Blog series: Exploring cybersecurity discussion and human rights

Why Do We Need a New Definition for Cybersecurity?

This post originally appeared on the Freedom Online Coalition website.

The Freedom Online Coalition (FOC) is a partnership of 27 governments, created in 2011, working to advance Internet freedom. Coalition members spanning from Africa to Asia, Europe, the Americas, and the Middle East work closely together to coordinate their diplomatic efforts and engage with civil society and the private sector to support Internet freedom – freedom of expression, freedom of association, freedom of peaceful assembly, and freedom from arbitrary or unlawful interference with privacy – worldwide. In 2014, the Freedom Online Coalition established three working groups focusing on cybersecurity, on digital development and openness, and on privacy and transparency online.

The primary purpose of the FOC working group “An Internet Free and Secure” is to raise the profile of human rights as an integral consideration in cybersecurity policy-making. The working group’s goal is to build upon and advance existing cybersecurity policy-making efforts while increasing the priority placed on human rights protections, as a central concern to both improve security and promote the rights of individual internet users.

The first task of the working group was to generate a definition of cybersecurity. Why was a new definition of cybersecurity necessary? The term “cybersecurity” is used by different stakeholders to reference many different subjects often depending upon context, ranging from national security, to data security, to critical infrastructure security, and beyond. While it is true that numerous definitions relating to cybersecurity already exist, it is difficult to find any cybersecurity definitions that include clear commitments to and respect for human rights.

In order to enhance the quality of cybersecurity policy-making, the working group believed it crucial to put forth a human rights-respecting cybersecurity definition that others could adopt and integrate into policies and publications. Accordingly, in the fall of 2014, the working group developed and agreed to the following definition:

PREAMBLE: International human rights law and international humanitarian law apply online as well as offline. Cybersecurity must protect technological innovation and the exercise of human rights.

DEFINITION: Cybersecurity is the preservation – through policy, technology, and education – of the availability*, confidentiality* and integrity* of information and its underlying infrastructure so as to enhance the security of persons both online and offline.

*as defined by ISO 27000 standard which informed this process to ensure that the work of the technical community was adequately taken into account.

The definition includes three core elements:

  1. The ultimate goal of cybersecurity: “to enhance the security of persons both online and offline”;
  2. Articulation of how this ultimate goal and the dimensions of cybersecurity translate into technical terms: “cybersecurity is the preservation…of the availability, confidentiality and integrity of information and its underlying infrastructure”;
  3. The means through which this goal is being achieved: “through policy, technology, and education” with the understanding that “policy” includes the law.

In developing the definition, the working group was driven by the belief that respecting human rights should be a central part of cybersecurity-related decision-making. Raising the profile of human rights protections in existing cybersecurity policy-making was seen as necessary to offset the current trend of addressing cybersecurity through the lens of national and international security. It was also seen as instrumental in reminding policy makers that cybersecurity must take into account security for individuals. In short, the working group tried to put forward a framing of cybersecurity that aims to promote a shift in perspective from a systems approach towards an approach that recognizes individual security as a core component of cybersecurity.

At the same time, rather than playing into the binary, zero-sum framing common in many cybersecurity-related conversations, the definition supports the view that security and freedom (as well as cybersecurity and human rights) are deeply interrelated and synergistic, and that cybersecurity and human rights protection are mutually reinforcing, interdependent, and both essential to promoting freedom and security.

Supporting and building on existing cybersecurity efforts in international fora, the working group decided to include a preamble stating that “International human rights law and international humanitarian law apply online as well as offline.” This sentence is intended to emphasize the landmark resolution (A/HRC/20/8) adopted by the UN Human Rights Council in 2012 “affirm[ing] that the same rights that people have offline must also be protected online.” It also underscores the conclusion reached in 2013 by the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, that existing international law is applicable in cyberspace.

The definition also includes an assertion about the importance of technological innovation, which the working group sees as essential to the free flow of information, to the continued functioning of the open interoperable Internet as a platform for communication, and to the protection of both freedom and security.

Another intentional dimension of the definition was to include terminology that is well informed technically, and widely accepted by technical communities, so that it would provide a bridge between human rights policy and technical communities. The working group therefore relied on the International Organization of Standardization (ISO) 27000 standard to signal that the work of the technical community is adequately taken into account.

The working group’s hope is that policy makers and institutions utilize this human rights-respecting cybersecurity definition and integrate it into their work. Widespread adoption of this definition and approach could have the functional effect of breaking down policy-silo boundaries, dislodging the dominant zero-sum paradigm, and helping propagate the view that human rights and cybersecurity are mutually reinforcing, interdependent, and both essential to promoting freedom and security.

Bringing Clarity to Cybersecurity

This post originally appeared on the Freedom Online Coalition website.

It seems a day does not go by without a new story about cyberspace security: the data of Fortune 500 companies breached; cyber espionage campaigns uncovered; shadowy hacker groups breaking into websites and posting extremist propaganda. And, since June 2013, a series of riveting disclosures from former NSA contractor Edward Snowden, which have captured the world’s attention and put a spotlight on the most powerful signals intelligence (SIGINT) agencies.

Cybersecurity is important to all of us because our lives are now enmeshed with digital information and communication technologies.  Our kids, our work, our livelihood — everything we do — now depends on instantaneous access to communications and information networks.

While everyone can readily agree that cybersecurity is critical, how to secure cyberspace, to what end, and for whom are all questions around which there is widespread controversy and disagreement. For some, cybersecurity means securing the global communications infrastructure regardless of territorial boundaries, from the code to the satellites and everything in between. For others, cybersecurity is about securing one government’s critical infrastructure first and foremost, with some even developing offensive weapons to exploit vulnerabilities in other governments’ networks. For yet others, the security of cyberspace is a function of an overarching concern with the security of human rights.

Moving from the “what” to the “how” of cybersecurity brings yet more confusion: In what forums are the most important decisions around cybersecurity taken? Who is permitted to participate in those forums?  As cyberspace deepens and expands, these issues are becoming more complex. Staying on top of and engaging all of these different forums is a growing challenge for all stakeholders.

In an attempt to bring clarity to these issues, the Freedom Online Coalition (FOC) has created a working group on “Internet Free and Secure” in the lead-up to the next meeting of the FOC in Mongolia in May 2015. I am pleased to co-chair that working group with Simone Halink from the Dutch Foreign Ministry. A description of the working group can be found here.

As part of our working group’s outputs, we are producing a blog series (of which this post is the first).  Subsequent posts will be written by other working group members (or guest authors), and will cover a range of topics related to cybersecurity including discussions taking place at the ITU, the UN, the London Cyber Process, NATO, OSCE, WSIS, the IGF, and other regional forums.  Our aim (as we outlined it in our first working group meeting) is to create a blog series “that would serve as a platform to explore in depth the existence, relevance, and status of various spaces where cybersecurity issues are being discussed” and provide “a way to share this information with the broader community and highlight potential avenues for greater civil society engagement.” In an effort to add value to the ongoing work on cybersecurity done elsewhere, other activities undertaken by the working group include refining the definition of cybersecurity, developing a visual overview of relevant global spaces where cybersecurity debates are taking place, and advancing the normative debate on cybersecurity.

The working group represents a diverse group of stakeholders, including representatives from civil society and government.  No doubt, with such a diverse group we are going to have some views that overlap, but also some disagreement. (I recently outlined my own views on what I think are the most important concerns around cybersecurity today, which can be found here).   While we may not agree entirely on all of the outstanding questions around cybersecurity, we hope to generate through this series of blog posts some interesting insights.