/\/www.gov.ca.gov\/2024\/09\/29\/governor-newsom-announces-new-initiatives-to-advance-safe-and-responsible-ai-protect-californians\/\">fell short<\/a> of \u201cproviding a flexible, comprehensive solution to curbing the potential catastrophic risks.\u201d<\/p>\n<p>\u201cThis bill would require developers of large artificial intelligence (AI) models, and those providing the computing power to train such models, to put certain safeguards and policies in place to prevent catastrophic harm,\u201d Newsom <a href=\"https:\/\/www.gov.ca.gov\/wp-content\/uploads\/2024\/09\/SB-1047-Veto-Message.pdf\">said<\/a>.<\/p>\n<p>\u201cBy focusing only on the most expensive and large-scale models, SB 1047 establishes a regulatory framework that could give the public a false sense of security about controlling this fast-moving technology,\u201d he argued.<\/p>\n<h2 class=\"wp-block-heading\">Newsom says the bill would potentially stifle innovation<\/h2>\n<p>\u201cSmaller, specialized models may emerge as equally or even more dangerous than the models targeted by SB 1047 \u2014 at the potential expense of curtailing the very innovation that fuels advancement in favor of the public good.\u201d<\/p>\n<p>He added that California, which is home to 32 of the world\u2019s 50 leading AI companies, will not abandon its 
responsibility as a steward of this new technology but stressed that any regulation adopted by the state must be \u201cinformed by an empirical trajectory analysis of AI systems and capabilities. Ultimately, any framework for effectively regulating AI needs to keep pace with the technology itself.\u201d<\/p>\n<p>Newsom\u2019s dramatic and last-minute rejection of a bill scuttles what its proponents envisioned as a comprehensive and global-leading regulatory framework due to the extensive safety and security guardrails it placed around foundational models, which they believed served as a high-bar template for organizations grappling with the complex creation and use of new genAI technologies.<\/p>\n<h2 class=\"wp-block-heading\">CISOs need to roll up their sleeves to tackle compliance<\/h2>\n<p>SB 1047 was a broadly popular bill. It received support from the <a href=\"https:\/\/theaipi.org\/april-voters-prefer-ai-regulation-over-self-regulation-2-2\/\">majority of Californians<\/a> and garnered <a href=\"https:\/\/safesecureai.org\/expertshttps:\/safesecureai.org\/experts\">endorsements<\/a> from leading academics, legal experts, and dozens of <a href=\"https:\/\/artists4safeai.com\/?utm_campaign=wp_the_technology_202&amp;utm_medium=email&amp;utm_source=newsletter&amp;wpisrc=nl_technology202\">Hollywood heavyweights<\/a>. 
Although Google, Meta, and OpenAI opposed the bill, some leading AI players, <a href=\"https:\/\/www.reuters.com\/technology\/artificial-intelligence\/anthropic-says-california-ai-bills-benefits-likely-outweigh-costs-2024-08-23\/\">including Anthropic<\/a>, tentatively endorsed it.<\/p>\n<p>With the bill\u2019s veto, AI governance now falls to the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=OJ:L_202401689\">EU AI Act<\/a>, a less expansive AI regime enacted this summer, plus <a href=\"https:\/\/www.bclplaw.com\/en-US\/events-insights-news\/us-state-by-state-artificial-intelligence-legislation-snapshot.html\">a patchwork<\/a> of US state-level current and proposed AI regulatory frameworks of varying scope and intensity, an <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2023\/10\/30\/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence\/\">executive order<\/a> issued by the Biden administration, and the newly created <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2024\/02\/biden-harris-administration-announces-first-ever-consortium-dedicated-ai\">AI Institute<\/a> at the National Institute of Standards and Technology (NIST). Most experts say that given the relentlessly divided US Congress, the prospect of a national AI safety and security law is highly doubtful.<\/p>\n<p>The bottom line for CISOs, then, is to \u201croll up your sleeves\u201d because complying with many of the forthcoming disparate and often contradictory requirements will fall on them, Bobby Malhotra, a member of Winston &amp; Strawn\u2019s artificial intelligence (AI) strategy group, tells CSO. \u201cKeep your finger on the pulse. 
Things are changing dynamically, both in terms of technology and the underlying regulations.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Was SB 1047 overkill?<\/h2>\n<p>As Governor Newsom indicated, SB 1047 was designed to impose its most expansive requirements on the biggest AI players. The bill broadly applied to \u201ccovered models,\u201d meaning models that cost over $100 million to develop that are trained using computing power \u201cgreater than 10^26 integer or floating-point operations\u201d (FLOPs) or are based on covered models and fine-tuned at a cost of over $10 million and using computing power of three times 10^25 integer or FLOPs.<\/p>\n<p>The bill would also have required developers to implement technical and organizational controls designed to prevent covered models from causing \u201ccritical harms,\u201d defined as:<\/p>\n<p>creating or using certain weapons of mass destruction to cause mass casualties,<\/p>\n<p>causing mass casualties or at least $500 million in damages by conducting cyberattacks on critical infrastructure or acting with only limited human oversight and causing death, bodily injury, or property damage in a manner that would be a crime if committed by a human<\/p>\n<p>and other comparable harms.<\/p>\n<p>It also required developers to implement a kill-switch or \u201cshutdown capabilities\u201d in the event of disruptions to critical infrastructure. The bill further stipulated that covered models implement extensive cybersecurity and safety protocols subject to rigorous testing, assessment, reporting, and audit obligations.<\/p>\n<p>Some AI experts say these and other bill provisions were overkill. David Brauchler, head of AI and machine learning for North America at NCC Group, tells CSO the bill was \u201caddressing a risk that\u2019s been brought up by a culture of alarmism, where people are afraid that these models are going to go haywire and begin acting out in ways that they weren\u2019t designed to behave. 
