About the author: Anabela Paula Brízido is a PhD Candidate in Law and a Guest Professor at NOVA School of Law. She is also a Research Associate at the NOVA Knowledge Centre for Business, Human Rights and the Environment (NOVA BHRE) and an Associate Member of the Military Academy Research Centre (CINAMIL).
The UN Guiding Principles on Business and Human Rights lay much of the groundwork for a discussion of cybersecurity as a human right in the context of business enterprises having a duty to respect those rights and act with due diligence. The private sector, which operates critical infrastructure and provides essential digital services, needs to be aware of the importance of those rights to the economy and social welfare.
In his speech to the General Assembly on 19 September 2017, UN Secretary-General António Guterres warned of the risks of cyber threats and their impact on societies and States.
The impact is particularly noticeable when cyberattacks target critical infrastructures and essential digital services that are vital to the economy and social welfare, because most public and private sector infrastructures are hosted in cyberspace and deliver their services through it. Damage to them compromises the functioning of both society and the State. It follows that cybersecurity neglect is synonymous with vulnerability and considerable risk exposure.
For a better understanding, let us look at the incidents in Estonia in 2007 and the current ongoing armed conflict between Russia and Ukraine.
Between 27 April and 18 May 2007, Estonia was subjected to massive cyberattacks targeting banks, online media, internet service providers (ISPs), government entities, its Parliament and the police[1]. As to the ongoing conflict between Russia and Ukraine, the Fridbertsson Report records that Russian cyberattacks have been directed against Ukrainian governmental websites and critical infrastructures, such as rail systems. Ukrainian cyberattacks have targeted not only Russia’s railway system but also its electrical grid (a critical infrastructure) in an attempt to prevent Russia from getting weapons and supplies to the Ukrainian front[2].
These two examples illustrate the negative impact caused by damage to critical infrastructures and services and the consequent loss of functionality. Given their importance, both the State and society remain partially or totally dysfunctional until that functionality is fully restored.
The private sector plays a key role in keeping those infrastructures operational and delivering those services. It is therefore worth familiarising ourselves with the Portuguese legal framework, which is strongly influenced by the European Union, and then examining cybersecurity through the prism of the challenges it raises for business enterprises.
According to the ENISA Threat Landscape 2022 report[3], the prime threats were ransomware, malware, social engineering, threats against data, Distributed Denial of Service (DDoS), internet threats, disinformation and misinformation, and supply-chain attacks.
Operators and service providers cannot ensure cybersecurity unless they know how to assess, evaluate, mitigate, and control the risks in cyberspace. It is also important that they notify the competent authorities of all incidents likely to have a significant impact on the continuity of the services they provide. The aim is to mitigate the negative impact on the State and society.
It was against this background that the European Union (EU) adopted Directive (EU) 2016/1148 of the European Parliament and of the Council on 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union (The NIS Directive[4]). In 2020, the European Commission set out the EU Security Union Strategy in its communication of 24 July, COM (2020) 605 Final, which is gradually being implemented[5].
The NIS Directive was transposed into Portuguese law by Law n. 46/2018, of 13 August, which established the legal framework for cyberspace security. Since that law must be read together with the National Cyberspace Security Strategy 2019-2023 (NCSS), adopted by the Resolution of the Council of Ministers (RCM) No 108/2019 of 5 June, and given the strategy’s 2019-2023 time frame, there is a substantial probability that it will be revised.
The RCM defines cybersecurity as a set of “prevention, monitoring, detection, reaction, analysis and correction measures and actions aimed at maintaining the desired level of security and ensuring the confidentiality, integrity, availability and non-repudiation of the information, networks and information systems in cyberspace, and the people who interact in it”.
For its part, the NIS Directive identifies operators of essential services in the energy, transport, banking and health sectors, financial market infrastructures, drinking water supply and distribution, and digital infrastructure (Annex II). Digital service providers include cloud computing services, online marketplaces, and online search engines (Annex III).
The COVID-19 pandemic and the ongoing armed conflict between Russia and Ukraine have accentuated dependence on the internet, revealing its vulnerability to cyber threats. The immediate solution is to build a corporate culture of cybersecurity. In parallel, there is consensus within legal scholarship that new technologies and cyberspace fall within the scope of human rights considerations. There is disagreement, however, on the types of human rights to be considered. And the question still remains as to whether access to the internet and cybersecurity are indeed human rights.
From a more conservative point of view, such as that of Vinton Gray Cerf (one of the fathers of the internet), the internet is a means through which rights are exercised. The UN perspective is that the internet is a fundamental infrastructure, like roads and water, whose misuse can compromise important human rights such as the rights to freedom of expression, information, and privacy.
As to cybersecurity itself, the general focus has been more on the spheres of internal security (cybersecurity) and international security (cyber defence), giving little attention to the human rights aspect.
In Portugal, there has been lively debate around the Portuguese Charter of Human Rights in the Digital Era, approved by Law n.º 27/2021 of 17 May[6]. Important rights are enshrined in it, specifically in Articles 3 (Right of access to the digital environment), 5 (Guarantee of access and use) and 15 (Right to cybersecurity[7]).
