It is not an exaggeration to say that modern society couldn’t function without information technologies. Our health, safety, security and well-being depend on a variety of networks and systems providing essential services with these are known as a critical information infrastructure. Even a short interruption of these networks can have a drastic consequence both national and across borders like a mass out leak of identity number or electricity blackout.

Looking from a human right defenders’ perspective it’s clear that achieving cybersecurity isn’t just about the security of systems but a battle range of systems from encryption to access infrastructure development to data ethics with the view to preserve the rights and not to infringe them. Since these networks do not stop at national borders, trust and cooperation between nations are essential to keep cyberspace open, safe and secure. Otherwise sensitive information related to cyber threats will be shared leaving critical information infrastructure vulnerable to manipulation and abuse.

States can have conflicting views and their levels of capabilities aren’t always the same. These can cause problems. The way states try to get around this, is called confidence and capacity building. It refers to measures taken by the international community which include clarifying how existing international laws apply to cyberspace, developing norms of responsible state behaviour, sharing information about cyber threats and developing confidence and security-building measures to keep cyberspace open, safe and secure.

Some of the issues that fall under this practice include civil defence, military defence and the general resilience of critical information infrastructure, national security and crime investigation. In the past, the sensitive areas were strongly tightened national state borders and sovereignty states. But today, states need to cooperate with other countries on these issues to a far greater extent. Many critical information infrastructures and information assets are also known by private sectors.

This makes public-private cooperation an additional and essential element in securing cyberspace both nationally and internationally. Giving another country or a private actor access to the system and letting them know your vulnerabilities requires confidence that this information will not be abused. These in turn require trust. Achieving this level of trust can be hard at the international level, that’s why most of the agreements on these issues tend to be between two governments directly or limited to a small group of governments.

However, these scattered effects can be contradictory or incompatible which makes coordination and cooperation even harder. As a result, states must find agreement on confidence and security-building measures, these are called CSBM. One example is the G7 group of governments who issue the following statements of above CSBM, “ we commit to promote the strategic framework of international cyber stability consisting of the applicability of existing international law to state behaviour in cyberspace”, “ the promotion of voluntary norms of responsible state behaviour during peacetime, and the development and implementation of practical cyber confidence-building measures between states.”

There is always a potential for abuse wherever collection of data and information is a necessary form of national security to criminal justice, this could mean mishandling of criminal investigation, improper use of shared personal information like monetizing the data through an advertisement for targeting political dissidents, surveillance and other privacy intrusions. The frequent cross border nature of these risks may insight the cooperation between states.

By getting involved in discussions on interstate CSBM, human rights defenders can help to make sure that the information gathered, handled and shared in a human rights-respecting manner. International human rights law is a crucial starting point. If states pay more importance to the shared human rights standards building trust between states will be easy to achieve. It would help states to find compatible mechanisms for agreement and cooperation. Above all, it could ensure cybersecurity measures focus on empowering individuals not just protecting systems from harm.

Perhaps surprisingly the key players in confidence capacity building between countries have been traditionally nation-states. The first attempt to create cyber capacity building forums were by international organizations and states, the United Nations Group of Governmental Experts (UNGGE), the International Telecommunication Union (ITU), the African Union, the Organisation for Security and Cooperation in Europe (OSCE) and the Organisation for American State (OAS). These intergovernmental forums do not just support trust-building but also a binding obligation and voluntary agreements between states. For example, by signing the norms of state behaviour, capacity building or information sharing. Many of these forums and initiatives also acknowledge the need to cooperate with industry and other stakeholders.

They are slowly transforming into an inclusive model of participation. Generally, more inclusive multi-stakeholder forums like the Internet Governance Forum and other state-led forums like the Global Forum on Cyber Expertise (GFCE) support these effects. They do this by inviting stakeholder input by creating platforms where cybersecurity development can be discussed comprehensively generating mutual understanding and generating best practices.

There are many examples of cyber capacity in confidence-building initiatives happening now in these forums. The UNGGE examines existing and potential threats in cyberspace to propose possible cooperative measures between states. All the participating experts are government officials. However, many of them take advice from national advisers. Some of them come from civil society which means human rights concerns can be raised. The most promising avenue for getting involved is through debates with the UNGGE representatives and advisers at the national level. Here identifying relevant cybersecurity issues and supporting human rights defenders understanding is possible.

The OAS developed CSBM by the Inter American Integral Strategy to Combat Threats to Cyber Security adopted in 2004 while all OAS members are government representatives. They have been trying to include other stakeholders in the discussion on how to best tackle cybersecurity. Acknowledging that cybersecurity needs may vary from country to country. However, much more could be done to bring consideration into practice. The GFCE launched in 2015 as a global platform with different actors and stakeholders can exchange expertise or capabilities on cybersecurity.

Due to its approach where practical capacities are traded it has been hard on a civil society actor to be as involved as the private sectors, governments who have more resources to offer. The GFCE is still a promising avenue for human rights defenders. While many initiatives exist bilateral, regional or international mechanisms to build capacity while still in their infancy. Building trust will take time, coordinated and persistent efforts as well as dialogues across different forums. Hence the first thing to note is that everyone has a crucial role to play and unless human rights defenders contribute to the initiatives mentioned and will never be able to face the challenges of mistrust, cross border nature of problems and the need to share sensitive information in a rights-respecting manner. The processing of capacity building used to be largely between states. Now they are becoming more open and inclusive. The role of civil society is increasingly valued. There are two main ways one can get involved, you can help build bridges between countries by functioning as a mediator. This could also support the cross-border relationship, especially in regional and global forums. You can raise awareness by advising and informing your governments. As rightly said national activities can have an international impact.