The CSS Blog

‘Cybersecurity’ and Why Definitions Are Risky

On November 7, the Swiss Chairmanship of the Organization for Security and Co-operation in Europe (OSCE) held a conference in Vienna on confidence-building measures for cybersecurity. The event built on several positive international developments last year, including a bilateral agreement between the U.S. and Russia and the agreement of the OSCE member states to adopt “an initial set of OSCE Confidence-Building Measures (CBMs) to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies.” Last week’s conference sought to promote the implementation of the latter and further negotiations. This includes a recent study commissioned by the Swiss Government, and available at the Global Cyber Definitions Database, which offers a compilation of existing cybersecurity-related terms in order to shed light on these differences.

The debate over definitions has been one of the more contentious issues in international fora such as the OSCE as well as in national debates. In the United States, for example, the term ‘information security’ is used more often on the West Coast, whereas ‘cybersecurity’ is more common on the East Coast, especially inside the Beltway. The latter term is sometimes criticized because it is perceived to be a government or military term describing what IT experts called information security long before ‘cyber’ became mainstream (though, interestingly, John Perry Barlow didn’t mind calling his notorious 1996 declaration “A Declaration of the Independence of Cyberspace”).

However, many people focused on domestic policy are unaware that the term ‘information security’ has developed a life of its own at the international level. The Russian and Chinese governments support a notion of information security in their proposed International Code of Conduct for Information Security that calls for international cooperation to curb “the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment.” In other words, under this code, states would cooperate to restrict content deemed to undermine a country’s “social stability.” This proposal is clearly at odds with international human rights. The dangers of abuse that this notion of information security entails are why the U.S. government and many other governments use the term ‘cybersecurity’ in fora like the OSCE and the United Nations, and why the Russian and Chinese initiative has been criticized by cybersecurity experts and human rights advocates alike, including the study’s authors.

The government of the United Kingdom has been among the most explicit in drawing attention to this issue.  In a submission to the United Nations, the United Kingdom acknowledged that many businesses and standards organizations use the term ‘information security.’  But the document also highlighted the “potential confusion in using the term ‘information security,’ which is also used by some countries and organizations as part of a doctrine that regards information itself as a threat against which additional protection is needed.”  As the document outlines, “the United Kingdom does not recognize the validity of the term ‘information security’ when used in this context, since it could be employed in attempts to legitimize further controls on freedom of expression beyond those agreed in the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.”

On the whole, this debate over definitions is making it more challenging to make progress towards addressing the actual mutual cybersecurity risks – those excluding content – that affect all states. As the current chair of the OSCE, the Swiss government seeks to move this agenda forward, including by addressing one of the OSCE Confidence-Building Measures agreed to last year, which states:

“In order to reduce the risk of misunderstandings in the absence of agreed terminology and to further a continuing dialogue, participating States will, as a first step, voluntarily provide a list of national terminology related to security of and in the use of ICTs accompanied by an explanation or definition of each term.”

In order to aid the process, the Swiss government commissioned the authors to compile a global, comprehensive list of existing definitions of terms related to cybersecurity and information security. While this study was conducted in the context of the OSCE’s process, its output is useful to a much broader audience of policy-makers domestically and internationally as well as to audiences in academia, the press, the private sector, civil society, and the general public. The launch of the searchable website last week, to accompany the commissioned study, aims to make these data and definitions available to the public. Because the study is designed to be a living document, the website includes a form to submit new documents and terms. These can be submitted at:

Importantly, this study is not an endorsement of proposals for an international cybersecurity treaty that carry more potential risks than benefits in the current environment. In fact, the compilation reveals the extent to which definitions differ between countries, including the critical human rights component described earlier. It also shows that even at the national level, many governments do not have a common national glossary. Different agencies and ministries within a country often use different definitions depending on their specific focus and mandate.

According to the Internet Society, “as a catchword, cybersecurity is frighteningly inexact and can stand for an almost endless list of different security concerns, technical challenges, and ‘solutions’ ranging from the technical to the legislative.”  This highlights that there is not only a need to carefully distinguish between the use of ‘cybersecurity’ and ‘information security’ in various fora and to clearly delineate security issues from human rights, but also to clarify what each term means.

Tim Maurer is a non-resident fellow at the Global Public Policy Institute (GPPi) and a research fellow at the New America Foundation’s Open Technology Institute in Washington DC. Prior to joining the New America Foundation, Tim was a research associate at the Center for Strategic and International Studies, where he continues to be an adjunct fellow.

Robert Morgus is a research associate at the Open Technology Institute where he provides research and writing support on cyber space and international affairs. His work focuses on swing states in the Internet governance debate, Internet freedom in the context of U.S. export controls, technical sovereignty, and cybersecurity.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.