In the space where we\u2019re hands-on with these systems, we haven\u2019t observed that that\u2019s anywhere near an immediate or a near-term risk for systems.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Critical harms burdens were possibly too heavy for even big players<\/h2>\n<p>Moreover, the critical harms burdens of the bill might have been too heavy for even the most prominent players to bear. \u201cThe critical harm definition is so broad that developers will be required to make assurances and make guarantees that span a huge number of potential risk areas and make guarantees that are very difficult to do if you\u2019re releasing that model publicly and openly,\u201d Benjamin Brooks, Fellow at the Berkman Klein Center for Internet &amp; Society at Harvard University, and the former head of public policy for Stability AI, tells CSO.<\/p>\n<p>California State Senator Scott Wiener, the bill\u2019s sponsor, lamented the lost opportunity to impose meaningful restraints on AI. \u201cThe companies developing advanced AI systems acknowledge that the risks these models present to the public are real and rapidly increasing,\u201d he <a href=\"https:\/\/sd11.senate.ca.gov\/news\/senator-wiener-responds-governor-newsom-vetoing-landmark-ai-bill\">said<\/a> after Newsom\u2019s veto.<\/p>\n<p>\u201cWhile the large AI labs have made admirable commitments to monitor and mitigate these risks, the truth is that voluntary commitments from industry are not enforceable and rarely work out well for the public,\u201d Wiener said. 
\u201cThis veto leaves us with the troubling reality that companies aiming to create an extremely powerful technology face no binding restrictions from US policymakers, particularly given Congress\u2019s continuing paralysis around regulating the tech industry in any meaningful way.\u201d<\/p>\n<p>Although Newsom contends that smaller and potentially equally risky AI models would have been free of SB 1047\u2019s obligations, some AI experts say that any substantial Gen AI player would likely have crossed the law\u2019s thresholds quite soon. \u201cIt is fair to say that SB 1047 covers the largest AI models that cost over $100 million to train and develop,\u201d Brooks says.<\/p>\n<p>\u201cHowever, those thresholds aren\u2019t particularly durable. I think we\u2019ll have many models that will cross that threshold in the near future,\u201d Brooks says. \u201cAgain, a hundred million dollars might sound like a lot to you and me, but in the context of big AI investments, that is not a high bar. There are a number of early-stage companies that are making investments within that order of magnitude.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Where does AI regulation go next?<\/h2>\n<p>Newsom plans to work on a new AI bill during the California legislature\u2019s next session. 
He hopes to work with \u201cthe leading experts on genAI to help California develop workable guardrails for deploying genAI, focusing on developing an empirical, science-based trajectory analysis of frontier models and their capabilities and attendant risks.\u201d<\/p>\n<p>Newsom also plans to work with \u201cacademia to convene labor stakeholders and the private sector to explore approaches to use genAI technology in the workplace.\u201d Moreover, following his veto, he signed a bill that requires California\u2019s Office of Emergency Services \u201cto expand their work assessing the potential threats posed by the use of genAI to California\u2019s critical infrastructure, including those that could lead to mass casualty events.\u201d<\/p>\n<p>Davis Hake, senior director of cybersecurity services at Venable, tells CSO that \u201c[AI safety and security efforts] weren\u2019t going to go away or be settled with SB 1047, even if it set some type of high watermark. If you sell to Europeans or interact with their systems, you need to start thinking about their potential obligations under the EU AI Act because the Europeans have moved first.\u201d<\/p>\n<p>Unlike most experts, Hake is hopeful that federal lawmakers or policymakers will find a more comprehensive solution that takes precedence over all the emerging AI regulations, at least in the US. 
\u201cRight now, we have this realm where California is in the discussion as are the Europeans, but shouldn\u2019t it be the US negotiating with Europe, not just California negotiating with Europe?\u201d he asks.<\/p>\n<p>\u201cIn terms of policymaking issues like trust and safety, requirements for risk assessment are probably better left to a federal level because the Department of Commerce and Department of State are used to doing these types of negotiations.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Following a tense period of uncertainty, California Governor Gavin Newsom has vetoed a landmark bill, SB-1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act. Passed by the state\u2019s legislature on August 28, 2024, it was considered the world\u2019s most stringent set of regulations yet proposed for governing AI. Despite recently signing 17 [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":444,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/443"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=443"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/443\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/444"}],"wp:attachment":[{"href
":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}