
SAUS, Quadra 6, Bloco H, 7º andar, Ala Sul - Bairro Asa Sul, Brasília/DF, CEP 70070-940
Telephone: (61)2312-2031 - https://www.gov.br/anatel
  

Important: External Access (www.anatel.gov.br/seiusuarioexterno) allows Electronic Petitioning to open a New Process, an Intercurrent Process, and a Response to Summons. SEI Public Search: www.anatel.gov.br/seipesquisa
  

Official Letter No. 7/2024/C-INT-ANATEL

Translation of the Official Letter:

 

Official Letter No. 6/2024/C-INT-ANATEL

 

To the
Representative of Open AI Inc. and/or OpenAI LP,
in Brazil/Latin America

 

 

Subject: Cybersecurity risks of malicious use of ChatGPT to consumer health and safety.

 

Dear Sir or Madam,

 

 

The National Telecommunication Agency (Anatel) is the regulatory body for telecommunications in Brazil, created by Law No. 9.472 of July 16th, 1997. Regulating and overseeing the execution, commercialization, and use of services, the implementation and operation of telecommunications networks, and the management of the use of orbit resources and radiofrequency spectrum are among its mandate.

In exercising its institutional mission, one of the priority topics is cybersecurity, which justified the approval of a dedicated sectoral framework in 2020: the Cybersecurity Regulation Applied to the Telecommunications Sector (R-Ciber), which establishes a set of principles, guidelines, and obligations, in addition to institutionalizing the sectoral cybersecurity governance structure, with the creation of the Technical Group on Cybersecurity and Critical Infrastructure Risk Management (GT-Ciber).

Considering the evolving landscape of risks and threats, R-Ciber was recently updated with the aim, among others, of increasing the number of providers subject to the ex-ante control regime of cybersecurity obligations. In this regard, Anatel's Board of Commissioners, in Process No. 53500.057799/2021-74, accepted the terms of Analysis No. 46/2024/AF (SEI No. 11926663).

In the aforementioned deliberation, the Board of Commissioners instructed the Telecommunications Infrastructure Committee (C-INT) and the Agency's Superintendencies to continue developing studies on emerging topics related to cybersecurity, notably data centers and cloud computing; the use of artificial intelligence (AI) in telecommunications infrastructure; submarine cables; and generative artificial intelligence (GenAI) applications.

Reinforcing the priority of the topic, the Agency's Strategic Plan 2023-2027 included two initiatives associated with it:

- Initiative 7: Promote holistic risk management and protection of critical infrastructures.
  - Strategic process objective: 1D) Protect critical connectivity infrastructures.
  - Expected results: Greater protection of critical infrastructures and Increased protection against cyber threats.

- Initiative 17: Ensure prevention against fraud in the digital ecosystem.
  - Strategic process objective: 3A) Promote digital security awareness and safety for users and other agents.
  - Expected results: Reduction of digital scams/fraud and Increased user trust in technology.

Numerous actions are being planned and executed to improve cybersecurity in its various dimensions—processes, technology, people, and governance.

Notably, the Agency has been working from the perspective of the safety of telecommunications.

The centrality of telecommunications' role in the digital ecosystem and consistent action on the topic, both nationally and internationally, led to Anatel being included as the only Regulatory Agency with ministerial linkage to have a seat on the National Cybersecurity Committee (CNCiber). Established by Decree No. 11.856 of December 26th, 2023, CNCiber is responsible, in summary, for leading the implementation of the National Cybersecurity Policy (PNCiber).

Internationally, Anatel represents Brazil in collaboration with other Executive Branch entities in various organizations, highlighting its already recognized leadership with the International Telecommunication Union (ITU), a specialized agency of the United Nations for Information and Communication Technologies (ICTs). ITU has been progressively working on Artificial Intelligence and Cybersecurity topics, such as study items in the Standardization Sector (ITU-T) and the "AI for Good" Platform.

In exercising this leadership, Anatel promoted the approval of the first resolution on Artificial Intelligence (AI) at the last ITU Plenipotentiary Conference, proposing the inclusion of a specific study item on the opportunities and challenges of GenAI. It will also bring a related proposal to the next World Telecommunication Standardization Assembly (WTSA-24).

