LOS ANGELES — Cyberspace is an uncharted territory for state and non-state actors alike. It serves as a space to engage in familiar activities while expanding political engagement to new heights. What makes cyberspace unique is that it is not characterized “by a binary between war and peace but by a spectrum between those two poles — and most cyber attacks fall somewhere in that murky space.”
Just as traditional political landscapes present risks of conflict, cyberspace allows actors to perpetrate attacks more readily and with less fear of attribution. This poses serious implications for global democracy, especially as authoritarian powers like China and Russia shore up their cyber capabilities.
Authoritarianism and Democracy-Building in Cyberspace
Authoritarian states rely on control for survival, and that includes controlling the ideas and information that flows within and across its borders. Advancements in information and communication technologies (ICTs) promote greater global connectivity between different groups of people, a source of power for the powerless that can seriously threaten authoritarian nations.
This is the view that has shaped American democracy-building for ages: the democratization of communications will spark the democratization of the world. These communication tools symbolize the American beliefs in the power of innovation for peace and that the Internet, an American technology, will enable widespread adoption of American political ideas. Americans have consistently championed the Internet’s power to promote pluralism in authoritarian regimes, like during the Arab Spring or the 2011 revolutions in North Africa and the Middle East.
The idea that cyberspace can promote democracy is a reassuring thought welcomed by Western powers. In reality, modern communications are value-neutral and can equally be used for non-democratic thought. According to Robin Mansell of the London School of Economics, cyberspace presents “many opportunities for new forms of business and governance as well as for new forms of criminal or unwanted behavior.”
For individual users, the Internet and other tools provide access to a wide range of information, as well as a platform to voice ideas and beliefs of all natures. As argued by Jaron Lanier in You Are Not A Gadget, cyberspace can be a dark place, and the anonymity provided by the internet can promote a “culture of sadism,” feeding an appetite for attacks and violent thoughts not permissible in everyday life.
ICTs are also readily available for government use. In many authoritarian states, these tools enable them to suppress political opposition and manipulate the conversation to advance their geopolitical goals.
China is using cyberspace to promote national pride at the expense of the West and regional powers, like Japan and Taiwan, and to justify their subjugation of minority groups like Uyghurs and Tibetans. On the other hand, Russia uses this realm to disseminate information campaigns to undermine democratic processes and fuel political divisiveness in the West.
In the past, the “strongman politics” of authoritarian governments created systems of state capitalism that promoted economic growth while retaining political control. They are now using the same strategy to still reap the economic benefits of cyberspace without letting it undermine its political power. For instance, the Chinese government, in its statement on the rights and responsibilities of Internet users, “guarantee[s]the citizens’ freedom of speech on the Internet as well as the public’s right to know, to participate, to be heard, and to oversee [the government]in accordance with the law.” But it also stipulates that “within Chinese territory, the Internet is under the jurisdiction of Chinese sovereignty.”
Private Technology Companies: The Cyber “Strongmen”
Cyberspace is unique in that, unlike traditional politics, it is governed not by various nation-states but by private technological companies. Consequently, efforts by authoritarian states to control ICTs have led to commercial conflicts between these governments and the private sector.
In 2010, Google reported a breach of private Gmail accounts by attackers in China, and in response, announced that it would no longer be censoring search results in mainland China. With Beijing refusing to back down from stringent censorship requirements, Google announced the shutdown of the Chinese site and redirected all mainland Chinese users to the uncensored Hong Kong version of the site. Chinese officials eventually renewed Google’s operating license. While this may seem like a win, China continues to develop its domestic technological sector and provides legal and financial support to these firms to abide by their censorship requirements. In the long run, companies like Google are slowly losing their war against the Chinese government’s censorship.
Unable to counter U.S. military defenses, China and Russia are also using information warfare tactics as a military strategy. In efforts to create a more definitive role for themselves in the domain of cyberspace, China has pushed a vision of “cyber sovereignty.” At the 2015 World Internet Conference, President Xi described cyber sovereignty as “respecting each country’s right to choose its own internet development path, its own internet management model, and its own public policies on the internet.” This position is in sharp contrast with the United States and private technology companies that view cyberspace as an “open, global platform.”
These developments are drawing Western technology companies to work more closely with U.S. national security agencies to protect their interests and prevent further co-opting by authoritarian regimes.
The complicated relationship between Washington and Silicon Valley may prove this challenging. Before 2013, the two sides had a shared mission advocating for free speech, reducing international trade barriers and promoting ICTs and the “Internet Revolution.” However, the reach of Western technological platforms would soon prove damaging in light of the Snowden revelations, which showed just how extensively national security agencies had penetrated these platforms without their knowledge for surveillance purposes. Both civilians and non-civilians use the same commercially-sourced networks and devices; as such, the data of terrorist organizations and other threats to national security could be stored on these very same devices and networks — making the widely-used Silicon Valley platforms a constant target to hackers and the intelligence community alike.
