It’s fairly obvious that selling guns to foreign powers carries heavy ethical concerns, and can land the seller in a lot of trouble if not conducted in accordance with the law. But what about cyber security products? Could the sale of web filters and monitoring software lead to a breach of human rights?
It is this very question that has prompted techUK, in collaboration with the Cyber Growth Partnership, to release the first tech sector guidance providing ‘detailed background information and a framework to help companies develop their due diligence processes, manage human rights risks and identify national security risks.’ This guide attempts to give UK-based companies that are engaged in, or planning to expand towards, international business a way to assess whether their trade across the border would violate any human rights, and as a consequence cause harm to their reputation.
Because of the push towards providing cyber security services as part of the UK National Cyber Security Strategy, companies are starting to see the value in exporting their services – which are already seen as high quality, high value – around the world. However, without due care given to possible use case of the service or product, and an assessment of the procuring organisation and country, cyber security companies could unwittingly be giving a helping hand to oppressive regimes.
There have already been cases where a lack of due diligence has caused repercussions for the exporter. UK-based Gamma International has been the subject of a complaint by human rights group Privacy International, and an investigation by HM Revenue and Customs, for the alleged supply of monitoring software to the Bahrain government. FinFisher, a software suite that can monitor computer calls through Skype, as well as collect credentials and extract data, has been found on computers in 34 countries, with some of the infected computers belonging to Bahraini pro-democracy activists living in the UK. The complaint alleges that the sale of this software has allowed the Bahraini authorities to track activists, some of whom have then been detained and tortured for their views.
To counter incidents such as this, the guide provides a framework to assess possible issues arising from commercial activities. There should be a continuous process throughout the project stages, from the earliest development, through bidding on an export deal or upgrading an existing deal, all the way to post-sale monitoring of the situation in the destination country to which the product has been exported. When Blue Coat discovered that their web filter appliances has been resold to the Syria government without their knowledge, the company took steps to disable updates to any devices that were connecting from this country.
One of the Cyber Growth Partnership’s aims is to increase the export market for UK companies, so the guidelines are not just concerned with preventing illegal and unethical trade, but also in promoting safe trade. As such, the document includes a list of countries that are considered ‘out of concern’ and where cyber security capabilities are safe to be exported without the need for a thorough assessment. The countries where such exemptions are considered safe are the European Union countries, Australia, Canada, Japan, New Zealand, Norway, Switzerland and the United States.
By taking the time to follow the guidelines, a company can not only reduce the risk of its products being misused for malicious activities, but can also improve and grow their customer base. Conducting business in an ethical and transparent manner that does not contradict internationally conventions on human rights can only be beneficial for long term growth and brand recognition.
As an international company providing cyber security services to countries throughout Europe and beyond, Commissum welcomes this framework as a means of ensuring the legitimacy of business across UK borders, which is in line with our internal process of client engagement.
Read the full details here: TechUK.