Can we build tools to support technology aware regulations and regulations aware technologies in cybersecurity and privacy?

When we study policy and technology approaches to cybersecurity and privacy, we discover that there is some level of agreement on high level concepts and principles shared by diverse stakeholders that include technologists and regulators in different geographic regions. However, transition from these principles to specific technology requirements continues to be complicated and is not yet addressed in a structured and broadly applicable manner.
The essential role of privacy in cyberspace is universally recognized, and most constituencies support principles of Privacy by Design—proactive rather than remedial support for privacy; privacy as a default setting; privacy embedded in design; full functionality supported by privacy; end-to-end security; visibility and transparency; user centric approach to privacy. However, translation of these principles to specific technology and process requirements continues to present a challenge, and research projects focusing on this translation, such as PRIPARE  have created an extensive inventory of tools and methodologies to enable technologists to formulate engineering requirements that are objectively linked to the principles of Privacy by Design.
The OECD’s report, “Cybersecurity Policy Making at a Turning Point: Analyzing a New Generation of National Cybersecurity Strategies for the Internet Economy and Non-governmental Perspectives on a New Generation of National Cybersecurity Strategies: Contributions from BIAC, CSISAC and ITAC,” reveals that cybersecurity strategies developed by different nations share a number of common elements, including emphasis on private-public partnerships, need for international cooperation, or support for fundamental values, e.g., privacy and reliance on innovation and open Internet. Although there is a good level of agreement on high level concepts, processes, structures, and mechanisms associated with them remain diverse, complicating the international dialog on cybersecurity issues.
The modern technology environment and associated regulatory space are extremely complex, and the expectations that the regulators and technologists could possess expert knowledge of the context necessary for in-depth discussions are becoming unrealistic. While understanding of high level principles can be achieved by all parties, more specialized areas, such as regulatory traditions, legal frameworks, international issues, best practices, engineering requirements, and technology constraints require expert knowledge. The lack of a mutually accepted shared context makes multi-stakeholders initiatives more difficult to conduct successfully and efficiently.
For similar reasons, discussions associated with emerging regulations and their implementation, e.g., the proposed EU Network and Information Security (NIS) Directive, are increasingly lengthy and complicated, and adoption of general purpose technologies in different geographic regions is increasingly unpredictable.
The absence of more objective connections between high level principles and context-specific requirements and best practices in cybersecurity and privacy is only part of a very complex picture, but the creation of a shared context is likely to have a positive effect on the efficiency of multi-stakeholder activities.
Research linking technology and policy made progress in recent years, resulting in productive ideas, such as Prof. Latanya Sweeney’s Technology Dialectics framework  that “blends different research traditions into a unified approach for developing technology such that the resulting technology is provably appropriate for a given personal, societal, organizational, and/or legal context.”
Decision support tools have become ubiquitous in multi-disciplinary domains, such as healthcare, aviation administration, finance, urban planning, or environmental management. The environment is ready to use the advances in Knowledge Engineering to build modern Decision Support Systems that can serve multi-disciplinary fields. A multi-domain ontology for cybersecurity and privacy, linking high level principles with best practices, policy, legal, and engineering requirements, could provide an early approach to creating a context shared by regulators and technologists. Such an ontology could also support the ability to reason about a domain and identify constraints early, bringing greater efficiency to the dialog. While semantic tools are notoriously difficult to develop, Knowledge Engineering research in cybersecurity and privacy has been active, and a foundation already exists to build the first generation of ontologies that could bring technology and policy development closer together.

Comments are closed.