Cybersecurity should not be the concern only of businesses and governments. Civil society organizations are just as vulnerable to digital threats that could also be harmful to vulnerable communities that they help. Further, civil society has a significant role to play in building societal cyber resilience. Christy Un and Mamello Thinyane of the United Nations University Institute in Macau argue that efforts to enhance digital security should include the participation of non-governmental organizations and the groups they serve to ensure that the civil society sector is not left exposed to online risks.
Cybersecurity is not only for businesses and governments: NGOs and communities they serve should be involved in countering online threats (Credit: oxinoxi / Shutterstock.com)
As cybersecurity breaches intensify and become more frequent, there is increasing awareness of the threat and impact of cyber attacks on different sectors of society. Businesses and government departments appear to be the major victims of these online assaults, such as the recent breaches associated with Microsoft's Exchange Server software and the SolarWinds Orion network management application. But that is because the dominant narrative on cybersecurity is shaped and promoted by the consolidated interests of the public and private sectors.
The experiences and participation of citizens and vulnerable communities – notably civil society organizations (CSOs), women and minority groups – in cybersecurity dialogues, design, defense and responses are limited. Relative to public-sector entities and private corporations, these civil society stakeholders are at a greater risk of cyber threats, given their continued marginalization in commercial threat reporting, technology design and the research agenda. Moreover, these communities are constrained in their capacity to overcome such risks, especially as evidenced during the ongoing Covid-19 pandemic that saw a surge in harmful disinformation and the use of unprotected digital devices for remote working.
CSOs – supported by the equivalent of 54 million full-time workers worldwide and a global volunteer workforce of over 350 million – take up critical societal roles and support many communities. Globally, and in general, they are in a precarious and vulnerable position as far as their cybersecurity and resilience are concerned, because they are neither well positioned to safeguard their digital space nor sufficiently capable of doing so. CSOs are under pressure from the public and funders to focus their operations on their mission. They lack financial resources, technical capacity, skilled IT staff, awareness of compliance risks, and the ability to engage in long-term strategic and contingency planning. As a result, CSOs underinvest in cybersecurity and end up relying on external advice that is often neither affordable nor informed by their specific organizational needs and risk landscape.
Further, since these organizations, including humanitarian non-governmental organizations (NGOs), collect and store large quantities of sensitive data from vulnerable populations, they face more significant data-protection risks from the combining or “mosaicking” of humanitarian and social-protection data systems. This may lead to unintentional disclosures that make it easier for vulnerable communities to be identified or recognized, thereby compromising humanitarian operations, especially in conflict areas.
The cyber vulnerability of civil society stakeholders, particularly human rights activists and journalists, can be further compounded and exacerbated by their political vulnerability. For example, since the Arab Spring, the space for digital activism has shrunk in the Middle East, as governments employ laws to criminalize free speech and propagate state-approved messaging through automated bots and social-media platforms. According to Microsoft statistics on nation-state activities against individuals or organizations, NGOs were the most targeted (32 percent) industry sector from July 2019 to June 2020.
Human-centric, citizen-centric and intersectional approach
It is, therefore, necessary for civil society stakeholders to be cyber resilient, which requires enhancing their capability to prepare for, absorb, recover from and adapt to significant cyber threats emanating from the social, technological, environmental and personal environments. This calls for a human-centric, citizen-centric and intersectional approach to cybersecurity that considers vulnerable users' profiles, needs, capabilities, and contexts in all phases of cyber resilience.
A human-centered focus, in contrast to a purely technology-centered or organization-centered focus, is foundational to this approach. Cyberspace is made up of physical, logical (or information) and social layers. While the physical and logical layers focus on the infrastructure and connections between network nodes, respectively, the social layer emphasizes the role and capabilities of humans in cybersecurity. Therefore, the social layer of cybersecurity, where civil society and communities interact and are most vulnerable, should be as much of a priority as the other layers.
On the other hand, citizen-centricity involves active citizen participation in the design and implementation of cybersecurity solutions. As cybersecurity can be considered a public good, it should not be captured by the interests of private actors and the state alone. Yet, this is frequently the reality. Responsible co-production of cyber resilience involves the coordination of civil society activity by the state within the bounds of laws. Indeed, the cybersecurity laws and frameworks under which civil society is governed should reflect a cross-section of society at large.
It is essential to think from the perspective of intersectional disadvantages as a starting point to design cybersecurity solutions. Specific communities are marginalized under the dominant power and privilege structures due to their various identities. Many cyber risks are experienced differently by communities online, reflecting the structural dynamics of the offline world.
For instance, individuals' characteristics – such as user trust in social network providers and members, gender and age – are found to influence their levels of vulnerability to social engineering in social networks. Another illustrative case is the data breach that revealed the personal data, including abortion records, of nearly 650,000 patients from the Brazilian municipality of São Paulo in 2016, exposing women and their doctors to potential criminal charges, as abortion is illegal in the country. Intersectional inequality is also pronounced in online hate speech in Europe, which is often targeted against women, especially those working in public positions or from minority religious, ethnic and gender-identity communities.
A global study of the information security workforce by the International Information System Security Certification Consortium (ISSCC) found that wage and workplace discrimination – factors that deter new entrants into the workforce – are most prevalent for female minority cybersecurity professionals, while ethnic minorities are underrepresented in leadership roles. The lack of diversity and meaningful participation from different communities in the formation of cybersecurity practices perpetuates the barriers and disincentives to an inclusive and context-sensitive cyberspace.
A recent study conducted by the United Nations Institute for Disarmament Research emphasizes the need for technology design to be gender-sensitive – for example, the threat modelling phase in the design of smart household devices has not included intimate partner violence. Similarly, much of the assistance to civil society organizations is concentrated on emergency response, analysis and advocacy, while direct technical assistance targeting threats specific to these organizations and long-term capacity-building against cyber attacks are rare.
Current research on an intersectional approach to cybersecurity is still at its nascent stage. A scoping study on gender and digital security by the Citizen Lab has revealed that gaps still exist in topics such as targeted threats, free expression online, app privacy and security, and transparency and accountability of social media companies. Indeed, in this article, we have not covered all the affected vulnerable communities in cyberspace, but have only shed light on the differentiated impact digital risks have on specific communities that are often marginalized in cyberspace.
Integrating underserved communities
To promote greater inclusion in cybersecurity efforts, states and intergovernmental organizations should begin by mainstreaming the perspectives, experiences and participation of different communities into the underlying norms and structures governing cyberspace. For instance, understandings from existing international gender frameworks such as the 2018 Human Rights Council Resolution that calls for “preventing and responding to violence against women and girls in digital contexts” could be integrated into intergovernmental cybersecurity efforts. Such efforts include the 2015 UN Group of Governmental Experts (GGE) cyber norms and the Open-Ended Working Group on Developments in the Field of ICTs in the Context of International Security.
Only when citizens, including vulnerable civil society stakeholders, take ownership of and contribute to the co-production of cybersecurity can we ensure that no one is left behind in cyberspace.
Christy Un
United Nations University Institute in Macau
Mamello Thinyane
United Nations University Institute in Macau