Address: Maison de la Paix, Chemin Eugène-Rigot 2D, 1211 Geneva, Switzerland
DCAF is dedicated to improving the security of states and their people within a framework of democratic governance, the rule of law, respect for human rights, and gender equality. Since its founding in 2000, DCAF has contributed to making peace and development more sustainable by assisting partner states, and international actors supporting these states, to improve the governance of their security sector through inclusive and participatory reforms. It creates innovative knowledge products, promotes norms and good practices, provides legal and policy advice and supports capacity‐building of both state and non‐state security sector stakeholders.
Cyberspace and cybersecurity have numerous implications for security provision, management, and oversight, which is why DCAF is engaged in these topics within its work. DCAF has implemented a cycle of policy projects to develop new norms and good practices in cyberspace. At the operational level, cybersecurity governance has become a prominent part of SSR programming.
Digital policy issues
Digitalisation and cybersecurity are the challenges of today and tomorrow. They have an overarching impact on the security sector and the role of the security sector and governance reform (SSG/R) in the digital space. In our recent study SSG/R in the digital space: projections into the future policy, we shed light on the complex intersection of digitalisation and security sector governance. It examines how security sector actors have adapted to the digital transition and the emergence of new actors within the security ecosystem. It also provides concrete recommendations on how to navigate the complexities of digital technologies and shape ethical technology use and robust digital governance frameworks.
For newcomers to the field, DCAF offers the introductory series SSR Backgrounders, with a special issue on the impact of digitalisation on good governance in the security sector. It is a first-stop resource to understand the challenges and considerations for best policy and practice.
DCAF implements projects that focus on improving cybersecurity laws and policies, increasing the capacity of cybersecurity actors, and strengthening accountability in cybersecurity. One of our priorities is to strengthen the individual and institutional capacities of national Computer Emergency Response Teams (CERTs). These teams are responsible for effectively and efficiently preventing and responding to attacks on national systems.
We also run the annual Young Faces research and mentoring programme, which helps to develop the next generation of cybersecurity experts in the Western Balkans. Each year, we select around 30 dynamic, forward-thinking young professionals to join the programme that enhances their knowledge of emerging trends in cybersecurity governance.
Research shows that women, girls, and LGBTQ+ people are the most affected by cybersecurity risks. Our publication and podcast series analyses how they have been pushed out of cyberspaces by abuse and discrimination, and what solutions exist to take a human-centred approach that considers everyone’s needs in cybersecurity.
In our Donors’ Talk podcast series, we spoke with DCAF’s Justice Advisor to draw on her 15 years of experience in justice sector reform to look at success stories, challenges, and what needs to be considered when supporting digitalisation projects related to justice reform. In Morocco, DCAF supported the National AntiCorruption Commission with training on the prevention and investigation of cyber-corruption and financial cybercrimes. The government commission digitalised its internal processes, resulting in more effective tracking and response to citizens’ data protection requests
DCAF’s three legal databases gather policies, laws, and decrees governing the security sectors in the Occupied Palestinian Territory, Libya, and Tunisia. Each database covers the main providers of security and justice, the formal supervision and management institutions, and the legislative and regulatory texts covering and authorising the work of informal control actors (political parties, media, NGOs, etc.).
A resource for legislators, the justice system, academia, and civil society, the databases offer both a current resource and a historical perspective on the evolution of security sector legislation in the respective countries.
Handbook on effective use of social media in cybersecurity awareness-raising campaigns
This handbook provides condensed and easy-to-follow guidance and examples for designing content strategies and the efficient use of social media towards effective public awareness raising on cybersecurity. It shares the do’s and don’ts of social media, and how to have a strategic social media presence to support better cybersecurity.
For more tools and resources on cybersecurity governance and the security sector, visit our website.
The third event in the ‘Policy meets tech’ series will be dedicated to cryptography. It will focus on unpacking cryptographic technology and discussing its policy implications.
The series is organised by Diplo, with the support of the US Permanent Mission to the UN in Geneva, and is dedicated to permanent missions in Geneva. This programme features a series of informative sessions for diplomats in Geneva, with the primary goals of demystifying the intricate realm of digital technologies, comprehending their capabilities and limitations, and delving into their policy implications in a manner that is both practical and pertinent for diplomats. From the intricacies of internet protocols to the intricacies of quantum computing, from cryptography to algorithms, these discussions will provide in-depth insights into the technical underpinnings of these technologies, their real-world applications, and the policy opportunities and challenges they present.
