Security by Design (SbD) is emerging as a core goal in US and European regulatory policy for cybersecurity. For instance, California has just enacted legislation mandating SbD for 'connected devices', while the European Commission's European Cyber Security Strategy, published in September 2017, prioritises 'the use of "security by design" methods in low-cost, digital, interconnected mass consumer devices which make up the Internet of Things'.
There is as yet, however, very little critical appraisal of the semantics and normative dimensions of SbD. Drawing on insights from parallel discourses on 'Privacy by Design', 'Data Protection by Design' and, more broadly, 'Legal Protection by Design', this lecture explores the semantics, origins and potential value of SbD as a nascent regulatory principle.
Lee A. Bygrave is professor at the Department of Private Law, University of Oslo, where he is in charge of the Norwegian Research Center for Computers and Law (NRCCL). He is currently a guest professor at the Australian National University's newly established 3A Institute. For the past three decades, Lee has been engaged in researching and developing regulatory policy for information and communications technology (ICT). He has functioned as expert advisor on ICT regulation for numerous organisations, including the European Commission, Nordic Council of Ministers and Internet Corporation for Assigned Names and Numbers.
He was recently appointed by the Norwegian government to sit on Norway's ICT Security Commission, with a mandate to recommend improvements to the country's cybersecurity framework. He also heads two major interdisciplinary research projects at the NRCCL, one entitled 'Security in Internet Governance and Networks: Analysing the Law' (SIGNAL), and the other entitled 'Vulnerability in the Robot Society' (VIROS).
Lee has published particularly extensively within the field of data privacy law where his two principal books on the subject - Data Protection Law: Approaching Its Rationale, Logic and Limits (2002) and Data Privacy Law: An International Perspective (2014) - are widely acknowledged as standard international texts. He is currently co-editing and co-authoring a comprehensive Commentary on the EU General Data Protection Regulation, to be published by Oxford University Press in 2019.