01 CYBERSECURITY AND HUMAN RIGHTS

CAROLINA ROSSINI AND NATALIE GREEN, PUBLIC KNOWLEDGE

EXECUTIVE SUMMARY

This will serve as an introduction to cybersecurity with a particular focus on the policy aspect of cyber security, including how cyber security is addressed in international relations and the impact cyber security has on human rights. By the end of the module, you should be able to answer the following questions:

• decisions? • What arerole the do main“definitions” human rightsplay in concerns cybersecurity when debates, dealing withdiscussions, cybersecurity? and policy • Are there international laws and standards that apply to cybersecurity? Do they address human rights concerns? • How is cybersecurity addressed regionally and internationally?

BACKGROUND: HISTORY AND DEFINITIONS

includingSince the firstthe Internet, computer are worm often was cornerstones unleashed fromin the which late 1980’s discussions to the aroundrecent cybersecurity,2014 Sony Pictures Internet Entertainment governance, hack, and Internet the security freedom and stabilitybegin. Threats of cyberspace, to cybersecurity can include computer viruses, spam, identity theft, data breaches, milliondenial of people service falling attacks, victim and to . Attackers each year can andrange tens from of thousands hackers to of activists to petty criminals to2, the businesses threats to to our national security governments.1 are real - but With so areover the 370 known viruses in existence cybersecurity.threats to our human rights online. Before looking at the human rights concerns in relation to cybersecurity, let’s take a quick look at the outward expressions of

In practice, outward expressions of cybersecurity include domestic public policy and laws (creation of cybersecurity agencies, such as the United States’ Cyber Command), international public policy discussions (talks around creating an ITU/UN cybersecurity treaty), private business practices (anti-virus software, notification programs by ISPs, firewalls, etc), online surveillance (often by governments), and technical community practices aimed at maintaining the critical infrastructure of the Internet (Internet Engineering Task Force is one of these independent technical agencies). 2 1 http://www.pcmag.com/article2/0,2817,2425118,00.asp https://www.uhd.edu/computing/helpdesk/documents/virusfacts.pdf

09 GCCS 2015 - WEBINAR SERIES TRAINING SUMMARIES

governments,When talking aboutinternational cybersecurity, organisations, what exactly human do rights we mean? activists, As you’ll and otherssoon realise, for differentthere are means,a variety though of definitions they vary and by termsa few words.that are used by cybersecurity firms,

DEFINITIONS

In fact, a great example is the term cybersecurity itself, which the European Union defines as “safeguards and actions that can be used to protect the cyber domain,3. both in the civilian and military fields, from those threats that are associated with or that may harm its interdependent networks and information infrastructure” training,The ITU definesbest practices, cybersecurity assurance as “the and collection technologies of tools, that canpolicies, be used security to protect concepts, security safeguards, guidelines, risk management approaches, actions,

4 the cyber environment and organisation and user’s assets” . Another example is the definition developed by the Freedom Online Coalition’s cybersecurity Working Group “An Internet Free and Secure” based on the ISO 27000 standard, “Cybersecurity is the preservation – through policy, technology, and education –

of the availability, confidentiality and integrity of information and its underlying5 infrastructure so as to preserve the security of persons both online and offline.”

The Internet Society (ISOC) has pointed that cybersecurity is “a catchword” that is “frighteningly inexact and can stand for an almost endless list of different security seriousconcerns, discussions technical challenges,of security and the“solutions” Internet ranging require from a shared the technicalunderstanding to the of legislative. While buzzwords like cybersecurity may make for good headlines,

