Ethical Considerations in Cybersecurity

In the field of cybersecurity, ethical considerations play a vital role in determining how security is managed, implemented, and enforced. As technology continues to advance, so do the complexities of protecting sensitive information and systems from cyber threats. Ethical frameworks help guide decision-making processes for cybersecurity professionals, ensuring that their actions not only protect assets but also respect individual rights and societal values.

Ethics is central to cyber security. Cyber security practices aim to secure computer systems and networks and to keep data safe. That data, and those systems and networks, hold economic or other value in themselves, but what cyber security practices essentially protect is the integrity, functionality, and reliability of the organizations that rely on them. Ethical issues therefore sit at the core of cyber security practice, because that practice is increasingly required to secure the ability of individuals and groups to live well. In an increasingly networked society, a wider and better understanding of cyber security ethics is critical for promoting human prosperity. Three important ethical issues in cyber security are discussed below.[1]

The first issue is harm to privacy. A privacy harm is the negative consequence of a privacy violation. One of the most common cyber threats to privacy is identity theft, the term for crimes in which someone unlawfully obtains and uses another person’s personal data in a way that involves fraud, usually for financial gain. The exposure of sensitive personal information also results in costly spam, phishing, and other unwanted communications. It is important to understand that privacy harms do not only affect those whose sensitive information is directly exposed to cyber threats. Even people who try to live disconnected from the digital world cannot prevent sensitive data about them from being generated and shared by their friends or family. This places enormous pressure on cyber security specialists, who are trusted with manning the critical line of defense against personal and organizational privacy harms.[2]

The second ethical issue is cyber security resource allocation. Cyber security efforts consume considerable individual and organizational resources, such as time, money, and expertise, yet failing to put adequate measures in place imposes even greater costs. One may naturally ask how resource allocation can be an ethical issue. Imagine a cyber security expert who works for a hospital and responds to a possible threat by immediately imposing an extremely time-consuming login procedure, without first considering the core function and interests of the network’s users.[3]

The third ethical issue is transparency and disclosure. Cyber security is a form of risk management, and because those risks substantially affect other parties, there is a default ethical duty to disclose them once identified so that affected parties can make informed decisions. For instance, if a company discovers a critical vulnerability in its software, it should notify its customers or clients of that discovery in a timely manner. That said, each cyber security scenario involves different facts, different products or services, and different interests at stake, so there is no one-size-fits-all approach that guarantees adequately transparent practice. What is required in each case is a solid ethical reflection on the specific scenario and the risks, benefits, and trade-offs involved, followed by a coherent ethical judgment about what is best to do given the facts and options.[4]

In today’s digital world the need to maintain cyber-security and protect sensitive information is more important than ever. However, this must be balanced against the right to privacy, which is a fundamental human right recognized by international law. The advancement of digital technologies has revolutionized the way we live, work, and communicate. The widespread use of the Internet and digital devices has made our lives easier, but it has also created new challenges, particularly in the areas of cyber-security and privacy. With an increasing amount of personal and sensitive information being stored online, protecting that information from cyber-attacks has become a critical concern for individuals, businesses, and governments. At the same time, protecting individuals’ privacy rights in the digital age has become a challenging task, as the collection and processing of personal data have become more widespread.[5]

To better understand the ethical considerations and approaches to security, it is important to outline the current legal frameworks for cyber-security and privacy in various jurisdictions.

In the US, several laws and regulations govern cyber-security and privacy. The most significant is the Cybersecurity Information Sharing Act (CISA), enacted in 2015 to encourage information sharing between the government and private entities regarding cyber threats. Other important laws include the Electronic Communications Privacy Act (ECPA), which regulates the interception of electronic communications, and the Health Insurance Portability and Accountability Act (HIPAA), which establishes privacy standards for health information. The Federal Trade Commission (FTC) has been active in enforcing privacy and data security regulations, particularly with regard to consumer protection. The legal framework for cyber-security and privacy in the United States is complex and evolving, with a mix of federal and state laws, regulations, and guidelines that apply to different industries and sectors.

