Gendered dynamics and assumptions are prevalent in the field of cybersecurity. Many cybersecurity threats are experienced differently by women and girls, men and boys, and people of non-binary gender identities. The threat models, reporting and user control procedures, and advertising of cybersecurity technologies mean that the most vulnerable gender groups in a particular context are more likely to have cybersecurity threats downplayed or omitted; more likely to have additional security burdens; and more likely to be affected by disingenuous cybersecurity advertising.
Additionally, people of different genders also participate unequally in the formation and enactment of cybersecurity policies and practices. Following a recurrent pattern in arms control and disarmament diplomacy, men outnumber women 2 to 1 in large multilateral meetings dealing with information and telecommunications (ICTs) in the context of international security.
However, it was only recently that multilateral processes on cybersecurity started to include official statements drawing attention to the gendered dimensions of cybersecurity governance. Notably, several delegations participating in the UN Open Ended Working Group on developments in the field of ICTs in the context of international security (hereafter, OEWG) have stated the need for gender mainstreaming into cyber norm implementation and gender-sensitive capacity building, as well as a better understanding of the linkages between cybersecurity and gender equality frameworks.
The OEWG second ‘pre-draft’ of the report, issued in May 2020, recognized the importance of ‘effective and meaningful participation and leadership of women’ in cybersecurity governance processes. In addition to gender balance, other gender-related considerations were reflected in that report. As the OEWG approaches its final stages and move forward with the drafting process, we highlight some of the main topics raised by delegation thus far and propose concrete ideas to advance gender considerations in cybersecurity processes.
Unpacking gender references in the OEWG
Mainstreaming gender perspectives into norm implementation
‘Norm implementation’ in the OEWG text refers to eleven voluntary and non-binding norms on responsible state behaviour in cyberspace endorsed unanimously by the UN General Assembly in 2015. This phrasing highlights that the aim is not necessarily for the cybersecurity policy community to generate new ‘cyber gender norms’ in addition to the eleven agreed (partly because these norms are already subject to significant contestation), but to focus first on norm implementation: to mainstream considerations of gender equality and equity into existing cyber norms.
Providing gender-sensitive capacity-building
There is a wide range of capacity-building efforts in cybersecurity, separate from norm implementation, although they overlap in several ways. Gender-sensitive, inclusive, and non-discriminatory cybersecurity capacity building requires taking a comprehensive view of where cybersecurity policy should incorporate a gender perspective, how it should do so, who should decide, and what, from a policy perspective, this would involve.
Overcoming the gender digital divide
The gender digital divide is the gap in access to, and ‘intensity of use’ of, digital technologies between women and men, girls and boys. Many international and regional bodies, including the UN Office of the High Commissioner for Human Rights, the Organisation for Economic Co-operation and Development, and the European Union have noted the negative effects of the gender digital divide and proposed measures to reduce it. The OEWG text is part of this broader movement towards digital gender equality.
Establishing links with the Women, Peace, and Security agenda
A recent report by UNIDIR shows that the Women, Peace, and Security (WPS) pillars of participation, prevention, protection, relief and recovery offer a useful structure for gender-responsive arms control. This research provides a path for identifying more specific connections between the WPS agenda and cybersecurity governance at the UN.
Turning goals into reality
A key prerequisite for achieving the goals outlined above is the development of a gender and cybersecurity toolkit for all cybersecurity stakeholders. This toolkit would provide a practical introduction to gender as an element of policy, tailored to cybersecurity, ensuring that gender expertise is a foundational and respected aspect of cybersecurity professional practice and policymaking.
States participating in the OEWG could support and fund the development of the toolkit. Non-state actors in academia and, particularly, civil society could contribute expertise in toolkit development, while corporate actors could implement modified versions and use commercial leverage to ensure others do so as well (e.g. through cyber insurance policies).
This toolkit would build on current best practices, such as the Gender and Security toolkit designed by the Geneva Centre for the Democratic Control of the Armed Forces (DCAF) (although it does not address cybersecurity in detail). Other forms of feminist and gender-focused training and guidance on cybersecurity, such as the IWPR Cyberwomen training and Tactical Tech’s gendersec curricula for experts, can be adapted for the international policy focus of this toolkit.
Secondly, to improve understanding about gendered patterns of engagement in cybersecurity, States should collect data on cybersecurity policies and practices to assess for gendered assumptions and impacts. Given the current lack of systematic data on gender and cybersecurity, this is the first step towards gender-sensitive cybersecurity policy.
To enable gender analysis, states should ensure that their cybersecurity technologies, policies, and practices are as transparent as possible, require gender-disaggregated data from public sector organizations and private sector contractors, and fund research based on this data. States should also assist other states in doing the same as part of capacity-building cooperation.
Non-state actors, including academia, industry, and civil society, can facilitate gender analysis by contributing expertise and developing new ways to research gendered impacts in cybersecurity and ensuring diverse perspectives as incorporated; corporate actors and regional and international organizations can also provide relevant data. Current best practices include gender analysis guides such as Gender-Based Analysis Plus (GBA+), empirical research such as University College London's Gender and IoT project, and work by Access Now and the Association for Progressive Communications (APC).
Finally, actions on gender should be subject to monitoring and oversight. All States should issue regular reports on measures undertaken to overcome gendered harms stemming from cybersecurity practices (or failures). Non-state actors, such as academia and civil society, can contribute expertise in writing these reports and to assist on relevant recommended actions.
A non-cyber example of such a report is the OSCE’s “Making Laws Work for Women and Men: A Practical Guide to Gender-Sensitive Legislation”. States could involve gender and cybersecurity groups at national and transnational levels, including those focusing on related sexuality and intersectional issues, in writing these reports.
Whatever format UN cybersecurity processes take after the conclusion of the current OEWG, gender considerations will – and should – be part of the discussions. Adopting these recommendations be a means to improve the security of people of all gender identities and expressions through its crucial efforts to improve cybersecurity at the level of international security policy. Ultimately, the two goals cannot be separated.
Dr. Katharine Millar is an Assistant Professor of International Relations at the London School of Economics and Political Science.
Dr. James Shires is an Assistant Professor at the Institute for Security and Global Affairs, University of Leiden, and a fellow with the Cyber Statecraft Initiative at the Atlantic Council.
Dr. Tatiana Tropina is an Assistant Professor in Cybersecurity Governance at the Institute of Security and Global Affairs at Leiden University.