You can't talk about cybersecurity without talking about technology. And when engaging with policymakers, it's helpful for human rights defenders to understand the basic concepts of this domain. But from a technical perspective, what does security mean?
Popular conceptions of cybersecurity often focus on securing information and its underlying infrastructure. Information is the lifeblood of cyberspace, from personal data to high-level state communication. It flows through networks in huge quantities and is stored on devices and data centers. It is subject to voluntary standards but without a central authority and in a rapidly changing environment. These can be subject to change in cyberspace information is digital and intangible. Still, it relies on an infrastructure, which is physical, from cables to servers, routers to satellite connections, data, and metadata in cyberspace which can be vulnerable at different points and be undermined in different ways. It can be copied, modified, or made inaccessible, or its origin could be faked- a violation of authenticity. Violations of confidentiality, integrity, availability, and authenticity can have different culprits. It might be criminal activity, a deliberate shut down by a government, or even an accident. These violations can undermine security in cyberspace, but they also impact a range of human rights, including privacy, freedom of expression, and information freedom.
The Border Gateway Protocol or BGP illustrates these well. This refers to the set of rules which enables communications between large networks. Despite its central role in the functioning of the internet, it remains vulnerable to misuse or attack. For example, in 2008, Pakistan's government ordered a local internet service provider to block YouTube. Its attempts to do so resulted in a global outage of the video-sharing website for two hours. The ISP exploited a weakness in the Border Gateway Protocol, and all traffic trying to get to YouTube went to the ISP instead. As a result, YouTube became unavailable.
Vulnerabilities in the BGP routes can also be manipulated to intercept internet traffic. Man-in-the-middle attacks work by redirecting large quantities of traffic to an unauthorized router. If the data is unencrypted, those controlling the router can then monitor or tamper with it before sending it on its way without the data owner knowing anything has happened. This undermines the principles of integrity and confidentiality. But just as you can undermine these principles, you can also preserve and strengthen them.
On the Internet, Engineering Task Force measures are under discussion to address weaknesses in BGP. If finalized, they could help ensure data goes to and originates in the right places and identify whether data is traveling on the right routes. This makes it less likely that traffic will be inadvertently intercepted or blocked and will help ensure confidentiality, integrity, and availability. The human rights that depend on them are respected on a technical level. Security can also be built into products and services by design. Apple and WhatsApp's adoption of default end-to-end encryption is a good example. Other tools include SSL TLS, encryption of emails, and certificate pinning in browsers; the stakes couldn't be higher.
Today, the internet isn't just a communications network. It's a network for industrial control systems, health care, and in some countries, even voting. As our reliance on network systems and technology increases, the risks associated with insecure networks also increase. Things are about to usher in a whole new universe of connected objects. This will pose huge challenges for both security and human rights. A big part of the solution is technical, as we've seen, but it's not the whole picture.
Let's look again at the incident in Pakistan. After a few hours, YouTube was restored at the global level by a technical fix. But in Pakistan itself, the censorship audit didn't go away, and YouTube remained blocked there until they removed the offending content. This shows that technical solutions are not enough. Security in cyberspace will only be possible with a holistic approach, which means robust technical measures and standards bolstered by rights-respecting policies and laws, responsible business practices, and education.