Aswhat compared is meant to by many cybersecurity.” other areas of international relations or Internet-related

topics, there is a void of concrete internationally-agreed upon definitions andfor phrases many others and definitions have not been used agreed to discuss upon cybersecurity. in a binding, standardThe definitions setting of international‘’, body or agreement. ‘cybersecurity,’ That ‘cyber-warfare’, means these terms ‘cyber-surveillance’ are used by different

actors in different ways, thus making policy discussions more confusing and making it easier for some governments to violate basic rights in the name of a Databasebroad ‘cybersecurity’ threat. In 2014, the Swiss government funded a project ofto eachconsolidate of the following, cybersecurity as these related words definitions are crucial in theto your Global understanding Cyber Definitions of the basics of cybersecurity:. Before you continue, use the database to look up the various definitions

• • • InformationCybersecurity security • • • Critical infrastructure • Cyber space • Cybercrime • Cyber warfare Cyber threat Hacktivism

3 http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open- internet-and-online-freedom-and-opportunity-cyber-security

4 http://www.itu.int/online/termite/index.html 10 5 https://www.freedomonlinecoalition.com/how-we-work/working-groups/working- group-1/ BRIEF OVERVIEW WHERE CYBERSECURITY IS BEING DISCUSSED

HOW CYBERSECURITY IS ADDRESSED AT THE NATIONAL LEVEL

Cybersecurity involves helping protect the information that you, me, governments, businesses, and others keep online or in cyberspace, including communications (email, video messaging), finances (credit card information on websites like Amazon or the account numbers and information you use for e-banking), (social security number, medical records on healthcare website), military secrets, and much more. Cyber incidents can also cause physical damage to critical ininfrastructure Iran. and networks as evidenced by the discovered in 2010 that targeted and destroyed some of centrifuges at the Natanz nuclear facility

It is under this backdrop that cybersecurity threats and the risk of cyber attacks that could leak confidential military secrets or damage a country’s economic/ securitypolitical threatsinfrastructure throughout have thegarnered world largeinclude attention nuclear not weapons just as proliferationan Internet- and war.related issues, but also as a national security issue. Other examples of national

The United States, Russia, Japan, Kenya, , are among the many countries that have declared European Union countries the issue of cybersecurity, and specifically threat and developed national cybersecurity strategies or initiatives. Such cyber attacks against their governments and citizens as a national security cybersecurity.cybersecurity initiativesInitiatives andalso strategies can set up normally the creation outline of new the agenciescountry’s to primary deal with goals, concerns, set of principles or norms, and actions to be taken related to law enforcement, military, defense and foreign affairs ministries, in implementing cybersecurity domestically or outline the role of already existingUnited agencies, States such as support the development of public-private partnerships (PPPs) between governmentcybersecurity agencies policies. and Cybersecurity private sector initiatives, companies, such such as the as Internet Service’ also implementing cybersecurity measures across sectors. While governments mostly createProviders and (ISPs), develop critical the cybersecurity infrastructure initiatives, owners, andthey technical may also companies consult technical around improve strategies. experts, private businesses, and civil society for recommendations on how to In discussing cybersecurity, you will most often hear about cybersecurity laws and measures to defeat cybercrime. In general, cybercrime refers to crimes that take place with or deal with computers and cyberspace, but also to traditional andacts initiativesof crime (such towards as drug combating trafficking) cybercrime that take based place off online. current Within law enforcement many countries’ national cybersecurity initiatives and strategies are specific references Human Rights Concerns About Cybersecurity and criminal justice systems. As you’ll see in the cybercrime laws section, and practices. governments and surveillance agencies alike often cite “combating cybercrime” as a reason to support overarching cybersecurity and

CYBERSECURITY AT THE INTERNATIONAL LEVEL

While domestic laws and practices have been working to address cybersecurity concerns, the issue of cybersecurity is a truly transnational issue. Cyberspace is

11 GCCS 2015 - WEBINAR SERIES TRAINING SUMMARIES

choosea borderless to unleash series a of threat networks, that could and cybersecurity impact dozens threats of countries move acrossand millions, military, or political, and geographical boundaries. Attackers can be highly targeted or they can cybersecurity plans, have failed to stop the growing number of highly sophisticated transnationalbillions of people viruses at once. and Asthreats, domestic international initiatives, cooperation and countries around without cybersecurity extensive issues is becoming the focal point of civil society, governments, private sector, and others.

