Technology can be a powerful tool in the fight for gender equality and to help women develop agency in fragile and conflict-ridden environments. The digital gender divide is especially prevalent in conflict and post-conflict environments, but women have used technology as a tool to help reduce their vulnerability and isolation. How can technology be harnessed to help women build agency and reduce their vulnerability and isolation? The question raises a complex set of questions and issues related to women’s access to technology, the degree of digital literacy, and the specific needs for which the appropriate level of technology can serve–to protect women or create economic opportunities–while building the networks that enhance women’s agency. On June 22, 2023, Women In International Security (WIIS) and the Embassy of Liechtenstein held a virtual discussion on how technology can increase women’s agency in decision-making, leadership, and collective action in the face of gender-based violence.
By Liliya Khasanova
The protests in Iran in the name of Mahsa Amini are one of many examples of how the advancement of technology enables us to speak up, spread the word, and learn about human rights violations. Online anonymity and, therefore, reduced accountability for gender-based violence affects the vulnerability of individuals. There is no doubt now that the internet has become the most consequential communication technology of the human rights era.
Despite the technical universalism that technology grants us, there is a strong pushback on conceptual universalism in human rights in cyberspace, including gender issues. In multilateral settings, the efforts of states to regulate malicious state operations have been underpinned by cybersecurity concerns, with little attention paid to human rights protection. The gender dimension, if at all represented, is mainly in the norms of capacity-building and gender parity, avoiding direct referrals to gender equality and women’s rights.
Multilateral Forums under UN Auspices
Until 2021, two main forums had a mandate to discuss norms and rules on cybersecurity: the UN Group of Governmental Experts (GGE) (work completed in May 2021) and the UN Open-ended Working Group (OEWG) (mandate renewed 2021-2025). One of the main achievements of the GGE was an adoption of a consensus that international law applies to cyber operations (2013). However, how it applies is still very much contested. The complexity of cyberspace as a domain raises several contested issues among states on the definition of sovereignty, attribution of cyber-attacks, the applicability of international humanitarian law, due diligence, etc. The differences between the GGE and OEWG process lay in the nature and number of stakeholders included in the discussion: the latter includes all the United Nations General Assembly (UNGA) members as well as non-governmental actors, as compared to experts from 25 states working in their personal capacity in the GGE. In a certain sense, continuing the mandate of the OEWG was a step intended to mitigate the risk of functional and geographical fragmentation of international law. In 2022, negotiations also began in the new UN ad hoc committee on cybercrime that is tasked with drafting a new cybercrime convention.
(Anti)gender Discourse in Cybersecurity Negotiations
After analysing all the reports adopted by GGE and OEWG, documents of the preparatory process, and official commentaries of states, several observations can be made regarding the Women, Peace, and Security agenda and gender discourse in cyber security negotiations.
Firstly, openness and “multistakeholderism”, i.e. bringing multiple stakeholders together to participate in dialogue and implementation of responses, of the OEWG (as opposed to GGE) resulted in more gender-related remarks in preparatory work and, consequently, in the reports. As an example, an introduction to the latest 2021 OEWG report states:
“The OEWG welcomes the high level of participation of women delegates in its sessions and the prominence of gender perspectives in its discussions. The OEWG underscores the importance of narrowing the “gender digital divide” and of promoting the effective and meaningful participation and leadership of women in decision-making processes related to the use of ICTs in the context of international security.”
To be fair, the gender parity of delegates, both within the teams and among delegation leaders, is improving yearly. Around 38% of all the delegates to the last OEWG sessions were women, which is relatively high compared to other forums.
However, when it comes to gender mainstreaming in the sense of assessing and addressing the implications of information and telecommunication technologies (ICT) for girls, boys, men, women, and non-binary people, the multilateral forums lack consensus. For instance, out of four paragraphs that contained gender issues in the initial draft reports, only one (paragraph 56) that touches upon gender-sensitive capacity building could survive the opposition and was included in the final text of the 2021 OEWG report. Two others–the reference to gender-centred implications of malicious use of ICT and the concluding statement on the need to mainstream gender considerations in the implementation of norm–were cut out from the final text.
Despite the outstanding advocacy work by international human rights and women organizations represented at the negotiation forums, the pushback against gender discourse is persistent and strong. Today, in 2022, in a multilateral setting where states are the main decision-makers, there are still official positions that follow the mantra of a traditional, state-centric, and non-inclusive understanding of international peace and security. Russia, which is playing an active role in OEWG deliberations, affirmed in one of its official statements that “references to the problems of sustainable development, human rights and gender equality, which fall under the competence of other UN bodies, look inappropriate and are not directly related to the problem of ensuring international peace and security” [emphasis added]. To be fair, Russia formulated a position that is shared with most of the countries in the Middle East and some Asian, African and Latin American countries.
Cybersecurity multilateral negotiations are not unique in this sense. The issue is rooted in deep opposition to ‘gender ideology’ –the discourse(s) on gender equality and women’s rights, and especially the discourse(s) on sexual orientation and gender identity. It cannot be seen separately from the policy and governance narratives that became dominant in several countries in the past years: the rollback of women’s rights, gender equality, and perception of gender. For example, in Russia the state-sponsored anti-LGBTQ+ campaign culminated in the 2013 “anti-propaganda law” banning “propaganda of non-traditional sexual relations” to children and to the general public starting from December 1, 2022. Eventually, the amendments to the Russian constitution in 2020 added a definition of marriage as “a relationship between one man and one woman,” which explicitly outlawed same-sex marriage. Most of the Middle Eastern nations recently outlawed same-sex intimacy directly, punishing it with everything from fines to prison and, in Saudi Arabia, to the death penalty. Thus, this pushback on gender ideology, originating from national discourses, can be seen in rule-making procedures internationally.
The multilateral cyber negotiation scene under UN auspices is complicated nowadays with geopolitical tensions and competing interests and reflects the general crisis penetrating the international legal order. The rise in recent years of civilizational, cultural, and ideological confrontation set within the human rights agenda is reflected not only in official positions and approaches, but also in normative proposals in the OEWG and UNGA on cyber matters.
In such circumstances, the role of civil society and its contribution is critical in using a “humanitarian” agenda to persistently push back against an archaeal understanding of international security. Amidst geopolitical disputes, the deepening cleavages between western countries and Russia and China heavily influence the participation of certain stakeholders in meetings. In July 2022, during the first OEWG meeting, 27 NGOs were blocked from participation by Russia, after which some of the Russian NGOs were blocked by Ukraine in retaliation. Harmonizing and aligning strategies and enhancing cooperation between stakeholders could help overcome the increasing geopolitical pressure that civil society organizations experience nowadays in cyber negotiation forums.
To work against the effects of these and other efforts to repress international attempts at advancing a gender equality agenda, effective gender mainstreaming is possible only when gender research is less fragmented and supported by rigorous data collection practices. Partially, the strong transnational opposition against “gender ideology” comes from the misconception of the notion of “gender (identity).” This leads to a broad delegitimization of scientific knowledge on gender as such. “Gender” becomes a red flag even where it is not necessarily a contested concept. Acknowledging and defining this disagreement might help avoid the broad hostility toward everything related to gender. Highlighting and respecting cultural and religious traditions and perceptions while conducting detailed and concise research on gender and cyber can help focus on the “humane” component rather than ideological confrontation.
The opinions expressed here are solely the author’s and do not necessarily reflect the opinions and beliefs of Women In International Security or its affiliates
 Russian Federation, Federal Law No. 135-FZ of 2013, on Amendments to Article 5 of the Federal Law “On the Protection of Children from Information Harmful to their Health and Development;” Russian Federation, Federal Law No. 478-FZ of 05.12. 2022. on Amendments to the Federal Law on “Information, information technologies and security of information” and other legislative acts of Russian Federation.”
 Constitution of the Russian Federation as amended and approved by the All-Russian vote on July 1, 2020 [working translation] https://rg.ru/2020/07/04/konstituciya-site-dok.html.