The current legal framework for cyber-security and privacy in Europe is primarily governed by the General Data Protection Regulation (GDPR), in effect since May 2018. The GDPR applies to all businesses operating within the European Union (EU) and regulates the processing of personal data of individuals within the EU. The regulation sets out strict requirements for obtaining consent, data breach notification, and the right to be forgotten, among other provisions. The Network and Information Systems Directive (NIS Directive) requires EU member states to implement cyber-security measures for critical infrastructure and digital service providers, and to report major security incidents to national authorities. The EU Cyber-security Act also establishes a framework for the certification of information and communication technology products and services. The European legal framework prioritizes the protection of personal data and cyber-security while balancing these interests with the needs of businesses and national security concerns.

In the United Kingdom, the main legislation governing cyber-security and privacy is the Data Protection Act 2018, which incorporates the General Data Protection Regulation (GDPR) into UK law. The GDPR provides a comprehensive framework for protecting individuals’ personal data and sets out strict rules for the collection, storage, and processing of such data by organizations. The act also establishes the Information Commissioner’s Office (ICO) as the regulator for data protection in the UK, with the power to enforce compliance and issue fines for non-compliance. The UK also has the Computer Misuse Act 1990, which criminalizes unauthorized access to computer systems, hacking, and other cyber-related offences. The UK government has recently introduced the National Cyber Security Strategy, which sets out a comprehensive approach to enhancing the country’s cyber-security capabilities and protecting against cyber-attacks. The UK has a robust legal framework for cyber-security and privacy that seeks to balance the need for strong security measures with the protection of individuals’ privacy rights.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the primary legislation governing the collection, use, and disclosure of personal information by private sector organizations. It requires organizations to obtain an individual’s consent before collecting, using, or disclosing their personal information, and to take reasonable measures to safeguard that information from unauthorized access, use, or disclosure. Canada’s Anti-Spam Legislation (CASL) regulates the sending of commercial electronic messages, and the Digital Privacy Act introduced several amendments to PIPEDA, including mandatory breach notification requirements for organizations. The Office of the Privacy Commissioner is responsible for enforcing PIPEDA and promoting privacy rights.

The United Arab Emirates (UAE) has implemented several legal measures to regulate cyber-security and privacy. One of the key instruments is the UAE Cybercrime Law, which criminalizes various cyber offenses, such as hacking, phishing, and spreading false information online. The law also sets out punishments for violating the cyber-security of individuals or organizations, including fines and imprisonment. In addition, the UAE has established the National Electronic Security Authority (NESA), which is responsible for securing the country’s critical information infrastructure and developing national cyber-security policies. The UAE also recently enacted a data protection law, which regulates the processing of personal data and requires organizations to implement adequate measures to protect the privacy of individuals. Despite these legal frameworks, concerns have been raised about the lack of transparency and due process in some cases related to cyber-security and privacy in the UAE.

In Singapore, cyber-security and privacy are governed by a range of laws and regulations. The Personal Data Protection Act (PDPA) is the main piece of legislation regulating the collection, use, and disclosure of personal data in Singapore. The PDPA requires organizations to obtain individuals’ consent before collecting, using, or disclosing their personal data and to take reasonable steps to protect that data. The Cyber-security Act, introduced in 2018, establishes a framework for the regulation of critical information infrastructure (CII) and provides for the sharing of information between CII owners and the government in the event of a cyber-attack. The Computer Misuse Act criminalizes various types of cyber-crime, including unauthorized access and hacking. The Monetary Authority of Singapore has also issued a set of guidelines on technology risk management, which sets out best practices for financial institutions to manage cyber-risk.

