Exploring Human-Centric Cyber Security

Allison Pytlak, Women’s International League for Peace and Freedom 

In 2017, the WannaCry ransomware operation affected around 200,000 computers in over 150 countries, most notably causing the British National Health Service to cancel thousands of medical operations and appointments, and displacing emergency room patients within affected facilities. When the servers of the International Committee of the Red Cross (ICRC) were hacked in early 2022, the personal data of more than 500,000 people—most of whom were among the highly vulnerable populations that the ICRC works to protect and support—was compromised. In June 2022 the UN Office of the High Commissioner for Human Rights (UNOHCHR) released a report describing the manifold impacts of internet shutdowns, noting that, “When a state shuts down the internet, both people and economies suffer. The costs to jobs, education, health and political participation virtually always exceed any hoped for benefit.”

These three examples of different types of cyber operations demonstrate that, as with physical weapons and war, malicious cyber activity can have very real human impacts and consequences, many of which are only starting to be documented and understood. 

But, as is also the case with physical weapons and war, the discourse in many cyber policy and governance spaces tends to default to a state-centric approach of what safety and security mean. Humanitarian disarmament, by contrast, seeks to prevent and remediate arms-inflicted human and environmental harm through the establishment and implementation of norms. This people-centred approach has, over time, transformed the narrative away from state-centrism and become a driving force in addressing the suffering caused by weapons and armed violence. In a digital context, where the “weapons” are largely invisible and the perpetrators deliberately anonymous, humanitarian disarmament offers a model for cyber peace through its human focus and emphasis on inclusivity.

Image: A green image of a cyber network glowing on a black background. Credit: Adi Goldstein | Unsplash, 2019.

Enter the Human-Centric Approach

Many civil society groups and some governments have been advocating for a human-centric approach to international cyber security, which has some notable parallels to humanitarian disarmament, despite there being little crossover between the people and organizations working in these areas.

This approach has been emerging slowly but steadily over the last decade. It began within the human rights community, in response to the increased reliance of human rights defenders—as well as most other people and societies—on digital technology, and a corresponding need for safe and secure networks and access. They were also reacting to the stepped-up, harmful activities of state and non-state actors, such as cyber criminals, hackers-for-hire, and private companies peddling surveillance technology. These actors undermine or directly infringe on human rights, including through internet shutdowns, the use of spy- and other malware, data theft, and the passing of restrictive national cybersecurity laws, as just some examples.

In forums such as the Internet Governance Forum (IGF) and the Freedom Online Coalition, states and “multistakeholders” (a term used in these forums to describe civil society, the technical community, and private sector) worked to clarify what a rights-based approach to cybersecurity could and should look like and sought to identify what it means in practice. Like their humanitarian disarmament counterparts, these advocates put people at the center of their work. As Professor Ron Deibert of the University of Toronto’s Citizen Lab outlined in a 2018 article, a human-centric approach to cyber security “prioritizes the individual, and views networks as part of the essential foundation for the modern exercise of human rights, such as access to information, freedom of thought, and freedom of association.” 

This perspective has been reflected elsewhere. “Cybersecurity cannot be equated with national security or achieved through a narrow national approach,” wrote Deborah Brown and Anriette Esterhuysen in a report of an IGF event that discussed rights-based approaches to cyber security. The same report observed that event participants characterised a human rights-based approach to cybersecurity “. . . as putting people at the centre and ensuring that there is trust and security in networks and devices that reinforce, rather than threaten, human security.”

Another similarity with humanitarian disarmament is the emphasis on inclusivity. Sheetal Kumar of Global Partners Digital writes: “Open and inclusive approaches to governance are another feature of a human-centric approach, and widely cited as an important element in relevant discussions and literature. Inclusive governance is important to the human-centric approach to cybersecurity because a number of the roles which non-state actors play—such as the provision of oversight, monitoring and critical assessment of policies and their implementation—can only occur where meaningful opportunities for engagement exist.”

How Has It Been Received?

How this approach has been received depends on whom you ask. Forums like the IGF were somewhat more predisposed to consideration of the human rights or human-centric dimensions of cyber and digital security, in contrast to more traditional disarmament bodies like the UN General Assembly (UNGA) First Committee on Disarmament and International Security, where the framing centers around state use of information and communications technology (ICT) and “cyber war.”

For instance, there are states that argue that human rights law should have no applicability or relevance when talking about cyber issues “in the context of international security,” the framing given to the UN Open-Ended Working Group (OEWG) on Information and Communications Technology (also known as cyber issues). Others object to allocating time for discussion of cross-cutting topics whose inclusion exemplifies a human-centric approach; for instance, during a recent OEWG session in July 2022, one state questioned what gender has to do with the group’s mandate while another mocked the concept of gender-sensitive cyber capacity-building by asking if “this is something for the ladies?” Meanwhile, a small group of states have consistently blocked the access and participation of several relevant non-governmental actors in the UN OEWG sessions, a challenge to the priority that human-centric approaches accord to inclusivity. Certainly there has not been the sort of direct testimony from survivors and impacted communities that we have now come to accept as routine in many weapons and even international security-related forums.

Time for Change

The threats posed by cyber operations and the challenges outlined above demonstrate precisely why a human-centric approach is so vital for how the international community addresses cyber issues going forward. They are rapidly becoming one of the most pressing security issues we face, as the integration of ICTs into nearly every facet of our lives makes their vulnerability—and relatedly, our vulnerability—to attack or misuse so great. Cyber is also historically an area with little to no transparency and accountability, which is part of the reason why such operations are an attractive option for those seeking to avoid retaliation or retribution. Furthermore, as we are seeing now more than ever, cyber operations do affect people at a personal and a societal level and infringe on rights and freedoms. Such operations and related structures need to be brought out of the shadows and governed, with a view to their humanitarian impacts, and clearer rules of the road established.

Humanitarian disarmament provides many strong examples of how to change narratives and connect human-centric considerations with matters of “international security.” The 2013 Arms Trade Treaty and the 2017 Treaty on the Prohibition of Nuclear Weapons both emerged from the same body in which current UN cyber talks are based (the UNGA First Committee), and went on to establish ground-breaking standards in the area of arms control and nuclear disarmament, respectively. In the processes leading up to the adoption of those agreements, there were many moments when proponents were told that human rights, humanitarian, or environmental concerns had no place in the arms trade or nuclear weapon policy-making. 

To be sure, cyber violence raises some concerns distinct from those caused by nuclear weapons and arms trading, but the core message is the same: people matter, the planet matters. We need approaches that put their protection first.