 Hurel, Louise Marie, “The Rocky Road to Cyber Norms at the United Nations”, Council on Foreign Relations, September 6, 2022, https://www.cfr.org/blog/rocky-road-cyber-norms-united-nations-0.
By Clodagh Quain and Isabelle Roccia
Fifth-generation telecommunications (5G) technology promises to dramatically increase the interconnectedness and efficiency of commercial and civilian communication infrastructures. 5G will also enable other advances. On the civilian side, it will improve existing applications and give rise to others, from telemedicine to connected cars. It also presents an opportunity to enhance NATO’s capabilities, improving logistics, maintenance, and communications. For instance, 5G will speed communication and improve response time in a theater of operation.
These developments also pose challenges. 5G is part of a complex architecture. To leverage its full benefits, millions of sensors and devices will need to be deployed and connected, from smart home appliances and connected toys to fullscale factories and critical infrastructures. The number of connected devices is projected to total 41.6 billion worldwide by 2025.1 By 2030, this estimate ratchets up to 125 billion.2 Of these, mobile devices will grow from 8.8 billion in 2018 to 13.1 billion devices by 2023 – 1.4 billion of which will be 5G capable.3 Because devices are connected to one another or to a network, security risks will multiply. The Alliance faces an increased challenge in ensuring that NATO Allies’ 5G networks and the critical infrastructures that rely on them
can withstand multiple physical and cybersecurity threats.
NATO’s main concern in this context is the risk associated with foreign ownership or management of critical infrastructure, including by private operators and foreign state actors in supply chains. That such ownership could result in collusion between the supplier and a country’s intelligence or security services is deemed particularly worrisome by many governments, critical infrastructure operators and industry alike.4 For NATO allies, supply-chain risk management is therefore a critical aspect of the strategic and operational challenges posed by 5G.
At the NATO meeting in London in December 2019, Allies prioritized 5G security as part of its security and resilience agenda. The final declaration stated, “NATO and Allies, within their respective authority, are committed to ensuring the security of our communications, including 5G, recognizing the need to rely on secure and resilient systems.”5 Including 5G in the London Declaration formalized NATO’s work in this emerging field.
5G technology is transformative on several fronts. It will challenge the design and implementation of existing infrastructure and applications. The velocity and pervasiveness of 5G technology will stimulate development of advanced applications, including smart cities and autonomous vehicles.
A diverse set of suppliers form the 5G ecosystem, which encompasses network infrastructures, spectrum, devices and software. While Ericsson (Sweden), Nokia (Finland) and Huawei (China) are the three best-known vendors, they represent only a small number of the stakeholders involved. The telecommunications industry estimates that operators will have
to invest $1.1 trillion by the end of 2025 to build 5G networks.6
In 2016, the European Commission developed a 5G Action Plan for Europe to support launching the rollout of commercial 5G services in all EU member states by the end of 2020.7 Subsequently, there will be a rapid buildup of infrastructure in urban areas and along major transport routes by 2025.8
At the Prague 5G Security Conference in May 2019, 32 EU and NATO members adopted recommendations known as the Prague Proposals.9 They propose principles that governments should apply to 5G deployment, stipulating that communication networks and services should be “designed with resilience and security in mind. They should be built and maintained using international, open, consensus-based standards and risk-informed cybersecurity best practices.” State representatives also called for the adoption of principles of fairness, transparency, risk-based policy and interoperability.
Relevance for NATO
Since 1949, NATO has centered on safeguarding the security and freedom of its members. Its mandate has evolved in political and geographic terms as the world changed. Today, emerging technology, with its many political, military and commercial implications, is driving NATO’s need to adapt.
Given its broad membership overlap with the European Union, deployment of 5G in Europe will undoubtedly affect the Alliance. The implications for NATO allies are strategic and operational in nature and affect defensive and offensive postures. At a minimum, dependence on 5G exposes critical infrastructure to more vulnerabilities, including software vulnerabilities, which NATO allies must address.10 That said, 5G can also improve capabilities such as communication security.11
At the multilateral level, NATO, like the European Union, seeks to balance collective and national interests. At the Munich Security Conference on February 15, 2020, NATO Secretary General Jens Stoltenberg referred to guidelines and basic requirements that both organizations had developed for infrastructure investment—notably in telecommunications and 5G.12
On January 29, 2020, the Network and Information Systems (NIS) Cooperation Group published an EU toolbox, with measures to mitigate risks identified in the EU coordinated risk assessment report of October 9, 2019:
- strategic measures on regulatory powers for incident reporting, security measures, threats and assets;
- initiatives to promote a diverse supply and value chain;
- technical measures to strengthen the security of networks and equipment; and
- risk mitigation plans.13
NATO’s leadership also seeks to develop a minimum set of common practices for resilient telecommunications while avoiding encroachment on individual state approaches. At the October 2019 NATO Defense Ministerial meeting, for example, representatives agreed to update the baseline requirements for civilian telecommunications, including 5G.14 This update covered foreign ownership, foreign control and direct investment. While civilian infrastructure remains a “national responsibility,” Article 3 of NATO’s founding treaty states that resilience, intended to prevent the failure of critical infrastructure or hybrid attacks, is part of states’ commitments to the Alliance and to one another. The Secretary General reiterated NATO’s approach the following month at the NATO Industry Forum in Washington, DC, where he linked resilience of supply chains and that of nations and the Alliance.15
NATO members maintain the right to decide national policies for regulating critical infrastructure and 5G vendors. For example, UK Foreign Secretary Dominic Raab addressed the House of Commons on January 28, 2020, outlining the government’s review of national telecommunications and its position on “high risk vendors.” The United Kingdom approved the use of equipment acquired from “high risk vendors” while restricting those vendors’ access to “safety critical networks.”16 The foreign secretary stressed that the review would not hamper his government’s ability to share sensitive data with its partners over highly secure networks. In May 2020, the UK Government decided to review the impact of the decision on national networks with the assistance of the National Cyber Security Centre.
What Is at Stake?
Foreign ownership or management of critical infrastructure is a significant risk for NATO allies. Consequently, more governments may look to adopt procurement rules that limit sourcing to trusted vendors.
Such a position creates another risk, however. Indeed, the operators of critical infrastructure may have only limited capacity to detect, prevent and recover from the cybersecurity risks they face if they cannot choose the technologies and processes they need to match security requirements stemming from their size, complexity and risk profile. These operators must remain in control of how they improve their overall security posture if they are to meet the security and resilience objectives set nationally or at NATO. Innovation with state-of-the-art technology is critical in the interconnected environment in which Allies find themselves, through cross-border infrastructure (for energy supply, for instance) or shared functions (such as airspace control). NATO’s value-added in this context is to facilitate the development and sharing of baseline requirements for supply-chain risk management among Allies. It can also be to share best practices and information on risks and threats. This coordination would ensure that all individual state efforts contribute to more secure, resilient critical infrastructures.
As NATO allies move forward, they should focus on four main issues: leveraging NATO and EU membership, assessing supply-chain management issues, adopting a principled approach and building international consensus.
Leveraging Membership: 5G affects strategic, political, industrial and commercial elements on both sides of the Atlantic. The integrated economies of the European Union and the United States share a common value system, with policies that traditionally align with NATO’s, despite conflicting messages from the current US administration regarding its commitment to the Alliance. Despite the inherent cross-border, integrated nature of critical infrastructure in Europe, EU member states approach supply-chain evaluation differently. As the European Union seeks a coordinated, harmonized process for 5G supply-chain assessment, it is important that NATO and the EU align their policies in this regard. The lack of such alignment might create challenges for NATO, such as overdependence on one supplier.
