Chapter 23: The Ethical Aspects of Critical Infrastructure Protection
Published: 2020
Marina Da Bormida, 2020. "The Ethical Aspects of Critical Infrastructure Protection", Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures, John Soldatos, James Philpot, Gabriele Giunta
Critical infrastructures across different sectors are being strongly affected by the introduction of the IoT paradigm, cyber-physical systems (CPS), intelligent digitally empowered devices, Big Data analytics, AI, and machine learning. Alongside an array of benefits, this transformation poses not only additional risks to their operation and security but also legal and ethical challenges and concerns for developers, practitioners, participants, and policy-makers, ranging from data protection and privacy preservation, to dataveillance, social cooling and the dictatorship of data, to data ownership and access, to safety, responsibility and liability, algorithmic bias and others.
The regulatory landscape is fragmented and runs at a much lower pace than technological development. Novel “soft law” tools, capable of giving granular and practical guidance, as well as ethics-related standardization initiatives, like the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems, provide complementary rules and useful insights to traditional legal instruments to overcome or mitigate the given challenges raised by these technologies.
Other driving factors towards legal compliance and ethically-sound design, development, and operation of such developments are the Privacy and security by design and ethics & rule of law by design approaches, the regulatory sandboxes, and the cross-fertilization of law and technology, such as certain forms of automated compliance tools [6].
23.1 Introduction
Critical infrastructures that support the operation and development of our societies across several sectors, like finance, healthcare, and energy, are being strongly affected by the introduction of the IoT paradigm, CPS, and intelligent digitally empowered devices, ranging from sensors to robots, smart wearables, smartphones, and drones, as well as by other emerging ICT technologies, like Big Data analytics, AI, and machine learning. Furthermore, critical infrastructures' digitalized and interconnected operations, business processes, and decision-making imply the collection and processing of increasing amounts of field data, often exchanged between the relevant stakeholders within a given value chain. The boundaries between the physical and digital worlds are vanishing, and the digital control of physical processes is a reality.
This transformational path has multiple benefits, in terms of increasing the efficiency and sustainability of current practices and better performance gains, for instance, unfolding a range of possibilities to discover, manage, orchestrate, and control physical space to realize coordinated behaviors within and across devices.
At the same time, this metamorphosis also poses additional risks to critical infrastructures' operation and security. A novel range of cybersecurity challenges adds to the traditional physical security ones faced by critical infrastructure operators, giving rise to integrated approaches to critical infrastructure security that protect cyber and physical assets simultaneously.
The introduction of integrated security systems into critical infrastructures poses ethical and legal challenges for developers, practitioners, participants, and policymakers.
In conjunction with the array of expected benefits of these systems, unintended negative effects might occur and need to be avoided, or at least minimized, by thinking ahead, while at the same time ensuring that these technologies can benefit everyone, upholding legal concepts and ethical values, protecting human safety, physical integrity, dignity, intimacy, autonomy, and self-determination [1, 2].
One of the challenges related to these systems is to maximize security, and therefore the utility of the overall systems in this direction, while protecting human rights, preserving ethical values, and respecting the regulatory framework. The ethical dimensions of these systems need to be explored in an attempt to balance them with the protection of critical infrastructures against physical and cyberattacks within the EU. Ethical risks, including data-related risks, have to be mitigated both at design time and at run time, ensuring that architectures are safe and secure but also adhere to and promote European values (e.g., democracy, privacy safeguards, equal opportunities). Fair, trustworthy, ethical, and regulatory frameworks aimed at ensuring compliance with the legislation enforcing these values should be perceived not as restrictive but as an opportunity and a competitive advantage, even more so if they develop alongside the technology.
In fact, an adequate ethical and legal framework, properly tackling human-centered challenges and ensuring that solutions and services are designed and used in an ethical manner, is critical to ensure trust in the security ecosystem around critical infrastructures. That trust, in turn, is essential to the acceptability of the technological artifacts, offering services and experimentation opportunities to the whole range of stakeholders across the critical infrastructure value chain [1].
The next section focuses specifically on some key questions and ethical challenges, which can provide a basis for the development of an ethical and legal framework for systems relying on holistic approaches to critical infrastructure security against cyber and physical threats.
23.2 Legal and Ethical Challenges
As underlined in the previous section, the technological changes related to the introduction of Cyber-Physical Systems (CPS), Artificial Intelligence (AI), the Internet of Things (IoT), and integrated security systems in critical infrastructures, while carrying the potential to yield new solutions and opportunities for business, government, and societies, also generate new risks, concerns, and challenges in multiple contexts.
IoT, AI, blockchain and Distributed Ledger Technology (DLT), collaborative and intelligent devices, cyber ranges, and cyber-physical systems are expected to optimize critical infrastructures' processes and make them more secure and more efficient. These processes and the operation of the system are fuelled by digital assets like digital twins, operational data, and machine learning models. They manifest both in cyberspace and in the physical world, depending on underlying cloud-based infrastructure and other operational and information technology infrastructures, often geographically spread.
As such digital assets and infrastructure become increasingly interconnected, automated, and geographically distributed, not only are the security challenges greater, but so are the ethical concerns and the risk of non-compliance with internationally recognized human rights, such as the right to privacy. The same applies to AI-supported technology such as facial recognition and emotion detection.
The increasing fragmentation in the legal and regulatory landscape at global, regional, and national level contributes to make the situation even more complex and to the emergence of novel accountability challenges.
Without claiming to be complete, the following list provides hints on some of the most pressing legal and ethical issues and concerns that need to be addressed, ranging from privacy and data protection rights, to liability, inequality, discrimination, algorithmic bias and non-transparency, safety, personal autonomy, and identity [3, 7, 11, 12].
Data protection and privacy
CPS extract, collect, and share vast amounts of data to operate effectively, including sensitive information, especially in the healthcare and financial sectors. This raises privacy concerns.
The areas of interest or concern and possible issues and challenges include:
– Data practices in relation to obtaining and ensuring informed consent
– Ensuring transparency of the process by which the tools collect, process, and make use of personal data, including the terms of use of algorithms
– Materialization of the concept of privacy by design and by default in IoT, CPS, and AI applications
– Concepts of sensitiveness and vulnerability, especially in the case of patients and/or people under constant direct observation or surveillance
– Sharing of private individual information collected by IoT devices with other systems and preventing the potential misuse of data
– Data collection and processing during the research, development, and testing of AI-empowered tools and CPS
– Tackling inverse privacy and safeguarding personal data rights, filling the gap between the rights enacted by the GDPR (and its 28 national implementations) and the average understanding of their implications, both by citizens and by businesses, as well as their operationalization in IoT and AI settings, where sticky policies, dynamic user consent, and other developments could be further explored to develop legally compliant, smart solutions
– Awareness of the kind of data that is being collected and processed is often scarce, and this diminishes an individual's power and freedom
– Considering that the human-data relation is asymmetric, individuals can feel powerless in relation to data, and there is a risk of losing control over access to one's own personal data, including the so-called right to be forgotten, which is considered in the EU one of the pillars of an individual's control over their personal data
Dataveillance, social cooling, and dictatorship of data [5]
There is a risk of dataveillance and intrusive big data practices, due to the availability of more and more data sources and the easier and faster data analysis used to generate insights. For instance, to address the security challenges posed by critical infrastructure protection, one's position can be tracked over time through tools like the ubiquitous use of Closed-circuit Television (CCTV), coupled with Global Positioning System (GPS) positioning in mobile devices, as well as the use of credit cards and Automated Teller Machine (ATM) cards for payments and withdrawals.
People's awareness of the possibility of being watched at any moment might result, as shown by field experiments, in so-called social cooling, a side effect of Big Data that refers to individuals' tendency to conform to the expected norm. This is all the more relevant because our society makes extensive use of scoring systems, where critical life-changing opportunities are increasingly determined by such systems, often obtained through opaque predictive algorithms applied to data to determine the value of an individual or social group. This is capable of limiting people's desire to take risks or exercise free speech. Over the long term, such self-censorship, risk aversion, and forgoing of free speech might "cool down" society, produce increased social rigidity, and impair our ability to evolve as an inclusive society where minority views and vulnerable people are still able to flourish.
Closely tied to dataveillance and social cooling, another ethical concern arises. Despite the undoubted advantages of digital identities, for example in terms of the possibility to access online content and all related services through them, the widespread use of such identities makes it possible to retrieve publicly available information on an individual from the web and to generate insights from it. This might lead to the dictatorship of data, with discriminating effects based on the representation of a person as portrayed by his/her data, as opposed to the real self. In other words, individuals are treated as mere aggregates of data and are therefore no longer respected.
Data ownership and access aspects [1, 8, 10]
Data ownership, control, and access need to be investigated as regards the claimed property right on data and information, in relation to human-data interaction and interconnected devices, as is the case for data retrieved by the sensors of objects connected to the Internet of Things, with even more complexity when the information is personal or financial data. Radio-frequency identification (RFID), GPS, and Near Field Communication (NFC) technologies allow a person's geographic location and movements from one place to another to be tracked without their knowledge.
Ubiquitous devices embedded in daily life in an IoT landscape primarily collect data that is about or produced by people, either explicitly produced by themselves (such as location data shared while running with wearable accessories) or implicitly inferred by the sensing infrastructures, as in the monitoring of critical infrastructures. Data collection and processing serves a broad range of purposes in everyday life in connection, for instance, with the operation of critical infrastructures in the health, energy, and financial sectors, ranging from personal healthcare to tailored smart city services for energy savings that process data on the energy footprint of an individual's home or other situational context. In relation to the unprecedented amount of data collected by these devices, the fundamental research questions are who owns this data and who might have access to it.
Data ownership claims are also related to the risk of data monopolies and to the theme of asymmetries of power.
In fact, data ownership may also refer to proprietary data, not only to personal data: data producers have an interest in remaining in control of their data and retaining their rights as the original owners, and therefore demand the recognition of ownership claims. However, the legal framework is uncertain and fragmented, and it is difficult to apply legal categories: for instance, data is an intangible good that is difficult to define, and the legal concept of data ownership itself is unclear. Many questions arise, such as whether the EU's existing law provides sufficient protection for data and, if not, what more is needed; whether data is capable of ownership (sui generis right or copyright law); and whether, and which, legal basis exists for claims of ownership of data. Meanwhile, there are solutions, such as those reflecting the IDSA Data Sovereignty paradigm, that provide factual exclusivity of data through flexible and pragmatic tools, combining agile contracting with enabling technological artifacts able to provide certainty and predictability.
Accessibility of information
In relation to accessibility of information, a cyberattack on IoT employed in critical infrastructures, which makes the system vulnerable, might have a direct influence on people's lives; this might happen in electric heating systems, bank and insurance IT infrastructures, food distribution networks, hospitals, transport networks, and many others.
Safety, responsibility, and liability [11, 12]
One of the main concerns, especially in relation to AI and human—machine interaction, refers to safety aspects, which are especially important as the complex, intelligent, and self-learning CPS increasingly operate in close proximity to humans.
Furthermore, finding the initial cause and allocating liability might prove complex. In case of malfunctioning, who can we hold accountable and responsible for the failure? What is the position of the developer or producer of the CPS?
The theme of liability, including the identification of who is responsible — and liable — for failures and insurance instruments for products/users, is a key issue for CPS systems and their integrated security solutions to reach their full potential, especially in contexts with multiple stakeholders and decisions being made by artificial intelligence.
Widening of the digital divide [1]
Another concern regards the difficulty of some individuals in understanding and accessing services delivered through the use of these new technologies, not being familiar with them.
Algorithmic bias
Another issue pertains to the risk of algorithmic bias and in general the risk of discrimination, manipulation, misuse, and technological determinism.
23.3 The Regulatory Landscape
23.3.1 The Legal Context
The legal and regulatory framework relevant in relation to the design, deployment, and operation of integrated security systems into critical infrastructures characterized by the wide use of the IoT paradigm, CPS systems, and intelligent digitally empowered devices and other emerging ICT technologies, like Big Data analytics, AI, and machine learning, is complex, fragmented, and significantly different in each of the domains concerned (financial, energy, and healthcare sectors).
The following notes are intended only to provide an overview of the main general pieces of legislation applicable across several domains and at EU level and need to be integrated with sector-specific and national-wide surveys dwelling upon the legislation underlining the security of the infrastructure employed in each sector.
The main pieces of legislation, partially overlapping among themselves, refer to Human Rights Law, Data Protection Law, Telecommunications Law, Information Technology Security Law, Law on Trust Services, Identification, Authentication, Intellectual Property Law, Critical Infrastructures Law, include:
– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR);
– Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), which is expected to be replaced by a Regulation on Privacy and Electronic Communications, whose proposal is currently following the approval process;
– Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive);
– Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases;
– Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union;
– Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation);
– The set of Communications on Critical Infrastructures, including Communication COM(2006) 786 on a European Programme for Critical Infrastructure Protection, Communication COM(2011) 163 on Critical Information Infrastructure Protection "Achievements and next steps: towards global cyber-security" and others;
– Directive 2008/114/EC on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection;
– The set of Communications on the data economy and Artificial Intelligence, framing the issues and discussing the evidence collected through public and targeted consultations, as well as dedicated support measures, such as Communication COM(2017) 9 "Building a European data economy," Communication COM(2018) 237 "Artificial Intelligence for Europe," COM(2019) 168 "Building Trust in Human-Centric AI" and others;
– The Charter of Fundamental Rights of the European Union.
23.3.2 The “Soft Law”
In addition to legislation and official regulatory instruments, complementary regulatory tools should be explored, shifting from a vision of mere legal compliance towards exploiting the possible benefits of "soft law," considering its relationship with traditional legal instruments and its possible role in a landscape of increasingly dynamic cross-fertilization between regulation and technology. Soft law is capable of providing important safeguards on issues like transparency and accountability and, due to its flexibility, can be quickly adapted to rapidly evolving technological artifacts, thereby keeping pace where the legislative system, which develops much more slowly, cannot.
"Soft law" instruments, in a broad sense, relevant in this context include the Big Data Value Association's Position Papers, such as "Towards a European Data Sharing Space. Enabling data exchange and unlocking AI potential," published in April 2019; "Data Protection in the era of Artificial Intelligence. Trends, existing solutions and recommendations for privacy-preserving technologies," published in October 2019; and others.
Likewise, the following two works elaborated by expert groups appointed by the European Commission need to be taken into account:
– The Ethics Guidelines for Trustworthy Artificial Intelligence, presented on 8 April 2019 by the High-Level Expert Group on AI;
– The Report on Liability for Artificial Intelligence and other emerging technologies, released by the European Commission's Expert Group on Liability and New Technologies, New Technologies Formation ("NTF").
23.3.3 Ethics-driven Standardization Initiatives [9]
The main ethics-related standardization projects and initiatives to be considered for materializing EU human factors, ethical principles, and values that prioritize human well-being in the next generation of critical infrastructures' integrated security systems relying on CPS, IoT, and other intelligent and autonomous applications and devices (in addition to other standardization initiatives, such as those for security) are, besides the Technical Reports elaborated by ISO/IEC JTC 1/SC 42, above all the standardization projects of the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems. The Initiative's mission is "to ensure every stakeholder involved in the design and development of autonomous and intelligent systems is educated, trained, and empowered to prioritize ethical considerations so that these technologies are advanced for the benefit of humanity."1
By following the indications of these projects, developers and operators are guided to create and use cutting-edge solutions in a way that explicitly honors the inalienable human rights and beneficial values of their users, thereby maximizing human well-being as a key metric for progress and social sustainability.
Among the most relevant, there are:
– IEEE P7000: Model Process for Addressing Ethical Concerns During System Design
– IEEE P7001: Transparency of Autonomous Systems
– IEEE P7002: Data Privacy Process
– IEEE P7003: Algorithmic Bias Considerations
– IEEE P7006: Standard on Personal Data AI Agent
– IEEE P7007: Ontological Standard for Ethically Driven Robotics and Automation Systems
– IEEE P7008: Standard for Ethically Driven Nudging for Robotic, Intelligent and Autonomous Systems
– IEEE P7009: Standard for Fail-Safe Design of Autonomous and Semi-Autonomous Systems
– IEEE P7010: Wellbeing Metrics Standard for Ethical Artificial Intelligence and Autonomous Systems
– IEEE P7012: Standard for Machine Readable Personal Privacy Terms
23.4 Ethical and Legal Framework and Safeguards
There is the need for a coherent legal and ethical frame to delineate the limits of legal and ethical compliant behaviors and to provide responses for tackling the risks of integrated security infrastructures and surrounding technological developments for the protection of critical infrastructures, rooted in common human values and multi-stakeholder involvement, and relying on inclusiveness, adaptivity, agility and fitness for purpose, and thereby functional to the achievement of the sustainable development goals, as recently emphasized by the United Nations Secretary-General’s High-level Panel on Digital Cooperation.
Such a framework should take the form of a code of conduct for researchers/designers and users and should be based on the principles enshrined in the EU Charter of Fundamental Rights (such as human dignity, autonomy and human rights, non-discrimination and non-stigmatization, the integration of persons with disabilities and of elderly people and other) and on existing ethical practices and codes.
The values enshrined in the EU Charter of Fundamental Rights represent the normative framework on which a common understanding of the ethical risks associated with the operation of robots could be built. Still, judgments about the ethical soundness of robotics applications depend significantly on the specific context of application and the findings of the respective risk assessment process.
The production of realistic and workable codes of conduct for each domain provides a number of advantages: as a typical "soft law" tool, they are capable of offering practical guidance and of tackling in meaningful, flexible, and practical ways the issues and ethical challenges of CPS, IoT, and AI breakthroughs in each such domain. They are also aligned with the legislative support for self-regulation and accountability instruments (e.g., General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, art. 40). An example of such codes, though referring only to data protection, is the Cloud Security Alliance Code of Conduct for GDPR Compliance.
The production of these codes and, in general, ethical reasoning in relation to integrated security infrastructures for the protection of critical infrastructures need to be based on a prioritization approach and the resulting balancing operations, in order to fully reap the benefits of technological progress in conjunction with the safeguarding of human rights and ethical values [5].
In line with the European Group on Ethics in Science and New Technologies (EGE), which aims at identifying criteria of accountability and oversight in order to protect the ethical values and the freedom of individuals together with security, without giving up on any of the rights and interests at stake, there is a need to find a compromise and a balance between, on the one hand, the interest in strengthening public safety and protecting critical infrastructures and the set of related human rights and, on the other hand, the need to safeguard other human rights, such as privacy, data protection, freedom of expression, freedom of association, freedom of movement, due process, and non-discrimination [13].
This balance between opposing interests is particularly relevant in the case of critical infrastructures: their protection against physical and cyberattacks has a growing role also in national security. Attacks on any of them are able to produce huge consequences, in terms of damage to economies and disasters, with other possible serious impacts on the health, safety, security, or economic well-being of citizens, or even prevent the effective functioning of governments in the Member States.2
A rich jurisprudence and a long history of scholarship in both ethical and legal philosophy confirm the balancing and prioritizing of rights. For instance, in relation to the fundamental right to the protection of personal data under Article 8 of the Charter of Fundamental Rights of the European Union, the Court of Justice of the European Union (CJEU) stated that the right "is not, however, an absolute right, but must be considered in relation to its function in society."3
In addition to the elaboration of codes of conduct for a more agile and adaptive governance, as well as the prioritization approach in ethical reasoning and operations, other driving factors and countermeasures for minimizing ethical risks and ensuring legal compliance include:
– Ethical and legal oversight, for instance through the appointment of Ethics Boards or Ethics and Safety Officers
– Accountability mechanisms, such as due diligence and certification of ethical and legal compliance, relying also on ad hoc metrics and on a Fundamental Rights Impact Assessment, with mechanisms afterwards to allow feedback on any potential infringement of such rights. This impact assessment should be additional to the Data Protection Impact Assessment (DPIA) regulated by the GDPR and should be developed according to the indications adopted on it by the EC
– Privacy and security by design, and ethics and rule of law by design
– Adequate redress mechanisms in case of damages caused by products and services
– Regulatory sandboxes, where innovative services and tools can be tested and experimented with under real regulatory conditions (but with possible exemptions from some rules) in a gradual and controlled way before going to market, pursuant to a specific testing plan agreed with and monitored by the competent authority
– Exploiting and further advancing the cross-fertilization of law and technology, for instance through solutions that translate and automate legal provisions into computer language, while allowing some form of human control or intervention to adjust the parameters of that translation of compliance requirements. Privacy-Enhancing Technologies (PETs), sticky policies, dynamic user consent, blockchain-enabled transactions and smart contracts move in this direction, as do, in general, certain forms of automated compliance tools
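The sticky policies and dynamic user consent named in the list above (and earlier, under data protection and privacy) are the one place in this chapter where a legal requirement is turned into something a program enforces, so an added example is given here. It is not code from the chapter or from any product it cites; the names StickyPolicy, ConsentRegistry, seal and check_access are this example's own, the smart-meter reading and the key are constructed, and the HMAC binding of policy to payload is one common way to make the policy "stick" (so a holder of the data cannot quietly widen its own permissions), not a prescribed design. Consent is looked up at access time rather than frozen into the record, which is what makes it dynamic: the data subject can withdraw it after collection and the next access is refused.

```python
"""Added example: a sticky policy bound to a data item, checked at access time
against a consent registry the data subject can change later. Constructed
names and data; not the chapter's own code."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import json


@dataclass(frozen=True)
class StickyPolicy:
    """Machine-readable terms that travel with the data (hypothetical schema)."""
    subject_id: str
    allowed_purposes: frozenset      # purpose limitation
    allowed_controllers: frozenset   # who may process it
    retain_until: datetime           # storage limitation
    consent_ref: str                 # key into the ConsentRegistry

    def to_bytes(self) -> bytes:
        # Canonical encoding so the same policy always yields the same MAC input.
        return json.dumps({
            "subject_id": self.subject_id,
            "allowed_purposes": sorted(self.allowed_purposes),
            "allowed_controllers": sorted(self.allowed_controllers),
            "retain_until": self.retain_until.isoformat(),
            "consent_ref": self.consent_ref,
        }, sort_keys=True).encode()


@dataclass(frozen=True)
class SealedRecord:
    payload: bytes
    policy: StickyPolicy
    tag: bytes   # HMAC over payload || policy: swapping either invalidates the record


def _mac(key: bytes, payload: bytes, policy: StickyPolicy) -> bytes:
    return hmac.new(key, payload + b"\x00" + policy.to_bytes(), hashlib.sha256).digest()


def seal(payload: bytes, policy: StickyPolicy, key: bytes) -> SealedRecord:
    return SealedRecord(payload, policy, _mac(key, payload, policy))


class ConsentRegistry:
    """Consent state the subject can change after the data has been collected."""
    def __init__(self):
        self._consents = {}   # consent_ref -> set of purposes currently consented to

    def grant(self, ref, purposes):
        self._consents[ref] = set(purposes)

    def revoke(self, ref, purposes=None):
        if purposes is None:
            self._consents.pop(ref, None)      # withdraw consent entirely
        else:
            self._consents.get(ref, set()).difference_update(purposes)

    def consented(self, ref, purpose) -> bool:
        return purpose in self._consents.get(ref, set())


def check_access(record, key, controller, purpose, registry, now):
    """Return (allowed, reason); each refusal names the rule that failed."""
    if not hmac.compare_digest(_mac(key, record.payload, record.policy), record.tag):
        return False, "policy_or_payload_tampered"
    p = record.policy
    if now > p.retain_until:
        return False, "retention_expired"
    if controller not in p.allowed_controllers:
        return False, "controller_not_allowed"
    if purpose not in p.allowed_purposes:
        return False, "purpose_not_allowed"
    if not registry.consented(p.consent_ref, purpose):   # dynamic consent, checked live
        return False, "consent_withdrawn"
    return True, "ok"


def demo():
    """Walk one constructed smart-meter reading through the checks above."""
    key = b"constructed-demo-key-not-for-production"
    registry = ConsentRegistry()
    registry.grant("consent-42", {"grid_balancing"})
    collected = datetime(2020, 6, 1, tzinfo=timezone.utc)
    policy = StickyPolicy("household-17", frozenset({"grid_balancing"}),
                          frozenset({"dso-operator"}), collected + timedelta(days=90),
                          "consent-42")
    reading = json.dumps({"meter": "SM-0017", "kwh": 3.21,
                          "ts": collected.isoformat()}).encode()  # constructed sample
    rec = seal(reading, policy, key)
    now = collected + timedelta(days=1)
    results = {
        "grid_balancing": check_access(rec, key, "dso-operator", "grid_balancing", registry, now),
        "marketing": check_access(rec, key, "dso-operator", "marketing", registry, now),
        "other_controller": check_access(rec, key, "ad-broker", "grid_balancing", registry, now),
        "after_retention": check_access(rec, key, "dso-operator", "grid_balancing", registry,
                                        collected + timedelta(days=91)),
    }
    # A holder rewrites the attached policy to permit marketing: the MAC no longer matches.
    widened = replace(rec, policy=replace(policy, allowed_purposes=frozenset({"grid_balancing", "marketing"})))
    results["tampered"] = check_access(widened, key, "dso-operator", "marketing", registry, now)
    registry.revoke("consent-42")   # subject withdraws consent after collection
    results["after_revocation"] = check_access(rec, key, "dso-operator", "grid_balancing", registry, now)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:18s} -> {decision}")
```

The order of the checks matters in practice: integrity first, so that a tampered policy is never evaluated at all, then the static terms, and only then the live consent lookup, whose answer may change between two calls. The HMAC key here stands in for whatever the deploying organization uses to authenticate records (an assumption of the example); in a real system it would be held by the policy enforcement point, not by the data holder.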
23.5 Conclusion
Beyond the identification of the main areas of potential legal and ethical concern and the associated challenges and the respective relevant pieces of EU legislation that might need to be reviewed or considered, the analysis leads to these conclusions:
– Every attempt to conceive of and tackle the legal and ethical challenges associated with the multifaceted emerging technologies concerned needs to be set within each specific sector and, sometimes, fine-tuned on a case-by-case basis, reflecting on how much security it is reasonable to expect or claim in a given domain and what is seen as responsible behavior.
– The ethical and legal framework would not need to take a legally binding form but, preferably, should take the form of a domain-specific code of conduct, prepared through a holistic, prioritization approach supported by multidisciplinary exercises able to capture and shape a pluralist conception of law, ethics, and technology.
– Codes of conduct and the other "soft law" instruments are expected to be capable of providing granular and practical guidance on all the relevant concerns previously identified, which include privacy and data protection issues but also data ownership, certification, safety, liability, and many others.
– By reflecting on such issues and conceiving and implementing adequate safeguards and mitigating measures, such as the appointment of ethics officers, the fundamental rights impact assessment, alignment with ethics-related standardization outcomes and EC-promoted guidelines, and, overall, by ensuring legal compliance and upholding ethical values in the new technological developments at stake, the benefits can be realized while the negative side effects are mitigated or potentially eliminated, thereby fostering societal acceptance.
– CPS, IoT, AI, ubiquitous data streams, and integrated and holistic security infrastructures are neutral, even though they can give rise to a more complex world in which human beings will need to improve their ability to predict and understand the machines, their risks, and their effects on well-being and human rights. Regulatory sandboxes, as safe and controlled environments where innovative services and tools can be tested and experimented with under real regulatory conditions before going to market, are useful tools for a better understanding of the legal and ethical implications of new technological developments.
– Promising avenues come from the expected advance of the cross-fertilization of law and technology, including solutions aiming to translate and automate legal provisions into computer language: PETs, sticky policies, dynamic user consent, blockchain-enabled solutions, and automated compliance services and techniques.
2. "Critical infrastructure protection in the fight against terrorism," COM(2004) 702.
3. Among others, CJEU, Joined Cases C-92/09 and C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert v. Land Hessen, November 2010, para. 48.

