A rights-based approach to cybersecurity

17 Dec 2017 09:00h - 14:00h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

Ms Deborah Brown, Association for Progressive Communications (APC), welcomed the participants. She started by providing a background to the session. Cybersecurity issues are increasingly visible on the IGF agenda, and there is an understanding that security and human rights (HR) need to be mutually reinforcing. However, there have been concerning trends of increasing securitisation and policies that encroach on privacy and other human rights. There is a need for a multistakeholder conversation about how to make progress, and this is the goal of this session.

The moderator, Ms Peggy Hicks, Office of the United Nations High Commissioner for Human Rights (OHCHR), introduced the first panel of the event, which aimed to provide a framework and some clarity to the question: ‘what do we mean by a rights-based approach to cybersecurity?’ She called attention to the importance of discussing the obligations and responsibilities of both governments and the private sector.

Ms Marietje Schaake, European Parliament, mentioned that in Europe, the idea that security and human rights are complementary and should be upheld together is being challenged in areas such as migration, terrorism and cybersecurity. Cybersecurity has been an excuse to create exceptions to human rights, weaken encryption and introduce backdoors. She mentioned that the private sector also has responsibilities in the cybersecurity discussion, such as introducing security by design and clear rules of liability that make companies take responsibility for protecting users from flaws in the software they sell.

Ms Chinmayi Arun, Centre for Communication Governance (CCG), called attention to the fact that the conversation about HR and security is happening in separate silos, and there is little concern for principles such as proportionality. It is important to understand the baseline principles of national security and use the language that the security actors use in conversation with them.

Ms Kathy Brown, President and CEO of Internet Society (ISOC), opined that for the rights community to be successful, they need to have a seat at the table and educate themselves in the discipline of those that they are speaking to. There is a need to convene various stakeholders with a multidisciplinary approach, including a technical background, in order to understand each other’s goals. The Internet has been a space for freedom. We need to discuss how we can preserve that. We should not make binary choices that would lead us to give up this freedom to preserve security.

Mr Francisco Vera Hott, Privacy International, opined that security and privacy cannot be seen as being at odds; they need to reinforce each other. There are also problems of perception. The expression ‘security incidents’ sounds threatening to governments and policy makers, but it can mean different things, including something as simple as the theft of a password. However, during the commotion that the expression ‘security incident’ causes, policy makers create new norms that encroach on rights.

Schaake emphasised that civil society needs to understand the needs of governments. Security is a legitimate concern, and often the messages from civil society are rather negative and critical. Offering proposals and solutions is a better approach to fostering dialogue and good outcomes with policy makers. Schaake further opined that it is too early to think about an international treaty on cybersecurity, while Brown said that we need to think about who an international treaty would benefit and which purpose it would serve.

The second panel of the event was dedicated to ‘Year in review: Overview of current initiatives in cybersecurity and stability’. Ms Mehwish Ansari, Article 19, focused on cybersecurity discussions in ITU. The security of infrastructure has been a very important point in security discussions. She explained the role of ITU and the recent efforts made by the organisation to expand its role on cybersecurity issues. According to her, ITU is not a good institutional space for security discussions to flourish because it does not have the expertise or the capacity to do so. Moreover, there is no multistakeholder participation and there is a lack of transparency.

Ms Chrystiane Roy, Government of Canada, focused on the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE). For some countries in the UN GGE, cybersecurity is about keeping individuals safe; for other countries, it is about ensuring regime continuity. She shared her views on the collapse of the UN GGE.

Ms Lea Kasper, Global Partners Digital (GPD), shared her views on the Global Conference on Cyber Space (GCCS). She explained that the first GCCS, back in 2011, aimed to reach a consensus on the norms of responsible behaviour in cyberspace. Back then, there was no consensus over international law applying to cyberspace. She identified two trends during the 2017 conference. First, the division between countries is becoming wider. They could not approve a final declaration, and only a chair statement was produced. Against this background, speaking about treaties on cybersecurity at the present moment seems to be unrealistic. The second trend is that discussions on cybersecurity are becoming increasingly securitised and government-led, and space for the participation of non-governmental actors looks discouraging.

Ms Kaja Ciglic, Microsoft, explained Microsoft’s proposal for a Digital Geneva Convention. Microsoft is increasingly worried to notice that states all across the world are arming themselves and dramatically expanding their capabilities. Some estimates point to more than 100 countries with cyber-capabilities. Against this background, Microsoft came up with the proposal for a Digital Geneva Convention, as an aspirational starting point, to kickstart the debate. The proposal is composed of three different parts:

  • Creating an attribution organisation that would find technical data to reveal where the attacks are coming from.
  • Technical accord for cybersecurity: a call for the industry to come together with an agreement around key points, such as not accepting backdoors.
  • A convention or treaty: a call to governments to commit to refraining from certain actions in times of peace, such as attacking CERTs and stockpiling vulnerabilities.

Mr Markus Kummer, IGF Best Practice Forum on Cybersecurity, opined that treaties may be useful, but it will take time to get there, so we should start doing something. The IGF, for example, has several Best Practice Forums, including one on cybersecurity. The work started on unsolicited communications and C-CERTs. A template on how to create C-CERTs was produced.

Dr Madeline Carr, Cardiff University, stressed the importance of multidisciplinarity and the bridging of gaps in different languages, such as the language used by national security. One way to include human rights in security conversations could be through a human-security approach. Human security could be discussed within a state-based approach to cybersecurity. It would ask different questions from national security, such as: Security for whom? Security from what? How do we do it? Through which norms? What happens if the state itself becomes the source of insecurity? Human security embeds human rights into national security.

The third panel of the event took a ‘Deep dive on cybersecurity and human rights issues’ in order to assess the ‘risks and challenges’. Ms Maria Paz Canales, Derechos Digitales, discussed the importance of tools for human rights defenders and the need to conceive security threats not only as external to the country, but also internal, because human rights defenders also need to protect themselves from their own governments.

Mr Luis Fernando García, Red en Defensa de los Derechos Digitales, called attention to the fact that it is not enough to just include HR provisions in regulation, just to ‘tick a box’, but that compliance is also important. There is a need to challenge the perception that national security is free from accountability, and transparency is needed in democratic policy discussions. He called attention to the dangers of securitisation. When the army intervenes in the offline world, casualties rise and HR get breached. Discussions on cybersecurity should not be guided by a military mindset.

Mr Maarten van Horenbeeck, Technical community, mentioned that when policy makers try to find a solution for cybersecurity, they look for solutions that worked in the past, in other areas, which does not work. We need to embed transparent processes in our organisations that allow us to assess the HR implications of what we do.

Ms Anriette Esterhuysen, APC, introduced the closing session, on possible approaches towards consolidating a rights-based and inclusive approach to cybersecurity. She started by asking whether this would be possible or just a dream.

Mr Sunil Abraham, Centre for Internet and Society, opined that civil society must become multidisciplinary and focus on standard-setting organisations, but multistakeholderism cannot be substituted by multidisciplinarity, because a panel can be filled with only one stakeholder group coming from different areas of expertise. He believes that we cannot give up on governments as custodians of human rights and a source of transparency. We should continue to engage in multilateral fora.

Mr Matthew Shears, GPD, called attention to the importance of engaging with governments, particularly on the national and regional levels in developing strategies and frameworks. However, we cannot afford to step away from the global playing field. We need to leverage existing positive documents and commitments, such as previous reports of the UN GGE, which mentioned human rights. In order to start dealing with cybersecurity, we need to understand security concerns and security language and also to understand technology.

By Marilia Maciel