Last week, I attended Borderless Cyber Forum 2015, hosted by the World Bank and organized in collaboration with OASIS, a non-profit, international consortium that creates interoperable industry specifications based on public standards. This week, the UN adopted Goal 16, Target 10, of the Sustainable Development Goals on public access to information. Could these two weeks be more contrasting? Both security and public access to information are integral to promoting peaceful and inclusive societies in support of poverty reduction and economic development.
Very often, public access to information and Cyber Security are portrayed in opposition to one another. Right to Information laws – also called Freedom of Information and Access to Information laws, which are now in place in over 100 countries worldwide – provide legislative guarantees of public access to information. Frequently, they are seen as being only about opening up government information to citizens. In reality the picture is more nuanced, and there are ways in which Right to Information laws can be seen as an effective means of supporting Cyber Security.
First of all, Right to Information laws have never been about indiscriminate openness. These laws typically contain exemption provisions that allow for legitimate non-disclosure of information. Protection of personal privacy and national security or prevention of harms that would outweigh the public good of making information available are examples of acceptable areas of non-disclosure. The benefit of these exemptions is that they allow governments to focus their attention and often limited resources on what really requires protection, and to open up the rest.
Secondly, Right to Information laws come into being through legislative processes that allow for open debate and dialogue between government and citizens. Though this is not universally true and depends on country context, open discussion of what constitutes the right balance between openness and transparency, on the one hand, and non-disclosure, on the other, means that exemption provisions in Right to Information laws reflect a country’s values and tolerance for risk and, as such, have greater legitimacy than actions pursued without following legislative processes. Greater legitimacy builds greater trust in government, with citizens having a better understanding of why governments may need to keep some information secret.
And thirdly, Right to Information laws also establish and require a host of institutional arrangements that enable public access to information. Among these are policies and procedures on records and information management (RIM), which includes identification, classification, retention and destruction of government information resources. Cyber Security is also dependent on control of information resources to achieve confidentiality, integrity and availability of data. When governments do not know what sensitive information they have, it is impossible to protect it. When governments keep everything to themselves, scarce resources are wasted protecting information that could be disposed of. Thus Right to Information laws can bring Cyber Security practitioners into a closer dialogue with related disciplines concerned with risks to data, such as RIM, to achieve greater efficiency and effectiveness.
So, although the week in which the UN adopted SDG 16.10 on public access to information and the week focused on Borderless Security 2015 may seem very far apart in terms of their goals, in reality, like two weeks that fall side by side, they are closely linked and logically connected.
From this perspective, Right to Information could be Cyber Security's Best Friend.