EU cyber agency secretly uses AI for reports – and gets caught

Officials from the EU cybersecurity agency Enisa admit that two of their reports contained numerous hallucinated sources.

Two reports from the EU cybersecurity agency Enisa have caused a stir: the documents were riddled with numerous fabricated sources. Scientists examined this more closely – and found strong indications that the false sources were hallucinated by an AI.

The reports in question were published last October and November, respectively. When researchers from Westfälische Hochschule read the publications, they became suspicious. For one thing, many passages sounded inconclusive to them. For another, the links provided for cited sources did not work at all when they clicked on them, and this happened on a large scale: according to Der Spiegel magazine, 26 out of 492 footnotes in one of the reports were incorrect.

Now, a link may not work for many reasons, for example, because the structure of the website it refers to has changed. What was striking about the incorrect links, however, was that the errors were typical of LLMs. For example, a link to a Microsoft page about the Russian hacker group APT29 contained that name, although Microsoft itself refers to the group as Midnight Blizzard.

"What bothers me most is that a public authority, which in my eyes has the very important task of issuing reliable, traceable reports, has not done so in this case," criticizes Christian Dietrich, one of the researchers and a professor at Westfälische Hochschule. "All it would have taken was one click."

Enisa, which has an annual budget of around 27 million euros, admitted the errors when asked by Der Spiegel magazine, speaking of "deficiencies" for which it takes responsibility. "Human errors" had occurred and the AI had been allowed to make "minor editorial revisions."

The Chaos Computer Club also voiced criticism. Spokesperson Linus Neumann called the incident "embarrassing." "Enisa is supposed to be the central point of contact for independent expertise, guidelines, and standards in Europe," Der Spiegel quotes Neumann. "If such sloppy work is done even in the very superficial threat reports, it casts a very bad light on the institution."

(nen)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.