Established in the summer of 2014, the FOC’s multistakeholder Working Group 1 “An Internet Free and Secure” has been working to bring a human rights framing to ongoing debates on cybersecurity. WG1 consists of 14 selected individuals who joined the Working Group Co-chairs – Simone Halink from the Dutch Government and Matthew Shears of the Center for Democracy and Technology – and interested FOC country members (Canada and United States). The Group’s mandate and activities have been developed by consensus by its members, taking into consideration existing initiatives in the field and the unique opportunity to advance the debate on cybersecurity through multistakeholder cooperation and dialogue. Since its inception, the Working Group has been carrying out the following activities:
- Developing a working definition of cybersecurity;
- Mapping key cybersecurity events and processes to help inform civil society engagement in the field;
- Advancing the normative debate on cybersecurity and human rights; and
- Exploring spaces where cybersecurity is being discussed and avenues for engagement through a blog-series.
As the Group presents its outputs at the fifth annual FO Conference in Mongolia, this installment of the FOC Working Group 1 (WG1) blog-series takes stock of the progress of the Group’s activities to date and outlines potential next steps. For more information on WG1, including its mandate and members, please follow this link.
(1) A definition of cybersecurity
The first activity of the Working Group was to develop a working definition of cybersecurity. From the outset, it was recognized that the term “cybersecurity” signifies different things to different people: in some settings the term points principally to protection of critical infrastructure; in others, the importance of cybersecurity relates fundamentally to digital security for users; elsewhere, concern about cybersecurity relates primarily to data protection. The Group agreed that its working definition should be technically informed, while addressing these different dimensions of the term.
Second, in keeping with its overarching FOC theme, the Group understood that part of its responsibility was to help optimize protection for both freedom and security, and avoid playing into the binary, zero-sum framing that is common in many security-related conversations. The Group thus set out to reinforce that security and freedom are deeply interrelated in terms of their values and goals, and that outcomes for both suffer when the values on either side are not adequately protected. To address this, the Group agreed that reinforcement of existing obligations under international human rights law and international humanitarian law must be a key component of its working definition.
Third, the Group agreed that the definition should support the commitment to technological innovation in addition to the protection of both freedom and security.
Accordingly, the preamble and definition for cybersecurity generated by WG1 reads as follows:
PREAMBLE: International human rights law and international humanitarian law apply online and well as offline. Cybersecurity must protect technological innovation and the exercise of human rights.
DEFINITION: Cybersecurity is the preservation – through policy, technology, and education – of the availability*, confidentiality* and integrity* of information and its underlying infrastructure so as to preserve the security of persons both online and offline.
*as defined by ISO 27000 standard which informed this process to ensure that the work of the technical community was adequately taken into account.
This working definition became a framing for subsequent activities of the Working Group. As the understanding of cybersecurity continues to evolve, the Group considers this definition as a work in progress.
(2) Mapping cybersecurity events and processes
In considering the necessary steps to bring a human rights framing to cybersecurity debates, the Group recognized the important role played by civil society and public interest groups in this space, but also identified significant obstacles towards their effective engagement. Resources and capacity pose a continuous challenge, as do the sensitivities inherent in security-related policy making, and the growing complexity of the field. To help address the need for reliable and user-friendly information on where key cybersecurity-related debates are taking place, the WG set out to develop a visual timeline of relevant events and processes.
In the first instance, Group members gathered information about over 50 events related to cybersecurity taking place in 2015 and “tagged” them with several attributes considered relevant for civil society engagement:
- Level of inclusiveness: to indicate whether an event is closed (by invitation only or for “members of the club”), open for anyone, or conditionally open (e.g. anyone can apply, but there is a limited number of places available so selection of some sort takes place).
- Thematic coverage: to indicate the main thematic focus of the event, in particular whether it deals with cybercrime (including child safety or spam), network security and critical resources (including incident-handling), international peace and security (including arms control, cyber defence and cyber-warfare, international humanitarian law, confidence building measures, disarmament), or digital rights (including privacy and online freedoms); events covering more than one theme were given a “multiple topics” attribute.
- Functional mechanism: to indicate whether the function of the event is to make decisions (either at the event or within the broader related) or to discuss (where no direct decisions come from the discussion or the process).
Additional tags were added to mark events that provide e-participation possibilities and those that are capacity building in nature.
Once the key events were identified and described, the Group set out to “cluster” these events into process tracks that help place a certain event relative to the broader landscape. After several “trial and error” attempts, the Group decided to cluster the events according into five process tracks:
- United Nations and subsidiary bodies (including the ITU, UN Human Rights Council, UNODC or the work of the Governmental Group of Experts within the first committee of the UNGA).