After this brief overview of Anatel's recent developments on cybersecurity, various cases of the use of GenAI to facilitate cyberattacks are publicly known. Examples include rewriting malware codes, creating phishing campaigns, and even spear phishing, using increasingly credible texts to deceive the recipient.

An example of the contours of the threat posed by AI is detailed in the work Synthetic Cancer - Augmenting Worms with LLMs, authored by Professors Benjamin Zimmerman, from Ohio State University, and David Zollikofer, from ETH Zürich & Innovista Management GmbH. This study, still pending peer review, shows, in a concrete and detailed fashion, how the threat can occur using the ChatGPT platform.

The risks of faster, more effective, and larger-scale intrusions, with personalized phishing and malware methods, using GenAI resources have already been identified conceptually in studies such as Safety and Security Risks of Generative Artificial Intelligence to 2025, promoted by the British Government, and Initial policy considerations for generative artificial intelligence, promoted by the Organization for Economic Cooperation and Development (OECD).

Additionally, the work Consumer policy and the smart home mentions adverse events such as the use of infected devices against their own users and the launch of external attacks using multiple smart devices that have some kind of vulnerability maliciously exploited.

Four of the seven G7 member countries, in their understanding expressed during the discussion of the Hiroshima Process on Generative AI, consider security risks among the five most important associated with the use of this technology.

The article's content and the studies mentioned above raise concerns about the risks that the malicious use of GenAI tools can cause to the security of networks, telecommunications services, and consumer safety. These risks are particularly relevant to the various layers of telecommunications services, whose protection is within Anatel's mandate.

The emerging cybersecurity risks for consumers - related both to users of the services themselves and to third parties who may be affected by adverse events related to them - demand appropriate management measures, citing, by way of example, the following:

- Exposure of consumer privacy to malicious agents, who can exploit this situation to gain undue advantages, harming their mental health and property;

- Gaining access to consumer financial data, through which unauthorized bank account and other application movements can be made, resulting in losses that can lead to financial ruin, through phishing, smishing, and various social engineering practices, whose potential becomes progressively more sophisticated due to the increasingly realistic patterns of synthetic information generated by Generative AI tools; and

- Devices infected with malware disseminated by Generative AI are used to target cyberattacks that can compromise essential services and other critical infrastructures, such as judicial services, water supply, electricity, medical services, financial services, etc., which require the regular operation of the digital ecosystem to function properly.

It is worth noting that there are over 260 million enabled telephone lines in Brazil, a number greater than its population.

From the consumer's point of view, the risks of digital environment scams are as impactful as cyberattacks themselves, and for this reason, Anatel has been engaging in various actions with actors from the telecommunications, financial, and digital platform sectors in prevention and reaction measures.

In this context, the propagation of malware, phishing campaigns, and other attacks using social engineering with GenAI resources initially amplifies the risks to the consumer when using products and services across the various layers of telecommunications.

While the numerous benefits and opportunities that GenAI brings to various societal and economic activities are recognized, it is important that these risks are adequately addressed so that GenAI consolidates itself constructively as a safe and useful technology for all consumers.

It is important to highlight that OpenAI's terms of use prohibit the use of its services for illegal, harmful, or abusive activities. Such activities include misappropriating or violating third-party rights and any action inconsistent with the protection and security measures implemented in the services offered.

Given the above, the Agency is committed to initiating an institutional dialogue. We are eager to understand how cybersecurity risks related to GenAI are being addressed and managed by your organization, including any frameworks that are being used.

I make my office available for clarifications or other necessary additional information and to schedule an initial conversation.

Respectfully,

 

ALEXANDRE FREIRE

Anatel Board Member

Chairman of the Telecommunications Infrastructure Committee (C-INT)

 

Reference: When responding to this official letter, expressly indicate Process No. 53500.058586/2024-11

SEI No. 12264310



Document electronically signed by Alexandre Reis Siqueira Freire, Chairman of the Committee, on 24/07/2024, at 11:58, according to the official time of Brasília, pursuant to art. 23, item II, of Anatel Ordinance No. 912/2017.



The authenticity of this document can be verified at http://www.anatel.gov.br/autenticidade by entering the verification code 12316943 and the CRC code FC4EB44F.




Reference: When responding to this Official Letter, expressly indicate Process No. 53500.058586/2024-11
SEI No. 12316943