Supply-Chain Risk Management: NATO allies must consider the global, interconnected nature of supply chains and the threats they face as they weigh effective approaches to 5G supply-chain risk management. Their approaches should ultimately strengthen NATO’s strategic mission, inform procurement guidelines and harmonize risk-management baselines across Allies. Such risk management entails identifying likely threats, vulnerabilities and potential consequences, tailoring mitigation strategies to risks and prioritizing actions based on an assessment of the most relevant, potentially impactful risks.17
A Principled Approach: A similar or harmonized set of principles should underpin effective supply-chain risk management. These principles should do the following:
- encourage interoperability of systems and the use of stateof-the-art technologies;
- develop a more secure global cybersecurity ecosystem that recognizes norms for responsible behavior and prioritizes collective defense against malicious threats;
- collaborate with key nongovernmental stakeholders, including industry, to adapt to an ever-changing environment of new technologies and new threats;
- invest in research and development of new technological approaches to fostering supply-chain integrity; and
- avoid prohibiting the acquisition or integration of some technologies simply because they were developed abroad.
Building International Consensus: Several international organizations and groups have begun to assess the 5G environment and its related security risks. The Prague 5G Repository produced a library of tools, frameworks and legislative measures to assist NATO member states. Multilateral organizations, such as the EU, and states have come to similar conclusions. They too underline major risks that have national security implications. Integrity, confidentiality and availability of networks and communications are also key to their security.
5G innovation is not just a technological choice but a strategic one. Even in a collective defense system such as NATO, states remain sovereign, making decisions based on their assessment of the geopolitical environment. A state approach driven primarily by economic opportunity may undermine collective defense and security.
To both build and manage 5G capabilities, NATO’s allies will need to leverage EU and NATO membership; balance national and collective methods for supply-chain risk management; apply a principled approach to supply-chain integrity; and coordinate at the state and international levels.
|• ensure, where possible, transparency of supply-chain risk management policies and their implementation, in part to facilitate best practices;|
Former director of Carnegie Europe Tomáš Valášek referred to critical civilian networks as “the path of least resistance” for adversaries in the digital age to divide NATO from within.18 To protect this critical infrastructure, he argues, both the public and private sectors will need to invest in IT expertise. This shared challenge presents an opportunity for NATO and other multilateral organizations to fill gaps for their member states and to adapt to emerging technology beyond their traditional role. It is a novel test for NATO: to broker strategic geopolitical rivalries and national security concerns over critical infrastructure while developing its own modern capabilities and addressing the multiple fractures in global and allied security today.
- International Data Corporation (IDC), The Growth in Connected IoT Devices Is Expected to Generate 79.4ZB of Data in 2025, press release (Framingham, MA: IDC, June 18, 2019).
- IHS Markit, The Internet of Things: A Movement, Not a Market, presentation (London: IHS Markit, 2017), p. 2.
- Cisco, Annual Internet Report (2018–2023), white paper(San Jose: Cisco, 2020), p. 2.
- Kadri Kaska, Henrik Beckvard, and Tomáš Minárik, Huawei, 5G, and China as a Security Threat (Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2019).
- NATO, London Declaration: Issued by the Heads of State and Government Participating in the Meeting of the North Atlantic Council in London 3-4 December 2019, press release (Brussels: NATO, December 4, 2019).
- GSMA Intelligence, The Mobile Economy 2020 (London: GSM Association, 2020), p. 5.
- European Commission, 5G for Europe: An Action Plan, COM(2016) 588 final (Brussels: European Commission, 2016), p. 4.
- European Commission, Future Connectivity Systems, 5G for Europe Action Plan (Brussels: European Commission, December 19, 2019).
- Flexera, Vulnerability Review 2018: Global Trends (Itasca, IL: Flexara Software LLC, 2018).
- Karl Norrman, Prajwol Kumar Nakarmi, and Eva Fogelström, 5G Security—Enabling a Trustworthy 5G System, Ericsson White Paper (Stockholm: Ericsson, January 8, 2020).
NATO Secretary General Jens Stoltenberg, Transcript of Opening Re-marks, Munich Security Conference, Brussels, February 15, 2020.
- European Commission, Cybersecurity of 5G Networks: EU Toolbox of Risk Mitigating Measures (Brussels:European Commission, January 29, 2020).
- NATO Secretary General Jen Stoltenberg, Press Conference Follow-ing the Meeting of NATO Defense Ministers, Brussels, October 25, 2019.
- NATO Secretary General Jens Stoltenberg, Keynote Address at the NATO Industry Forum, Washington DC, November 14, 2019.
- United Kingdom, Foreign Secretary’s Statement on Telecommunica-tions, London, UK Foreign Secretary Office, January 28, 2020.
- BSA | The Software Alliance (BSA), BSA Principles for Good Governance: Supply Chain Risk Management (Washington, DC: BSA, 2019).
- Tomáš Valášek et al., “NATO at 70: What Next?” Politico (April 3, 2019).
9. Government of the Czech Republic, Prague 5G Security Conference Announced Series of Recommendations: The Prague Proposals,press release, May 3, 2019.
Clodagh Quain is Policy Analyst at the Institute of International and European Affairs (IIEA), Dublin, Ireland. The views expressed here are those of the author and not of the IIEA.
Isabelle Roccia is Senior Manager, Policy – EMEA at BSA | The Software Alliance in Brussels, Belgium.
This publication is the result of a joint WIIS DC, WIIS Brussels, WIIS France, and WIIS UK project focused on new challenges for the NATO alliance and showcasing the expertise of the Next Generation women defense experts. Through a competitive selection process six Next Generation experts were invited to participate in programs on the sidelines of the 2019 December NATO Leaders meeting. We would like to thank our six experts for their thoughtful contributions to this initiative, WIIS Global for publishing their research and the US Mission to NATO for providing the generous grant without which this project would not have been possible. With this support, we were able to turn an idea to promote greater cooperation among our affiliates and cities into a reality. We hope this project encourages more collaboration across borders and helps bolster the overall WIIS mission of supporting women in the international security field.
The NATO Consortium Team: Michelle Shevin-Coetzee, WIIS-DC; Armida van Rij, WIIS
UK; Florence Fernando and Pauline Massart, WIIS Brussels; Ottavia Ampuero and Jessica
Pennetier, WIIS France
By Kulani Abendroth-Dias and Carolin Kiefer
If World War III will be over in seconds, as one side takes control of the other’s systems, we’d better have
Data, the food of all algorithms, lie at the core of cohesive EU and NATO AI strategies. Such strategies must encompass the regulation of data in high- and low-risk technologies with
and Romania have tested and often deployed AI and ML facial recognition tools, many of which were developed in the United States and China, for predictive policing and border control.3 AI and ML systems aid in contact tracing and knowledge sharing to contain the COVID-19 virus.4 However, the civilian and military strategies that drive use of AI and ML for the collection and use of data diverge across the member states of the European Union and the North a greater understanding of how data feed AI and ML technologies and systems, the results they produce become skewed. For example, a facial analysis and recognition system insufficiently trained to analyze and recognize women or people of color will often misidentify people in these populations, which could lead to inaccurate criminal profiling and arrests.7 Machines don’t make errors, but humans do. Policymakers need to rapidly identify parameters and systems of governance for these technologies that
maximize their efficiency while protecting civilian rights.
