These days, everything is online or moving online, necessitating cybersecurity provisions. At times, cybersecurity can violate European social values such as privacy, freedom and equality. Additionally, neglecting cybersecurity can violate other social values, including trust and the expectation of safety. So, cybersecurity is neither simple nor a purely technical issue. For example, the same provisions that protect personal data can make private information available to cybersecurity experts, thus undermining privacy. Existing cybersecurity guidelines are too simple to resolve the complex web of ethical conflicts and prioritisation questions that arise from the topic.
Network of experts
The EU-funded project CANVAS was the first to create a context-dependent framework for resolving cybersecurity ethical conflicts. To do this, the team created a multidisciplinary network, involving dozens of experts, to discuss the issues. CANVAS’ network of experts structured existing cybersecurity knowledge from the fields of ethics, law and technology. This knowledge focused primarily on health, business and legal/security applications. The team disseminated the results of the discussions as the proceedings of 14 workshops and 1 conference. The team also created a series of publications, including four white papers and a book, ‘The Ethics of Cybersecurity’.
“We identified several gaps with respect to ethical research,” says project coordinator Markus Christen, “and European cybersecurity regulations that need to be addressed by future research.” For example, one such gap concerns the operations of cybersecurity service providers. The project’s ethics book discusses customer data handling, information about breaches, threat intelligence, vulnerability-related information and data involved in research collaborations. The book further discusses specific issues of penetration testing, including its supervision, and also customer recruitment and execution.
The experts determined that EU cybersecurity policy needs an overhaul. Policies remain inconsistent, uncertain regarding regulatory competences, and conflicted where stakeholder responsibilities are concerned. The team produced a set of briefing packages for policymakers to address these shortcomings.
“Ethical and legal challenges in cybersecurity are complex, and there is no ‘easy fix’,” says Christen. “What we need is to create awareness on those dilemmas for technical practitioners of the industry.” The team addressed this by producing a reference curriculum that outlines legal issues in cybersecurity, intended for industry experts and academic teachers to use during the training of cybersecurity experts. For students of ICT, the project team produced a massive open online course. All teaching materials are resources for future cybersecurity experts, detailing fundamental concepts to be used in the resolution of cybersecurity dilemmas.
The project received encouraging feedback from several academic institutions that are willing to focus their training as recommended by the CANVAS network of experts. Being a coordination and support action project, CANVAS had no commercial goals. Furthermore, all project-developed resources are open access. Yet several partners will be using the teaching materials developed by the project in the immediate future. Further on, the team hopes to gain funding for several follow-up research projects. As a result, future European cybersecurity guidelines may be able to balance real-world dilemmas.
Keywords: CANVAS, cybersecurity, ethics, social values, ethical conflicts, policymakers, teaching resources, massive open online course