*As defined by ISO 27000 standard
A hospital’s patient data is leaked, a power system is hacked, a comment insulting a political leader is posted on a social media network. These scenarios might seem different, but they could all come under the banner of cybersecurity. But the meaning of this word is contested. And its lack of a firm definition means it can be easily politicised and molded to suit different agendas.
Disputed definition of Cyber Security
Governments and businesses in particular tend to frame cybersecurity as the mitigation of risk for the state and its systems, rather than the empowerment and well-being of people. This can help justify repressive measures – like internet shutdowns and restrictions on encryption. To resist this, human rights defenders need to understand the different definitions at play and be active in shaping a common definition of cybersecurity, which is positive and rights-respecting. At the end of this post, you should have a better understanding of: the current range of possible cyber security definitions; the motivations for using them; and how we can advocate for a more rights-respecting framing for cyber security. The term “cybersecurity” is disputed. Its definition can vary even from one government department to the next, and this vagueness means it can cover an almost endless range of different issues. This is illustrated by a New America Foundation study from 2014, which found over 400 different cyber-related definitions.
The dominant framing of cybersecurity, developed over the years by technical, business, intelligence and military actors, focuses on the security of digital information and the network infrastructure that stores and transmits this information. For example, the International Telecommunications Union (ITU) definition focuses on the protection of “the cyber environment, organisation and user’s assets”. Similarly, many ICT businesses see cyber security mainly as protection against threats to information and networks – like malware, unauthorised access, and malicious code. Military organisations tend to see cybersecurity in terms of warfare. A good example is NATO’s 2016 agreement that cyberspace should be considered the fifth operational domain of warfare – alongside sea, land, air and space. Here, the focus is on ensuring the protection of networks owned and operated by NATO.
Another framing of cybersecurity also focuses on information and systems, but has a broader, content-related mandate. China, for example, defines cyber security as “information security” – a term whose remit goes beyond security of systems to include control over an exchange of information online.
What these definitions have in common is that their conception of security is all about the mitigation of risk. The range of risks they acknowledge may be broad, but their focus on protecting systems rather than people is narrow, and limiting. You might ask why we’re spending so much time talking about definitions. It’s just words, isn’t it? But small differences in the emphasis of cybersecurity definitions can have big implications for human rights.
Definitions create the norms on which policies are based, and the narratives which justify them. If they’re too broad or focused on systems, they can be used to justify a wide range of measures – both legitimate and illegitimate. When we add securitisation into the mix, definitions become all the more important. Securitisation is the process by which actors make issues into security concerns. This can then enable the passage of extraordinary measures – like emergency laws – without adequate debate. In securitised narratives, cyberspace is often presented as a battlefield, or a den of criminals. In the absence of an internationally codified definition, this can be used to justify curbs on our fundamental rights. In the context of cyber security, this might mean more restrictions on content and freedom of expression, more disproportionate measures like mass surveillance, and more measures to undermine anonymity.
Security and human rights
These narratives may create the impression that security and human rights are somehow contradictory. But this isn’t true. In fact, they depend on one another. Security isn’t just something that is enacted on things in a narrow, negative sense of mitigating harm. Security is a positive concept, referring to a person’s freedom and capacity to act. This is even recognised in human rights law. Without security, we can’t fully exercise our rights. If we’re browsing on a vulnerable network, our personal information is at risk – with implications for a range of rights. But it goes the other way too. Unless we respect human rights we can’t have security either. Take South Korea’s effort to ban anonymous speech on certain websites in 2007. This not only impeded free expression and privacy, but also put the data of 35 million users at risk when two popular websites were hacked in 2011.
In this light, it’s clear that cyber security policies shouldn’t just be about risk mitigation. They should also empower people by facilitating the fuller exercise of their human rights. Without protected information and networks, people’s quality of life diminishes. Policies start with definitions. Human rights defenders therefore need to be active in shaping the norms and narratives which would underpin our rights-respecting, positive definition of cybersecurity.
Perhaps unsurprisingly, security actors play a big part in defining cybersecurity – from law enforcement bodies and intelligence agencies, to military entities and computer emergency response teams (CERTs). The forums they meet in can seem uninviting, but there is an increasing awareness of the benefit of multi-stakeholder exchange. Technical bodies (the Internet Engineering Task Force, the Internet Corporation for Assigned Names and Numbers, and the International Telecommunications Union) are also active in developing their own definitions of cybersecurity. And many countries and regional organisations are now adopting cyber security strategies. Here, human rights defenders can usefully contribute by outlining best practices and rights-respecting models.
Policy forums and conferences can help create momentum to put a rights-focused understanding of cybersecurity on the international agenda. And don’t forget businesses. They handle huge amounts of our data and fund some of the main studies informing the dominant narratives around cyber security. Their support will be crucial if we’re ever going to create consensus for a positive, rights-respecting definition. Let’s look at two examples of real-life attempts to shape the definitions of cybersecurity, and their implications.
The Russian government’s definition of cyber security – or ‘information security’ as it calls it – emphasises, among other things, “the unconditional maintenance of law and order and the promotion of equal and mutually advantageous international cooperation”. The first part of this clause has already facilitated surveillance measures like data localisation and data retention in Russia itself. Now, alongside China, they’re trying to realise the second part internationally, with their proposal for an International Code of Conduct for Information Security.
The proposal calls for international cooperation to curb “the dissemination of information that incites terrorism, secessionism or extremism or that undermines other country’s political, economic, and social stability as well as their spiritual and cultural environment”. This example shows how a negatively framed definition can provide cover for actions which threaten human rights both nationally and internationally. But there are also examples of initiatives working to promote rights-respecting conceptions of cybersecurity.
In 2015, the multi-stakeholder Working Group 1 of the Freedom Online Coalition published a new definition of cybersecurity, in an attempt to challenge current dominant narratives in a balanced way. Starting from the principle that human rights apply online, as well as offline, it says that: “Cybersecurity is the preservation – through policy, technology and education – of the availability, confidentiality and integrity of information and its underlying infrastructure so as to enhance security of persons both online and offline.” Note the focus on people rather than systems, and how it bridges policy, technical and human rights perspectives. This creates the basis for a shift towards a more positive framing of cybersecurity – centered on individual rights, rather than threats to systems. Because cybersecurity is such a young policy area, there’s still a chance for human rights defenders to shape how it’s framed. To do this, they need to engage wherever it’s being discussed. By coming prepared, understanding different motivations and being able to convince stakeholders with well-evidenced arguments, it’s possible to counter the dominant framings which pit human rights against security. And by championing a rights-respecting definition in the right places, human rights defenders can help ensure any measures taken in the name of cybersecurity which restrict human rights face proper scrutiny.
Without proper implementation of cyber security, we compromise both our online and our physical world. Artificial intelligence and machine learning make this worse.
The Indian government has set up a portal to deal with cyber crime.