China has a complex legal framework for cyber-security and privacy, which is heavily influenced by the country’s political and social context. The Cyber-security Law of the People’s Republic of China, in force since 2016, provides a comprehensive regulatory framework for cyber-security. The law requires network operators to take measures to protect the security of personal information and to report cyber-security incidents to the authorities. It also empowers the Chinese government to conduct cyber-security inspections and investigations, and to take measures to prevent and respond to cyber-security threats.

In Japan, the legal framework for cyber-security and privacy is primarily governed by the Act on the Protection of Personal Information (APPI), revised in 2020 to strengthen privacy protections for individuals. The APPI applies to both private and public sector organizations and sets out requirements for the collection, use, and disclosure of personal information, as well as the establishment of security measures to protect against unauthorized access, loss, destruction, alteration, or disclosure of personal information. In addition to the APPI, Japan has implemented the Cyber-security Basic Act, which aims to ensure the security of information and communications networks, and the Act on the Protection of Specially Designated Secrets, which regulates the handling of confidential information related to national security. The Japanese government has also established the Cyber-security Strategy Headquarters to promote cyber-security measures and coordinate efforts among relevant agencies and organizations.

In South Korea, the Personal Information Protection Act (PIPA) serves as the primary legislation governing data privacy and cyber-security. The PIPA aims to protect personal information by regulating its collection, storage, use, and provision to third parties. It also mandates the implementation of appropriate security measures to prevent data breaches and requires prompt notification of affected individuals in the event of a security incident. In addition, the Network Act requires Internet service providers to retain user data for a certain period and grants law enforcement agencies access to this data under the circumstances set out in the Act. It also prohibits cyber-bullying and the spreading of false information online. The South Korean government has established the Ministry of Science and ICT and the Korea Internet & Security Agency to oversee and regulate cyber-security measures in the country. Despite these regulations, there have been concerns over government surveillance and censorship in South Korea, particularly in the context of national security.

Australia has a comprehensive legal framework for cyber-security and privacy. The Privacy Act 1988 sets out the Australian Privacy Principles (APPs), which regulate the collection, use, and disclosure of personal information by government agencies and private organizations. The Privacy Act also establishes the Office of the Australian Information Commissioner, which is responsible for enforcing the APPs and promoting privacy rights. In addition, the Cyber Security Strategy 2020 outlines Australia’s approach to cyber-security, including enhancing the resilience of critical infrastructure, promoting cyber-awareness, and strengthening law enforcement capabilities. The Australian Signals Directorate (ASD) also provides guidance on cyber-security best practices for government agencies and critical infrastructure operators. Australia’s legal framework aims to balance the need for effective cyber-security measures with the protection of individuals’ privacy rights.

Rwanda has established a comprehensive legal framework to address cybersecurity challenges, ensure data protection, and promote a safe and resilient cyberspace. The country's cyber laws and regulations are aligned with international standards and are aimed at safeguarding individuals, businesses, and the government against cyber threats. Below are key aspects of Rwanda’s legal framework on cybersecurity:

Law No. 60/2018 of 22/08/2018 on Prevention and Punishment of Cybercrimes. This is the primary law governing cybercrime in Rwanda. It aims to prevent, control, and punish cybercrimes while ensuring the protection of information systems, infrastructure, and data. Key provisions of this law:
- Cybercrime offenses: the law defines various offenses, including unauthorized access to computer systems, hacking, phishing, identity theft, and cyber fraud.
- Cyber espionage and terrorism: it criminalizes cyber espionage, cyberterrorism, and attacks on critical infrastructure.
- Child exploitation and pornography: strict penalties for the use of information technology to exploit or harm children, including the distribution of child pornography.
- Punitive measures: it sets out penalties for individuals and organizations engaged in cybercriminal activities, including fines, imprisonment, and asset seizure.

