Promoting trust in cybersecurity through ethics and law
Society's dependence on digital technologies increases cybersecurity risks. This project provided data, insights and recommendations on non-technical aspects of cybersecurity for the attention of policy-makers and experts.
Project description
Modern society is increasingly dependent on information technology, which is why cybersecurity matters. The resulting need for expertise led to the «National strategy for Switzerland's protection against cyber risks» (NCS). Its core principles include a) a risk-based approach to cybersecurity, according to which risks cannot be completely avoided but can be reduced to an acceptable minimum, b) decentralised implementation of appropriate measures, c) a subsidiary role for the state, d) the promotion of public-private partnerships, and e) active communication with civil society, the private sector and policy-makers. The central aim of the project is to support these key elements of the NCS through research that provides data, insights and recommendations, with a special focus on non-technical aspects of cybersecurity.
Background
Cybersecurity is characterised by rapid technological developments. The constant appearance of new security holes calls for technical protection measures. Many users feel overwhelmed by the speed of this development, which prevents them from making informed decisions about their own usage behaviour. The constitutional state is also challenged by this technological change, as democratically based legislative procedures are not always able to keep up with the pace of technological development. This leads to gaps in governance and legislation, which make it more difficult to achieve effective and democratically supported cybersecurity.
Aim
The project pursued three goals: First, to identify the regulatory needs in the field of cybersecurity, resulting from the mismatch between technological and legislative speed. Second, to obtain data through surveys of critical infrastructure operators and cybersecurity professionals to support the national cybersecurity strategy. Third, to create a governance framework based on the results of the first two goals, consisting of recommendations for legislators and ethical guidelines for professionals.
Relevance
The need for legislation was set out at several events for national and cantonal parliaments, the scientific community and industry. In particular, the following points were addressed: 1) a sharpening of the legal concept of "critical infrastructure" and an expansion of the scope of application of the minimum cybersecurity requirements in the Information Security Act; 2) a tightening of the existing minimum requirements; 3) the introduction of additional legal requirements for IT services, in particular digital security services. Furthermore, guidelines for creating a value-oriented cybersecurity culture were developed. These are intended to ensure that ethical and legal uncertainties are addressed early enough that they do not hinder decision-making during cybersecurity incidents, which demand rapid decisions and create complex situations that the law cannot fully cover.
Results
Three main messages
- State involvement in the cybersecurity of critical infrastructures should focus on three aspects: 1) Cybersecurity legislation should focus more on preventative measures, whereas soft law could support critical infrastructures in responding to cyber-incidents; 2) Collaboration with the authorities should exist but should not compromise the autonomy of critical infrastructure; 3) Information sharing, both on technical and management levels, should be supported by adequate legislation.
- Critical infrastructures must adhere to enhanced minimum cybersecurity requirements detailed in the Information Security Act, which should also be amended to clarify the concept of critical infrastructures and to impose additional requirements on IT services.
- First responders to incidents should develop a value-driven cybersecurity culture through preparatory steps: open and lawful discussions among peers about how their actions align with personal and societal values, which makes incident handling more effective.
Original title
Creating an ethical and legal governance framework for trustworthy cybersecurity in Switzerland
Project leader
Dr. Markus Christen, UZH Digital Society Initiative, University of Zurich