I know nothing about cybersecurity, apart from the fact that my internet passwords are usually rubbish. But they asked my view on the Responsible Innovation aspect. If anyone would like to submit their views, here is the link:
Here is my submission:
Regarding your description of RRI
8. Responsible research and innovation
“Growing public concerns about both privacy and fraud mean that a debate about cybersecurity research is timely. Debates about technology frequently react to products and services as they enter the marketplace. This is often too late. An inclusive and reflective debate could explore the ethical and legal challenges facing researchers in a field which is often at the centre of challenges over control of technologies, markets and personal information. Specific challenges include the management of the dual use potential of cybersecurity research & the disclosure of security flaws during the conduct of research.”
I currently consider that Responsible Research and Innovation is not limited to stakeholder involvement, as is suggested by your document, though it is an important component. It is much broader than this, encompassing:
- The deliberate focus of research and the products of innovation to achieve a social or environmental benefit.
- Assessing and effectively prioritising social, ethical and environmental impacts, risks and opportunities, both now and in the future, alongside the technical and commercial.
- Where oversight mechanisms are better able to anticipate and manage problems and opportunities and which are also able to adapt and respond quickly to changing knowledge or circumstances.
- The consistent, ongoing involvement of society, from beginning to end of the innovation process, including the public & non-governmental groups, who are themselves mindful of the public good.
- Where openness and transparency are an integral component of the innovation process.
In fact, what you are doing, the questions you are asking and the process you are undergoing are fundamental to the responsible development of the internet and the many innovations it has spawned, in which cybersecurity is a growing issue. What you are doing is Responsible Research and Innovation in action!
Your vision of ‘privacy by design and security by design as technological norms’ is to me part of the ‘deliberate focus of research on social benefit’. One could argue that the concerns about cybersecurity are part of ‘assessing and effectively prioritising social, ethical and environmental impacts’, developing ‘oversight mechanisms to adapt and respond quickly to changing knowledge’ and ‘the consistent, ongoing involvement of society’. The ‘openness and transparency’ aspect is very interesting in the context of cybersecurity and is one of its critical dilemmas, as you have identified, though this initiative is demonstrating transparency in process design.
I know nothing at all about this area, so my views should be put under the heading of ‘lay opinions’!
A suggested new question: What are the responsibilities of different actors in this process?
Though it is a component of all of your questions, I feel that under RRI there should be a specific programme which explores ‘What are the responsibilities of different actors in this process?’ – e.g. software designers, search companies, organisations using passwords such as banks where £ is at stake, or where sensitive personal information is at stake, and also just where email addresses are at stake (as there are cost implications for them and us). What is government’s responsibility, what is campaigners’ responsibility and what is our own responsibility?
What do manifestations of these responsibilities look like in practice, from the simple to the very complex ones you are researching? So, for example, in very basic terms, should all companies ask for more complex passwords as a position of responsibility, or is it one’s own fault for using 12345 every time? What personally is my responsibility?
I don’t see from the various Responsibility in ICT projects that this has been done and I think clarity about responsibility, or at least debate about it, as clarity is perhaps optimistic, is important, probably essential to answering many of the questions you pose.
The UK is seen as taking a lead on such initiatives in other areas and is at the forefront of the Responsible Innovation and ICT area, though this must be an international effort, and international organisations such as the World Economic Forum, which are interested in such issues, could host such an initiative.
In response to your specific question on RRI
4 Responsible research and innovation
a. What are the major ethical and legal challenges facing the above cybersecurity research challenges?
I don’t make the distinction between the ethical aspects of the research and the ethical aspects of the issues around cybersecurity itself. Regarding research only, perhaps one of the ethical challenges for the research is that by using an academic approach, social science jargon and only publishing its findings in academic journals (as pretty much most research does), it singularly fails with the primary goal of RRI of contributing to social benefit! Perhaps the RRI component of this research could consider, as a specific component, how its findings should involve and inform the real-life decision making of actors in the field.
b. How should the potential dual use of cybersecurity research be managed most effectively?
Isn’t that a substantial component of the research!?
c. What does an ethical and legal framework look like for ‘responsible disclosure’?
I may be misunderstanding what you mean by ‘responsible disclosure’, but I am not sure that is the area needing the framework; this is a sub-question of the whole ‘responsibility’ question. Referring back to my initial recommendation above, a Responsible Innovation framework for ICT/cybersecurity, which helps delineate responsibilities, of which disclosure is one, would be more useful, more engaging and more appropriate.
I have been involved in initiatives on ‘transparency’ and ‘disclosure’ in various areas in which ‘companies should be more transparent and disclose information on x’ have been mooted. Many of these have been ill thought through and are ignored by the very people they are designed for. A multi-stakeholder process must be designed to consider what is meant by disclosure, at what point, for what purpose, to whom.
d. What does a national programme of public engagement on cybersecurity research look like, and how could it be developed and implemented in the UK?
First, I would consider the national programme to be one which engages all stakeholders involved in the process of developing cybersecurity measures, not just the general public. You would need to engage those users of cybersecurity measures in what their needs/constraints/barriers may be, which I assume will be a part of your research questions on all areas. It is likely the findings of this research will raise specific questions for specific stakeholders, including the general public.
If a broader question were useful to ask, something like ‘What do you see as your responsibility in cybersecurity, and what should be others’ responsibilities?’ would perhaps be helpful. In this way (as is the way of Responsible Research and Innovation), the public involvement initiatives are not just ‘market research’, but are an integral component of developing understanding and solutions to key questions. I.e. they are a good use of the public’s valuable time.
It is important also not just to consider citizens in a lay capacity, but also other groups, such as civil society organisations, and those individuals within companies who are doing work ‘on the ground’. E.g. not just the ‘Head of Cyber-risk’, if there is such a thing, but individuals developing software or managing databases. They will know more about the real-world, often surprisingly practical and ordinary issues related to cybersecurity, which may be important.
How could it be developed:
Maybe there isn’t a national programme. The critical thing for me is that it isn’t just a bland question ‘what do you think about x’, but is an intrinsic and important component of the research or solution development. Maybe there isn’t a ‘big conversation’ type approach; perhaps it is quite specific, e.g. it could be done with banks or Amazon customers, related to applications – e.g. bank security, or passwords.
It could be testing out a proposed solution in a certain area: ‘we are considering x solution to this problem; what issues does this raise for you? If we asked you to do y, what would be your view?’ etc.
The research questions and process should dictate the engagement theme, but fundamentally it should be a good use of their time, not a tick box for the sake of Responsible Innovation and not an indulgence which is going to be ignored.
Submitted by Hilary Sutcliffe
5 December 2013