Nevertheless, the sense of betrayal felt by Western technology companies, coupled with their commitment to an open Internet and economic interests, has led them to increasingly define themselves not as “American” but as “global actors.” In response, many tech officials have pushed for a broader definition of cybersecurity that extends past U.S. national security and prioritizes the security of the companies themselves and their users. Silicon Valley has acted on this in a number of public disputes: notably, in 2015, Apple’s refusal to allow the FBI to unlock the iPhone of one of the perpetrators of the San Bernardino terrorist attacks.
Despite this antagonism, the combination of a “more assertive Chinese cyber diplomacy, the globalization of Chinese technology giants and China’s position as a leading hub for artificial intelligence research and development” now gives Washington and Silicon Valley a common enemy.
Human Rights in Cybersecurity Strategy
The greatest obstacle is finding an effective cyber strategy that provides enough protection from cyberattacks without undermining human rights. Understanding cybersecurity requires defining security in general: “Security for whom? Security from what? And security by what means?” For a state, security is protection from political instability; it can go as far as ensuring self-preservation by any means necessary, which in many cases, leads to even greater insecurity for civilians. Governments often protect national security at the expense of human rights, like the right to privacy, freedom of expression, assembly, etc. In cyberspace, this comes at the cost of the “availability, confidentiality and integrity of information and its underlying infrastructure.”
In the digital age, managing cyberspace should be regarded not as a national security issue but as a human rights issue. Governments consistently push for weakening encryption to provide access to law enforcement, even though this in turn weakens human security. Threats to cyberspace should not be a pretext to undermine human rights, and human rights should not be a part of the trade-off for greater security. In fact, cybersecurity and human rights are “complementary, mutually reinforcing and interdependent. Therefore, a necessary step is applying a human rights-based approach in how we pursue cybersecurity and rooting cyber decision-making in international law.
There are inherent problems with how international law currently regards cyberspace. The UN has held since 2013 that international law, specifically humanitarian law, applies in cyberspace. This presents a few challenges. For one, differences in national law have made it challenging to create a universally applicable framework to protect human rights from “lesser” cyberattacks — such as hate speech over the Internet. Specifically, lawmakers struggle to strike the appropriate balance between the “protection of reputation from defamatory speech” and the “right to freedom of expression.”
In the case of cyberattacks, it is also unclear whether or not liability should fall on the “perpetrator” or the Internet Service provider for failing to prevent the attack. Cyberlaw scholar Diane Rowland explains that “’[t]he application of existing legal rules and pre-existing tension between rights of reputation and those of free speech’ should pertain, notwithstanding the fact that the stability of the law and its enforcement and challenged by the global reach of the Internet and many different local legal and cultural norms.”
Another issue is that the focus on humanitarian law is flawed. For one, international humanitarian law only applies in times of armed conflict. Most cyber threats occur in times of peace, and linking cyberspace with international humanitarian law can perpetuate the notion that states are in constant cyber conflict and lead to even more cyberattacks.
There must be an institutional shift towards international human rights law, which applies both in times of war and peace. There has been some progress on this front – international human rights bodies have provided specific guidance regarding cybersecurity, emphasizing the need for strong encryption and condemning network shutdowns for violating human rights and removing access to information. The next goal is to develop norms for responsible state behavior in cyberspace. Existing international human rights norms provide a basis for this, but there is a “serious implementation gap.” For instance, the UN’s proposed cyber Programme of Action (PoA) was a step in the right direction to limit the manipulation of cyberspace by state actors. Still, it is not a legally binding instrument. It merely signals the political intention to address a global issue. A stronger move is establishing a permanent UN forum to consider the impacts of cyberspace policies on human rights.
For there to be a sustainable solution that generates monumental change, above all else, there needs to be a multi-stakeholder environment that includes all relevant actors to promote greater transparency, trust, inclusiveness, and equity in cyberspace. There are currently no consistent practices in the public and private sectors that assess the human rights impact of ICT solutions. Therefore, protecting human rights in cyberspace and maintaining an inclusive information society requires collaboration between governments, private sector actors that operate networks and platforms and new Internet governance institutions that manage technical infrastructure to implement these norms.
However, with the domination of private technology companies and state actors’ lack of coordination capability, significant strides need to be made to ensure a well-balanced relationship. This necessitates greater scrutiny and oversight of technology companies. The platforms and networks used to launch cyberattacks should serve as the “first line of defense” in cyberattacks. Along with human rights impact assessments, technology companies should also be involved in cybersecurity due diligence to review the “governance, processes, and controls” used to secure the information on their platforms. Governments can also regulate the technology sector to prevent and mitigate human rights violations. Through international legal mechanisms and multilateral cooperation, we can effectively protect cyberspace without undermining human rights.
The rapidly evolving realm of cyberspace presents many opportunities to promote democracy, but authoritarian governments have also exploited it to advance their national interest and suppress political dissent.
Yet, when overly regarded through the lens of national security, protecting cyberspace can also threaten human rights. As cyberspace continues to grow in coming years, so will the threat of cyberspace conflict — and while bearing similarities to traditional spheres of conflict, a novel domain like cyberspace requires novel solutions.
Information and communication technologies may be inherently value-neutral, but with the right balance, they can be tools for greater global connectivity, and in turn, greater democracy and human rights.