This article explores Vietnam’s distinctive approach to data privacy regulation and its implications for the established understandings of privacy law. While global data privacy regulations are premised on individual freedom and the integrity of information flows, the recent Vietnamese Decree 13/2023/NĐ-CP on Personal Data Protection (hereinafter PDPD) prioritises state oversight and centralised control over information flows to safeguard collective interests and cyberspace security. This fresh regulatory logic puts data privacy under the regulation of government agencies and moves the privacy law arena even further away from the already distant judicial power. This prompts an exploration of the nuances underlying the ways regulators and the regulated communities understand data privacy regulation. The article draws on social constructionist accounts of regulation and discourse analysis to explore the epistemic interaction between regulators and those subject to regulation during the PDPD’s drafting period. The process is characterised by the dynamics between actors within a complex semantic network established by the state’s policy initiatives, where tacit assumptions and normative beliefs direct the way actors in various communities favour one type of thinking about data privacy regulation over another. The findings suggest that reforms to privacy laws may not result in “more privacy” for individuals and that divergences in global privacy regulation may not be easily explained by drawing merely on cultural and institutional variances.
Digital sovereignty is a fluid and complex concept. This chapter highlights the necessity to consider digital sovereignty strategies, policies, and governance mechanisms from a holistic and long-term perspective. Digital sovereignty plays a pivotal role in fostering self-determination, while remaining critical to cybersecurity and the control capabilities of the “digital sovereign.” The “sovereign” can be an individual, a community, a corporation, a state, or a group of states. Taking an agnostic approach to digital sovereignty, the authors explore diverse practices and provide insight into what this concept means in practical terms. Digital technologies can facilitate enormous advancements to be put at the service of people, but can also be weaponized against individuals, corporations, and nation-states. BRICS countries’ approaches offer telling examples of not only how and why the need for digital sovereignty can emerge but also how dysfunctional the implementation of digital sovereignty policies may become without a coherent and long-term vision. Ultimately BRICS experiences illustrate that enhancing a digital sovereign’s self-determination, cybersecurity, and control is likely to reduce the undue influence of other digital actors. However, the success of a digital sovereignty strategy largely depends on the understanding, consistency, resourcefulness, and, ultimately, organizational capabilities of aspiring digital sovereigns.
The development of medical artificial intelligence is dependent on the availability of vast quantities of data, a considerable proportion of which is medical data containing sensitive information pertaining to the health and well-being of patients. The use of such data is subject to extensive legal regulation and is further hindered by financial and organisational constraints, which can result in limitations on accessibility. One potential solution to this problem is the use of synthetic data. This article examines the potential for their use in light of cybersecurity requirements derived from horizontal and sectoral EU legislation. The outcome of this analysis is that EU legislation does not contain specific regulations on the use of synthetic data. Consequently, it cannot be concluded that there is any prohibition on their use. Moreover, while the Medical Device Regulation (MDR) contains some general requirements for cybersecurity, these are further specified by the provisions of the AI Act. It is important to note, however, that the AI Act will not apply to Class I medical devices, which are subject only to the MDR. Furthermore, only indirect obligations within the scope under consideration can be derived from the horizontal regulations, which will apply in a limited number of cases.
Cybersecurity has emerged as a paramount concern in today’s digital age, especially when considering the vast range of digital assets now in circulation, among which non-fungible tokens (NFTs) hold significant prominence. This chapter delves deeply into the intricate landscape of cybersecurity as it pertains to NFTs. By meticulously analyzing the multifaceted technical challenges and potential vulnerabilities inherent to NFTs from a cybersecurity perspective, this chapter seeks to provide an overview of the landscape as of this writing. Furthermore, this chapter explores how existing laws, policies, and societal norms have addressed these issues thus far, and speculates on how they might evolve in the future to more effectively bridge the governance gaps and safeguard these unique digital assets.
Global digital integration is desirable and perhaps even inevitable for most States. However, there is currently no systematic framework or narrative to drive such integration in trade agreements. This article evaluates whether community values can offer a normative foundation for rules governing digital trade. It uses the African Continental Free Trade Area (AfCFTA) Digital Trade Protocol as a case study and argues that identifying and solidifying the collective needs of the African region through this instrument will be key to shaping an inclusive and holistic regional framework. These arguments are substantiated by analysis of the regulation of cross-border data flows, privacy and cybersecurity.
