These are the kinds of mind-boggling questions someone may be facing right now.
Should a hospital pay a ransom to get back medical records needed to treat critically ill patients? Is it okay for hacked corporations attempt to even the score by hacking back? When governments become aware of a cyber attack, do they have an obligation to inform the targets immediately, even if that eliminates the chance to corner the intruders? When investigating systems of their customer, what should incident response consultants do if they come across traces of illegal activities by the customer?
The stakes are high
“The ethical dilemmas that arise from securing our cyber space are growing more complex, as the stakes of protecting systems and data have risen from billions of dollars to trillions, along with human lives,” said Alexey Kirichenko, Research Collaboration Manager at F-Secure’s Security Research and Technologies department.
That’s why three years ago, F-Secure joined the European Commission-funded CANVAS project. It was launched with the goal of bringing together stakeholders from across the European Digital Agenda with social scientists, legal and ethical experts, and the industry’s leading cyber security technology and service providers.
The first project of its kind, CANVAS, set a goal of aligning cyber security with European rights and values. Now, after three years of work and 14 workshops with dozens of cyber security experts, the results are in and available to the world.
“The goal was to arm people who have to or want to confront these dilemmas effectively and ethically with the insights they need to make the best decisions possible,” says Dr. Markus Christen, Managing Director of the Digital Society Initiative of the University of Zurich and the project coordinator.
Deliverables for the future
In addition to a book and four white papers collecting the findings, CANVAS has prepared three sets of deliverables for the audiences that need them most.
For policy makers charged with establishing and enforcing regulations, CANVAS produced four briefing packages that include case studies and reading lists. They focus on:
- Achieving Trust in EU Cyber Security
- Cyber Security and the European Data Protection Framework
- All Fundamental Rights are relevant for Cyber Security
- Achieving Comprehensive and Consistent EU Cyber Security Policies
Next, a reference curriculum outlines how teachers and industry leaders can train cyber security experts in legal and ethical issues. It includes teaching material such as lecture slides, case studies, and reading pointers.
And the third deliverable – a massive open online course (MOOC) – is of use to anyone who wants to educate themselves about these issues, whether you’re an aspiring expert or a lifelong learner who is trying to prepare for a future where almost everything will be connected and needs to be protected.
“This is the deliverable that has the potential to inform the largest number of people right now,” Alexey says.
The Cyber Security Ethics MOOC, which launched last summer, offers “a comprehensive overview of the central principles and challenges in the fields of cyber security, privacy and trust.”
What are the pre-requisites?
“No special knowledge required. This course is open to all interested parties.”
Who are the interested parties?
“Anyone,” Alexey says. “You may not be obsessed with cyber security yet. But you and your family already depend on it. Anyone who cares about the future may want to take a focused look on what exactly it means to secure your data, devices and communications without losing your values.”
The end of the CANVAS project doesn’t mean the work is done and all the ethical quandaries have been solved. Most of those are heavily context-dependent, and a good approach in one case may not be acceptable in another. And, undoubtedly, more questions will arise in the future. Further research in ethics of cybersecurity is needed and will hopefully be supported by policy makers, industry and academia.