Today we are publishing 'Assessing Cyber Security Export Risks' in conjunction with the Cyber Growth Partnership and the Institute for Human Rights and Business.
This is the first tech sector guidance of its kind in the world. It provides cyber security companies of all sizes with actionable advice, to help identify and manage the risks of exporting their products and services. It gives detailed background information and a framework to help companies develop their due diligence processes, manage human rights risks and identify national security risks. This reduces the likelihood of a buyer being able to use their technology to help perpetrate human rights abuses. It also reduces the likelihood of reputational damage to British companies.
Cyber security capabilities are used around the world to strengthen the integrity of critical national infrastructures, prevent the theft of corporate and personal data, and tackle fraud. Their export presents the UK with a significant economic opportunity. HM Government has recognised this and is working with industry through the Cyber Growth Partnership to help companies realise this growth, with the aim of increasing UK cyber security exports to £2bn by 2016.
Most often cyber security capabilities are used only to defend networks or disrupt criminal activity. However, some cyber products and services can enable surveillance and espionage or disrupt, deny and degrade online services. If used inappropriately, they may pose a risk to human rights, to UK national security and to the reputation and legal standing of the exporter.
Ruth Davis, Head of Cyber, Justice and Emergency Services, techUK said: "Cyber security technologies are crucial for us to enjoy the benefits brought by the internet but some also have the potential to be misused. We need to prevent them falling into the wrong hands, leading to human rights abuses or the undermining of UK national security. Businesses have a responsibility to protect human rights and uphold national security. The Cyber Growth Partnership has produced this guidance to help UK companies fulfil this responsibility as they work for growth overseas."
She continued: "We want British companies to take the lead on protecting human rights and driving innovation in cyber security. The advice in this document is designed to help companies reduce reputational risk and to have confidence in the deals they make. We believe that ethical business practice is key; human rights and a vibrant British cyber sector are two sides of the same coin."
The Guidance sets out a risk assessment process that helps companies to:
Look at the capabilities of the product or service they want to export and how it could be used by purchasers
- Examine the places where they are exporting to including their political and legal frameworks, the state's respect for human rights and potentially vulnerable people
- Assess who the end purchaser of the product is and how they intend to use it
- Evaluate potential business partners and re-sellers
- It also provides advice on how to mitigate and build risk management clauses into the contract
Ed Vaizey the Minister for Culture and Digital Industries and co-chair of the Cyber Growth Partnership said:"techUK's guide is a valuable and accessible tool which will help British companies respond with confidence to opportunities in the global cyber security market. I am grateful to all those who have contributed and I am proud to endorse this guidance, the first of its kind in the world."
Gavin Patterson, CEO of BT Group plc and co-chair of the Cyber Growth Partnership said: "BT is delighted to support the work being undertaken by the Cyber Growth Partnership to promote UK business selling cyber abroad."
Dibble Clark, Cyber Lead at 3SDL, a Malvern Cluster cyber security company commented: "Recent events have put the human rights responsibilities of cyber export companies in the spotlight and there is particular scrutiny on our sector, both from governments and NGOs. The responsibility to respect human rights is something no company can ignore, whether large or small. This guidance is a valuable tool in guiding companies to the most appropriate human right due diligence policies and processes. 3SDL welcomes this guidance and was delighted to be able to support it. We look forward to contributing to further discussion on the challenges and opportunities in respecting human rights in the future."
Rt. Hon Baroness Anelay, Minister of State for Foreign and Commonwealth Affairs said:"I welcome this initiative by techUK in collaboration with the Institute for Human Rights and Business. The UK's Action Plan 'Good Business' – to implement the UN Guiding Principles – represents the Government's commitment that the promotion of business and respect for human rights should go hand in hand. This groundbreaking guidance will help cyber security businesses manage human rights risk by adopting effective due diligence policies and enable them to respect human rights wherever they operate."
Lucy Purdon, Project Lead ICT at the Institute of Human Rights and Business said: "IHRB welcomes this very important initiative from techUK and the Cyber Growth Partnership. Cybersecurity companies have a critical role as key players in the human rights discourse. On the one hand they strive to improve security and the enjoyment of human rights; on the other they must act to prevent harm to human rights arising through misuse of their products and services. During the industry consultation there was a high level of engagement among participating companies which provided thoughtful insights into the challenges they face and their possible courses of action. As a result, this guidance is a valuable contribution to the human rights and technology debate.
On behalf of the Cyber Growth Partnership techUK would like to thank BT, 3sdl and Lockheed Martin for their generous sponsorship of this Guidance and for their support in developing it.