Growth in the development of AI-driven technologies has been exponential, but strategies to regulate their implementation have yet to catch up. The European Union and NATO need to develop coordinated, comprehensive, and forward-looking strategies based on data protection protocols to regulate AI use and deployment to counter myriad threats. Such strategies will be critically important if the transatlantic alliance is to adapt a common defense system to evolving threats in the digital age. Beyond Definitions
AI and ML are changing the security landscape-for example, by the deployment of disinformation to undermine political participation or of unmanned autonomous vehicles (UAVs), which may or may not operate as lethal autonomous weapons systems (LAWS). The states that are party to the Group of
Governmental Experts (GGE) on Lethal Autonomous Weapons
the smarter, faster, more resilient network. dual uses. They should guide policies governing predictive
or delivery within the European Union, Amazon policing, border surveillance, facial analysisand countering disinformation.6 and recognition now sells facial recognition cameras for door
locks, webcams, home security systems, and office To regulate data use effectively, policymakers need to attendance driven by artificial intelligence (AI) better understand the technical, political, economic and
and machine learning (ML)-powerful tools with civilian 2 social risks and biases in data collection methods. Without and military purposes. Germany, France, Spain, Denmark
Atlantic Treaty Organization (NATO).5
(LAWS), which aligns its work with the Convention on Certain Conventional Weapons (CCW), have devoted considerable attention to defining autonomous weapons. Unfortunately, the group has not yet paid enough attention to the data. Prolonged focus on what constitutes LAWS rather than the data that drive them impedes the important investigation of how best to regulate the technologies’ rapid development and use for security and defense. Discussion of the types, limits, and biases of data that drive AI and ML is pertinent throughout the myriad sectors in which they find application.8
Recently, the GGE took steps to move the debate from definitions of autonomous systems to why data matter. In 2020, it decided that the 11 guiding principles that frame the development and use of LAWS needed no further expansion.9 The group agreed to give greater attention to how the principles can be unpacked. It decided to distinguish between high- and low-risk AI technologies and gain a better understanding of dual-use technologies.10 Differentiating between uses for civilian and military operations should focus on how data will be mined and drive algorithms at both levels.11 NATO and the European Union should lead in facilitating these discussions and regulations.
According to the European Commission’s February 2020 white paper on artificial intelligence, “Europe’s current and future sustainable economic growth and societal well-being increasingly draws on value created by data…. AI is one of the most important applications of the data economy.”12 However, the report concludes, for AI to “work for people and be a force for good in society” it must be trustworthy.13 It highlights “trustworthy AI” 27 times in its 26 pages.
Governance of data is key to this trust.14 The EU General Data Protection Regulation (GDPR) was a step in the right direction, but it needs to be expanded to cover AI and ML data collection and use in national and international security contexts. Close consultation and data coordination between the European Union and NATO is integral in this regard.
An understanding of who drives the development of AIdriven technologies for European security and how they are funded can illuminate the political, technical, and social, and legal bottlenecks confronting EU and NATO data regulation, both in the member states and at a supranational level. While the defense sector has traditionally driven technology innovation, private companies have taken the lead in recent years. 15 According to the OECD, Google, Microsoft, Amazon, and Intel have spent more than $50 billion a year on digital innovation.16 This sum dwarfs the ‚Ç¨13 billion budgeted by the European Defense Fund (EDF) for 2021-27 – for defense spending in general, not solely for AI-driven technologies.17 NATO and the European Union should pay particular attention to these private-sector actors when developing policies for data protection and strategies to encourage US and European technological innovation. NATO and the European Union should work with the CCW GGE to determine clear operational distinctions between the commercial and military uses of data for AIdriven technologies.18 NATO and the European Union need comprehensive, legally enforceable AI strategies to regulate the use of data and the integrity of information networks to better protect their citizens while keeping the Alliance agile.
The Way Forward
In EU and NATO contexts, the development and implementation of dual-use technologies and cyberprotection policies remain fragmented. This fragmentation could undermine the ability to respond to evolving threats to European security and stability. Examples abound: Cambridge Analytica’s involvement in Britain’s Leave Campaign, radicalization via social media, the politicized use of data via hybrid-use platforms to influence behavior (from political participation to violent action), and targeted cyber-attacks and disinformation campaigns in the Visegrad Four and the Baltic states.19 Therefore, coherent EU and NATO AI strategies require the regulation of the data that drive emerging technologies. Regulation to promote network integrity and protect data access must be key tenets of EU and NATO strategies to deploy AI that can react faster and more effectively in the face of new security threats.
AI and ML systems are valuable, as demonstrated by their use in contact tracing and knowledge sharing in the search for a cure during the Covid-19 pandemic.20 For the transatlantic relationship to thrive, NATO and the EU must work together to develop coordinated AI strategies that address appropriate use and misuse of data. As the EU and NATO develop these strategies, they should focus on five activities:
Govern the use of data in dual-use technologies.
While AI strategies may sound exciting and innovative to policymakers and the general public, responsible data use sounds less so. Yet it is essential. EU and NATO strategies need to distinguish between high- and low-risk technologies, dual- and hybrid-use platforms, and the types, limits, and mediums by which data can be collected and anonymized (or at least kept confidential) for civil and military uses. These limits need to be developed and regulated in discussions with civilian and military actors who are mining data across sectors, from the traditional security and military arena to healthcare, logistics, and entertainment companies. Discussions should include how the rights of citizens and those residing in NATO and EU countries-e.g., lawful migrants, asylum seekers, refugees-will be protected.
Acknowledge bias in datasets.
There should be a comprehensive discussion on how bias in datasets influences the training of algorithms, which in turn influences security targets and undermines the integrity of a system. Policymakers, human rights actors, and technology developers should be in the room for this discussion. An awareness of these biases within security forces can help them better evaluate the outcomes the algorithms produce, interpret targets with caution, avoid errors, and generate more effective responses.
Ensure purpose-limited data collection and sharing.
Personal data collected and tracked for specific purposes (e.g., contact tracing during a pandemic) should generally not be shared and used for other purposes. Where an overlap in data collection is deemed necessary for EU-NATO security purposes, tight regulations for civilian protection should spell out where, with whom, and for how long the data can be stored, with strong legal and operational deterrents for backdoor access to data. Private-sector companies should limit how data are used to influence behavior: Should they be used in political campaigns the same way that they are used to nudge consumer behaviors on what to buy? The European Union’s GDPR sets up important rules in this regard. It can be viewed as the cornerstone of an EU-NATO strategy for the development and regulation of AI for security and defense.
Adapt traditional defense and deterrence strategies to the digital age.
The evolving nature of security threats in the digital age calls into question traditional strategies of defense and deterrence. Collaboration between NATO, the European Commission, the European Defence Agency (EDA), the Permanent Structured Cooperation (PESCO), the Coordinated Annual Review on Defense (CARD) and technology developers should focus on efficiency-trimming current weapons systems and technologies used by the European Union on the battlefield and in the cyber realm while using AI and ML to inform strategy. The weaponized use of social media data must be addressed, not solely via counternarratives but by working in concert with social media companies to develop AI and ML techniques to identify and shut down fake news at the source. The integrity of networks set up by actors outside of NATO member states needs to be raised as a security concern as well, including incentives to drive the local business development of such networks.
Build trust via counter-AI agencies to protect citizen rights and detect AI-driven forgeries.
Agencies that currently promote the responsible use of AI need to work in tandem with NATO and EU agencies to develop comprehensive AI strategies. The strategies should promote digital literacy, advance critical thinking through online modules, and publicize the precautions NATO and the European Union are taking to protect citizen data in order to build public trust. Partnerships between EU, NATO, and such agencies need to go beyond traditional NGO-security agency relationships to integrate AI protection mechanisms into security policy itself. Ideally, these organizations would work with NATO partner countries to better identify targets, weaknesses, and priorities to build resilient intelligence architectures.
Map the development and use of AI-driven technologies across EU and NATO member states.
NATO security operations are in place at member state borders. However, most of the AI technologies being developed, test, or adapted are deployed within France and Germany, key EU member states. AI-driven security threats differ across states, especially disinformation. For example, the content, medium, and speaker of disinformation shared in the Czech Republic may differ considerably from disinformation shared in Germany. Adapting traditional deterrence strategies to the digital age requires an understanding of the contextbased nature of these threats. It is therefore integral to include experts across the EU and NATO member states in the development and implementation of AI strategies. A comprehensive mapping of the security threats faced-and development and use of AI-driven technologies to combat such threats across EU and NATO member states-can help better train personnel and develop more targeted solutions and localized data protection policies.
The digital industry is already transforming the Alliance. NATO is essential to setting up a coordinated structure to develop and regulate AI- and ML-driven technologies for NATO members’ security and defense. While sociopolitical and economic priorities in the development and regulation of AI vary across sectors and countries, awareness of the use and misuse of data in driving AI-and ML-driven technologies is a common thread that binds these debates together. The use of data fed into a system run by AI and ML technology can have vast implications for the nature of future security threats and the development of technologies to combat them. Cohesive EU and NATO strategies for AI will determine how strong and agile the Alliance will become.
