This paper has argued that gendered cyber harms are cascading and compounding: hate speech and data breaches can each inflict further harm on people who are already victims of the other, and both can be exacerbated by state overreach, inattention and discrimination. This insight enhances the existing literature on gender and cybersecurity by highlighting the need to connect different areas of research and advocacy in order to better understand and combat gendered cyber harms in a holistic way. By identifying the connections between gendered cyber harms, state policy and practice can better counter and mitigate those harms.
The paper has demonstrated the cascading and compounding nature of gendered cyber harms through illustrative examples from a selected group of countries. The analysis highlights how gendered cyber harms cascade between misinformation and disinformation and data misuse due to failures to ensure robust privacy protections for sensitive personal data. It shows how LGBTIQ+ communities are particularly exposed to cascading and compounding gendered cyber harms from hate speech, data breaches and state overreach, highlighting the vulnerability of personal devices to malicious spyware and the physical and digital insecurities of online dating apps. And it argues that gendered cyber harms can occur because of – or, in the case of Brazil, despite – state legislation designed to improve or enhance cybersecurity and gender equality.
Overall, the discussion demonstrates four key points:
- The scope of cybersecurity is larger than just the technical security of computer systems; it encompasses the experiences of everyone who uses computer systems, and the perceptions of safety and security that users attach to these technologies and systems. Such experiences and perceptions are impossible to dissociate from an individual’s identity, and ultimately impact how digital technologies affect their life and contribute to their security. The case studies in this paper have shown how experiences and perceptions of security and insecurity in cyberspace can be shaped by factors beyond purely technical ones.
- The relationship between gendered harms offline and gendered harms in cyberspace is mutually reinforcing. Offline harms give rise to online harms, which in turn have offline and online consequences. All the case studies discussed in this paper have demonstrated cascading harms, whereby harms in one area give rise to other harms.
- Cybersecurity is inherently gendered because it is derived from and built on a set of political, social and security beliefs and assumptions that are gendered. If national and international security does not consider gender security to be a security matter, cybersecurity will continue to exacerbate gendered harms. This is demonstrated by, for instance, the use of ‘morality clauses’ in some countries’ cybercrime laws.
- Gendered cyber harms – and, by extension, the gendering of cybersecurity – are a global problem that manifests differently depending on social, political and security contexts.
This study, which itself draws on extensive work by others, points to the need for still further research. The analysis in Chapter 4 focuses on illustrative examples of the connections between different kinds of gendered cyber harms in six countries, selected to demonstrate that cascading and compounding gendered cyber harms exist worldwide, across varying social and political contexts. While this approach is sufficient for demonstrating the global nature of cascading and compounding gendered harms, and the need for international attention and cooperation, further in-depth research into connected gendered cyber harms in specific country contexts is required.
Furthermore, the paper – and the policy recommendations that follow – focus on the actions of and security conditions created and nurtured by states. With hate speech, data breaches and state overreach, technology design, ownership and operation occur largely in multinational companies, and these organizations are crucial stakeholders in a rapidly evolving landscape. While this paper does not consider their role further, a second paper in this series will focus specifically on technology companies and their role in furthering a gender-responsive and gender-transformative approach to cybersecurity.
Policy recommendations
The case studies in this paper underscore the important role that state actors need to play in encouraging an empowering and gender-sensitive cyber landscape, and fostering a robust and gender-transformative interpretation and vision of cybersecurity. Globally, more states are developing an awareness of, or acknowledging, gender dimensions in cybersecurity. This is demonstrated in national strategies, international initiatives and multilateral forums. However, more work needs to be done to tackle gendered cyber insecurity, ranging from updating legislation to working with international partners on building capacity to better understand and combat gendered cyber harms. This paper concludes by addressing the question of what states – irrespective of national gender norms – can and should do to address the gendered harms that emanate from cybersecurity risks and vulnerabilities, and sets out general recommendations for how the different kinds of gendered harms can be connected and addressed holistically.
Recommendation 1: Combine technical, social and individual factors when analysing cyber threat and risk
Gendered cyber harms are technological, social and psychological. As such, states’ analyses of cyber threats and risks should take into account their impact on technologies, people and communities, incorporating considerations based on gender and other intersectional identities. Risk analysis should incorporate a full understanding of the cascading and compounding nature of gendered cyber harms as a key component of risk management and mitigation. Vulnerability analysis should avoid victim-blaming or attributing cyber incidents excessively to the ‘human factor’. For example, while phishing links are a common vector for malicious software, and users often agree to vastly complex social media terms and conditions without reading them, these are symptoms of systemic problems, rather than failures on the part of individuals. Because gendered cyber harms arise from a combination of technical, social and individual factors, an equally holistic approach is necessary to counter them. From a state perspective, this combination of analyses might entail cross-governmental initiatives and research, or diversifying the expertise and analyses of those responsible for devising and implementing policy solutions.
