Should Cybersecurity Be a Human Right?

The May 2017 WannaCry ransomware attack affected more than 200,000 computers spread across 150 nations. The results of the attack made clear that computers whose software is not up to date can hurt not only the computers’ owners, but ultimately the larger internet ecosystem. This fact was brought into harsh relief a month later, when perpetrators of the NotPetya attack used  the same vulnerability as WannaCry.

Spurred on by such attacks, more firms are viewing cybersecurity as essential to corporate social responsibility (CSR). Some contend that cybersecurity promotes human rights, on and offline, by protecting privacy, free expression, and the exchange of information. Indeed, access to the internet is increasingly considered an emerging human right. Spain, France, Finland, Costa Rica, Estonia, and Greece, for example, have codified this right in their constitutions, laws, and judicial rulings. The former secretary general of the International Telecommunication Union has argued that governments must “regard the internet as basic infrastructure – just like roads, waste and water.” Global public opinion seems to favor that position, which gained the support of nearly 80 percent of those polled in 26 nations by the BBC.

Some policymakers and managers are starting to take notice. In the U.S., the Department of Homeland Security, the chief federal agency dealing with cybersecurity, has highlighted businesses’ “shared responsibility” to protect themselves against cyber attacks. International organizations and national governments have begun to formally recognize the importance of the internet to freedom of speech, expression, and information exchange. The next step to help ensure some measure of cyber peace online may be for cybersecurity to be recognized as a human right, too.

In my new article, I explore the intersection of internet access, human rights, and cybersecurity In particular, I investigate the benefits and drawbacks of pushing the emerging international norm of internet access (a topic not without some controversy) to include cybersecurity, as well as analyze the implications of such a designation on organizations through the lens of CSR.

In addition to applying international human rights law to cybersecurity, I show that nations are strategizing about the intersection of cybersecurity and human rights by leveraging their national cybersecurity strategies. I analyzed 34 of these strategies as a starting point to explore this trend. The primary findings are summarized in Figure 1.

In brief, 60 percent of the 34 nations analyzed discussed the importance of promoting privacy in their national cybersecurity strategies. Other areas of agreement among the strategies include 17 countries (47 percent) referencing “civil rights,” while seven nations (21 percent) discuss “civil liberties” broadly. However, of the 34 nations surveyed for this study, only two—Turkey and Macedonia—argue for human rights to be included as an integral component to build out the edifice of cyber peace. Perhaps surprisingly—especially given the overwhelming popular support for the concept—none of the nations surveyed discussed the emerging norm of internet access as a human right in their national cybersecurity strategies. Still, the fact that more nations are recognizing civil rights, particularly privacy, could signify momentum toward crystalizing these norms in the future.

Figure 1: Treatment of Human Rights in national Cybersecurity Strategies

Further, more companies are already treating cybersecurity as a human right, though a great deal of work remains. As seen in the fall of the regime called Safe Harbor, which allowed for transatlantic data flows until the U.S. government was found to be not in compliance with European Union data privacy safeguards, and the rise of the new Privacy Shield, it is past time for the international community to  clarify and strengthen global privacy and cybersecurity standards. Bottom-up steps such as including cybersecurity due diligence and integrated reporting should be part of this effort. Ultimately, the trick is finding the appropriate balance between simplicity and complexity to better leverage the power of multi-level polycentric governance to promote some measure of cyber peace.

This post comes to us from Professor Scott Shackelford, chair of Indiana University’s Cybersecurity Program and director of the Ostrom Workshop Program in Cybersecurity and Internet Governance. It is based on his recent article, “Exploring the ‘Shared Responsibility’ of Cyber Peace: Should Cybersecurity be a Human Right?” available here, and on a related article, “Should Cybersecurity Be a Human Right?” available here. An earlier version of this essay was published as Scott Shackelford, ‘NotPetya’ Ransomware Attack Shows Corporate Social Responsibility Should Include Cybersecurity, The Conversation (June 27, 2017).