Pedro Domingos, The Master Algorithm: How the Quest for the Ultimate Learning Machine Will Remake Our World (New York: Basic Books, 2015).
See Daniel S. Hoadley and Nathan J. Lucas, Artificial Intelligence and National Security (Washington DC.: Congressional Research Service,
2018); Greg Allen and Taniel Chan, Artificial Intelligence and National Security (Cambridge, MA: Belfer Center for Science and International Affairs, 2017). Artificial intelligence comprises a vast number of fields, including machine learning, natural language processing, robotics, computer vision, and knowledge representation and reasoning. In this policy brief, the authors largely refer to the use of AI- and ML- driven technologies for EU and NATO security and defense.
Steven Feldstein, The Global Expansion of AI Surveillance (Washington, DC: Carnegie Endowment, September 2019).
The Cybersecurity Strategy of the Visegrad Group Countries Coronavirus, Artificial Intelligence web page (April 12, 2020).
Raluca Csernatoni, An Ambitious Agenda or Big Words? Developing a
European Approach to AI, Egmont Security Policy Brief No. 117 (Brussels: Egmont Royal Institute for International Relations, November 2019).
Michael Chui et al., Notes from the AI Frontier: Insights from Hundreds of Use Cases (New York: McKinsey Global Institute, 2018).
Philipp Gr√ºll, “Germany’s Plans for Automatic Facial Recognition Meet Fierce Criticism,” EURACTIV (January 10, 2020).
Ajay Agrawal, Joshua Gans and Avi Goldfarb, Prediction Machines: The Simple Economics of Artificial Intelligence (Cambridge, MA: Harvard Business Press, 2018).
See the UN’s 1980 Convention on Certain Conventional Weapons.
German Federal Foreign Office, Chair’s Summary: Berlin Forum for Supporting the 2020 Group of Governmental Experts on Lethal Autonomous Weapons Systems (Berlin: German Federal Foreign Office, April 2020).
United Nations Institute for Disarmament Research, The Human Element in Decisions About the Use of Force (Geneva: UNIDIR, March 2020).
European Commission, On Artificial Intelligence: A European
Approach to Excellence and Trust, white paper, COM (2020) 65 final (Brussels: European Commission, February 19, 2020), p. 1. See also European Commission, A European Strategy for Data, COM (2020) 66 final (Brussels: European Commission, February 19, 2020).
EC, On Artificial Intelligence, p. 25.
Dieter Ernst, Competing in Artificial Intelligence Chips: China’s Challenge amid Technology War, Special Report (Center for International Governance Innovation, March 26, 2020).
Organization for Economic Cooperation and Development, Private Equity Investment in Artificial Intelligence (Paris: OECD, December 2018).
European Commission, European Defence Fund (Brussels: European Commission: March 20, 2019). Arguably, Washington would do well not to view the EDF with suspicion and skepticism but rather as a vehicle to stimulate more transatlantic discussion on “home-grown” innovation and development.
Daniele Amoroso et al., “Autonomy in Weapon Systems: The Mili-tary Application of Artificial Intelligence as a Litmus Test for Germany’s New Foreign and Security Policy,” Democracy Vol. 49 (Heinrich B√∂ll Foundation, 2018).
Marek G√≥rka, “The Cybersecurity Strategy of the Visegrad Group
Countries,” Politics in Central Europe Vol .14, No. 2 (2018), pp. 75-98. See also Alistair Knott, “Uses and Abuses of AI in Election Campaigns,” presentation, N.d.
Council of Europe, AI and Control of Covid-19.
By Naďa Kovalčíková and Gabrielle Tarini
The rise of China poses a strategic challenge for the North Atlantic Treaty Organization (NATO). The Alliance needs a comprehensive political, economic, and security strategy to deal with China’s growing
global power. The more assertive a role China plays in world affairs, the more it could undercut NATO’s cohesion and military advantages by translating commercial inroads in Europe into political influence, investing in strategically important sectors, and achieving major breakthroughs in advanced digital technologies.
NATO Secretary General Jens Stoltenberg has repeatedly emphasized the need for NATO allies to assess and better understand the implications of China’s increased presence and activity in the North Atlantic.1 At their London meeting in December 2019, NATO leaders noted that “China’s growing influence and international policies present both opportunities and challenges that we need to address together as an Alliance.”2 At the 2020 Munich Security Conference in February 2020, China again featured prominently in the discussions. Plenary sessions and many of the side sessions focused on China, with US House Speaker Nancy Pelosi, Defense Secretary Mark Esper, and Stoltenberg all highlighting the role for transatlantic cooperation in addressing China’s rise.3
This policy brief examines the challenge that China presents for NATO and the importance of a common posture toward China. It also considers China’s perception of NATO as a stumbling block to its global ambitions, and it provides recommendations for how the Alliance should approach China moving forward.
China’s Rise and Its Implications for NATO
China has used its growing economic, political and military capabilities to pursue an increasingly assertive foreign policy, and NATO has rightly begun to assess the implications for the Alliance. As the secretary general remarked in December 2019, “This is not about moving NATO into the South China Sea, but it’s about taking into account that China’s coming closer to us, in the Arctic, in Africa, investing heavily in our infrastructure, in Europe, in cyberspace.”4
China’s increased involvement in European allies’ economies poses a challenge to NATO’s political cohesion. China’s annual foreign direct investment (FDI) in Europe has grown exponentially since 2008.5 Europe is also one of the most important destinations for China’s Belt and Road Initiative (BRI), a global development strategy initiated by China in 2013. Last spring, Italy became the first G7 country to join BRI, while Greece joined China’s “17+1 grouping,” an initiative aimed at enhancing ties between China and Central and Eastern Europe.6
Chinese commercial inroads today can lead to wider political influence tomorrow, which well may be China’s objective. An analysis from the Mercator Institute for Chinese Studies, for example, contends that China “incentivizes state-led Chinese banks as well as State-Owned Enterprises (SOEs) to fill financing or investment gaps in EU member states and accession countries in exchange for political support for Chinese positions, such as on territorial claims in the South China Sea or human rights.”7 Most recently, during the
COVID-19 pandemic, China has attempted to make political inroads in Europe through “mask diplomacy.”8 China is widely publicizing its provision of medical masks and critical health equipment to affected European states and promoted false narratives over Chinese state media Twitter accounts (such as claims that COVID-19 actually began outside of China).9 These actions have helped China deflect criticism of its initial response to the virus and elevate its image in Europe as a global humanitarian player.