Recommendation 2: Ensure that the security of at-risk, marginalized and minoritized groups is treated as seriously as that of other national security assets and interests
Explicitly, this entails improving data protection, privacy rights and cyber hygiene for everyone. The speed of technological development and the adversarial nature of many cyber threats mean that specific countermeasures are likely to become outdated quickly. They also mean that new targets and victims become vulnerable in new and more numerous ways. States should seek to implement and encourage broad privacy protections for personal data, along with easy-to-implement cyber hygiene measures, with additional protections for at-risk groups such as minoritized or disproportionately targeted communities, politicians, journalists, human rights defenders and activists. To take cybersecurity risks to LGBTIQ+ communities as an example, improved cyber hygiene for LGBTIQ+ people to help them safely navigate cyberspace (e.g. through education on what information (not) to share online, how to use location services, etc.) is, in isolation, insufficient to increase their cybersecurity substantially; it also places the responsibility for security or safety on the victim, often without proportionate efforts to discourage and deter perpetrators. While this is not a gender-specific recommendation, it advances gender equality indirectly by ensuring that protecting at-risk groups is a priority on par with protecting national assets and infrastructure (or traditional security priorities). Unless online abuse and hate speech are addressed as – and elevated to – a cybersecurity concern, improving cyber hygiene alone will not reduce gendered insecurity or gendered cyber harms.
Recommendation 3: Adopt a gender-sensitive and human-centred approach to cybersecurity and cybercrime
Appropriate cybersecurity and cybercrime strategy, policy and implementation are crucial to ensuring victims of gendered cyber harms can access justice and receive appropriate care. This paper has shown that state anti-cybercrime actions can – at times unintentionally – exacerbate or introduce new gendered harms. States should draw on resources such as the Association for Progressive Communications’ (APC) assessment tool for assessing the gender impact of national cybersecurity strategies, together with Chatham House’s Strategic Approach to Countering Cybercrime (SACC) framework and its associated Integrating gender in cybercrime capacity-building toolkit. These approaches include the adoption of feminist methodologies and principles in designing cybersecurity protections. Feminist methodologies and principles acknowledge and seek to counteract structural inequalities (economic, class and others) and power imbalances between gendered and other groups. Using such approaches in cybersecurity necessitates centrally incorporating the perspectives of victims of cyber threats, as well as people and/or groups who might use technologies in unexpected or undesigned ways, and addressing wider dependencies between different technologies and social relationships.
Recommendation 4: Increase knowledge and coordination across different agencies and organizations working on cyber
States should work both domestically and internationally to institutionalize coordination between organizations, departments, agencies and teams working on technical cybersecurity, cybersecurity legislation, gender policy and measures to counter disinformation. This can help states identify where gendered cyber harms extend across these different specialist areas, and avoid contradictions in state policy and practice. For example, setting up regular exchanges and mechanisms for information-sharing between teams working in or on each of these areas can improve awareness of interconnected gendered harms and the cybersecurity risks and vulnerabilities that lead to and exacerbate these harms, both offline and online. Across the illustrative examples of gendered cyber harms in this paper, better coordination across the monitoring and countering of online abuse and hate speech, data protection and legislative tools could have led to a better understanding of the threat landscape for vulnerable people and groups, leading to more effective protections.
Final remarks
In sum, cybersecurity is better, more inclusive, more resilient and more effective when it actively and deliberately considers the threats and risks that people might face, because of their gender, when they interact with cyberspace and digital technologies. Gendered cyber harms are a core cybersecurity problem: digital platforms, devices and technologies all have characteristics and functionalities that can amplify gendered harms, and gendered harms are exacerbated by cybersecurity measures and tools that fail to consider a gendered threat landscape. The existence of these harms contributes to national and international insecurity, inhibiting the development of a secure, safe, responsible and peaceful cyberspace for everyone. Understanding gendered cyber harms as cascading and compounding shows how offline and online gendered harms interact, intersect and reinforce one another to create a cyberspace that is inequitably insecure. Broadening states’, institutions’ and individuals’ understanding of what constitutes cybersecurity, and how insecurity in cyberspace manifests, and is experienced and perceived, can lead to better policy responses and a more secure digital future.