Promoting trust in cybersecurity through ethics and law

Modern society is increasingly dependent on information technology, which explains the importance of cybersecurity. The call for the development of expertise has led to the «National strategy for Switzerland’s protection against cyber risks» (NCS). Its core principles include a) a risk-based approach to cybersecurity, according to which risks cannot be completely avoided but can be reduced to an acceptable minimum, b) a decentralised implementation of appropriate measures, c) a subsidiary role of the state, d) the promotion of public-private partnerships, and e) active communication with civil society, the private sector and policymakers. The central aim of the project is to support these key elements of the NCS through research that provides data, insights and recommendations, with a special focus on non-technical aspects of cybersecurity.

Cybersecurity is characterised by rapid technological developments. The constant appearance of new security holes calls for technical protection measures. Many users feel overwhelmed by the speed of this development; a situation that prevents them from making informed decisions regarding their usage behaviour. The constitutional state too is challenged by this technological change, as democratically-based legislative procedures are not always able to keep up with the speed of technological development. This leads to gaps in governance and legislation, which make it more difficult to achieve effective and democratically supported cybersecurity.

The project has three main objectives: firstly, to identify the regulatory needs in the field of cybersecurity, resulting from the mismatch between technological and legislative speed. Secondly, to obtain data through surveys of critical infrastructure operators and experts, in order to support the national cybersecurity strategy. Thirdly, to establish a governance framework on ethical and legal aspects of cybersecurity for the various stakeholders in Switzerland.

The project aims to develop concrete suggestions for parliament and the administration on how Swiss legislation can meet the challenges related to cybersecurity. It will also draw up guidelines for computer emergency response teams, risk and compliance teams of critical infrastructures and providers of cybersecurity solutions on how to deal with difficult decisions related to averting cyber-attacks, for instance in situations in which it is necessary to prioritize the infrastructures that need to be protected.

Creating an ethical and legal governance framework for trustworthy cybersecurity in Switzerland