The EU’s cyber policy and strategy has developed essential relevance to the EU’s security environment. This was highlighted in 2022’s Strategic Compass, which emphasises the importance of cybersecurity. In the grey zone between peace and armed conflict, state and non-state actors use cyber operations for espionage, ransom or sabotage. The 2022 ENISA Threat Landscape found a massive increase in cyberattacks targeting the EU. Notably, research and political publications tend to cite financial damage to companies when reporting on cyber operations. The ENISA report did not mention gender as a relevant element of the EU’s cyber threat landscape. Individuals and their security and insecurity in cyberspace remain under-addressed. Instead, cybersecurity is viewed through a state-centric lens. A feminist approach might help to provide a new perspective to cybersecurity.
The increasingly present policy approach of feminist foreign policy originates from the feminist movement and is based on multilateralism, human rights and the dismantling of unequal power relations. More and more European states are proclaiming the implementation of a feminist foreign policy. Belgium has recently joined Germany, Spain, France, Luxembourg and the Netherlands. A feminist EU cyber policy holds great potential for contributing to peace, security and justice worldwide; for achieving greater fairness in cyberspace; and for further integrating individual, national and international security. It also furthers recognition of cybersecurity for what it is: not a solely technical issue, but a policy, education and social issue.
A feminist perspective on structural inequalities
Gender is an important factor that determines how safe a person or group is in cyberspace, but it is important to note that gender is not synonymous with women. It is a category influenced by social norms and values. A feminist EU cyber policy must be intersectional, and it must acknowledge that individuals are disadvantaged or privileged by various identity factors, such as gender, race and class.
Why do we need a feminist approach?
- Gender-specific harms exist in cyberspace; the discrimination and various threats that exist offline also exist online.
Chatham House found that while men are more likely to be the victims of cybercrime, women are more likely to be targeted by cyber stalking. Cybersecurity priorities, though, are informed by people, so they replicate biases – like the tendency to tackle cybercrime on a systemic level. It is also evident that women and members of marginalised communities – such as LGBTIQ+ persons – experience more identity-based violence, both offline and online. This includes hate speech, harassment and stalking, as well as data breaches. Often, these forms of cyber threats are not seen as cybersecurity issues in the first place. As they create insecurities for individuals, however, they should be.
For instance, the Russian Ghostwriter campaign particularly targeted Polish female politicians, using defamatory sexualised content. Eventually, the politicians resigned. More drastically, disinformation and hate speech targeted at the Rohingya population led to an increase in sexualised violence against Rohingya women. Misogyny is only exacerbated in cyberspace.
Consequently, specific awareness training and prevention mechanisms are needed to better address the link between offline and online violence. It is important not to view cyber threats as separate from those of the offline world. After all, it is people who shape and use cyberspace. Consequently, we need to tackle these issues with a variety of tools, mechanisms and policies. We have to educate vulnerable groups about how to protect themselves online, including, for example, how to safely store passwords, remove personal information and report online violence. We need to bring perpetrators to justice, including ensuring that tech companies better protect the rights and safety of their users. Additionally, we must invest in education and violence prevention. This includes strong anti-discrimination laws and policies that are intersectional, as well as long-term shifts in social norms to eventually eliminate cyber violence. It is therefore very important that the new EU directive against gender-based violence also takes cyber violence into account.
Capacity building is another element of cyber policy where a feminist perspective can be of use. Globally, women are more affected by digital threats, because statistically fewer of them are educated in MINT (math, informatics, natural sciences and technology) subjects and fewer work in cybersecurity. Only about 15 to 20 percent of ICT workers are women.
Because they lack exposure to security threats, women often recognise these threats less quickly than men. But instead of considering women the weakest link in cybersecurity, resources should be invested into digital education to include structurally disadvantaged groups in a more adequate way. Similarly, states and regions that are in a weaker position due to historical inequalities must be given greater support in capacity building. This is something the EU should recognise and actively address.
- A human security approach should be applied to cyber policy: ultimately, humans, not private companies, are the most affected.
In cyber policy, people and their lived realities play a subordinate role, even though individuals keenly feel the consequences of many cyber threats, including ransomware attacks, disinformation campaigns and the destruction of critical infrastructure. It is estimated that 82% of data breaches involved a human element. Consequently, people should be at the centre of efforts to ensure cybersecurity. This approach would have direct consequences for EU strategy and policy. Feminist cyber resilience, for example, must include adequate cyber hygiene; a high standard of critical infrastructure protection on the local, national and European level; stern opposition to cybercrime and a defensive cyber posture; and active engagement in international dialogue.
A feminist cyber policy identifies human security as the primary security goal. Practically, this means that we need a cyber policy which defines critical infrastructure through a human-centric lens – not a definition based solely on the security interests of EU Member States or private companies. The EU must aim for better protection of civilian infrastructure, such as hospitals, schools and women’s shelters. According to the ENISA Threat Landscape 2022, among all sectors, the public administration sector has faced the most incidents causing disruption of services or breaches of personal data. This threatens marginalised groups in particular.