The event is only open to permanent missions in Geneva. For details, please contact Ms Sorina Teleanu, Director of Knoweldge, at email@example.com.
In this talk, researchers from the Geneva Academy will shed light on the different examples of cyber operations (e.g. Stuxnet, NotPetya, and SolarWinds) allegedly conducted or sponsored by states to explicate their geopolitical effects and challenges to international law. As the importance of ICT grows in the modern world, cyber operations have become an integral part of state and non-state actors’ strategies against other states and actors. Researchers will present their findings as part of the project on disruptive military technologies.
For more information, and to register, please visit the official page.
The International Geneva Welcome Centre (CAGI) and the CyberPeace Institute jointly curated an all-day cyber skills event for NGOs. The uptake of cloud-based technologies and storage of valuable donor and beneficiary data have made NGOs a frequent target of cyberattacks. The reality for NGOs is that they have to safeguard their cybersecurity as much as private businesses do. The event invites local government representatives, cybersecurity experts, and NGOs to partake in testimonial drafting, roundtable discussions, and awareness raising for boosting NGOs’ cyber skills.
For more information, and to register, please visit the official page.
Address: 3 rue de Varembé, 1211 Geneva 20 , Switzerland
Stakeholder group: International and regional organisations
The IEC is the world leader in preparing international standards for all electrical, electronic, and related technologies. A global, not-for-profit membership organisation, the IEC provides a neutral and independent institutional framework to over 170 countries, coordinating the work of more than 20,000 experts. We administer four IECConformity AssessmentSystems, representing the largest working multilateral agreement based on the one-time testing of products globally. The members of each system certify that devices, systems, installations, services, and people perform as required.
IEC International Standards represent a global consensus of state-of-the-art know-how and expertise. Together with conformity assessment, they are foundational for international trade.
IEC Standards incorporate the needs of many stakeholders in every participating country and form the basis for testing and certification. Every member country and all its stakeholders represented through the IEC National Committees has one vote and a say in what goes into an IEC International Standard.
Our work is used to verify the safety, performance, and interoperability of electric and electronic devices and systems such as mobile phones, refrigerators, office and medical equipment, or electricity generation. It also helps accelerate digitisation, artificial intelligence (AI), or virtual reality applications, protects information technology (IT) and critical infrastructure systems from cyberattacks and increases the safety of people and the environment.
The IEC works to ensure that its activities have a global reach in order to meet all the challenges of digital transformation worldwide. The organisation covers an array of digital policy issues.
Digital policy issues
Artificial intelligence and the internet of things
AI applications are driving digital transformation across diverse industries, including energy, healthcare, smart manufacturing, transport, and other strategic sectors that rely on IEC Standards and Conformity Assessment Systems. AI technologies allow insights and analytics that go far beyond the capabilities of legacy analytic systems.
For example, the digital transformation of the grid enables increased automation, making it more efficient and able to integrate fluctuating renewable energy sources seamlessly. IEC Standards pave the way for the use of a variety of digital technologies relating to intelligent energy. They deal with issues such as integrating renewable energies within the electrical network but also increased automatisation.
In addition, IEC Safety Standards are an essential element of the framework for AI applications in power utilities and smart manufacturing. IEC Conformity AssessmentSystems complete the process by ensuring the standards are properly implemented.
SC 42 addresses some concerns about the use and application of AI technologies. For example, data quality standards for ML and analytics are crucial for helping to ensure that applied technologies produce useful insights and eliminate faulty features.
Governance standards in AI and the business process framework for big data analytics address how the technologies can be governed and overseen from a management perspective. International standards in the areas of trustworthiness, ethics, and societal concerns will ensure responsible deployment.
The joint IEC and ISO technical committee also develop foundational standards for the IoT. Among other things, SC 41 standards promote interoperability, as well as architecture and a common vocabulary for the IoT.
The IEC develops standards for many of the technologies that support digital transformation. Sensors, cloud, and edge computing are examples.
Advances in data acquisition systems are driving the growth of big data and AI use cases. The IEC prepares standards relating to semiconductor devices, including sensors.
Cloud computing and its technologies have also supported the increase of AI applications. The joint IEC and ISO technical committee prepares standards for cloud computing, including distributed platforms and edge devices, which are close to users and data collection points. The publications cover key requirements relating to data storage and recovery.