Law No. 24/2016 of 18/06/2016 Governing Information and Communication Technologies (ICT). This law establishes the general framework for the ICT sector in Rwanda and includes provisions related to cybersecurity. Key provisions of this law:
- Data protection: the law emphasizes the protection of personal data and the need for consent when processing data.
- Cybersecurity obligations for service providers: ICT service providers are required to take the necessary security measures to ensure the integrity and availability of their services.
- Licensing and compliance: companies operating in the ICT sector must adhere to security standards set by the Rwanda Utilities Regulatory Authority (RURA), the agency responsible for ICT regulation.

National Cyber Security Policy (2015). The National Cyber Security Policy provides strategic guidance for the protection of Rwanda’s cyberspace. It was developed in response to increasing cyber threats and the need to secure the country's digital infrastructure. Key objectives:
- Resilient digital infrastructure: strengthening critical information infrastructure and securing public and private sector networks.
- Capacity building: developing cybersecurity skills and expertise across various sectors, including law enforcement and private industry.
- Public awareness: promoting awareness of cyber risks and best practices among citizens, businesses, and institutions.
- Collaboration: encouraging collaboration with international partners, other countries, and regional bodies to combat cybercrime and improve cyber resilience.

Rwanda Data Protection and Privacy Law (2021). Rwanda has enacted Law No. 058/2021 of 13/10/2021 Relating to the Protection of Personal Data and Privacy, which regulates the processing, storage, and sharing of personal data. Key provisions:
- Consent and transparency: data subjects must give informed consent before their data is processed, and organizations must be transparent about how they use personal data.
- Data controllers and processors: organizations processing personal data must implement appropriate security measures to prevent breaches or unauthorized access.
- Data breach notifications: companies are required to notify the regulator and affected individuals in the event of a data breach.
- Rights of data subjects: individuals have the right to access, correct, and delete their personal data.

Cybersecurity Standards and Guidelines. The Rwanda Information Society Authority (RISA), in collaboration with RURA, develops cybersecurity guidelines and technical standards to be followed by public and private organizations. Key elements:
- Security protocols: organizations are encouraged to implement strong security measures, such as encryption, firewalls, and intrusion detection systems.
- Incident response: entities are required to establish incident response plans to quickly mitigate and recover from cyberattacks.
- Audit and compliance: regular audits are conducted to ensure compliance with national cybersecurity standards.

Rwanda Computer Security Incident Response Team (Rw-CSIRT). Rwanda established the Rw-CSIRT to coordinate responses to cyber incidents and attacks. This body is responsible for monitoring cybersecurity threats, sharing threat intelligence, and providing technical assistance to organizations in the event of a breach. Responsibilities:
- Incident management: Rw-CSIRT coordinates efforts to handle cybersecurity incidents across various sectors, including government, businesses, and critical infrastructure.
- Cyber threat intelligence: the agency gathers and disseminates information on emerging cyber threats and vulnerabilities.
- Capacity building: Rw-CSIRT offers training and resources to strengthen the technical skills of cybersecurity professionals in Rwanda.

Rwanda Utilities Regulatory Authority (RURA). RURA is the regulatory body responsible for overseeing the ICT sector, including cybersecurity. It works closely with RISA and other agencies to enforce cybersecurity regulations and ensure that organizations comply with the country’s legal framework.

Regional and International Collaboration. Rwanda actively collaborates with regional organizations such as the East African Communications Organization (EACO) and participates in international forums to address global cybersecurity challenges. The country is also a member of the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), which sets cybersecurity and data protection standards for African nations.

Practical ethical considerations in security require balancing protection with respect for privacy, fairness, transparency, and accountability. Cybersecurity professionals must adopt approaches that protect both individual rights and broader societal interests while maintaining trust and minimizing harm. Ethics guide the application of security measures, ensuring that they are not only effective but also just and humane.

[1] A Holistic Approach to Ethical Issues in Cyber Security, Swiss Cyber Institute

[2] Ibid.

[3] Ibid.

[4] Ibid.

[5] Balancing Cyber-security and Privacy: Legal and Ethical Considerations in the Digital Age, Naeem Allahrakha, Tashkent State University of Law.
