CSRIC Finds That AI Spurs New Security and Privacy Threats for Telecom Sector
The FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) unanimously approved a report Thursday on “best practices” for the FCC and industry on the ethical and practical use of AI and machine learning (ML). The report, which examines privacy and new risks for telecom networks, wasn’t released Thursday.
The Trump administration has pushed a pro-AI strategy, emphasizing the importance of beating China on the emerging technology (see 2509160040), with less emphasis than the last administration on AI guardrails.
The report, approved during CSRIC's meeting at the FCC, examines making AI more “trustworthy” and is based on the National Institute of Standards and Technology’s AI risk management framework, said Jen Oberhausen, Microsoft's senior counsel and co-chair of the AI/ML working group. The group also studied frameworks from Europe and industry and found significant “overlap,” she said. AI systems “are inherently complex, and the exercise of assessing a system’s trustworthy characteristics is fact-specific.”
The report recommends that the FCC collaborate with NIST “to identify and manage risks of AI” while facilitating the “beneficial use cases,” Oberhausen said. It also recommends that the FCC encourage industry and standards bodies to increase participation with groups developing international standards, she said, and calls for research on the "interpretability and explainability" of AI models for telecom networks.
Among its recommendations for industry, the report says companies should develop risk management strategies in keeping with the NIST framework, Oberhausen said. Industry should focus on “the intersection” of AI and cybersecurity to address “improved threat detection, security automation and identity and access management.” Companies should also take into account earlier CSRIC reports that touch on AI and 5G security, she said.
The report “offers a balanced, actionable set of best practice guidelines and recommendations for responsible AI integration into the communications networks,” said Vijay Gurbani, chief data scientist at Vail Systems and the working group's other co-chair.
Gurbani said the report puts risks into categories, starting with “existing, systemic risks that AI can amplify.” Like humans, “AI is susceptible to bias, error and poor performance, but given the scale at which the AI/ML models operate, these risks are easily multiplied."
There are also new risks unique to AI, Gurbani said. AI systems analyze vast amounts of data, and how it will be used to arrive at a decision “may not be fully known by the system owner.” That means “new security and privacy risks that expand the network's attack surface.”
Automatic speech recognition used in AI also raises new privacy concerns, he added. It “may inadvertently record conversations … that are not pertinent to the transcription.” People are better than AI at distinguishing between background audio and the primary speaker and can choose to focus on the speaker, Gurbani said. The transcript can include nuances, idioms and grammatical quirks as well, which “collectively form a linguistic fingerprint of the caller.” AI can match that fingerprint to other transcripts with the same user, creating privacy issues, he said.
In addition, the report looks at major use cases, including employing AI to convert speech to text and text to speech, Gurbani said. It also covers biometric detection used to determine if a caller is a real person, finding that synthetic voice generation models “are now capable of generating a very accurate facsimile of a particular human’s voice” using a voice sample of 10 seconds or less. The report examines retrieval-augmented generation, a technique that enables large language models to retrieve and incorporate new information, he added.
CSRIC will next meet Dec. 19.