Cyber Export Guidance
A case study from the 2014 Human Rights and Democracy Report.
The expansion of “cyber space” has brought huge economic and social benefits; it underpins almost every aspect of modern life and has revolutionised the way we work. However, the very same benefits we enjoy from ease of communication and access to information online also pose risks and provide hackers, terrorists, and other criminals with new opportunities. To help mitigate these risks, companies have developed security products and services which defend networks from malicious activity. Some of these capabilities enable users to monitor systems, analyse behaviour, or block harmful content. In many countries, such as the UK, these products are used legitimately, including by law enforcement authorities, in accordance with the domestic and international law obligations. However, in countries which do not have a similar approach to human rights, or adhere to their international human rights obligations, the same products are at risk of being used in ways that could breach states’ legal obligations, e.g. as tools contributing to internal repression or to restrict freedom of expression of individuals, including journalists, activists and marginalised groups, unlawfully or arbitrarily. Such activity may also risk either directly or indirectly contributing to other human rights abuses, including arbitrary arrest, torture and death.
Normally exports which could cause harm, such as arms, are covered by the export licensing system. However, many cyber capabilities, products and services are not listed. This problem was recognised by the Cyber Growth Partnership, a joint body representing industry, academia and government. In September 2013, the government undertook to develop practical guidance for companies in managing these risks.
The FCO worked with techUK, a technology trade association, and the IHRB to produce this guidance. IHRB facilitated consultation with industry and played a central role drafting and reviewing the human rights chapter. The resulting 35-page document, entitled “Assessing Cyber Security Export Risks: Human Rights and National Security” was published on 26 November 2014. It sets out:
the different sorts of potential harm associated with particular cyber capabilities;
a process to help companies assess country-specific risks and to evaluate business partners and re-sellers; and
potential mitigation options for avoiding or reducing risks.
techUK will evaluate the document after six months and assess whether it has helped companies to build confidence. In the meantime, the FCO will ensure that the Overseas Business Risk service provides the requisite level of support to companies. It will also explore additional options to raise risk awareness and promote good practice.
At the international level, the government continues to support the work of the UN Working Group and the Office of the High Commissioner for Human Rights, and we have actively participated in their projects to develop guidance for the development of national action plans, and for addressing the issue of remedy in the case of gross human rights abuses. The UK participated in the Asia Europe Meeting Seminar on Human Rights, which focused on business and human rights, in Vietnam in November; the Second World Forum on Human Rights, in Marrakesh in December, for a panel discussion on business and human rights, and a delegation led by Minister for Employment Relations and Consumer Affairs, Jo Swinson, attended the 3rd Annual UN Forum on Business and Human Rights in Geneva.