International Standards play an important role in increasing trust in AI and help support public and private decision-making, not least because they are developed by a broad range of stakeholders. This helps to ensure that the IEC’s work strikes the right balance between the desire to deploy AI and other new technologies rapidly and the need to study their ethical implications.
The IEC has been working with a wide range of international, regional, and national organisations to develop new ways to bring stakeholders together to address the challenges of AI. These include the Swiss Federal Department of Foreign Affairs (FDFA) and the standards development organisations, ISO, and the International Telecommunication Union (ITU).
More than 500 participants followed the AI with Trustconference, in-person and online, to hear different stakeholder perspectives on the interplay between legislation, standards and conformity assessment. They followed use-case sessions on healthcare, sensor technology, and collaborative robots, and heard distinguished experts exchange ideas on how they could interoperate more efficiently to build trust in AI. The conference in Geneva was the first milestone of the AI with Trust initiative.
The IEC is also a founding member of the Open Community for Ethics in Autonomous and Intelligent Systems (OCEANIS). OCEANIS brings together standardisation organisations from around the world to enhance awareness of the role of standards in facilitating innovation and addressing issues related to ethics and values.
The IEC develops cybersecurity standards and conformity assessments for IT and operational technology (OT). One of the biggest challenges today is that cybersecurity is often understood only in terms of IT, which leaves critical infrastructure, such as power utilities, transport systems, manufacturing plants and hospitals, vulnerable to cyberattacks.
Cyberattacks on IT and OT systems often have different consequences. The effects of cyberattacks on IT are generally economical, while cyberattacks on critical infrastructure can impact the environment, damage equipment, or even threaten public health and lives.
When implementing a cybersecurity strategy, it is essential to consider the different priorities of cyber-physical and IT systems. The IEC provides relevant and specific guidance via two of the world’s best-known cybersecurity standards: IEC 62443 for cyber-physical systems and ISO/IEC 27001 for IT systems.
Both take a risk-based approach to cybersecurity, which is based on the concept that it is neither efficient nor sustainable to try to protect all assets in equal measure. Instead, users must identify what is most valuable and requires the greatest protection and identify vulnerabilities.
IT security focuses equally on protecting the confidentiality, integrity, and availability of data – the so-called CIA triad. Confidentiality is of paramount importance and information security management systems, such as the one described in ISO/IEC 27001, are designed to protect sensitive data, such as personally identifiable information (PII), intellectual property (IP), or credit card numbers, for example.
Implementing the information security management system (ISMS) described in ISO/IEC 27001 means embedding information security continuity in business continuity management systems. Organisations are shown how to plan and monitor the use of resources to identify attacks earlier and take steps more quickly to mitigate the initial impact.
IEC 62443 for OT
In cyber-physical systems, where IT and OT converge, the goal is to protect safety, integrity, availability, and confidentiality (SIAC). Industrial control and automation systems (ICAS) run in a loop to check continually that everything is functioning correctly.
The IEC 62443 series was developed because IT cybersecurity measures are not always appropriate for ICAS. ICAS are found in an ever-expanding range of domains and industries, including critical infrastructure, such as energy generation, water management, and the healthcare sector.
ICAS must run continuously to check that each component in an operational system is functioning correctly. Compared to IT systems, they have different performance and availability requirements and equipment lifetime.
Conformity assessment: IECEE
Many organisations are applying for the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE) conformity assessment certification to verify that the requirements of IEC 62443 have been met.
IECEE provides a framework for assessments in line with IEC 62443, which specifies requirements for security capabilities, whether technical (security mechanisms) or process (human procedures) related. Successful recipients receive the IECEE industrial cybersecurity capability certificate of conformity.
International standards such as IEC 62443 and ISO/IEC 27001 are based on industry best practices and reached by consensus. Conformity assessment confirms that they have been implemented correctly to ensure a safe and secure digital society.
Address: Campus Biotech Innovation Park, 15 avenue de Sécheron, 1202 Geneva, Switzerland
Stakeholder group: NGOs and associations
The CyberPeace Institute is an independent and neutral non-governmental organisation (NGO) that strives to reduce the frequency, impact, and scale of cyberattacks, to hold actors accountable for the harm they cause, and to assist vulnerable communities.
