Back to search

IKTPLUSS-IKT og digital innovasjon

Security in Internet Governance and Networks: Analysing the Law (SIGNAL)

Alternative title: Sikkerhet og Internet GoverNance. En Analyse av Legale aspekter (SIGNAL)

Awarded: NOK 12.2 mill.

Internet security depends not only on technological factors but also on an adequate legal framework. Therefore, the SIGNAL project scrutinizes legal requirements for such security. One set of requirements examined by the project concern the prevention of cybercrime. Criminal law plays a significant role in combatting cybercrime at the national level, but there is also an international convention on cybercrime which shapes the national rules. A sub-goal of the project is to assess the extent to which the Convention is sufficiently "up-to-date" in relation to technological developments. Our research reveals that an update of the Convention would be in order. In particular, the current version of the Convention falls short in capturing some of the important technological developments of the last decade. Our research also reveals that cybersecurity is possibly on the way to becoming recognized as a fundamental human right and that this change of status may have profound implications for how we tackle reform of rules on cybercrime. While such a right has yet to attain full legal recognition across Europe, a similar sort of right has already been recognized by some influential national high courts. A recognition of the right in EU law would have profound consequences for both governments and private actors, as they would need to adapt their policies and business practices to ensure respect for the new right. Legal rules for use of cryptography constitute another focus for our research. Cryptography is an important enabler of internet security, but it can also be a tool for cybercrime. This dual potential raises vexing issues. Amongst the questions discussed in the project are the extent to which police should be given access to unencrypted or decrypted data sent over the internet, and what limitations human rights law imposes on such access. Our research shows that recent proposals to introduce mandatory "back-doors" to encrypted systems violate fundamental human rights, particularly the right to privacy. Our research also shows that there are other deep-rooted barriers to law-makers' ability to "resolve" the dilemmas arising from use of encryption by private actors. At the international level, no single intergovernmental organization (IGO) has a mandate to ensure all aspects of internet security. Instead, there are several organizations with overlapping but distinct policy frameworks. Some of these organizations are moving to increase their security mandates. Our research has found, though, that the possibility for IGOs to craft a global consensus on how best to achieve cybersecurity is very limited. This is due to a range of factors connected with the general problem of "multilateral gridlock" along with several factors that are specific to the realm of cybersecurity. Nonetheless, our research also finds that IGOs with a similar ideology - such as the Council of Europe and EU - may be able to collaborate with each other in respect of particular sub-sets of the cybersecurity policy realm, and thereby weaken the grip of this gridlock. Over the last few years, "security by design" has emerged as a goal in cybersecurity regulation and policy. Although the mantra is diffuse, it basically means that security concerns shall be integrated into the entire development of information systems and other products/services. The SIGNAL project has examined the meaning and utility of this mantra, particularly as a legal requirement. We find that the mantra is a valuable addition to cybersecurity law and policy, and, indeed, has become a constitutional rule in EU law. However, we argue that its application is hampered by its vague meaning and by the way software programming is currently undertaken. So law makers cannot take for granted that requiring "security by design" in legislation will lead to proper implementation of the requirement. Our research also shows a similar difficulty with legal requirements for "data protection by design". While data protection authorities have recently provided practical guidance on how to fulfil the requirements, this advice could have been clearer on certain points. Many persons connect cybersecurity with use of PCs and smart phones. Security is nevertheless important also in other machines, such as self-driving cars and robots. One of the questions that the project tackles is how law contributes, and ought to contribute, to ensuring the security of such machines. A related question is whether legal rules on physical safety connected with use of such machines should be integrated with legal rules on cybersecurity. Our research finds that the ability of EU product safety law to address cybersecurity risks is unsatisfactory, particularly for risks where the causal link between the vulnerability and the physical impact is weak. Accordingly, we argue that the EU ought to adopt a new, holistic cybersecurity law.

The SIGNAL project has made major and in some cases seminal contributions to cybersecurity scholarship on a range of "cutting edge" issues, including the development of a fundamental right to cybersecurity, the regulatory challenges posed by encryption, the legal implications of "security by design", and the legal responsibilities of domain name service actors in relation to security of critical internet infrastructure. In tackling these issues, the project has helped define and lift the status of cybersecurity regulation as a field of research in its own right. The project has also helped establish new university courses in the field. Moreover, the project has made significant contributions to the development of concrete regulatory policy outside the academic sphere, both internationally and nationally.

The project examines the legal regulatory structures for internet security by focusing on established, new and proposed legal security requirements, at both international and national levels, for critical internet infrastructure and cloud computing. The project has four main prongs of research. The first prong studies legal requirements relating to use of cryptography. The second prong studies legal rules concerning the prevention of cybercrime. The third prong examines the role of intergovernmental organisations and international law in establishing security frameworks for critical internet infrastructure and cloud computing. The fourth prong assesses rules on the development and use of privacy-enhancing technologies.

Publications from Cristin

No publications found

Funding scheme:

IKTPLUSS-IKT og digital innovasjon