Author: Shackelford, Scott J.

  I. DEFINING KEY TERMS
    A. Cyber-What? Understanding the Twenty-First Century's Most Worrying Prefix
    B. Unpacking the Cybersecurity Challenge
    C. Cyber Peace
    D. Polycentric Governance
  II. IS INTERNET ACCESS A RIGHT?
  III. APPLYING HUMAN RIGHTS LAW TO CYBERSECURITY
  IV. UNPACKING STATE PRACTICE: AN ANALYSIS OF THE TREATMENT OF HUMAN RIGHTS IN NATIONAL CYBERSECURITY STRATEGIES
    A. Human Rights, Civil Rights, and Civil Liberties
    B. Privacy
    C. Free Speech
    D. Internet Access
    E. Governance Trends
    F. Summary
  V. OPERATIONALIZING A HUMAN RIGHT TO CYBERSECURITY: LESSONS FROM THE CSR AND DUE DILIGENCE CONTEXTS
    A. Cybersecurity as a Social Responsibility
    B. Cybersecurity Due Diligence
    C. Toward a Positive, Polycentric Cyber Peace
    D. Implications for Managers and Policymakers

INTRODUCTION

    No individual, organization, or nation is an island in cyberspace. That point was brought home with the 2017 WannaCry ransomware attack allegedly masterminded by North Korea that infected more than 200,000 computers spread across 150 nations. (1) The consequences of this campaign put into stark relief the way outdated software can negatively affect not only the computers' owners, but also the wider Internet ecosystem. (2) In response to the WannaCry attack, Microsoft President and Chief Legal Officer Brad Smith stated, "We should take from this recent [ransomware] attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it's needed now." (3)

    The companies hit a month later by the June 2017 NotPetya attack did not heed that warning; attackers exploited the same vulnerability as WannaCry. (4) Some public and private-sector stakeholders are taking notice. (5) The U.S. Department of Homeland Security, for example, has highlighted businesses' "shared responsibility" to protect themselves against cyber attacks. (6) Consumers cannot protect their utility services, banking systems, or even their personal data on their own, and must depend on companies to handle that security and government to help hold free riders accountable. (7)

    Rather than being defined exclusively in terms of return on investment, (8) more firms are similarly considering their cybersecurity decision making in terms of its impact on overall corporate and social sustainability. (9) By promoting both Internet access and Internet freedoms, some argue that cybersecurity helps support human rights, both online and offline. Indeed, Internet access may be considered as an emerging human right, of which cybersecurity may be viewed as a component part. (10) However, it should be noted that a tension is also present between universal access and cyber peace given products like Facebook's Free Basics program, which offer a curated and essentially closed approach to accessing cyberspace. (11) As has been previously argued, "International organizations and national governments alike have begun to formally recognize its importance to freedom of speech, expression, and information exchange. The next step to help ensure some measure of cyber peace may be for cybersecurity to be recognized as a human right, too." (12) Yet the connection between cybersecurity and human rights has been underappreciated in the literature to date. (13) This Article investigates the nuances of this debate, and analyzes the implications of such a designation on organizations through the lens of the Corporate Social Responsibility (CSR) and cybersecurity due diligence movements. Ultimately, it is important to leverage an array of interdisciplinary tools from law, the social sciences, and the humanities to promote cyber peace such as by broadening workforce development programs and looking for lessons from related areas like sustainability. The literature on polycentric governance, which is introduced below, (14) is used as a lens through which to view this effort.

    This Article is structured as follows. Part I defines key terms, including "cyber peace." Part II explores the nuances of the debate surrounding whether or not Internet access should be defined as a human right. Part III builds from this foundation by analyzing the benefits, drawbacks, and implications of nations designating cybersecurity as a human right. Part IV analyzes how nations are actually strategizing about the intersection between cybersecurity and human rights by using the national cybersecurity strategies of thirty-four nations as a reference for discussion. As we will see, state practice has not kept pace with popular opinion on whether or not either Internet access or cybersecurity should, in fact, be considered human rights. Part V then investigates the ways in which cybersecurity is being treated by organizations as a matter of social responsibility, which may be considered as a step on the long road to cyber peace. (15) The Article concludes with an analysis of the implications of this movement on managers and policymakers, as well as how interdisciplinary tools from related areas from the social sciences and humanities can help to address latent cyber insecurity.


