Inconsistent policy on the use of ChatGPT by Government departments is a national security threat and needs to be banned until it is assessed, a Fine Gael TD and former minister has said.
The main concerns centre on Government officials potentially inputting sensitive official information into ChatGPT - an app where it is not clear what happens to the data shared with it.
ChatGPT is a generative artificial intelligence that can answer questions, compose emails, generate essays, write computer code and based on information or data given to it by whoever is using it.
Some Government departments have used the technology in recent months.
Galway East TD Ciaran Cannon raised concerns on the back of replies to 15 parliamentary questions he submitted to various departments on the use of ChatGPT and Artificial Intelligence.
Mr Cannon's concerns were followed by warnings from leading AI and computer science academics who said Government officials need to treat ChatGPT with caution.
The National Cyber Security Centre - which advises Government - has still to issue guidance to departments on the issue.
Mr Cannon, a former Minister of State at the Department of Foreign Affairs, asked if Government departments are using the app to conduct business, whether they had assessed the risk of officials using it, if departments were considering the use of other forms of AI and if the department is considering banning the use of ChatGPT by officials.
Reponses to those parliamentary questions show Government departments allow access to it, others have denied access to it, while others have restricted its use.
Major concerns lie around whether Government data privy to officials could inadvertently be inputted into ChatGPT or other GenAI leaving the data open to others to use or manipulate.
Speaking on RTÉ’s Morning Ireland, UCC lecturer in business information systems Simon Woodworth said Government needs to review use of ChatGPT within departments and by public servants and officials.
"There is another set of threats that emerge. Tools like ChatGPT make it much easier for people with malicious intent to craft a cyberattack," he said.
He added: "Responses from the departments are very concerning. Because there's a lack of consistency there, none of the departments seem to have developed a coherent response to the possible threats that ChatGPT represents."
Professor Barry Smyth – a UCD professor of computer science with expertise in artificial intelligence and machine learning – highlighted concerns about Government officials inputting data into ChatGPT.
He said responses, answers, code and essays generated by the application need to be checked because sometimes it can be factually incorrect.
"There are two sides to this. One is that if they're using it for Government business to prepare, let's say, for the sake of argument, a briefing document or report that will influence policy, then ChatGPT cannot be always relied upon to give us accurate information. Sometimes ChatGPT simply makes things up. It could be reporting statistics and metrics that simply aren't true," said Prof Smyth.
"A second problem is that in prompting ChatGPT or in asking ChatGPT a question you might be revealing sensitive information to it and people might not realise that sensitive information is being revealed. I don't think we can say with certainty how ChatGPT may or may not be incorporating that new information into its knowledge base," he added.
"Who's to know what people are asking it or how they're using the information that they're getting back to it. And we need to just be careful with how we use it and how we trust in it to give us correct and true answers".
A spokesperson for the Government Chief Information Officer confirmed that no advice has been issued in relation to the use of ChatGPT by Government departments and the public service. They added advice from the NCSC on the use of ChatGPT is not available and should be ready in "coming weeks".
However, the NCSC’s head of engagement recently warned in a blog of emerging threats associated with AI and open-source applications like ChatGPT.
Joseph Stephens wrote a detailed article addressing ways a cyber attacker "might leverage" AI applications to "make life easier in penetrating a computer network".
"We are very conscious of emerging threats and potential opportunities in relation to cyber security and adoption of GenAI. We are planning to continue to track this issue and provide appropriate guidance for organisations and individuals in the coming weeks," Mr Stephens said.
Mr Cannon criticised the NCSC for acknowledging a risk associated with the use of ChatGPT in a blog before issuing guidance to government departments.
"Each department has a different stance on the use of the AI app. This creates security concerns when it is up to Government officials to decide whether they can use the app and what information they put into it," said Mr Cannon.
Mr Cannon added he is concerned about national security if ChatGPT is used to generate a report for a minister "and that report about new government policy".
"Effectively you need to put in specific pieces of information into ChatGPT in order for it to produce the outcome you require. It’s entering that, that I think the greatest risk applies right now.
"We need to ensure there's absolute consistency across all Government departments into the nature of the information that's entered into ChatGPT, how we determine whether it's sensitive from a national perspective.
Mr Cannon added in the context of "potential national security challenges arising from the use of ChatGPT" that the National Cyber Security Centre should immediately ban it from Government departments until it is properly risk assessed.
He said the NCSC – particularly given last weekend’s incident involving the Irish Times – should be issuing "a very clear ban" on the use of the app "until such time as they've had the opportunity to assess its implications and offer really solid, reliable guidance".
Mr Cannon said he had not raised the issue with the Taoiseach but would raise it at Fine Gael’s parliamentary party meeting next Wednesday.
The Data Protection Commissioner has said that Open AI and ChatGPT are being examined at European level.
"The European Data Protection Board, of which the Irish Data Protection Commission is a member, recently discussed Open AI and Chat GPT and It decided to launch a dedicated task force which will bring Data Protection Authorities together to do some work in this area," a spokesperson for the commission said.
Each department's response on its use of ChatGPT can be viewed below:
- The Department of Foreign Affairs is 'risk assessing ChatGPT', while the Department of Defence has not used it.
- At the Department of Environment, Climate and Communications, Eamon Ryan has restricted access pending a risk assessment of its use and does not use it to conduct business.
- The Department of Transport has one division that has used ChatGPT. When contacted about the exact use of the app, the department did not give further details.
- The Department of Finance made no comment because it considers the issue a security matter. Minister Michael McGrath said department employees have a duty to comply with the department’s data protection policy.
- Officials at the Department of Public Expenditure, National Development Plan Delivery and Reform do not currently use ChatGPT to conduct official business, Minister Paschal Donohoe said. If it is considered for use it will be risk assessed. The department has used other AI for cyber security.
- The Department of Enterprise, Trade and Employment has used ChatGPT and written to staff about it and other technologies. Minister for Enterprise, Trade and Employment Simon Coveney said an advice note was issued to all staff in his Department about the use of ChatGPT. He said: "Staff members were advised to use caution when using this and similar services, and were instructed that they should not input any sensitive corporate data in to such applications". He said there is no plan to ban the AI chat bot and that "it is important that public servants gain an understanding of these technologies – and this is only possible if they have access to them".
- The Department of Agriculture has used ChatGPT and uses other AI. A spokesperson said use of the app was explored "for answering technical/software related questions." It was "of little benefit and was not used subsequently", and no information was uploaded or shared with the platform. Other AI is used for things such as predicting the likelihood of TB outbreaks and analysis for identifying species susceptible to H5N1 (Bird flu).
- The Department of Education, The Department of Further and Higher Education, Research, and the Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media have not used ChatGPT. However, the Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media funds an AI translation platform for rapid translation of texts between Irish and English.
- The Department of Justice has "no specific Departmental policy" on the use of ChatGPT. The minister said in his written reply "there is an onus on all civil servants to ensure their decisions are fair, impartial and in line with the Civil Service Code of Standards and Behaviour".
- Officials at the Department for Children, Equality, Disability, Integration and Youth are not authorised to use ChatGPT.
- The Minister for Health said that his officials have not used the app to conduct business. The Minister said: "access to the application has been denied pending a risk assessment of its use".
- Minister for Rural and Community Development Heather Humphries said her Department’s ICT is provided by the Minister for Public Expenditure through the Office of the Government Chief Information Officer. Chat GPT is not in use and there are no plans to use this or other forms of AI at this time.