How do we bring about a paradigm shift so that human rights and cybersecurity are understood to be interdependent and mutually reinforcing?

In the public debate about how to provide security in the digital context, the dominant narrative, which pits privacy and other human rights against public safety and national security, has become increasingly entrenched. In practice, though, threats to privacy and other human rights can also harm public safety and security. This binary framing is therefore damaging to both sides of the equation, and creates antagonisms where mutual reinforcement is possible. Framing privacy and other human rights as antithetical to public safety and national security is not only misleading, but undermines public safety and security, as well as freedom. Raising the profile of human rights protections in existing cybersecurity policy-making is necessary to offset this trend.

Individual security is a core purpose of cybersecurity and a secure Internet is central to human rights protection in the digital context. Recognising this requires a definition of cybersecurity that states that privacy and confidentiality of information are essential to the security of people, as well as to data, especially in the digital context where physical security and digital information are linked.

Recognizing that individual security is at the core of cybersecurity means that protection for human rights should be at the center of cybersecurity policy development. Such an approach is instrumental in reminding policy-makers that cybersecurity must take into account individual security and human rights and that, as a consequence, cybersecurity policies should be human rights respecting by design.

Translating this paradigm shift into action across a diversity of policy spaces will change the conversation so that human rights are a central part of cybersecurity-related decision-making. Doing so requires breaking down policy-silo boundaries, dislodging the dominant rights-versus-security paradigm, and building evidence that human rights and cybersecurity are mutually reinforcing and interdependent.

In the context of increasing cyber vulnerability, where cybersecurity and cybercrime challenges are increasing in frequency and complexity, there is a need for all stakeholders to work together to preserve human rights, particularly privacy and free expression. Cybersecurity and human rights are complementary, mutually reinforcing and interdependent. Both need to be pursued together to effectively promote freedom and security.

A human rights respecting definition of cybersecurity

The following definition reflects the belief that respecting human rights should be a central part of cybersecurity and cybersecurity-related policy making. This definition leads to a framing of cybersecurity that promotes a shift in perspective from a systems approach towards one that recognizes individual security as a core component of cybersecurity.

PREAMBLE: International human rights law and international humanitarian law apply online as well as offline. Cybersecurity must protect technological innovation and the exercise of human rights.

DEFINITION: Cybersecurity is the preservation – through policy, technology, and education – of the availability*, confidentiality* and integrity* of information and its underlying infrastructure so as to enhance the security of persons both online and offline.

*As defined by the ISO 27000 standard, which informed this process to ensure that the work of the technical community was adequately taken into account.

The definition includes three core elements:

  1. The ultimate goal of cybersecurity: “to enhance the security of persons both online and offline”;
  2. Articulation of how this ultimate goal and the dimensions of cybersecurity translate into technical terms: “cybersecurity is the preservation…of the availability, confidentiality and integrity of information and its underlying infrastructure”;
  3. The means through which this goal is being achieved: “through policy, technology, and education” with the understanding that “policy” includes the law.

Supporting and building on existing cybersecurity efforts in international fora, the preamble states that “International human rights law and international humanitarian law apply online as well as offline.” This is intended to emphasize the landmark resolution (A/HRC/20/8) adopted by the UN Human Rights Council in 2012 “affirm[ing] that the same rights that people have offline must also be protected online.” It also underscores the conclusion reached in 2013 by the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, that existing international law is applicable in cyberspace.

The definition also includes an assertion about the importance of technological innovation, which is essential to the free flow of information, to the continued functioning of the open interoperable Internet as a platform for communication, and to the protection of both freedom and security.

The definition includes terminology that is well informed technically, and widely accepted by technical communities. It therefore relies on the International Organization of Standardization (ISO) 27000 standard to signal that the work of the technical community is adequately taken into account.

The definition supports the view that security and freedom (as well as cybersecurity and human rights) are deeply interrelated and synergistic, rather than zero-sum, and that cybersecurity and human rights protection are mutually reinforcing, interdependent, and both essential to promoting freedom and security.

Recommendations for human rights based approaches to cybersecurity

These recommendations are a first step towards ensuring that cybersecurity policies and practices are based upon and fully consistent with human rights – effectively, that cybersecurity policies and practices are rights-respecting by design.

  1. Cybersecurity policies and decision-making processes should protect and respect human rights.
  2. The development of cybersecurity-related laws, policies, and practices should from their inception be human rights respecting by design.
  3. Cybersecurity-related laws, policies and practices should enhance the security of persons online and offline, taking into consideration the disproportionate threats faced by individuals and groups at risk.
  4. The development and implementation of cybersecurity-related laws, policies and practices should be consistent with international law, including international human rights law and international humanitarian law.
  5. Cybersecurity-related laws, policies and practices should not be used as a pretext to violate human rights, especially free expression, association, assembly, and privacy.
  6. Responses to cyber incidents should not violate human rights.
  7. Cybersecurity-related laws, policies and practices should uphold and protect the stability and security of the Internet, and should not undermine the integrity of infrastructure, hardware, software and services.
  8. Cybersecurity-related laws, policies and practices should reflect the key role of encryption and anonymity in enabling the exercise of human rights, especially free expression, association, assembly, and privacy.
  9. Cybersecurity-related laws, policies and practices should not impede technological developments that contribute to the protection of human rights.
  10. Cybersecurity-related laws, policies, and practices at national, regional and international levels should be developed through open, inclusive, and transparent approaches that involve all stakeholders.
  11. Stakeholders should promote education, digital literacy, and technical and legal training as a means to improving cybersecurity and the realization of human rights.
  12. Human rights respecting cybersecurity best practices should be shared and promoted among all stakeholders.
  13. Cybersecurity capacity building has an important role in enhancing the security of persons both online and offline; such efforts should promote human rights respecting approaches to cybersecurity.

Concerns related to specific practices – including surveillance and content control – are addressed in these recommendations in two ways. First, to the extent that cybersecurity is used to advance other unrelated objectives such as censorship or surveillance activities, Recommendation 5 specifically highlights that cybersecurity-related laws, policies and practices should not be used as a pretext to violate human rights. Moreover, with regard to content control and surveillance activities relating to cybersecurity, Recommendations 1 and 2 highlight that cybersecurity laws, policies, practices, and decision-making processes should protect and respect human rights.


Expressions of support

Governments

Canada
Freedom Online Coalition member states
United States

Organisations

Access Now
Access To Information Namibia (ACTION) Coalition
Association des droits numériques (Association for digital rights)
Association for Progressive Communications
Australian Privacy Foundation
Bangladesh Internet Governance Forum
Center for Democracy and Technology
Center for Law and Technology (Nepal)
Centre African D’Echange Culturel
Centre for Information Technology and Development
Centre for Internet and Society
The Centre for Law and Democracy
CrypTag
Fantsuam Foundation
Global Partners Digital
Human Rights Watch
Instituto Panameño de Derecho y Nuevas Tecnologías (Panama Institute of Law and New Technologies)
Legal Education Advancement and Development
Linux Accra Users Group
Mozilla
Open Technology Institute at New America
Palestinian Center for Development and Media Freedoms
Paradigm Initiative Nigeria
TEDIC
University of Aarhus
Women of Uganda Network

Individuals

Susan Aaronson
Renata Aquino Ribeiro
Analía Aspis
Belisario Contreras
Rafik Dammak
Camille M. François
Stefania Milan
Federico Nier-Fischer
Tatiana Tropina

Human Rights analysis of cybersecurity issues