Enhanced security, greater resilience and accelerated information sharing between emergency response teams and the policy level in the case of a cyber incident are needed. These priorities should be mainstreamed into major EU cyber policy, such as the Network and Information Security (NIS2) Directive and the upcoming Cyber Resilience Act, and should also inform political crisis management at the Commission. In practice, this also means that the Cyber Posture approved by the European Council in 2022 must focus on strengthening resilience and capacities through education as well as through defensive means, and should also prioritise human security in its comprehensive crisis management. Another consequence is that, in the case of a cyber emergency, the use of Article 42.7 TEU and of Article 222 TFEU must be applied in a human-centric approach. Taking human rights seriously means showing solidarity with those affected and laying the foundations for them to feel safe and secure online and offline.
In addition to increased protection of critical infrastructure, a feminist EU cyber policy aims for peace and disarmament instead of military capacity building. Feminist foreign policy considers itself a transformative political approach moving towards policymaking that prioritises human security and human rights, as well as just and peaceful international relations. Disarmament is thus also at the core of this approach, as it intends to increase human security in a preventative manner, and places diplomacy over military conflict, thereby avoiding what is considered a masculine approach to politics in feminist theory. With offensive cyber operations, states further normalise the use of violence and perpetuate militarised masculinities. Disarmament in cyberspace could include policy that actively counters the militarisation of cyberspace by limiting the use of offensive military cyber operations that reach the threshold of hackbacks. In the case of hackbacks, it is often unclear whom cyberattacks will ultimately harm, as secondary damage is likely due to the interconnectedness of global digital infrastructure. Spillover effects from a hackback might affect civilian infrastructure, such as hospitals or energy suppliers, and thus endanger human lives. This secondary damage has occurred in major cyberattacks in the past: the 2017 WannaCry attack forced hospitals in the UK – which were not its main targets – to close wards and emergency rooms. While there is no record of secondary damage related to hackbacks, it is likely to occur too.
Furthermore, an offensive approach to cyberspace increases the risk of conflict escalation. So far, there is no clear indication that state capacities in cyberspace either act as deterrents or escalate conflict. Both are possibilities. Likewise, a conflict can escalate if the very complex attribution process blames the wrong actors, or if conventional weapons are used in the response. The central policy approach of a feminist cyber policy would consider diplomacy instead of offensive measures, and would therefore try to prevent escalation.
Instead of offensive cyber operations, defensive measures should be prioritised. For example, commitments to security by design and end-to-end encryption, and a promotion of two-factor authentication, can build confidence and increase digital resilience at the same time. These measures are often largely civilian and therefore prevent a militarisation of cyberspace – and they can be made widely available to society and civil society. In terms of military responses to cyberattacks, the EU should strengthen reactive measures such as vulnerability management and patching, active threat hunting, the use of open source intelligence, deactivating botnets, and taking over domains through law enforcement agencies.
- A feminist cyber policy means more diverse representation: towards a feminist multistakeholder engagement.
In cyber diplomacy, the EU is committed to upholding the United Nations norms for responsible state behaviour in cyberspace and supports confidence building measures for greater cybersecurity within the Organization for Security and Co-operation in Europe (OSCE), the G7 and the G20. It has reiterated the need to promote an EU vision in cyberspace as well as cooperation through its 2022 Cyber Posture. This commitment should be extended with a clear commitment to digital rights, such as the rights to privacy, data protection and freedom of expression. Current events in Iran clearly show how important digital infrastructure is for the feminist commitment to democracy and the protection of human rights. Therefore, the EU should also clearly position itself against internet shutdowns and define a people-centred cyber diplomacy. In addition, the EU should actively advocate the implementation of the norms and thus advance the further development of peace-making measures, including in times of conflict, by setting a positive example. This also includes following up on breaches of its citizens’ privacy, as well as those of people across the world. Currently, the use of the spy software Pegasus is being investigated by the European Parliament. And while espionage is per se not prohibited by cyber norms, the Commission and the EU’s diplomatic service (EEAS) should not only foster the investigation but should publicly express opposition to this form of indiscriminate widespread surveillance.
Cyber diplomatic negotiations are also predominantly male, with women accounting for an average of 20 to 40 percent of participants. The EU should strive for parity and encourage other states to do so. The Women in International Security and Cyberspace Fellowship (WIC), sponsored by the Governments of Australia, Canada, the Netherlands, New Zealand, the United Kingdom and the United States, can serve as a role model. However, the goal here is not only to bring more women to the negotiating table in quantitative terms. A greater diversity of people should be involved, especially those who can contribute the perspectives of structurally disadvantaged groups and thus advance a more equitable EU cyber policy. To ensure this, the EU must continue to support a multistakeholder approach that includes (feminist) digital rights groups, academia, critical infrastructure providers and the private sector – and they must be an essential part of the political processes.
Conclusion
Cyber policy and strategy is a vast field in the context of the European Union. While we cannot discuss every piece of legislation and strategic output in detail, we seek to provide a new lens through which existing output can be interpreted, and through which upcoming output can be formulated. In order for feminist foreign policy to unfold its transformative potential, all policy areas, including cyber foreign policy, must be influenced by it. It is therefore high time that its advocates pursue a feminist cyber policy and advance it together at the EU level.