Three ECCRI Cybersecurity 2023-2024 Fellows – Cat Easdon, Aideen Fay, and Nils Brinker – presented their research at the 18th annual meeting of the Internet Governance Forum (IGF) that was hosted by the Government of Japan in Kyoto from 8 to 12 October 2023. The trip was made possible with the help of an additional grant from the Government of Malta, which supports the ECCRI Fellowship Program.

Cat Easdon and Dr. Ryan Payne (Queensland University of Technology) gave a presentation which discussed how privacy is an enabling right for other fundamental rights and freedoms. They introduced the concept of “Rights by Design” and provided examples of how rights protections can be designed into both the technology products we build and into tech policy.

Key takeaways:

• Conducting a human rights impact assessment is crucial when developing a new product, feature, or tech policy, and there are frameworks to help support this, such as the Microsoft Harms Modeling Framework and PLOT4AI.
• Organisations involved in technology development or policy-making should incorporate ethics and threat modelling training into their operations to facilitate these human rights impact assessments.

Aideen Fay focused on Co-operative AI and its Governance Implications. The goal of the talk was to provide policymakers with a framework for thinking about multi-agent AI systems and a better understanding of how these systems fail. “I hope this helps policymakers adapt and develop effective policy in the face of the rapid progress in AI that is set to continue and accelerate,” notes Fay.

Nils Brinker’s talk “The new European toolbox for cybersecurity regulation” provided an overview of the current regulatory efforts of the European Union to foster IT security within the European market. It elaborated mainly on the NIS 2 directive, the Proposal for a Cyberresillience Act, and the Proposal for an AI Act. It elaborated on the difficulties of actually promoting IT-security with regulatory means.

Key takeaways:

• Risk management is generally an effective way of implementing better security measures. However, it is still a method prone to subjectivity. Therefore, selecting responsible persons for such obligations has to be carefully considered. Also, there have to be ways to make the conductor of the risk management aware of risks for third parties.
• The complex landscape of actors, stakeholders, and regulations risks promoting mere compliance with regulation instead of operational security.

Nils also reflects on the general experience at the IGF, “As a multistakeholder conference, the IGF was an excellent place to gain insights into opinions and experiences outside my own bubble. Especially when working on European regulation, there is always the danger of thinking a bit too Eurocentric about specific issues.”

“After my talk, there was plenty of engagement, giving feedback on interfering domains that might interact with the European security regulation, such as trade law, that are usually not considered within my own bubble. Therefore, the IGF was a good place to gain a broader view,” he notes.

Supporting the fellows in their professional journey, including through presenting their research and initiating necessary and relevant discussions in their field is one of the key objectives of the ECCRI Fellowship Program. The 2023-2024 European Cybersecurity Fellowship is made possible through a partnership with the Government of Malta, William & Flora Hewlett Foundation, Mandiant, now part of Google Cloud, and Microsoft. For more information on the Fellowship Program, see here.

From November 26, 2024, the European Cyber Conflict Research Initiative (ECCRI) and the European Cyber Conflict Research Incubator (ECCRI CIC) operate under one umbrella brand – Virtual Routes. Read more about Virtual Routes here.