However, the Charter is criticized for many reasons by legal scholars and some public entities, such as the National Communications Authority (known as ANACOM), the High Council of the Public Prosecutor’s Office, the National Commission for the Protection of Data and the Regulatory Authority for the Media.
The main arguments in this controversy concern redundancy, contradiction, and the compromising of freedom of expression. As to redundancy, the Charter does not bring anything new: its rights are already enshrined in the Portuguese Constitution (as fundamental rights), in international human rights treaties and in EU law. Instead, the Charter contributes to legal uncertainty. In terms of contradiction, the Charter conflicts on several points with EU law and with the case law of the Court of Justice of the European Union. Finally, with regard to compromising freedom of expression, the Charter increases State intervention in an area where this is not desirable under Article 19 of the Universal Declaration of Human Rights and Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)[8].
Regardless of one’s position on such a complex topic, there can be no doubt that businesses operating in this sector must respect human rights. In turn, the States must ensure compliance and accountability in the event of violation.
Scholars such as Scott J. Shackelford[9] use the UN Guiding Principles on Business and Human Rights to operationalize a human right to cybersecurity grounded in corporate social responsibility (CSR) and the principle of due diligence. According to this form of self-regulation, business enterprises must identify, assess, evaluate, and control the negative impacts on human rights of their activity.
This seems to be a good first step, for a number of reasons. The effects of cyberattacks on critical infrastructure and on essential and digital services do need to be highlighted, since they compromise the functioning of society and the State. Who wants to be deprived, even temporarily, of health services, energy, water or even access to the internet? As these are vital services, provided mainly by States in the past and nowadays by the private sector, the resulting obligations on companies are also more demanding. Due to the particularities of the business activity itself, their obligations extend beyond merely respecting human rights and now cover the concrete implementation of those rights.
Cyberspace’s ubiquitous, borderless, and anonymous nature also demands extra caution on the part of companies, because once a cyberattack has been launched, its spread through networks and information systems may be difficult to contain. Finally, the losses that companies may themselves sustain cannot be overlooked. The most common are system failures and temporary interruptions, which may lead to companies failing to meet their obligations to customers and third parties. Loss of information (data), loss of reputation, and the payment of a ransom, usually in cryptocurrency[10], are among the most widespread types of damage that can occur.
[1] Ottis, Rain, Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective, Cooperative Cyber Defence Centre of Excellence, Tallinn, https://ccdcoe.org/uploads/2018/10/Ottis2008_AnalysisOf2007FromTheInformationWarfarePerspective.pdf, accessed on 13 January 2022.
[2] Report of the Rapporteur Njall Trausti Fridbertsson addressed to the NATO Parliamentary Assembly, Technological Innovation for Future Warfare, 025 STCTTS 22 E ver.1 fin, November 2022, NATO.
[3] ENISA Threat Landscape 2022, November 2022, ENISA, ISBN: 978-92-9204-588-3, DOI: 10.2824/764318. ENISA is the European Union Agency for Cybersecurity.
[4] In 2023, the NIS2 Directive, which updates the NIS Directive, entered into force: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148. Article 41 stipulates that by 17 October 2024, Member States “shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof. They shall apply those measures from 18 October 2024”.
[5] Communication from the Commission to The European Parliament, the European Council, the Council, the European Economic and Social Committee and The Committee of the Regions on the EU Security Union Strategy, Brussels 24.07.2020 COM (2020) 605 Final.
[6] As amended by Act No 15/2022 of 11 August.
[7] Article 15 provides for the following: 1. Everyone has the right to security in cyberspace. The State has a duty to define public policies that guarantee the protection of citizens, networks, and information systems. Mechanisms should be provided to increase security in the use of the internet, mainly in respect of children and young people. 2. The National Cybersecurity Centre promotes, in coordination with other competent public entities and private partners, the acquisition by citizens and companies of practical training and their benefiting from online services for the prevention and neutralisation of threats to security in cyberspace; to this end, it is endowed with administrative and financial autonomy.
[8] See Alexandrino, José Melo, Dez breves apontamentos sobre a Carta Portuguesa de Direitos Humanos na Era Digital [Ten brief notes on the Portuguese Charter of Human Rights in the Digital Era], 2021, Instituto de Ciências Jurídico-Políticas e Centro de Investigação de Direito Público da Faculdade de Direito de Lisboa.
[9] Shackelford, Scott J., Should Cybersecurity Be a Human Right? Exploring the ‘Shared Responsibility’ of Cyber Peace (July 19, 2017). Stanford Journal of International Law No. 2019, Kelley School of Business Research Paper No. 17-55, in SSRN: https://ssrn.com/abstract=3005062 or http://dx.doi.org/10.2139/ssrn.3005062, accessed on 13 January 2023.
[10] CNCS, Relatório Cibersegurança em Portugal, Economia [Cybersecurity in Portugal Report, Economy], May 2022, CNCS.
Suggested citation: A. Brízido, ‘Cybersecurity as a Human Right?’, Nova Centre on Business, Human Rights and the Environment Blog, 25th January 2023.