Book contents
- Frontmatter
- Contents
- List of Contributors
- Chapter 1 Introduction: Security and Law in a Digitizing World
- Chapter 2 Safety, Security and Ethics
- Chapter 3 National and Public Security within and beyond the Police Directive
- Chapter 4 Criminal Profiling and Non-Discrimination: On Firm Grounds for the Digital Era?
- Chapter 5 Operationalization of Information Security through Compliance with Directive 2016/680 in Law Enforcement Technology and Practice
- Chapter 6 Protecting Human Rights through a Global Encryption Provision
- Chapter 7 Identity Management and Security
- Chapter 8 Towards an Obligation to Secure Connected and Automated Vehicles “by Design”?
- Chapter 9 The Cybersecurity Requirements for Operators of Essential Services under the NIS Directive – An Analysis of Potential Liability Issues from an EU, German and UK Perspective
- Chapter 10 The ‘by Design’ Turn in EU Cybersecurity Law: Emergence, Challenges and Ways Forward
- Chapter 11 Promoting Coherence in the EU Cybersecurity Strategy
- Chapter 12 Challenges of the Cyber Sanctions Regime under the Common Foreign and Security Policy (CFSP)
- Chapter 13 International (Cyber)security of the Global Aviation Critical Infrastructure as a Community Interest
- Cumulative Bibliography
- Miscellaneous Endmatter
Chapter 10 - The ‘by Design’ Turn in EU Cybersecurity Law: Emergence, Challenges and Ways Forward
Published online by Cambridge University Press: 23 January 2020
Summary
INTRODUCTION
The aim of this chapter is to analyse ‘Security by Design’ (SbD) as an emerging concept in EU law, especially in the fields of information security and data protection. The topic is especially relevant in light of the growing number of data breaches and the ever-increasing pervasiveness of Internet of Things (IoT) devices. It is even more so when one takes into account the worrying trend, especially among important market players, to tolerate the risk of data breaches and therefore to keep IT security investments relatively low. The first part of this chapter will substantiate the notion of SbD by deciphering the exact meaning of the concepts of ‘design’ and ‘security’, with a strong focus on the IT sector. The second part will then explore the emergence of SbD as a principle in the EU legislative framework. In that context, a comparison will be made with the ‘Data Protection by Design’ (DPbD) paradigm, which has been one of the cornerstones of the data protection reform. The last part will highlight some of the challenges inherent to the ‘by design’ approach.
DECODING ‘SECURITY BY DESIGN’: A TALE OF ‘SECURITY’ AND ‘DESIGN’
Before delving into the substance and challenges of the SbD paradigm, it is crucial to clarify the exact scope of the two notions that lie at the heart of that approach, namely ‘security’ and ‘design’. In the ICT context, ‘security’ has been defined by the European Union Agency for Network and Information Security (ENISA) as protection against the threat of theft, deletion or alteration of data stored or transmitted within a system. Such a definition echoes the so-called ‘CIA triad’, namely confidentiality, integrity and availability, which has been recognised as the basis of information security for decades. While the notion of security traditionally encompasses the protection of both physical assets (e.g. a data centre) and non-physical assets (e.g. the data processed on the servers in that data centre), the present contribution will, for the sake of conciseness, be limited to the analysis of the second component.
‘Design’, on the other hand, refers to “the process by which an agent creates a specification of a software artefact intended to accomplish goals, using a set of primitive components and subject to constraints”. Alternatively, the notion of ‘software design’ has been taken to cover “all the activities involved in conceptualising, framing, implementing, commissioning, and ultimately modifying complex systems”.
- Type: Chapter
- Information: Security and Law: Legal and Ethical Aspects of Public Security, Cyber Security and Critical Infrastructure Security, pp. 239-252
- Publisher: Intersentia
- Print publication year: 2019