- Internet Governance Forum and related processes (the global IGF as well as its regional offspring).
- Governmental and intergovernmental processes (such as the GCCS and FCO but also the SCO events or OSCE CBM track).
- Technical and standard-setting bodies (including ICANN, IETF or W3C events).
- Other processes (especially those organised by the civil society groups).
Events were mapped visually according to the five process tracks onto a 2015 calendar with specific “icons” marking the key tags of each event (thematic coverage, level openness and decision-making or discussion format). A brief description of each process track was also provided, along with the acronyms of the key institutions and organisations related to the events. To make sure that the map is functional and user-friendly, some information about the events was inevitably excluded; nevertheless, the full set of data continues to be available in the database, which is available online.
* The visual map and a brief description have been developed with the financial support of the Dutch government in the run-up to the Global Conference on Cyberspace. (GCCS)
(3) Advancing the normative debate on cybersecurity and human rights
There is a growing recognition that much greater engagement by all stakeholder groups in cybersecurity issues and policies is needed and that cybersecurity must respect and uphold human rights, in particular the right to privacy and free expression. To date, however, the degree to which human rights concerns have been given due consideration in the development of cybersecurity policy has been far from adequate; the members of the Group believe that greater efforts need to be made to turn words into action.
With this in mind, the third activity that the Group decided to work on was to advance the normative debate on cybersecurity through developing a set of recommendations that promote greater stakeholder-driven and human rights respecting approaches to cybersecurity. These recommendations are being developed with the aim to provide guidance to all stakeholders involved in cybersecurity matters, and in particular those involved in developing and implementing cybersecurity policies and frameworks. They are being designed to encourage stakeholders to incorporate the protection and promotion of human rights in all matters related to cybersecurity and to ensure that cybersecurity policy is rights-respecting by design.
As a starting point, the Group took into consideration existing language that supports the idea that stakeholder engagement and respect for human rights in cybersecurity matters are indivisible:
- The 2013 UNGA report A/68/98 by the UNGA First Committee’s Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security states that “efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments,” and that “States should encourage the private sector and civil society to play an appropriate role to improve security of and in the use of ICTs.”
- More recently in April 2015, the Chair’s Statement of the Global Conference on Cyberspace in The Hague urged “all stakeholders to work together proactively to ensure that cybersecurity policies are, from their inception, rights-respecting and consistent with international law and international human rights instruments” and urged governments “to ensure that cyber policy at national, regional and international level is developed through multistakeholder approaches, including civil society, the technical community, businesses and governments across the globe.”
- The normative work of Working Group 1 also builds on the FOC Tallinn Agenda, where FOC governments collectively note their “obligation to adopt and encourage policies and practices, nationally and internationally, that promote the protection of human rights and fundamental freedoms online, in particular freedom of expression, including the freedom to seek, receive and impart information, the right to privacy, as set out in Article 17 of the International Covenant on Civil and Political Rights, and freedom of peaceful assembly and association.”
The Group’s work on the recommendations also builds on the recognition that cyber-attacks and cybercrime undermine not just a nation’s infrastructure and economy, but also an individual’s digital security and infringe their human rights, in particular the rights to freedom of expression, information, privacy, and association. The Group believes that protecting the rights of citizens is central to their security: freedom and security are mutually reinforcing and the security of persons should be upheld through cybersecurity policies and practices that comply with the rule of law in a human rights framework.
Work on the recommendations is ongoing.
(4) Exploring spaces where cybersecurity is being discussed and avenues for engagement
In a further effort to raise awareness about relevant forums and processes where cybersecurity debates are taking place, the group has also issued a blog series that serves as a platform to explore in depth the existence, relevance, and status of various spaces where cybersecurity issues are being discussed. The blogs are a way to share this information with the broader community and highlight potential avenues for greater civil society engagement. The blogs cover a range of topics related to cybersecurity including a general introductory note on cybersecurity by Ron Deibert, and discussions taking place at the UN, the London Process, and the IETF. Upcoming installments will focus on the ITU, OSCE, WSIS, the IGF, and other forums.
The activities of Working Group 1 are ongoing. During the FO Conference, 4-5 May in Ulaanbaatar, Mongolia, the group will further discuss their development. The Group also intends to engage on the normative framework with a broad stakeholder group in different meetings later this year. Please keep an eye on the FOC website to stay updated on these developments.
The views expressed in this blog represent the views of individual authors, and do not represent the views of the Freedom Online Coalition or its members.
If you are interested in contributing to this blog series as a guest author, please contact the FOC Support Unit at info (at) freedomonlinecoalition.com indicating which forum relevant for cybersecurity debates you are interested in writing about.