Internet in the future, many countries have yet to set their own domestic policies thatWhile properly some have address pointed cybersecurity, to international and other cooperation countries as havethe key adopted to a secure overarching policies that directly violate human rights. In fact, an often ignored factor in cybersecurity debates on the international scene is the role that states themselves

6 , Israel 7 have all been accused play in exacerbating cybersecurity threats and concerns. The8 United States, European Union countries, Iran , China, and Russia race - the cyber arms race. of launching cyber attacks against other states and of creating a 21st century arms

draft resolution in At the international organisation level, the issue of cybersecurity first came to the UN’s agenda when the Russian Federation introduced a the First Committee of the UN General Assembly that was later adopted in 1998. toSince cybersecurity 2010, three and Groups recommendations of Governmental on Expertshow to address (GCEs) havethem. been In their tasked by, the UN and General Assembly to research and report on existing and potential threats 2010 2011 2012/2013 reports, GCEs concluded, amongst a number of things, an increased need for “international cooperation against threats in the sphere of ICT respectsecurity” for with human input rights from and civil fundamental society and thefreedoms private set sector, forth but in thealso Universal emphasised that “State efforts to address the security of ICTs must go hand-in-hand with UN adopted a new resolution Declaration of Human Rights and other international instruments.” In 2014, the on cybersecurity, and it is expected that another GCE report, possibly influenced by revelations of United States and United Kingdom Anothermass online important surveillance, move thatwill bewas issued made in at 2015. the UN was the letter sent by Russia,

Though the letter recognizesChina, Uzbekistan, the role and of human Tajikistan rights to inthe cybersecurity, UN Secretary-General it also emphasises calling for the an needInternational for states Code to curb of Conduct “the dissemination for Information of information Security. that incites terrorism,

secessionism, extremism, or undermines other countries’ political, economic and social stability,” a clause that is worrying to free expression advocates. The allUN made Institute various for Disarmament statements and Research, pushed thefor initiativesUN Office onrelated Drugs to and cybersecurity. Crime, the International Telecommunications Union, and the UN Human Rights Council have At the regional and bilateral level, almost every single world region has held policy discussions, and some have even issued treaties, on cybersecurity. Both the

toNorth build Atlantic collaboration Treaty Organisationaround cybersecurity (NATO) and issues the such Organisation as, capacity for building,Security and Cooperation in Europe (OSCE) have adopted principles or tasked member states

cybercrime, and the applicability of international law (including which human emphasised rights law) to cybersecurity. In 2013, the European Union (EU) adopted the Cyber Strategy of the6 European Union: An Open, Safe and Secure Cyberspace 7 http://www.businessinsider.com/iran-is-officially-a-real-player-in-the-cyber- war-2014-12 http://f.cl.ly/items/0t073Y3i3P0v2o2x0q39/Baseline%20Review%202014%20ICT%20 Processes%20colprint.pdf 8 http://www.computerworld.com/article/2532289/cybercrime-hacking/cyberattacks- knock-out-georgia-s-internet-presence.html

12 protecting freedom of expression and in core cybersecurity principles, but also tasked a number of other bodies in Europe including the European Parliament, the European Network and Information Security Agency, and others to Toprovide read morefurther about assistance, these regional information efforts sharing, including and those training in Asia, to EU Africa, member and states. Latin

“ America and global bilateral efforts in cybersecurity, consider reading pg. 15-25 in Baseline Review of ICT-Related Processes and Events.” cybersecurity has become increasingly central within the spectrum of traditional Other than the conventions and decisions already mentioned, the issue of onmultistakeholder US and UK mass and surveillance, multilateral and internet the push governance for increased spaces. cooperation In summer and 2013, shamingthe Internet related governance to cybersecurity community increased was shaken dramatically. by Edward As Snowden’salready mentioned, revelations within months of the revelations, Brazil and Germany sponsored a resolution at the UN on “The Right to Privacy in the Digital Age,” which was eventuallyoutcome adopted documentin 2014. In that April was 2014, created Brazil with hosted civil Netmundial, society input the called Global for Multistakeholderinternational Meeting on the Future of Internet Governance. The non-binding engagement from all interested parties, including civil society. While non-binding, thecybersecurity Netmundial policy outcome decisions document to be hasheld been in multistakeholder a tool for governments fora with and civil society who have pushed against international multilateral cybersecurity treaties