NATO allies also face pressure to address Chinese companies’ investments in Europe’s strategic sectors such as telecommunications, energy, transportation and ports. Chinese investments in these sectors have direct security implications for the Alliance, as it depends on national critical infrastructure to execute its activities and missions. For example, national telecommunication networks that are hacked or disrupted by foreign governments could threaten NATO networks such as the Federated Mission Network that are critical to command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) and allied decisionmaking.10 5G equipment made by companies with obscure ownership structures and close ties to the Chinese Communist Party “could use wellconcealed kill switches to cripple Western telecom systems” during conflict, or even during peacetime. 11 Moreover, the protection and integrity of digital information is also critical to secure force mobilization and plans for reinforcement. Civilian roads, ports and rails are an integral part of NATO’s plans for military mobilization. Chinese investments in European ports and rail could complicate NATO’s ability to reinforce and resupply Europe in a warfighting scenario. Currently, Chinese SOEs have invested in 12 ports in seven NATO countries that are key for military mobility planning in the east, south and southeast of NATO.12
Finally, China’s advances in the field of artificial intelligence (AI) threaten to undermine NATO’s current military and intelligence advantages. China’s “New Generation AI Development Plan” calls for China to “catch up on AI technology and applications by 2020, achieve major breakthroughs by 2025, and become a global leader in AI by 2030.”13 China sees AI as a way to leapfrog—in other words, skip—a generation of military technology.14
NATO relies on individual members to incorporate AI into their national defense capabilities. However, if all do not master and integrate this technology at the same pace, it may erode decades of work to strengthen interoperability. Moreover, European technologies to run AI operations— including robotics and efficient electronic chips such as
Dutch ASML semiconductors—are in high demand in China. If foreign state-backed companies were to acquire this technology, with its dual commercial and military applications, it would cause serious security concerns for the
China’s Perception of NATO
Generally, Beijing views NATO as a stumbling block to its global ambitions. As Adam Liff’s work on China and the U.S. alliance system has shown, Beijing expresses “deepening frustration towards, and even open opposition to” America’s alliances.16 China has not yet publicly expressed its vision of an alternative international system—and indeed scholars vigorously debate China’s long-term strategic objectives—but it is clear that China believes it can exercise greater influence on the world stage if power is more broadly diffused.17
China’s efforts to date seem to have focused largely on driving a wedge in U.S. alliances in the Indo-Pacific, but China would undoubtedly welcome a fractured transatlantic relationship, where US and European threat perceptions and policy priorities increasingly diverge.18 As a recent analysis of China-Europe relations noted, China wants to “weaken Western unity, both within Europe and across the Atlantic.”19 Consequently, it prefers to deal with European states individually rather than through the European Union’s collective leadership. Thus President Xi Jinping was likely displeased when French President Emmanuel Macron unexpectedly invited German Chancellor Angela Merkel and European Commission President Jean-Claude Juncker to join his bilateral meeting with China in March 2019.20 China also seeks to fragment EU unity on economic issues and trade, criticizing it for “politicizing” economic and trade issues in its Policy Paper on the European Union.21 China knows that NATO has neither robust tools nor a legacy of regulating political economy issues. China’s use of this narrative contributes to internal tension within the Alliance between those who guard against NATO’s involvement in these areas, especially since 21 EU members are also NATO allies.22
In sum, a united NATO and a cohesive transatlantic relationship thwart China’s desire to increase multipolarity in the international system, while a fractured NATO enables China to play Europe off America and Europe off itself.
Developing a united stance toward China will require NATO to synchronize regional priorities. It will also need to strengthen partnerships with other institutions and countries, given that much of what needs to be done currently falls outside NATO’s core competencies. NATO could strive for greater cohesion toward China in three areas: politics, military and technology.
To date, there is little evidence that NATO allies are coming closer to a solid political consensus on how to address China’s rise.23 In order to operationalize allies’ views in the London Declaration on the “opportunities and challenges”24 that China’s growing influence presents and limit its ability to undermine transatlantic cohesion or make further political inroads in Europe, NATO should do the following:
- Consistently coordinate allied efforts to ensure that Chinese initiatives, such as the BRI or the 17+1 grouping with Central and Eastern European countries, do not allow Beijing to gain political support for Chinese positions, such as on human rights or territorial claims, and drive wedges between allies.
- Increase cooperation with the EU on screening and assessing Chinese FDI in allied critical infrastructure and advanced technologies, which rely heavily on sensitive data. NATO should contribute to defining key criteria on FDI in domains with dual civilian-military applications.
- Encourage allies to make full use of their existing screening mechanisms for foreign investment and encourage those that do not have one to set it up.25 NATO’s EU allies should also systematically implement the EU’s foreign investment screening mechanism in order to mitigate the risks of foreign investors acquiring control over critical technologies, infrastructure, or sensitive information with potential security implications to all NATO allies. Increased transparency about Chinese FDI in critical infrastructure across NATO would help to mitigate the potential impact on NATO’s overall political cohesion.
|engagement and expertise. Such partnerships could inaugurate a new consultative body, which could pave the way for more coordinated planning and intelligence sharing.27||•||NATO should coordinate its efforts with the European Union in this domain, as AI and other advanced technologies are developed primarily in the private sector and can have both civilian and military applications. EU-NATO collaboration may be hampered by the fact|
- Enhance NATO’s political partnerships with IndoPacific countries, especially with Australia (within the “Enhanced Opportunities Partner” framework26 or other tailored platforms) and Japan to strengthen interregional Military Recommendations
It would be difficult and inadvisable to reposture the Alliance toward a hypothetical contingency with China: NATO members already have varied preferences over which region should receive priority focus and, with the exception of the United States, do not have the expeditionary capabilities to project power into the Indo-Pacific region. Nevertheless, there are four areas where NATO could improve its posture vis-à-vis China:
- Increased Chinese naval activity in the Mediterranean Sea, Baltic Sea, and the High North, often in collaboration with Russia, is a direct concern for NATO.28 NATO need not make plans to fight China in the North Atlantic. However, as a noted NATO and maritime affairs expert argues, allies must be prepared to “monitor and interact with another growing naval power operating in waters of key interest to the transatlantic alliance.” 29
- NATO should step up its existing military partnerships with Indo-Pacific countries, in particular in NATO exercises, the Partnership Interoperability Platform, and other capacity building programs.30
- Working with the EU, NATO tabletop exercises should focus on enhancing military mobility in Europe to mitigate against the effects of rising, potentially coercive Chinese investments and to secure a more robust, integrated civilian-military infrastructure.
- NATO allies should continuously assess and avoid investment in Chinese military equipment that would plug into NATO’s command and control system.31
- NATO allies should coordinate efforts to incorporate AI-based military technologies into their national capabilities in order to avoid duplication and economize.
- The roadmap on disruptive technologies adopted by NATO’s Allied Command Transformation in 2018 should guide allies toward increased and better tailored investments in military technology powered by AI, biotechnology and cyber and quantum computing. NATO should also continue to adapt its Defense Planning Process to account for rapid, fundamental technological evolution.32
that not all EU member states or NATO allies have written national AI strategies, and as one analyst notes, “Europe’s political and strategic debate on AI-enabled military technology is underdeveloped.”33 NATO should encourage all allies to develop their respective AI strategies, while the European Union can guide them by collecting and publishing best practices and encouraging countries to limit potentially burdensome regulations on AI before it is applied. The European Union in collaboration with NATO may also consider establishing an AI Center of Excellence.34
- Cybersecurity in 5G networks is another area where
NATO should coordinate its efforts with the European Union. Because this issue concerns mostly civilian networks, NATO does not have robust tools to tackle this problem alone. Thus the European Union and the European Commission in particular should lead in coordinating and implementing action. In its new “toolbox,” rolled out in January 2020, the European Union recommended measures to mitigate the cybersecurity risks of 5G.35 The plan, which could ban suppliers from core parts of telecoms networks if they are identified as “high-risk” vendors, could allow European countries to limit Chinese tech giant Huawei’s role in Europe in the future. NATO allies should not only consider the EU measures when appropriate but also push for more transparency into foreign companies’ ownership structures and state influence. In general, each NATO member should strengthen oversight of telecom network security by creating mechanisms to review contracts between operators and suppliers and conducting national-level audits of the security practices of 5G companies.
In sum, NATO must strive to maintain transatlantic unity in the face of a rapidly evolving technology and global security landscape. As China seeks to divide allied democracies, it is critical for NATO allies, in coordination with the EU and other partners, to address a widening array of emerging economic, political, societal and technological challenges to the Alliance.
Naďa Kovalčíková is a Program Manager and Fellow at the Alliance for Securing Democracy at the German Marshal Fund of the United States.
Gabrielle Tarini is a Policy Analyst at the non-profit, nonpartisan RAND Corporation.
- NATO Secretary General Jens Stoltenberg, opening remarks at the
Munich Security Conference, February 15, 2020, at the European Parliament Committee on Foreign Affairs (AFET) and Sub-Committee on Security and Defence (SEDE), January 21, 2020, and doorstep statement ahead of the meeting of the North Atlantic Council at the level of Heads of State and/or Government , December 4, 2019.
- NATO, London Declaration, Issued by the Heads of State and
Government Participating in the Meeting of the North Atlantic Council in London 3-4, December 2019 (Brussels: NATO, December 4, 2019).