The Institute works in close collaboration with relevant partners to reduce the harm from cyberattacks on people’s lives worldwide, and provide assistance. By analysing cyberattacks, it exposes their societal impact and how international laws and norms are being violated, and advances responsible behaviour to enforce cyberpeace.
At the heart of the Institute’s efforts is the recognition that cyberspace is about people. It supports providers of essential services to the most vulnerable members of society, ultimately benefitting us all, like NGOs and the healthcare sector. Attacking them can have a devastating impact on beneficiaries and patients, putting their rights and even lives at risk.
To deliver on this mission, the Institute relies on donations and the generosity of individuals, foundations, companies, and other supporters. This support enables it to assist and support vulnerable communities, including NGOs, to enhance their resilience to cyberattacks.
The Institute also provides evidence-based knowledge and fosters awareness of the impact of cyberattacks on people, to give a voice to and empower victims to highlight the harm and impact of cyberattacks. It reminds state and non-state actors of the international laws and norms governing responsible behaviour in cyberspace, and advances the rule of law to reduce harm and ensure the respect of the rights of people.
Created in 2019, the Institute assesses the impact of cyberattacks from a human perspective, focusing on the rights of people. It grounds its analysis on evidence and the impact on human well-being, telling the story of people, linking with the technical reality of cyberattacks, and assessing it against the violation of laws. The Institute advocates for an evidence-based, human-centric approach to the analysis of cyberattacks as essential to the process of redress, repair, and/or justice for victims. It works collaboratively in its research, analysis, assistance, mobilisation, and advocacy. It engages with vulnerable communities to understand their needs for cybersecurity support and provides free and trusted cybersecurity assistance to vulnerable communities.
The CyberPeace Institute
assists NGOs and other vulnerable communities to prepare for and recover from cyberattacks.
investigates cyberattacks targeting vulnerable communities, analysing these attacks to provide alerts and support and for accountability.
advocates to advance the rule of law and respect for the rights of people.
anticipates threats to people associated with emerging and disruptive technologies.
Examples of operational activities
Assisting humanitarian and other NGOs with free and trusted cybersecurity support.
Analysing cyberattacks and highlighting their impact on people and how they violate the rule of law.
Documenting violations of international laws and norms and advocating for strengthened legal protection in cyberspace.
Offering expertise and support to states and civil society in relation to responsible behaviour in cyberspace.
Digital policy issues
Cyberattacks against critical infrastructure have been on the rise, from attacks against hospitals and vaccine supply chains to attacks on the energy sector. When such disruptions occur, access to basic services is at risk. It is vital that there is an increase in the capacity and ability to improve resilience to cyberthreats in critical sectors, such as healthcare. The CyberPeace Institute urges stakeholders in diplomatic, policy, operational, and technical areas to increase their capacity and resilience to cyberthreats.
The Institute advocates for capacity building aimed at enabling states to identify and protect national critical infrastructure and to cooperatively safeguard its operation. This includes capacity building, implementation of norms of responsible behaviour, and confidence building measures. In strengthening efforts to protect critical infrastructure, the Institute calls for the sharing of lessons learned between countries to assist those with less capacity and fewer capabilities.
NGOs in civilian-critical sectors, for example water, food, healthcare, energy, finance, and information, need support and expertise to help them strengthen their cybersecurity capabilities. While these NGOs provide critical services to communities and bridge areas not covered by public and private actors, they lack the resources to protect themselves from cybersecurity threats.
Examples of the Institute’s work in this regard:
Calls to governments to take immediate and decisive action to stop all cyberattacks on hospitals and healthcare and medical research facilities, as well as on medical personnel and international public health organisations.
Capacity building is essential for achieving cyber preparedness and resilience across sectors and fields, and activities focus on providing assistance and capacity building to NGOs that might lack technical expertise and resources.
Monitoring and analysing how cyberattacks and operations are and have been, targeting critical infrastructure and civilian objects in the armed conflict between Ukraine and the Russian Federation through the publicly accessible CyberAttacks in Times of Conflict Platform #Ukraine. The information on cyberattacks can be used to identify developments or clarify the law in relation to the use of cyber operations in armed conflicts, and for accountability in any future judicial proceedings.
NGOs play a critical role in ensuring the delivery of critical services, such as the provision of healthcare, access to food, micro-loans, information, and the protection of human rights.