Theand decision-making. is the multilateral UN agency

International Telecommunication Union (ITU) membertasked with states issues decide related on the to informationfuture of the and organisation. communications This meeting technologies is open (ICTs). only toEvery member four years, states the and ITU the hosts delegation a plenipotentiary members that conference these states in which choose. the After 193 the aroundUN-sponsored the world World to give Summit their oninput the onInformation issues related Society to Internet (WSIS) globalaccess, events security, were held in 2003 in Geneva and 2005 in Tunis to allow people and stakeholders and privacy, the ITU was granted a role in facilitating WSIS Action Line item c5 consolidation“Building Confidence of cybersecurity and Security issues in thewithin Use the of ICTs”. ITU. Governments such as Russia and China have been able to use this Action Item role to push for increased

In 2007, the ITU adopted a Global Cybersecurity, Agenda, andas a framework for international engagement between Member States on cybersecurity issues. Busan,Four of Souththe ITU’s Korea, resolutions a number (resolutions of country delegations,130 174 179, including181 Russia) relate and to Arab cybersecurity, and leading up to the 2014 ITU plenipotentiary conference held in cybersecurity. states, suggested modifications to the resolutions to increase the ITU’s role in

cybersecurity,At the annual multistakeholder but the non-binding, UN-sponsored non-outcome Internet based Governancefora have not Forum yet produced any(IGF), positions an increasing or policy number statements of workshops on cybersecurity-related and discussions have issues. focused In addition on fromto the the IGF, UK the government. multi-stakeholder The conference conference is anseries opportunity first held for in Londonall interested in 2011, called the “London Conference on Cyberspace” was launched with support

Netherlands.stakeholders to engage in discussions and debates on cybersecurity issues, and has since been held in Hungary and South Korea. The 2015 conference was held in the

13 GCCS 2015 - WEBINAR SERIES TRAINING SUMMARIES

AN INTERNATIONAL TREATY ON CYBERSECURITY?

discussion of a cybersecurity treaty being negotiated, but that never came Leading up to the ITU’s 2014’s plenipotentiary conference, there was also

to fruition. Even so, discussions of an international convention or treaty on raisedcybersecurity throughout with the a focus world, on especially expanding post-ITU the already plenipotentiary existing 2001 . CouncilThe Budapest of Europe Convention on Cybercrime (aka the Budapest Convention)9 have been

Convention, though focusing specifically on cybercrime and not all cybersecurity issues, has been ratified by 44 countries (mostly European, but also including criminalAustralia, law the to Dominican certain areas Republic, of cybercrime Japan, Mauritius, in order toPanama, create anand international the United normStates). for The enhanced Budapest cooperation Convention’s on cyberprimary crime. goal In is theto harmonise convention, domestic illegal access and interception, data and system interference, misuse of devices, computer- related forgery and fraud, child pornography, and some instances related to copyright are considered cybercrime offenses.