I. DEFINING KEY TERMS

    In order to establish a common foundation for analysis, this Part first introduces the cyber threat, and then moves on to discuss the concepts of cyber peace and polycentric governance.

    A. Cyber-What? Understanding the Twenty-First Century's Most Worrying Prefix

      In September 2017, Equifax admitted that the personal data of more than 143 million of its customers were compromised. (16) This single breach, first discovered on July 29, 2017 and impacting the majority of American adults, is particularly serious given the high likelihood of resulting identity theft cases that could arise long after the offered one year of credit monitoring has expired. (17) The breach has renewed a debate about ensuring appropriate oversight for the credit reporting industry. There have also been calls for the Federal Trade Commission (FTC) to investigate the company under its Section 5 authority from the Federal Trade Act. (18) Yet the Equifax breach was only one of the largest and most notable in a string of cyber attacks impacting the public and private sectors from Yahoo! to the Democratic National Committee. (19)

      From attacks on Marriott's systems, (20) to Ukraine's critical infrastructure, (21) to smart phones that can be turned into microphones, (22) organizations of all sizes and levels of sophistication are increasingly being targeted. Data on the cost of cyber attacks in the United States is difficult to verify, a problem that is compounded when considering the global reach of cybercrime. (23) Until 2011, U.S. firms did not even have guidance on when to disclose data breaches. That changed when the U.S. Securities and Exchange Commission (SEC) published guidance on the topic, requiring disclosure of "material" attacks, (24) and suggested that more stringent reporting requirements may be coming. (25) As of this writing, they have not materialized, (26) and the results are to be expected: many firms are ignoring the guidance. The New York Times, for instance, found that only twenty-four firms reported breaches to the SEC in 2017, despite 4,732 cyber attacks being reported by the Privacy Rights Clearinghouse during the same period. (27) There are many reasons for this state of affairs, such as being unaware of the breach (Marriott had been compromised for years, as one example), (28) as well as an apparent lack of confidence in law enforcement. (29) Congress has long grappled with the issue, and there have been some partial fixes rolled out, such as the Cybersecurity Act of 2015. (30) Yet even this effort was far from the "comprehensive" bill originally envisioned, which is why former President Obama and President Trump continued with executive action that has expanded public-private information sharing and established the National Institute for Standards and Technology (NIST) Cybersecurity Framework. This framework comprises private-sector best practices that companies can adopt to better secure critical infrastructure. (31) As of this writing, the Trump administration has done relatively little to change the status quo, (32) even as both foreign governments--such as European Union countries through the General Data Protection Regulation (GDPR)--and U.S. states--such as California--have moved in to begin addressing governance gaps. (33)

      Given the complexities inherent in mitigating multifaceted cyber risk, and the associated difficulties with even defining the scope of the problem (such as defining the line between cybercrime and espionage), more firms are moving from a reactive, defensive posture, to a more proactive one. (34) These concepts may be combined within the literature on due diligence, (35) which includes the so-called passive active defense discussed further below. (36) First, though, it is important to further unpack the cybersecurity challenge facing the public and private sectors, before moving on to the related concepts of cyber peace and polycentric governance.

    B. Unpacking the Cybersecurity Challenge

      Even though cyberattacks are commonplace today, they are nothing new. In fact, hackers have been active on the Internet at least since the first Internet worm was reported back on November 2, 1988, when a Cornell graduate student infected MIT's network with one of the world's first logic bombs. (37) The man, Roger Morris, was prosecuted under the then fairly new Computer Fraud and Abuse Act. (38) However, Morris eventually joined the faculty at MIT, and became a dot-com millionaire (39); in other words, things did not work out too poorly for one of the world's first documented hackers. (40)

      What has changed, then, in the thirty years since, is not the fact that cyberattacks are taking place, but rather how quickly they are proliferating in...