In this article, I critically examine the ‘Cyber Kill Chain’, a methodological framework for thought and action that shapes both contemporary cybersecurity practice and the discursive construction of security threats. The history and epistemology of the Cyber Kill Chain provide unique insight into the practice of contemporary cybersecurity, insofar as the Kill Chain provides cybersecurity practitioners with predetermined categories and indicators of threat that shape how threats are conceptualised and understood by defenders and suggests actions to secure against them. Locating the origins of the kill chain concept in US military operational logics, its transformation through the anticipatory inquiries of intelligence, and its automation in computational networks, this article argues that the Cyber Kill Chain is emblematic of a vigilant socio-technical logic of security, where human perception, technical sensing, and automation all respond to and co-produce the (in)security through which political security concerns are articulated. This practice makes politics; it excludes, includes, and shapes what is perceived to be dangerous and not, directly impacting the security constructed. Through a critical reading of the Cyber Kill Chain, this article provides insight into cybersecurity practitioners’ epistemic practice and as such contributes to discussions of cybersecurity expertise, threat construction, and the way in which cybersecurity is understood and practised as a global security concern.
Phishing emails cost companies millions. In the absence of technology to perfectly block phishing emails, the responsibility falls on employees to identify and appropriately respond to phishing attempts and on employers to train them to do so. We report results from an experiment with around 11,000 employees of a large U.S. corporation, testing the efficacy of just-in-time feedback delivered at a teachable moment – immediately after succumbing to a phishing email – to reduce susceptibility to phishing emails. Employees in the study were sent an initial pseudo-phishing email, and those who either ignored or fell victim to the phishing email were randomized to receive or not receive feedback about their response. Just-in-time feedback for employees who fell victim to or ignored the initial pseudo-phishing email reduced susceptibility to a second pseudo-phishing email sent by the research team. Additionally, for employees who ignored the initial email, feedback also increased reporting rates.
One of the pillars on which product liability law is based is the defence for development risks. According to this defence, the producer is not liable for the damage caused to the injured party if, at the time the product was put into circulation, the state of scientific and technical knowledge did not allow the existence of the defect to be discovered. The Proposal for a Directive drafted by the European Commission and published on 28 September 2022 continues to provide, in Article 10.1.e), the defence for development risks. The Proposal for a Directive refers to this particular issue in Recital 39, which introduces some requirements for the assessment of such defence.
However, despite this recognition, does this defence fit into the digital paradigm, and how can it be applied to damage caused by defects in products with digital elements that incorporate artificial intelligence?
This chapter outlines the significance of the digital revolution for International Relations. The first section establishes the political context that shaped the development of the internet, showing how this informed both its technical building blocks and modes of governance. The second section explains how these new technologies also entailed a distinct set of vulnerabilities. In doing so, it highlights the emergence of cybersecurity as an issue of national security, including the potential for cyber warfare between states. The third section introduces the politics of social media platforms that have enhanced pro-democracy movements such as the Arab Spring, but also driven polarisation, fostered extremism and been harnessed by a range of actors, from terrorist groups and intelligence services through to diplomats and even heads of state. The final section tracks the rise of internet sovereignty, which began in the early 2000s and has since become a significant international political tension point. We highlight how some states have sought to control information within their geographical borders, and use online censorship, propaganda and surveillance to govern their populations.
The Covid-19 pandemic saw a surge in cyber attacks targeting pharmaceutical companies and research organisations working on vaccines and treatments for the virus. Such attacks raised concerns around the (in)security of bioinformation (e.g. genomic data, epidemiological data, biomedical data, and health data) and the potential cyberbio risks resulting from stealing, compromising, or exploiting it in hostile cyber operations. This article critically investigates threat discourses around bioinformation as presented in the newly emerging field of ‘cyberbiosecurity’. As introduced by scholarly literature in life sciences, cyberbiosecurity aims to understand and address cyber risks engendered by the digitisation of biology. Such risks include, for example, embedding malware in DNA, corrupting gene-sequencing, manipulating biomedical materials, stealing epidemiological data, or even developing biological weapons and spreading diseases. This article brings the discussion on cyberbiosecurity into the realms of International Relations and Security Studies by problematising the futuristic threat discourses co-producing this burgeoning field and the pre-emptive security measures it advocates, specifically in relation to bioinformation. It analyses how cyberbiosecurity as a concept and field of policy analysis influences the existing securitised governance of bioinformation, the global competition to control it, and the inequalities associated with its ownership and dissemination. As such, the article presents a critical intervention in current debates around the intersection between biological dangers and cyber threats and in the calls for ‘peculiar’ policy measures to defend against cyberbio risks in the ‘new normal’.
