Should Australian businesses block generative AI tools, and how?

In a previous article, we discussed the impact of generative AI tools and more specifically ChatGPT on Australian businesses.

A number of cases are starting to come into the public and legal domains, such as that of Hepburn Shire Council Mayor Brian Hood, and this more intricate case where an AI platform can be determined as an "Inventor".

However this space pans out in the next few years, you cannot ignore the realities of Privacy and IP concerns in the Generative AI world. The definition of "Generative" means that it simply learns based on your interactions and inputs.

Whilst many reading this will know that AI solutions have been actively "learning" for many years, the crossover point is where these tools are both prevalent and trained on vast amounts of unqualified, varied data.

Let's talk about blocking

Should you block or control access to ChatGPT?

Firstly, we need to be mindful that ChatGPT is not the only Generative AI tool available to end users via a web browser. There already are, and there will be significantly more, publicly accessible and free end-user UIs that allow access to GPT models, whether base, trained, or even fine-tuned.

Remember, OpenAI is not the only provider of capabilities at this level; Google has Bard, for example (although it's not in Oz yet!).

Next, let's define "block":

  • Physically: as an end user on a device that is under some level of "control", you are denied access. Either you get a "connection failed" style message, or a friendly UX is displayed explaining what happened.
  • Theoretically: through policy and communication, as an employee, contractor or affiliate, you are given instructions as to what you can or cannot do with Generative AI as a whole, or ChatGPT specifically.

Honestly, I find that physically blocking access to tools is a strategy that delivers mixed results. But it has legs and should be considered.

With organisational policies such as BYOD (bring your own device) and remote working, plus personal mobiles and tablets, the proliferation of devices from which end users can access these tools becomes hard to manage.

Human nature will typically lead most to circumvent these blocks, either by accessing websites on their non-controlled devices or, for some, by heading to personal VPN tools to get around them.

This eventually becomes a game of whack-a-mole for the IT and Cyber departments, spending significant time on reviewing logs, maintaining white and black-lists, creating new groups for "trusted" employees and so on.

But what blocking does do is reduce the intersection of company data accessed through normal day-to-day activities and risky/prohibited AI tools. The biggest opportunity here is to curtail the use of CTRL+C, CTRL+V. Astute network management and cyber professionals will point out that mobile and personal devices logged into Microsoft Teams and Outlook/Outlook.com blur this line quite quickly. Even so, using filtering solutions to block access to the websites themselves can make it harder for company data to be easily accessible.

I'm ready to block

So, you have instigated new policies and held education sessions with employees about privacy, security, IP and ethics of AI tools...

And, you have decided you are going to put in a blocking solution too.

Here are some of the approaches you can take:

Disclaimer: Device and network management techniques vary a lot across organisations of different sizes. What works for NAB, is not the solution in use for a 50-person steel fabrication company on the outskirts of Brisbane.

Web & DNS Filtering

For most businesses, this is a quick and easy solution. Bigger businesses may already have technologies in place to strip out known malware, adult and gambling websites. There are hardware and software solutions across the board, ranging from products such as Microsoft Defender for Endpoint, Fortinet, Cloudflare Gateway, Zscaler, Skyhigh Security and NordLayer to more open source, boutique and specialised solutions such as Arista.

What works best for you here is not something I can cover in this article; edge security and threat management is a vast topic.

Now, these technologies can be classified as active or passive.

  • Active means "intelligent", potentially using a mixture of manual intervention, public and privately maintained grey/black lists and even ML trained models to detect a range of factors beyond just the URL, such as request size, content type, location and many more things. This may include device-level browser monitoring and in some cases can be very intrusive.
  • Passive means, you simply tried to access this URL, therefore, no.

Smaller to medium businesses are likely to need just passive solutions, or active solutions that are delivered under a managed service, with extra layers of support for when these solutions fail or trigger a false positive.

One particular solution I am using proactively for my home network and family devices is Cloudflare Zero Trust with WARP, Free Edition.

For families and personal use, I can also highly recommend 1.1.1.1 from Cloudflare too. This won't solve your ChatGPT issues, but it will speed up your browsing and protect your children from Malware and Adult Content.

Mobile Device Management/Endpoint Protection

Whilst the DNS and Web Filtering features I mentioned above are often encompassed within the broader "Endpoint protection" suites (which, I might add, is becoming a very messy, convoluted world of terminology, not helped by the product marketing teams of these organisations), these suites can also provide a specific feature called DLP, Data Loss Prevention.

Again, DLP is a broad area of capability, but these specific features assist with detecting data leaving corporate devices in a number of ways:

  • Encryption, including custom ciphers and keys
  • Alerting and Auditing, including realtime SIEM integrations
  • Rules, based on location, file size, time of day etc.
  • Device features, such as being able to disable copy and paste between applications
  • Data Integrity and Content Filtering, for credit card or PII data

I have real-world experience of Microsoft Defender for Endpoint and Google Endpoint Management and can highly recommend their capabilities for SMEs and Mid-sized organisations.

What about beyond OpenAI and ChatGPT

Well, this is something I consider a small blind spot right now.

Naturally, I do not have access to all Endpoint and DNS Filtering solutions. To hand I can see Microsoft and Cloudflare solutions, but neither has content filtering categories dedicated to Generative AI tools.

This means you might be left to manage this yourself.

I could also be wrong, and service providers may be delivering them.

Here is a great list to start from;

Remember the intent is not to simply disable the tool "just because", it is about blocking access to tools that pose a security or privacy risk to your organisation.
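
The passive approach described under Web & DNS Filtering, applied to a self-maintained Generative AI category, as an added example that is not part of the original article or any vendor's product. The domain entries, the genai-tool.example placeholder and the "<client> <name> <type>" log format are constructed for illustration; the point is that matching must follow DNS label boundaries, so notopenai.com and google.com stay reachable while chat.openai.com is denied.

```python
# Added example (not from the article): passive filtering against a
# self-maintained "Generative AI" category. Sample entries are constructed.
GENAI_CATEGORY = """
# one domain per line; an entry also covers its subdomains
openai.com
bard.google.com
*.genai-tool.example   # placeholder domain
"""

# Constructed DNS query log lines, assumed format: "<client> <name> <type>"
SAMPLE_LOG = [
    "10.0.0.12 chat.openai.com. A",
    "10.0.0.12 CHAT.OpenAI.com A",
    "10.0.0.15 www.google.com A",
    "10.0.0.15 bard.google.com AAAA",
    "10.0.0.20 notopenai.com A",
    "10.0.0.21 api.genai-tool.example A",
]

def normalise(host):
    """Lower-case, drop a port and the trailing dot, convert IDN to ASCII."""
    host = host.strip().lower()
    if host.count(":") == 1:          # host:port (IPv6 literals out of scope)
        host = host.split(":")[0]
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host

def load_category(text):
    """Parse the list, ignoring comments, blanks and a leading '*.'."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalise(line[2:] if line.startswith("*.") else line))
    return entries

def is_blocked(host, category):
    """Block when the host or any parent domain is listed (label boundaries)."""
    labels = normalise(host).split(".")
    return any(".".join(labels[i:]) in category for i in range(len(labels)))

def audit(log_lines, category):
    """Return (client, name) for each logged query that the list would deny."""
    pairs = (line.split()[:2] for line in log_lines)
    return [(c, normalise(h)) for c, h in pairs if is_blocked(h, category)]
```

Running audit(SAMPLE_LOG, load_category(GENAI_CATEGORY)) over exported resolver logs before enforcing the list shows which clients would be affected and helps catch false positives early.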

Things to consider

Now, there are plenty of online resources and content, including dedicated courses and certifications, that cover the Networking, Endpoint and DNS world, so it's not going to be covered in this article. But here are a few things to consider:

  • Consider including personal devices that have access to O365 or G-suite.
  • Blanket policies that are set up are better than no policies at all.
  • Be open to user feedback and define how you handle exceptions.

Is this enough?

Right now, these two technical solutions are a strong foundation for blocking access. If you have alternative approaches, let me know in the comments.

Happy AI'ing.

https://1.1.1.1/family/ is probably a better link for the adult/malware blocking part of 1.1.1.1; the standard 1.1.1.1 is a great DNS, but doesn't do blocking as far as I know.

Anthony Hook Thanks for Sharing!