- Daniel W. Drezner, “What I Learned at the Munich Security Conference,” commentary, Washington Post (February 17, 2020).
- NATO, “Questions and Answers by NATO Secretary General
Jens Stoltenberg at the ‘‘NATO Engages: Innovating the Alliance’ Conference,” transcript (London: NATO, December 3, 2019).
- Thilo Hanemann, Mikko Huotari and Agatha Kratz, Chinese FDI in Europe: 2018 Trends and Impact of New Screening Policies, MERICS Papers on China (Berlin: Mercator Institute for China Studies, June 3, 2019).
- Federiga Bindi, Why Did Italy Embrace the Belt and Road Initiative? commentary (Washington, D.C.: Carnegie Endowment for International Peace, May 19, 2020); Jonathan E. Hillman and Masea McCalpin, Will China’s ‘16+1’ Format Divide Europe? (Washington, DC: Center for Strategic and International Studies, April 11, 2019).
- Thorsten Benner et al., Authoritarian Advance: Responding to China’s Growing Political Influence in Europe, report (Berlin: Mercator Institute for China Studies, February 2018), p. 106, p. 15.
- AFP News, “Mask Diplomacy: China Tries to Rewrite Virus Narrative,” France 24 (March 20, 2020).
- Matt Schrader, Analyzing China’s Propaganda Messaging in Europe
(Alliance for Securing Democracy, March 20, 2020). See also Elizabeth Braw, “Beware of Bad Samaritans,” Foreign Policy (March 30, 2020).
- Kadri Kaska, Henrik Beckvard and Tomáš Minárik, Huawei, 5G and China as a Security Threat, report (Brussels: NATO Cooperative Cyber Defence Centre of Excellence, 2019).
- Lindsay Gorman, “5G Is Where China and the West Finally Diverge,” The Atlantic (January 4, 2020).
- Belgium, France, Greece, Italy, the Netherlands, Spain and Turkey. See also Ian Anthony, Jiayi Zhou and Fei Su, EU Security Perspectives in an Era of Connectivity: Implications for Relations with China, SIPRI Insights on Peace and Security, No. 2020/3 (Stockholm: SIPRI, February 2020), p.14.
- Graham Webster et al., China’s Plan to ‘Lead’ in AI: Purpose,
Prospects, and Problems, blog post (Washington, DC: New America, August 1, 2017); Ryan Hass and Zach Balin, US-China Relations in the Age of Artificial Intelligence, report (Washington, D.C.: Brookings Institution, January 10, 2019).
- Gregory Allen, Understanding China’s AI Strategy: Clues to Chinese
Strategic Thinking on Artificial Intelligence and National Security, report (Washington, D.C., The Center for a New American Security,February 6, 2019), p. 8.
- Alexandra Alper, Toby Sterling and Stephen Nellis, “Trump Administration Pressed Dutch Hard to Cancel China Chip-Equipment Sale: Sources,” Reuters (January 6, 2020).
- Adam Liff, “China and the US Alliance System,” The China Quarterly Vol. 233 (March 2018).
- Nadège Rolland, China’s Vision for a New World Order, NBR Special Report No. 83 (Washington, D.C.: The National Bureau of Asian Research, January 2020).
- Scott Harold, Chinese Views on European Defense Integration, MERICS China Monitor (Berlin: Mercator Institute for China Studies, December 19, 2018).
- Thomas Wright and Thorsten Benner, testimony to U.S. China
Economic and Security Review Commission, hearing on “China’s Relations with U.S. Allies and Partners in Europe and the Asia Pacific,” April 5, 2018.
- Keegan Elmer, “France’s Emmanuel Macron Asks Angela Merkel and Jean-Claude Juncker to Join Meeting with Xi Jinping in Paris,” South China Morning Post (March 22, 2019).
- Mission of the People’s Republic of China to the European Union, China’s Policy Paper on the European Union (Brussels: Mission of the People’s Republic of China to the European Union, December 2018).
- Jens Ringsmose and Sten Rynning, “China Brought NATO Closer Together,” War On the Rocks (February 5, 2020).
- 23 Noah Barkin, “The U.S. and Europe Are Speaking a Different Language on China,” Foreign Policy (February 16, 2020).
- NATO, “London Declaration, Issued by the Heads of State and Government Participating in the Meeting of the North Atlantic Council in London, 3-4 December 2019” (December 4, 2019).
- European Commission, Guidance to the Member States Concerning Foreign Direct Investment (FDI Screening Regulation)” (Brussels: EC, March 25, 2020).
- NATO, Partnership Interoperability Initiative (Brussels: NATO, March 24, 2020).
- Fabrice Pothier, How Should NATO Respond to China’s Growing Power? analysis (London: IISS, September 12, 2019).
- Mercy A. Kuo, “NATO-China Council: Now Is the Time: Insights from Ian Brzezinski,” The Diplomat (October 15, 2019).
- Magnus F. Nordenman, “Five Questions NATO Must Answer in the North Atlantic,” Proceedings Vol. 145, no. 3 (Annapolis, Md.: U.S. Naval Institute, March 2019).
- Turkey, for example, was interested in buying China’s HQ-9 missile systems in 2013 but ultimately abandoned their bid after significant pressure from other NATO allies. See Denise Der, “Why Turkey May Not Buy Chinese Missile Systems After All,” The Diplomat (May 7, 2014).
- Nicholas Burns and Douglas Lute, NATO at Seventy: An Alliance in Crisis, report (Washington, D.C.: Carnegie Endowment for International Peace, February 2019).
- Ulrike Franke and Paola Sartori, Machine Politics: Europe and the AI Revolution, Policy Brief (Berlin: European Council on Foreign Relations, July 11, 2019).
- Wendy R. Anderson and Jim Townsend, “As AI Begins to Reshape
Defense, Here’s How Europe Can Keep Up,” Defense One (May 18, 2018); Institute for Security Studies, The EU, NATO and Artificial Intelligence: New Possibilities for Cooperation? report (Paris: ISS, 2019).
- EU Commission, Cybersecurity of 5G Networks – EU Toolbox of Risk Mitigating Measures (Brussels: EU, January 29, 2020).
This publication is the result of a joint WIIS DC, WIIS Brussels, WIIS France, and WIIS UK project focused on new challenges for the NATO alliance and showcasing the expertise of the Next Generation women defense experts. Through a competitive selection process six Next Generation experts were invited to participate in programs on the sidelines of the 2019 December NATO Leaders meeting. We would like to thank our six experts for their thoughtful contributions to this initiative, WIIS Global for publishing their research and the US Mission to NATO for providing the generous grant without which this project would not have been possible. With this support, we were able to turn an idea to promote greater cooperation among our affiliates and cities into a reality.
We hope this project encourages more collaboration across borders and helps bolster the overall WIIS mission of supporting women in the international security field.
The NATO Consortium Team: Michelle Shevin-Coetzee, WIIS-DC; Armida van Rij, WIIS UK; Florence Fernando and Pauline Massart, WIIS Brussels; Ottavia Ampuero
By Spencer Beall
By 2020, the number of Internet-enabled devices, also referred to as the Internet of Things (IoT),
is expected to exceed thirty billion.2 The number of security breaches alone is anticipated to
incur a global cost of six trillion dollars per year by that time, increasing from three trillion in
2016.3 While the cybersecurity industry will require approximately six million workers to meet
its projected job demand by 2019, many positions will remain unfilled without more female
cybersecurity professionals. 4 Currently, women comprise only 11 percent of global
cybersecurity professionals. 5
Women’s underrepresentation in cybersecurity is not just an economic workplace issue,
but also has a profound impact on the type of technologies being developed and hence impacts
everyone in the digital age.
In this report I will explore some of the main barriers that impede women’s entry,
professional advancement, and retention in cybersecurity, including the pervasive gender
discrimination in technology professions. Next, I will examine three core reasons why it is
essential to get more women in cybersecurity, namely (1) to maximize innovation potential; (2)
to expand usability of digital products to meet the needs of all consumers; and (3) to strengthen
the global economy by fulfilling the cybersecurity industry’s rapidly growing job demand. Finally,
I will present recommendations how to dismantle the gender gap in cybersecurity and how to
create in the digital age a global workforce that is safer, more efficient, and more prosperous.
