Blog Post | Incorporating gender considerations into international cybersecurity policy and practice
Gendered dynamics and assumptions are prevalent throughout the field of cybersecurity.
Many cybersecurity threats are experienced differently by women and girls, men and boys, and people of non-binary gender identities. For example, the design of smart household devices has not adequately included intimate partner violence in its ‘threat modelling’, meaning that supposedly secure smart devices increase gendered risks. People of different genders also participate unequally in the formation and enactment of cybersecurity policies and practices. An analysis of international cybersecurity negotiations by the UN Institute for Disarmament Research (UNIDIR) found that only 1 in 5 participants were women, and when states sent a single representative, it was nearly always a man.
Multilateral processes on cybersecurity have recently begun to include official statements drawing attention to its gendered dimensions. Several delegations participating in the UN Open-Ended Working Group on cybersecurity have stated the need for gender mainstreaming into cyber norm implementation and gender-sensitive capacity building, as well as a better understanding of the linkages between cybersecurity and gender equality frameworks. However, questions remain about the overall application of gender perspectives to cybersecurity, as well as what kind of actions are needed to effectively implement a gender approach to cybersecurity and turn those goals into reality.
To tackle this knowledge gap, we wrote a report for UNIDIR that outlines a gendered approach to cybersecurity. We suggest that gender norms inform cybersecurity in two ways. First, gender constructs individual identities, roles, and expectations within cybersecurity and broader society, such as the frequent association of technical expertise with men and masculinity. Second, gender operates as a form of hierarchical social structure. This means that activities or concepts associated with masculinity, such as technical expertise, are often, but not always, valued over those associated with women and femininity, such as communications expertise or equality, diversity, and inclusion initiatives.
To understand how gender shapes specific cybersecurity activities, this report proposes a new ‘cyber-centric’ framework of design, defence, and response, aligned with prevalent perspectives among cybersecurity practitioners and policymakers. In each of these three pillars, the research identifies distinct dimensions of cyber-related activities that need to be considered from a gender perspective.
Design. Technology design is gendered: it misunderstands, omits, and consolidates certain gendered uses, privileges perceived masculine practices over feminine ones, and essentializes femininity in problematic ways. Cybersecurity design inherits these issues. The threat models, reporting and user control procedures, and advertising of cybersecurity technologies mean that cybersecurity threats to women are more likely to be downplayed or omitted by the cybersecurity industry; women are more likely to have additional security burdens, such as investing more time and effort in social media privacy settings; and are more likely to be targeted by spyware that is advertised under disingenuous cybersecurity marketing.
Defence. Defensive threat simulations and characterizations often involve gender stereotyping. More deeply, how we think about defence - i.e. what it means to defend and the common-sense actions we take to defend - reflects a series of norms associated with masculinity, such as protection, technical competence, and autonomy. Gender norms around vulnerability can make admitting error, seeking help, or working cooperatively more difficult, generating reluctance to effectively implement cybersecurity defences and improve transparency around the disclosure of cybersecurity incidents.
Response. Cybersecurity responses involve distinct gender dynamics. The priorities, composition, expected practices and working hours, and workplace culture of incident response teams require gender analysis. Furthermore, the informality of cybersecurity response communities – often composed of close trust networks formed through years of interaction – means that they may have lower participation from women and minorities, even when compared to low overall proportions in the industry. Cybersecurity responses can also involve a gendered dynamic of victim-blaming, wherein organisations or individuals with insufficient cyberdefences or identity protection measures are perceived as ‘asking to be hacked’.
Research addressing the linkages between gender and cybersecurity is sparse, although growing. Thus, in each of these pillars, the report outlines areas for further investigation. It also proposes recommendations for the incorporation of gender considerations throughout international cybersecurity policy and practice, including:
- Cybersecurity standards have an important role to play in the development of gender-sensitive technology design. Assessment is required of the extent of gender equality in cybersecurity standards, including meaningful participation, content and language, as well as direct and indirect gender effects. The first step towards this is the collection of gender-disaggregated data throughout cybersecurity policy and practice.
- Efforts to address the gender gap in cybersecurity should build on broader moves to increase women’s participation in science, technology, engineering and mathematics (STEM). Additionally, it is important to raise the profile and value of cybersecurity skills and expertise beyond STEM (e.g. communications, ethics, legal governance). All cybersecurity stakeholders should counter harmful gendered perceptions and stereotypes, and support organizational and cultural shifts that value diverse activities and capacities.
- Cybersecurity legal measures should incorporate a gender perspective into the development, implementation, oversight and evaluation of relevant laws. Legal measures should be underpinned by an open and participatory legislative process involving all stakeholders, especially civil society groups and organizations promoting the rights of individuals of underrepresented and marginalized gender identities.
- All organisations – in the public and private sectors – should conduct “gender and cybersecurity” training for practitioners and policymakers. This training should incorporate a dual focus on a) gender equality, diversity, and inclusion in the workplace and b) the development of a gender perspective on cybersecurity as a professional skill. This training will provide a practical introduction to gender as an element of policy, ensuring that gender expertise is a foundational and respected aspect of cybersecurity professional practice and policymaking. States should fund the development of a cyber and gender training toolkit and require public sector organisations and private sector contractors to use it where possible. States may also use the toolkit to build interstate cooperation on cybersecurity.
Such measures would ensure that cybersecurity improves the security of people of all gender identities and expressions, as well as international peace and security. The ultimate conclusion is that these two levels of security cannot be separated.
The views expressed in this article are the authors’ own and do not necessarily reflect the views of Women in International Security Netherlands (WIIS-NL).