The following definition reflects the belief that respecting human rights should be a central part of cybersecurity and cybersecurity-related policy making. This definition leads to a framing of cybersecurity that promotes a shift in perspective from a systems approach towards one that recognizes individual security as a core component of cybersecurity.
PREAMBLE: International human rights law and international humanitarian law apply online as well as offline. Cybersecurity must protect technological innovation and the exercise of human rights.
DEFINITION: Cybersecurity is the preservation – through policy, technology, and education – of the availability*, confidentiality* and integrity* of information and its underlying infrastructure so as to enhance the security of persons both online and offline.
*As defined by the ISO 27000 standard, which informed this process to ensure that the work of the technical community was adequately taken into account.
The definition includes three core elements:
- The ultimate goal of cybersecurity: “to enhance the security of persons both online and offline”;
- Articulation of how this ultimate goal and the dimensions of cybersecurity translate into technical terms: “cybersecurity is the preservation…of the availability, confidentiality and integrity of information and its underlying infrastructure”;
- The means through which this goal is being achieved: “through policy, technology, and education” with the understanding that “policy” includes the law.
Supporting and building on existing cybersecurity efforts in international fora, the preamble states that “International human rights law and international humanitarian law apply online as well as offline.” This is intended to emphasize the landmark resolution (A/HRC/20/8) adopted by the UN Human Rights Council in 2012 “affirm[ing] that the same rights that people have offline must also be protected online.” It also underscores the conclusion reached in 2013 by the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, that existing international law is applicable in cyberspace.
The definition also includes an assertion about the importance of technological innovation, which is essential to the free flow of information, to the continued functioning of the open interoperable Internet as a platform for communication, and to the protection of both freedom and security.
The definition includes terminology that is technically well informed and widely accepted by technical communities. It therefore relies on the International Organization for Standardization (ISO) 27000 standard to signal that the work of the technical community is adequately taken into account.
The definition supports the view that security and freedom (as well as cybersecurity and human rights) are deeply interrelated and synergistic, rather than zero-sum, and that cybersecurity and human rights protection are mutually reinforcing, interdependent, and both essential to promoting freedom and security.