Closing the Accountability Gap for Harms in Cyberspace
November 08, 2019
Most people cannot imagine living without cell phones, computers or well-functioning automated processes. Writing a report in the office, sending a friend a birthday-wish, planning surgery schedules in hospitals or ensuring optimal freight transportation routes in harbours. With more smart devices coming online every day, and the sprawling of artificial intelligence applications, technology is everywhere. Layers of technology are woven into all aspects of life, so the resilience of networks connecting us is crucial for the wellbeing of people all around the world.
Yet the internet is being weaponized. An attacker can instrumentalise any device to inflict maximum harm. Networked systems and even personal computers can become the platforms for war and conflict. While risks and damages are serious, they are often invisible because the perpetrators do not use tanks and fighter jets.
Over the last decades, cyberattacks have gone from those inflicted by individual hackers to larger scale attacks. Criminal gangs use technology to hijack systems, steal data and extort victims with ransomware. Nation states are carrying out cyberespionage or even cyberwar. As part of their strategies, attackers subvert the security of everyday software or connected devices - from messaging apps to smart meters – and deploy innocent tools for their aggressive goals. Cyberconflict has professionalised.
Cyberweapons do not just give individuals a hard time or hurt businesses. Much worse, they cripple public services, from hospitals and universities to railways and telecommunications networks. They put lives at risk, from people who are denied life-saving surgery to commuters on crowded trains or people seeking to exercise their democratic rights when voting in elections. Attacks in turn can create economic instability, social unrest and erosion of trust in democracy. There is a lot at stake but the fact that there is often no follow up after major attacks, and hardly any accountability, leaves people disillusioned and wondering whether they are at all empowered. The undermining of trust that anything can be done is an additional harmful impact the attackers manage to inflict. Much more needs to be done towards de-escalation, protecting people and holding perpetrators to account.
Among the most vulnerable victims of cyberattacks are human rights defenders. By speaking out against injustice, repression, censorship or discrimination, they become the targets of attacks by those who prefer for their sinister operations to remain unknown and unchallenged. With the help of hacking, tracking and surveillance systems, human rights defenders are hunted down and imprisoned, or even murdered. But the harmful impact of a commercial market in cybersurveillance tools does not stop there. Cyberespionage as well as terrorist and criminal groups can buy ever more sophisticated technologies that are designed, marketed and sold to gain covert access and exfiltrate data. Whoever wants to work towards peace and stability, should start by drying up the source of instability, and restrict the development and trade in digital weapons. This is a clear area for international norms and the application of international human rights law, also in the digital domain. In the absence of rules, we see excesses and recently a legal challenge brought by WhatsApp against NSO Group.
But more is needed to close the accountability gap. Throughout history, it was often the rules and laws that helped avoid the worst outcomes. From aviation rules to non-proliferation work, they deescalated the threat of nuclear war. And even war itself knows rules of engagement anchored in international law, intended avoid harm to civilians and to protect the rights of soldiers. As we now clearly see the escalation of cyberattacks, we cannot be naïve about what is at stake. It is urgent to focus on limiting harms, and to work on resilience and peace, through the collective analysis of attacks, by assisting vulnerable communities, and making a coordinated effort towards accountability of perpetrators.
With daily attacks, and an erosion of stability of cyberspace, governments and companies alike are scrambling for solutions. A focus on peace, a better understanding of attacks, as well as an agenda to promote responsible behavior is exactly why the CyberPeace Institute has been created. Closing the accountability gap will require new forms of cooperation and a shared sense of responsibility.
To address this issue, the CyberPeace will host a panel discussion at the Paris Peace Forum on November 13. Our panelists include Latha Reddy, Co-Chair of the GCSC; Melody Patry, Advocacy Director at Access Now; and Patrick Gaspard, the President of the Open Society Foundations.
More information on the event can be found on our event page.
Inside the WhatsApp hack: how an Israeli technology was used to spy, Financial Times, (Oct 30, 2019). Article Link
A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments, New York Times, (Mar 21, 2019). Article Link
The Rise of Cyber-Mercenaries, Foreign Policy, (Aug 31, 2018). Article Link
When Espionage Skills Are for Sale, So Is Your Security, Stratfor, (Oct 22, 2019). Article Link
The Cybersecurity 202: Facebook spyware lawsuit opens a new front in encryption battle, Washington Post, (Oct 30, 2019). Article Link