Arguments in favour of creating a cybersecurity treaty, with remnants of the

lead to creating laws of cyberwar, similar to conventional war treaties that may Budapest Convention, include that the creation of an Internet-specific treaty could

andrestrict become attacks highly against politicised citizens in or an children. international Others organisation, have claimed such that as the the creation U.N. of a cybersecurity treaty would likely be closed to the public and civil society

There’s also significant worry that an international treaty relateddefinitions to issues is especially of relevantsecurity wouldas many not countries fully take use into terms consideration such as cybersecurity human rights and law information or would make securityexceptions to human rights law. Unsurprisingly,attackers the, hacktivists issue of differently. The harmonisation of such terms could lead to the acceptance of broad cybersecurity interchangeably terms that orcould may be define used to further violate basic, and human other rights key words in the name of security.

civil society groups, including the digital rights coalition Best Bits, actively petitioned That’s why a variety of against increasing the ITU’s role in cybersecurity and the development of an international cybersecurity treaty. The ITU’s role in ofcybersecurity proposed cybersecurity is often rebuked treaty by language, governments the number and civil of society other UNfor aagencies number of reasons including lack of technical-expertise at the ITU, the broad language

and other fora (both multistakeholder and multilateral) that could address cybersecurity, and the lack of transparency and participation opportunities, countries,especially forincluding civil society. the United Others States look and at the Russia. debate of the ITU’s role in cybersecurity as a part of ongoing cyber-related issues and attacks between

HUMAN RIGHTS CONCERNS ABOUT CYBERSECURITY

Though some domestic and international laws attempt to address human rights considerations in forming cybersecurity standards, the negative impact on human rights caused by overarching and broad cybersecurity laws and principles has become apparent to civil society advocates and others.

When talking about human rights, we are mostly referring to those rights 9 http://f.cl.ly/items/0t073Y3i3P0v2o2x0q39/Baseline%20Review%202014%20ICT%20 Processes%20colprint.pdf

14 guaranteed under the United Nations’ Universal Declaration of Human Rights including freedom of expression, freedom of speech, the right to privacy, (UDHR) and the International Covenant on Civil and Political Rights (ICCPR), freedom of opinion, and freedom of association as some of the most basic rights of all humans. In response to the creation of the Internet as a new platform for expressing basic human rights, the UN Special Rapporteur on Freedom of “freedom of Opinion and Expression and free expression rapporteurs from Europe, Latin expression applies to the Internet” America, and Africa signed a joint declaration confirming that “the same rights that people have offline must in 2011. In July 2012 the UN Human Rights also be protected online,” Council further confirmed that thus making the formerly mentioned human rights declarations of UDHR, ICCPR applicable to the Internet. countries could have a negative impact on online speech and freedom of A number of cybersecurity laws and measures that have been taken by individual expression by directly infringing upon such rights or creating a chilling effect on

Arabia and its vague clause on “protection of public interest, morals, and common the desire of people to express their rights. The Anti-Cyber Crime Law of Saudi by imprisoning bloggers and others for voicing different opinions, insulting public values”, have been used to crack down on online speech and freedom of expression cybersecurityofficials, or supporting concerns, forces such asother child than pornography the government and spam, in power. but also In 2012, criminalised the libel.Philippines Though approved the provision the Cyber on libel Crime was Prevention eventually Act dropped that addressed the following legitimate year, oppositionits original intentionsto the law. Inwere addition enough to to cybersecurity worry Filipino laws activists developed and lawmakersby governments, into drafting a bill called Magna Carta for Philippine Internet Freedom in direct online censorship. firewalls developed by IT businesses and companies (with government support) can be used to block specific websites and content, leading to asJust Whatsapp, a week after if British the Charlie intelligence Hebdo agenciesattacks in were Paris not in givenearly 2015,increased Prime access Minister David Cameron announced his support to ban encrypted message services, such