The proposal for a European Health Data Space aims at creating a common space where individuals may control their health data in a trusted and secure way. The objective is not only improving healthcare delivery, but also enhancing the opportunities to use health data for research and innovation. To achieve these results, the proposal implements a mandatory self-certification scheme for European health records systems as well as for wellness devices and applications, setting up essential requirements related to interoperability and security. Although this is the first intervention that sets a horizontal framework that is mandatory for all Member States, the security requirements that are included in the legislative proposal are not sufficiently detailed and comprehensive. Given that cyberthreats are increasing and security incidents affecting health data may potentially have an impact on the lives of patients, it is important that cybersecurity measures are adopted and implemented in the most effective way. The paper will analyse the European Health Data Space proposal pointing to the open issues and doubts that may be emerging and it will compare them with the proposed Cyber Resilience Act, identifying the issues that may be solved thanks to this horizontal regulation and the ones that instead remain open.
Cybersecurity of medical devices has become a concrete concern for regulators and policymakers in the European Union and the United States. Following the COVID-19 pandemic, there has been an increase in cyber-attacks on critical healthcare infrastructures and their IT systems, which have suffered service disruptions that put patients’ health and safety at risk. The increase in cyberattacks on healthcare infrastructure, including medical devices, exacerbated by the growing digitalisation of healthcare services in the EU and the US, has led legislators and regulatory bodies to pay more attention to cybersecurity. Cybersecurity of AI-based medical devices requires the assessment of three areas subject to evolving regulatory approaches: medical devices, Artificial Intelligence (AI), and cybersecurity. Although they may appear distinct in regulatory matters, the existence of AI-based medical devices and their possible cyber vulnerabilities makes clear that the three are intertwined and deserve closer attention from a regulatory point of view. Few scholars have devoted attention to AI and cybersecurity together, and even fewer, in our understanding, have produced comprehensive EU/US comparative studies reflecting on this specific issue. This paper aims to fill this gap and address the main implications of different regulatory approaches toward AI medical device cybersecurity in the EU and the US. The research stems from the assumption that regulation of medical devices in the EU has historically been inspired by regulatory trends in the US, although with the different cultural, societal, and legal traditions that made them adapt to the specificities of the territory. The paper observes that the US is a rule-based system reflecting a “command-and-control” approach, while the EU system is a principle-based one. While they share the main characteristic of being risk-regulation-based systems, their differences impact how AI-enhanced cybersecurity is regulated.
The question of how to balance free data flows and national policy objectives, especially data privacy and security, is key to advancing the benefits of the digital economy. After establishing that new digital technologies have further integrated physical and digital activities, and thus, more and more of our social interactions are being sensed and datafied, Chapter 6 argues that innovative regulatory approaches are needed to respond to the impact of big data analytics on existing privacy and cybersecurity regimes. At the crossroads, where multistakeholderism meets multilateralism, the roles of the public and private sectors should be reconfigured for a datafied world. Looking to the future, rapid technological developments and market changes call for further public–private convergence in data governance, allowing both public authorities and private actors to jointly reshape the norms of cross-border data flows. Under such an umbrella, the appropriate role of multilateral, state-based norm-setting in Internet governance includes the oversight of the balance between the free flow of data and other legitimate public policies, as well as engagement in the coordination of international standards.
Although today’s power grids have their own sensing and control communications infrastructure in dedicated networks operating separate from the publicly used information and communication networks (ICNs), technological advances may lead to more integrated electric power and ICN infrastructures. Some of the motivating technological changes that may act as catalysts for such increased integration of both infrastructures include the need for much higher power supply resilience for ICN sites, development of an “Internet of Things,” and the increased communication needs for electric power devices at users’ homes or at the power distribution level of the grid as part of power systems’ evolution into “smarter” grids. Hence, this chapter explores the implications in terms of resilience of integrated electric power and ICN infrastructures. In particular, the use of integrated power management to facilitate the use of renewable energy sources is discussed. Fundamental concepts about cybersecurity are also presented.
Since the 1960s, finance has undergone a long process of digital transformation and is today probably the most globalised segment of the world’s economy and among the most digitised and datafied. This process is evident across four major axes: the emergence of global wholesale markets, an explosion of financial technology (FinTech) start-ups since 2008, an unprecedented digital financial transformation in developing countries (particularly China), and the increasing role of large technology companies (BigTechs) in financial services. This process of digital financial transformation brings structural changes with both benefits and risks. This chapter considers new risks, particularly new systemic risks which have emerged, focusing on cybersecurity and data.
