Four Calls to World Leaders for 2022

Klara Jordan

The impact of cyberattacks on people’s lives is increasing. It’s time for more action from governments, whose role it is to provide security for their citizens. Here are four calls to world leaders for 2022 and the measures we would like to see them take.

1. De-militarise national ransomware responses

Ransomware is a national and human security threat, so it is little surprise that governments are using an array of tools in their possession to fight it. However, there is a discussion in some countries about employing military authorities, capabilities and resources against (criminal) ransomware groups. This is a concerning response to what we believe should be a law enforcement matter. Where law enforcement investigations pursue takedowns and seek to arrest criminals to bring them to justice, military resources and capabilities focus on the disruption of operations and infrastructure, with potential unintended consequences due to the interconnected nature of our systems and infrastructure.

This not only sends a contradictory message when contrasted with other efforts to reduce risks to peace, stability, and security, but it also runs contrary to the spirit of the peaceful use of Information and Communication Technologies (ICTs), which is what governments, industry and civil society are trying to achieve in our interconnected world.

There can also be unintended consequences. Tools used for offensive operations can – and have – ended up in criminal hands, for example. Transnational crimes often surpass the capabilities of law enforcement, but this is only an argument for greater international cooperation. It is right to do everything we can to stop ransomware, but our efforts should be led by law enforcement. There are successful precedents. Law enforcement took down a major darknet marketplace, arrested operators of a prolific malware variant, and disrupted two infamous ransomware groups. This demonstrates that the focus should be on utilizing and reinforcing existing capabilities:

  • continued investments in law enforcement capabilities with transparent and democratic oversight, 
  • capacity and capability programs to enable international judicial and law enforcement collaboration, and 
  • concerted diplomatic action to hold perpetrators accountable for their malicious actions. 

2. Increase transparency about the use of spyware and ensure human rights safeguards 

There have been encouraging steps recently towards holding providers of spyware accountable for the sale of their products and services to repressive regimes. We’d like to see these initiatives go further but, more importantly, we’d like to see greater scrutiny of the entire spyware ecosystem. We know the companies that sell these products, but who are the clients and intermediaries creating the market? Who is buying the software and what for? And what are the gaps in human rights protections that allow these tools to be used to target journalists and dissidents?

Once we have identified these gaps, we need to create greater accountability across the whole system. One way to do this would be to make the UN Guiding Principles on Business and Human Rights mandatory, rather than voluntary. They provide guidelines for states and businesses to prevent, address and remedy human rights abuses committed in business operations. But as these principles are not enforceable, there is no way to ensure they are followed. Governments could mandate that any business operating within their jurisdiction adheres to and implements these principles, and audits its conformity with them.

Until rigorous human rights safeguards are adopted to regulate practices with the potential to abuse human rights, and guarantees are put in place that governments and non-state actors don’t abuse these capabilities, world leaders should agree on a global moratorium on the sale and transfer of surveillance technology.

3. Connect the international, multistakeholder processes

Three major multilateral negotiations are going on at the moment, all of which should converge – and conclude – by 2025. The first is the UN Cybercrime Treaty, the outcome of which will influence how cybercrime is understood, investigated, and prosecuted around the world. These discussions are a chance for countries outside the West to contribute to the process. Second, the UN Cybersecurity Open-Ended Working Group II allows all member states to continue discussions on the use and security of ICTs. Finally, the World Summit on the Information Society will enable stakeholders from around the world to review the outcomes 20 years after the Summit’s end. At the moment, world leaders are not looking at these as converging processes, but they should. We call on them to consider the convergence of topics such as emerging technologies, human rights and an open and free internet within these discussions.

A further key action governments can take is to ensure that the cybersecurity expertise across civil society, in industry, academia and in NGOs and grassroots groups is able to actively contribute to these processes.

4. Focus on the impact that cyberattacks have on people’s lives

It’s common to focus on the economic cost of cyberattacks or technical remediation measures, but the true cost is always paid by people, including with their lives. We expect the human impact of threats to grow. For instance, we might see ransomware spread to the Internet of Things. Aside from the direct harm of such attacks, the long-term risk may be declining trust in technology. If people lose faith in the technology they use, then they may not be able to access vital services. Ultimately, given the government’s central role in providing security, they will lose faith in the government itself.

Governments need to focus first on understanding the human impact of security threats and use data and metrics to inform their decisions, such as the Cyber Incident Tracer for the Healthcare sector that documents these attacks and their operational disruption. Any measures they take to improve cyber resilience, defend against ransomware, or tackle threats such as cybercrime, terrorism, or nation-state aggression should be taken with human rights and freedoms in mind. All measures should consider whether ultimately people will be safer. It would be counterproductive to undermine the human rights of victims in the pursuit of criminals or national security and foreign policy goals.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