Banningto messages encrypted and user message data. Cameron services stressedcould be the seen need as a for violation increased of both access the rightto encrypted to privacy messages and online as a anonymity means to protect in the name the UK of from national terrorist security, attacks. through cybersecurity and online surveillance. The right to privacy allows for all people to have the information. Online anonymity is the right to say something online withoutto keep information having it be aboutconnected themselves to your out real of identity, the hands and of both those are they important don’t want for maintaining the Internet as a platform for free , especially for political or social dissenters or those who want to avoid harassment,10 imprisonment or expression issued a report on the impact of surveillance on human rights, noting that “the use worse. In 2013, the UN Special Rapporteur on Freedom of Opinion and Expression of an amorphous concept of national security to justify invasive limitations on the enjoyment of human rights is a serious concern.” rights and fundamental freedoms while countering terrorism issued a report that In 2009, the UN Special Rapporteur on the promotion and protection of human stated that Article 17 of the International Covenant on Civil and Political Rights (ICCPR) which states that “no one shall be subjected to arbitrary or unlawful casesinterference where awith law his is already privacy” in is place actually that “flexible outlines enough when privacy to enable can necessary, be violated, whenlegitimate, it protects and proportionate the rights of others, restrictions and/or to whenthe right is in to line privacy,” with necessary but only in and proportionate principles. Necessary and proportionate principles, and similar terms are often used to distinguish how surveillance practices, including online https://www.eff.org/issues/anonymity

10

15 GCCS 2015 - WEBINAR SERIES TRAINING SUMMARIES

surveillance, can be done within international laws and human rights-based principles, including with proper public oversight, due process, and a system for

user notification. issues of ethnically and religiously discriminatory practices and standards within In addition to freedom of expression, speech, privacy, and anonymity comes the

cybersecurity laws in the West against Muslims and the validity of online protest, Thoughsuch as hacking,cybersecurity as a cybersecurity threats are real, threat. the ability to communicate anonymously, voice disapproval, protest, and have discourse without fear of persecution is an important part of human rights that all people are guaranteed. While state based agencies and actors have control and access to the Internet and its data, some

have claimed that checks and balances are needed, such as oversight committees, international laws, and internationally agreed upon definitions for key words.

ROLES OF STAKEHOLDERS IN CYBERSECURITY

inIn thesetalking discussions. about the multilateral Ideally, governments, and multistakeholder the private sector,ways in civil which society, cybersecurity and theis addressed, technical communityit is important would to understand all play equal what roles role in different creating stakeholdersand implementing play

Traditionally,cybersecurity governmentspolicies and decisions, play the primary but realistically role in creating this isn’t the always public the policies case. and laws that regulate and determine cybersecurity measures domestically, sometimes with non-governmental input, but usually from private cybersecurity

firms or industry. In addition, governments are also capable of launching and supporting of their own against other countries, and they are the only stakeholder guaranteed a say in the ITU and other international intergovernmentalmultilateral bodies. organisations On the international in cybersecurity. stage, a handful of governments (previously mentioned) have pushed for increasing the role of governments and

Private sector companies, including ISPs and the IT sector are crucial because of their role in creating and maintaining the technologies (computers, tablets, etc) standardson which cybersecurity can be applied issues to various arise. technologies.Governments At often the consultsame time, these the companies number when making public policy decisions in order to ensure that cybersecurity

of cybersecurity firms in the private sector is quickly growing, and they often andprofit is fromoften strict cited cybersecurityby governments policies. when Similardeveloping to private cybersecurity sector companies, policies. The the technical community,community hasincluding the technical the expertise and understanding of the Internet independent of governments and politically-motivated cybersecurity measures to Internet Engineering Taskforce also works

11 help ensure the security of the Internet’s critical infrastructure .

haveSimilar pushed to other for areasfurther of inclusionInternet governance, at international civil discussions society’s role and in domesticcybersecurity policy- has just begun to take off in recent years. On the one hand, civil society groups

inmaking being meetings, able to advocate but others for cybersecurityare calling for policiescivil society from to a createhuman their rights-based own positive agenda for cybersecurity policy developed and norm a making. report outlining Civil society the possiblehas a unique role role

approach. In 2011, CitizenLab

11 See pg. 106: http://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf

16 similar agenda. Both reports emphasise the importance offor civil civil society society in in bringing cybersecurity, to light and human in 2013, rights the considerations Association for in Progressive all cybersecurity- relatedCommunications discussions, created but also a address the need for civil society to call for evidence- based cybersecurity decisions and practices.

17