This Article considers the role of ideas in shaping law and policy processes, serving to facilitate certain actions or approaches while curtailing others. Using the development of the EU’s governance approach to online service providers and platforms, this Article demonstrates how ordoliberalism, as a set of beliefs regarding the regulation of market activity through law, has shaped the understanding of appropriate measures for combating hybrid threats such as disinformation. Highlighting the origins of the E-Commerce Directive and the influence of ordoliberalism in the application of a regulated self-regulation model, the Article explores how ordoliberal philosophical ideas have influenced programme- and policy-level ideas concerning EU cyberspace governance as it relates to online platform activities. Even where there has been discursive change regarding the role of online platforms in contributing to an environment of insecurity, there has nevertheless been ideational continuity in the approach to their regulation, dictating the legal response in the Digital Services Act.
Chapter 9 explores the overall risk of cybersecurity and cybersecurity resilience on the African continent. Africa ranks low on the International Telecommunication Union’s 2018 Global Cybersecurity Index, and the continent scores lowest of all regions in the five pillars: legal, technical, organizational, capacity building, and cooperation. With the rise of 4IR technologies, a resilient national infrastructure becomes critical to withstanding cyber-attacks. This chapter goes on to explain how cyber disruptions impact different sectors and civil society.
Our last emerging trends article introduced Risks 1.0 (fairness and bias) and Risks 2.0 (addictive, dangerous, deadly, and insanely profitable). This article introduces Risks 3.0 (spyware and cyber weapons). Risks 3.0 are less profitable, but more destructive. We will summarize two recent books, Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity, and Democracy and This is How They Tell Me the World Ends: The Cyberweapons Arms Race. The first book starts with a leak of 50,000 phone numbers targeted by spyware named Pegasus. Pegasus uses a zero-click exploit to obtain root access to your phone, taking control of the microphone, camera, GPS, text messages, etc. The list of 50,000 numbers includes journalists, politicians, and academics, as well as their friends and family. Some of these people have been murdered. The second book describes the history of cyber weapons such as Stuxnet, which is described as crossing the Rubicon. In the short term, it set back Iran’s nuclear program for less than the cost of conventional weapons, but it did not take long for Iran to build the fourth-biggest cyber army in the world. As spyware continues to proliferate, we envision a future dystopia where everyone spies on everyone. Nothing will be safe from hacking: not your identity, your secrets, your passwords, or your bank accounts. When the endpoints (phones) have been compromised, technologies such as end-to-end encryption and multi-factor authentication offer a false sense of security; encryption and authentication are as pointless as closing the proverbial barn door after the fact. To address Risks 3.0, journalists are using the tools of their trade to raise awareness in the court of public opinion. We should do what we can to support them. This paper is a small step in that direction.
The goal of our paper is to demonstrate the potential effects of a tax on ransom payments on the incentives of the stakeholders involved: both the perpetrators (the attackers deploying the ransomware) and the potential victims. We think there is a case for a ransom tax, but we also realise that it is not easy to make that case, and hence we express this doubt in our title. A tax could stimulate ex ante cybersecurity investment and also (when price elasticity is not too low) reduce ex post ransom payments. In addition, a tax combined with a smartly designed subsidy could have further benefits.
The voyage data recorder (VDR) is a data recording system that aims to provide all navigational, positional, communicational, sensor, control and command information for data-driven investigation of accidents onboard ships. Due to the increasing dependence on interconnected networks, cybersecurity threats are among the most severe issues when it comes to safeguarding sensitive information and assets. Cybersecurity issues are especially important for the VDR, considering that modern VDRs may have internet connections for data transfer, network links to the ship's critical systems and the capacity to record potentially sensitive data. Thus, this research adopted failure modes and effects analysis (FMEA) to perform a cybersecurity risk assessment of a VDR in order to identify cyber vulnerabilities and specific cyberattacks that might be launched against the VDR. The findings of the study indicate certain cyberattacks (false information, command injection, viruses) as well as specific VDR components (data acquisition unit (DAU), remote access, playback software) that require special attention. Accordingly, preventative and control measures to improve VDR cybersecurity are discussed in detail. This research makes a significant contribution to the improvement of ship safety management systems, particularly in terms of cybersecurity.