Cybersecurity has become conflated with ‘national security’, with no consideration of what a ‘secure’ internet might mean for individual users. But such a definition can be diametrically opposed to individual security.
In July 2015, UK Trade and Investment (UKTI) opened a new centre in London to showcase Britain’s ‘dynamic and innovative’ cybersecurity industry to global investors. Four months later, the UK and US governments conducted a widely reported joint exercise with leading global financial firms to test collective resilience in the face of a ‘cyberterrorism’ incident. Last week, in the wake of horrific scenes in Paris, UK Chancellor George Osborne unveiled a comprehensive new ‘national cyber plan’, allocating £1.9 billion of new funding against a backdrop of swingeing cuts across government departments.
In his speech announcing it, which contained 134 instances of the word cyber, he boasted that despite “taking the most difficult decisions on spending in other areas,” the government has made “a deliberate decision to increase spending on cyber.” These are just three particularly high-profile instances in a year which has seen cybersecurity rise to unprecedented prominence in the media and policy space.
Nor is it just a UK phenomenon. Out of 193 International Telecommunications Union (ITU) member states globally, 67 now have live national cybersecurity strategies, and 102 have National Computer Incident Response Teams (CIRTs). International institutions including the Organisation of American States and the African Union are considering cybercrime conventions to set normative standards across whole continents. Cybersecurity is also increasingly present and visible as an issue in international relations and diplomacy. Recall, for example, Chinese prime minister Xi Jinping’s recent visit to the UK in October, where the main news story was a joint statement on cybersecurity, only a month after reports of a similar ‘cyber-peace deal’ between China and the US. As an ex-foreign minister of India recently noted, “[cybersecurity] has become a fresh domain of contention between states. It is true of land, seas, skies and outer space, all of which we have successfully militarized. Exactly the same thing is happening in cyberspace.”
A rights-based cybersecurity?
Among civil society and public interest groups however, there has, as yet, been little engagement or even research on this issue – something which unbalances the debate and locates cybersecurity as something for systems, rather than people. But cybersecurity is intrinsically about people. As a policy area concerned with the regulation of online behaviour, how it is defined and implemented will have – and is already having – profound implications for essential human rights such as privacy and freedom of expression.
As human rights defenders, it is therefore crucial that we engage in this debate. But how? And what would a rights-based cybersecurity look like?
The natural starting point is to define what cybersecurity is – or at least how it is currently understood. This is surprisingly difficult. Cybersecurity encompasses a universe of different definitions, as the Global Cyber Definitions database (with 900 definitions and counting) demonstrates. To further complicate matters, cybersecurity is often conflated with cybercrime, or confused with related but distinct concepts such as cyber-resilience, cyber-warfare and cyber-defence.
Broadly speaking, it is taken to mean the protection of digital information systems against attack, either by states or individual hackers. Recent high-profile incidents of this kind, like the TalkTalk data breach and Sony Pictures hack, have fed alarmist narratives of a ‘cyber-crimewave’, in spite of the absence of reliable supporting evidence (indeed, a recent report suggested cybercrime is actually becoming rarer).
This is not to suggest that threats don’t exist, or that cybersecurity isn’t important – quite the contrary. From a human rights point of view the US Personnel Department hack earlier this year, which exposed the sensitive personal information of 22 million people – including mental health records and details of drug and alcohol abuse – is a catastrophe, demanding urgent remedial action and radical reform to ensure it never happens again.
But because of the poverty and narrowness of current discourse around cybersecurity, this hasn’t happened. There has been no discussion about whether such vast amounts of data should have been collected in the first place, given the weak safeguards in place – a risk which the Electronic Frontier Foundation had flagged as early as 2010. Instead, the incident was treated as a diplomatic incident, with US officials blaming China and weighing options for ‘retaliation’.
This is what happens when a policy area is exclusively framed by security agencies and selected private sector interests. The US Cybersecurity Information Sharing Act (CISA), for example – which many argue undermines data protection law, and increases rather than reduces the risk of future attacks – was negotiated entirely behind closed doors, with the only non-governmental input coming from telecoms industry lobbyists.
As a result, cybersecurity has become wholly conflated with ‘national security’, with no consideration of what a ‘secure’ internet might mean for individual users. Indeed, such a definition of cybersecurity – in which surveillance powers are expanded, encryption and anonymity limited, ‘backdoors’ installed and accountability structures weakened – can be diametrically opposed to individual security.
Ironically, from the user point of view there has never been a greater need for cybersecurity. We live in a world increasingly defined by data, where a small elite of tech companies have built vast monopolies on a business model which relies on the extraction, storage and monetization of our personal information. Government services, which hold sensitive data on everything from taxation to health records, are rapidly moving online, while a nascent Internet of things ushers in a new age of wearable health monitors, hackable toasters and TVs that listen to you.
That is why rather than simply decrying current attacks on data protection and privacy, we need to proactively advocate for a new definition of cybersecurity, centered on the security and rights of the end user, rather than on systems.
Our informed consent
What would this look like? It might mean a legal and normative shift in our conception of data ownership, putting ownership and control of personal information in the hands of the user, rather than the service provider. It might mean guaranteed end-to-end encryption and public education programs that focus upon personal privacy and data protection. It could mean instilling stronger accountability and oversight structures where data collection is deemed necessary, by ensuring that the scope of such powers is narrowly defined, and that oversight mechanisms include staff with high-level computer skills, and judicial authorisation for any interference in people’s privacy.
Above all, we need to fight for an open, inclusive, multistakeholder approach to internet policy-making. In a democratic society, the implementation of cybersecurity demands the informed consent of the population – which means ensuring that voices other than security agencies are involved in the debate. How can human rights defenders push for this?
Local campaigns against proposed legislation are, of course, crucial – with the coordinated fight against CISA in the US an inspiring recent example. But we also need to be thinking about how to drive engagement on this issue in the absence of big legislative flashpoints.
This will mean proactive lobbying and a willingness to engage in public debate – not simply denouncing measures that promote cybersecurity, but consciously seeking to shift the debate to an understanding of cybersecurity as the protection of the person. It will require action at the global, as well as local and regional, level.
There are signs that these issues are beginning to be addressed. At the recent Internet Governance Forum in Brazil, Working Group 1 of the Freedom Online Coalition (FOC) presented a set of draft recommendations for a rights-respecting cybersecurity policy, developed through a multistakeholder process, complementing earlier efforts by civil society groups like CitizenLab and ICT4Peace to move the debate forward. Earlier this year, the Dutch government decided to invite over 500 civil society participants to the Global Conference on Cyberspace – the most recent iteration of the London Process, which previously offered very limited provision for civil society input. We must encourage more initiatives like this.
Cybersecurity is an issue that goes to the very essence of what the internet is. The internet was never, after all, made to be secure – by design it is interoperable, multi-jurisdictional, and horizontal, qualities which seldom conduce to security. But it is these qualities which make it valuable and worth fighting for. If we want to keep it that way, this is a debate we can’t afford to avoid.
The article references the work of the Freedom Online Coalition and the Global Conference on Cyber Space. For the sake of transparency, the authors would like to clarify that Global Partners Digital is the Secretariat of the Freedom Online Coalition, and was a facilitator in the Global Conference on Cyber Space in 2015.