The treacherous world of cyber attacks is becoming an increasingly pressing problem for civil society. Just last week, news broke about easing export rules on offensive cyber weapons, despite the fact that some of these technologies are used by governments to spy on and quell political opposition and activists. This is just one of many news items that highlight how technologies can be abused, not for simple crime or state-to-state cyber war, but in order to focus on civil society.
Why are we so vulnerable and how did we get here? More importantly, how do we prepare for the role and impact of cyber conflict on civil society? These are the questions we need to address urgently because we have firmly entered an era of cyberattacks, and some states are working overtime to normalize a state of ongoing cyber conflict.
Civil society’s difficulties are rooted in the asymmetry of cyber conflict. Oftentimes, as civil society actors, we don’t even know we have been attacked. And then, think of the impact of the cyber commands, the black box algorithms that track us, and the corporate malware we don’t even have names for.
We don’t have the defensive capacity, let alone the means or desire for offensive operations. And even if we did, there is little or no chance at attribution. So often, we have little idea how to find out who the attacker is. It is therefore almost impossible to respond, to mediate, or to remediate. In the few cases where civil society manages to identify those responsible, securing remedy is elusive. The surveillance tech sector operates in legal shadows, hiding in cracks to avoid accountability, while their government clients turn a blind eye.
Add to this the fact that civil society has so few resources dedicated to tackling this problem. The cybersecurity sector is a multibillion-dollar industry, and yet the blogger, the journalist, the freedom movement, and the peace activists have access to almost none of it.
Without budget or clear rules on attribution, we also face another digital roadblock – the internet shutdown. Governments are increasingly exerting unilateral control over the space. When in doubt about rising tensions, or the sharing of information, governments often seek to turn the internet off entirely.
Using the weaponization of information, disinformation, and terrorist content as justification, governments forced over 196 internet shutdowns last year. The valiant #KeepItOn coalition of almost 200 NGOs fighting this trend doesn’t rest, because it doesn’t have the luxury to do so.
And when we are connected, the security of our communication channels is under attack, with attempts the world over to weaken encryption and insert backdoors making it easier for malicious hackers to gain access to personal communications, to data and location. Increasingly, some states are also trying to take control of the content, location and jurisdiction of data centers, arguing that this is for their own “digital sovereignty,” leaving civil society further isolated.
These threats to the security and accessibility of communications platforms are part of a broader trend of closing digital civic space. We need to understand now that civic space in the digital realm is shrinking and increasingly vulnerable, as a whole and in more targeted ways. Recent reports detailing the onslaught against the Uighur community in China are a portentous reminder of what lies ahead.
The focus should not be on legitimizing cyber attacks or new forms of cyberwarfare, but on ensuring that all efforts are put on de-escalation and an international legal framework that is observed globally.
We firmly believe that international humanitarian law should apply online. With that law complemented by other global norms, it is not as though the laws of war, conflict and peace in cyberspace have yet to be entirely determined. There are nonetheless gaps that bad actors, in bad faith, exploit to their advantage, and the nature of responsible state behavior in cyberspace has yet to be agreed upon. As two parallel UN processes deliberate over these coming months, civil society is the first victim of this uncertainty.
Getting our global cyber norms right has consequences for our ability to enjoy our rights. Cyber attacks have real-life impact – on hospitals, electric grids, and elections. What’s worse is that asymmetrical and targeted attacks against civil society can lead to imprisonment, torture, and even death.
The international community has built up a humanitarian response framework and precedent for such dangers offline, but the online equivalents are nascent. Hospitals are frequently targets of attacks, and the computer emergency response teams established to protect them are grappling.
Access Now runs the Digital Security Helpline to respond to threats to civil society in real time. Together with partners in the field, we are on full alert, but that doesn’t prepare us or our colleagues for the emergence of new forms of government surveillance, the onslaught of shutdowns or the hacking of citizens.
Emerging norms of global cybersecurity and digital peace need to do more to protect the most vulnerable. Civil society must be resourced and empowered to protect itself, the private sector needs to ensure it is not a willing partner in human rights abuses, and states must agree to a rights-respecting cyberspace, particularly at times of conflict.