Malicious actors are already targeting NGOs in an effort to get ransoms and exfiltrate data. Often these NGOs do not have the budget, know-how, or time to effectively secure their infrastructures and develop a robust incident response to manage and overcome sophisticated attacks.
With this in mind, the Institute launched its CyberPeaceBuilders programme in 2021, a unique network of corporate volunteers providing free pre- and post-incident assistance to NGOs supporting vulnerable populations.
This initiative brings support to NGOs in critical sectors at a level that is unequalled in terms of staff, tools, and capabilities. It assists NGOs with cybersecurity whether they work locally or globally, and supports them in crisis-affected areas across the globe.
The Institute believes that meaningful change can occur when a diversity of perspectives, sectors, and industries work together. To address the complex challenges related to ensuring cyberpeace, it works with a wide range of actors at the global level including governments, the private sector, civil society, academia, philanthropies, policymaking institutions, and other organisations. The Institute contributes by providing evidence-led knowledge, emphasising the need to integrate a genuine human-centric approach in both technical and policy-related projects and processes, and by highlighting the civil society perspective to support and amplify existing initiatives.
To contribute to closing the accountability gap in cyberspace, the Institute seeks to advance the role of international law and norms.
It reminds state and non-state actors of the international law and norms governing responsible behaviour in cyberspace, and contributes to advancing the rule of law to reduce harm and ensure the respect of the rights of people.
Contribution to UN processes
In 2021–2022, the Institute contributed to and commented on various UN-led processes (notably the United Nations Group of Governmental Experts on Advancing responsible state behaviour in cyberspace in the context of international security (UN GGE) and the Working Group (WG) on the use of mercenaries as a means of violating human rights and impeding the exercise of the rights of peoples to self-determination).
The Institute has closely followed the work of the UN Open-Ended Working Group (UN OEWG) on developments in the field of information and telecommunications in the context of international security, advocating recognition of the healthcare sector as a critical infrastructure and raising concerns about the lack of commitment towards an actionable and genuine human-centric approach.
In the Open-Ended Working Group on security of and in the use of information and communications technologies 2021–2025 (OEWG II), the Institute set out three key action areas and related recommendations, and is contributing its expertise in relation to the protection of humanitarian and development organisations from cyberattacks.
Participation in international initiatives: The Paris Call Working Groups
The work of this group led to the Final Report published during the Paris Peace Forum 2021. It presents a methodology to facilitate understanding of how the implementation of normative, legal, operational, and technical measures, or the lack thereof, contribute to stability in cyberspace and ultimately to cyberpeace.
At the World Economic Forum meeting in Davos, in May 2022, the CyberPeace Institute joined AccessNow, the Office of the High Commissioner for Human Rights (OHCHR), Human Rights Watch (HRW), Amnesty International, the International Trade Union Confederation (ITUC), and Consumers International to call on decision-makers to take action and initiate a moratorium limiting the sale, transfer, and use of abusive spyware until people’s rights are safeguarded under international human rights law.
This is in addition to a call made in 2021, in which the Institute joined more than 100 civil society organisations calling for a global moratorium on the sale and transfer of surveillance technology until rigorous human rights safeguards are adopted to regulate such practices and guarantee that governments and non-state actors don’t abuse these capabilities.
Digital technology plays an important role in conflict mediation and global peacebuilding. It can extend inclusion, allowing more women or people from marginalised groups to take part in or follow a mediation process. It can make mediation faster and more efficient and can allow mediators to draw on resources from around the world.
However, digital technology brings risks, too. It can increase polarisation, for example, and allow disinformation to spread to more people, more quickly. It can increase vulnerability to malicious actors, spying, and data breaches. These risks can undermine trust in the process.
As part of the integration and engagement with the stakeholder ecosystem in Geneva, the Institute is a member of the Geneva Chamber of Commerce, Industry and Services (CCIG). Various academic collaborations are ongoing through participation in conferences, workshops, and lectures, namely with the Ecole Polytechnique Fédérale de Lausanne Centre for digital trust EPFL (C4DT), the University of Geneva (UNIGE), and the Graduate Institute (IHEID). In 2020, the Institute formed a strategic partnership with the SwissTrust Valley for Digital Transformation and Cybersecurity.
The Institute maintains a website providing alerts, blogs, articles, and publications on key issues related to its mission for cyberpeace, and shares video materials and discussion recordings on its YouTube channel.