1 This report relies largely on data from the gender gap in the American cybersecurity sector, in part because of the
availability of research, and because the U.S. remains a strong prototype for analyzing the causes and effects of the
global gender gap in cybersecurity. Not only does the U.S. employ slightly higher than the global average number of
female cybersecurity professionals yet exhibit the same shortcomings in product innovation and efficacy as foreign
cybersecurity industries, the American cybersecurity firms also illustrate many of the common difficulties that
women experience entering the field around the world. 2 Internet enabled devices (IoTs) include all technology that relies on Internet and/or cellular data to function,
including but not limited to: computers, smartphones, GPS devices, social media platforms, home security systems,
power grids, smart appliances (e.g. refrigerators, televisions, thermostats), cars and airplanes. See also Steve
Morgan, ed., “Cybersecurity Ventures predicts global cybersecurity spending will exceed $1 trillion from 2017 to
2021,” Cybersecurity Ventures (May 31, 2017), accessed June 7, 2017,
http://cybersecurityventures.com/cybersecurity-market-report/ 3 Steve Morgan, “Cybersecurity Industry Outlook, 2017 to 2021: Key economic indicators for the cybersecurity
industry over the next five years,” Cybersecurity Business Report, CSO (Oct. 20, 2016), accessed June 6, 2017,
Cybersecurity Ventures predicts global cybersecurity spending will exceed $1 trillion from 2017 to 2021, supra. 4 See Roy Maurer, “Why Aren’t Women Working in Cybersecurity?” Society for Human Resource Management (Jan,
10, 2017), accessed June 18, 2017, https://www.shrm.org/resourcesandtools/hr-topics/talentacquisition/pages/women-working-cybersecurity-gender-gap.aspx and Steve Morgan, “Cybersecurity Industry
Outlook, 2017 to 2021: Key economic indicators for the cybersecurity industry over the next five years,”
Cybersecurity Business Report, CSO (Oct. 20, 2016), accessed June 6, 2017,
5 Elizabeth Weingarten, “The Gender Gap in Cybersecurity Jobs Isn’t Getting Better,” Slate (Mar. 17, 2017), accessed
June 5, 2017,
Weingarten cites the 2017 Global Information Security Workforce Study: Women in Cybersecurity. According to the
Study, women’s representation in the North American cybersecurity industry (14 percent) is only slightly higher
than this global average.
Women In International Security (WIIS)
Where Are the Women?
Cybersecurity professions are defined as “any occupation that ‘plans [or] carries out security
measures to protect an organization’s computer networks’” from data breaches via hacking or
the spread of malware. 6 Cybersecurity ensures that our airlines, power grids, nuclear plants,
emergency communications systems (e.g. 911 and FEMA alerts) and other essential national
security technologies are protected from malicious attacks. Cybersecurity plays a critical role in
the development of apps, electronic services and IoT devices that shape our daily lives. Our
phones, online shopping platforms like Amazon, electronic banking systems, medical record
storage systems, video and music streaming services (e.g. Netflix, Spotify), social media (e.g.
Facebook, Snapchat, Instagram), home security systems, smart refrigerators, and thermostats
are dependent on cybersecurity.7
Considering that modern society depends on cybersecurity for nearly every aspect of
daily life in the digital age—to work, shop, travel, communicate, form relationships, protect our
health, keep ourselves safe from terrorist attacks, natural disasters and other calamities, etc—it
is surprising that women, who represent 50 percent of the global workforce, comprise only 11
percent of global cybersecurity professionals. What makes this statistic even more remarkable is
that women—not men—built the foundations for the cybersecurity industry that we have today
by programming the world’s first computers. In addition, studies show that 52 percent of women
under age 29 hold a computer science degree, and when women enter cybersecurity they do so
with overall higher education levels than men.
So, why are there so few women in this field? There are at least five main reasons for the gender
gap in cybersecurity.
(1) Stereotypes that identify cybersecurity as a masculine industry
Computer science, along with math and engineering, is widely typecast as a masculine
field across almost all cultures around the world. We need only look at how any
association between “women” or “girls” and the topics, “cybersecurity,” “computer
programming,” “coding,” “software development,” “Silicon Valley,” and “technical
engineering,” consistently garners attention in newspapers, magazines, and the movie
6 Katharine D’Hondt, Women in Cybersecurity, Thesis for Master in Public Policy (2016), Harvard University John F.
Kennedy School of Government, 7 (citing Bureau of Labor Statistics, 2015) 7 See Justice Sonia Sotomayor’s concurring opinion in United States v. Jones (2012): “[We live in]…the digital age, in
which people reveal a great deal of information about themselves to third parties in the course of carrying out
mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that
they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books,
groceries, and medications they purchase to online retailers.” Sotomayor, J. (concurring opinion), United States v.
Jones, 132 S.Ct. 945 (2012). 8 Statistics from the 2017 Global Information Security Workforce Study (GISWS), conducted by the Center for
Cybersecurity and Education. Heather Riccuito, “Representation of Women in Cybersecurity Remains Stagnant,
Despite Recent Efforts to Balance the Scales,” Security Intelligence (Mar. 15, 2017), accessed June 17, 2017,
Women In International Security (WIIS)
screens for a reason.9 The stereotyping of STEM fields (Science, Technology, Engineering
and Mathematics) as a masculine domain is a recent development, however, as men only
began to dominate the technology profession in the 1980s. From its roots to the near end
of the 20th century, women led computer science. The very word “computer” referred to
people who calculated ballistic trajectories for the U.S. Army. Women not only comprised
the vast majority of these computers, but also those who would develop the world’s first
electronic models. Just over one hundred years after Ada Lovelace (1815-1852)
envisioned a machine that could be instructed to calculate sums and produce words and
pictures, six women at the University of Pennsylvania programmed the world’s first
electronic computers.10 With the work of Grace Hopper, Frances Allen, and numerous
other female leaders in the cyber field, women built the foundations for the digital age. 11
Men began to supplant female professionals in computer science only when personal
computers became a lucrative prospect, marketed almost exclusively to men and boys.12
Today, the lack of female cybersecurity professionals has become a prominent discussion
point for women’s empowerment, specifically to promote women and girls’ participation
in STEM education programs to prepare women for jobs of the future in the digital age.13
However, common stereotypes that men are naturally stronger in STEM fields than
women continue to drive down women’s participation in STEM education programs.
Studies spanning the past twenty years have concluded that the so-called “stereotype
threat” (in this case, the phenomenon by which women are culturally conditioned to
believe that men perform better in STEM fields) inhibits women’s entry into STEM jobs
9 Erin Hogeboom, “Encouraging Today’s Hidden Figures in STEM,” Forbes (Feb. 24, 2017), accessed June 9, 2017,
10 See Laura Sydell, “The Forgotten Female Programmers Who Created Modern Tech,” NPR (Oct. 6, 2014), accessed
June 7, 2017,
http://www.npr.org/sections/alltechconsidered/2014/10/06/345799830/the-forgotten-female-programmerswho-created-modern-tech and Meeri Kim, “70 years ago, six Philly women became the world’s first digital computer
programmers,” The Philly Voice (Feb. 11, 2016), accessed June 7, 2017,
http://www.phillyvoice.com/70-years-ago-six-philly-women-eniac-digital-computer-programmers/ 11 Grace Hopper became one of the first three modern programmers during her career in the U.S. Naval Reserve. She
developed the first computer language compiler, A-0, as well as the first programming system that operated on
English-language commands instead of algebraic code. “Grace Murray Hopper (1906-1992): A Legacy of Innovation
and Service,” Yale News (Feb. 10, 2017), accessed June 8, 2017, http://news.yale.edu/2017/02/10/grace-murrayhopper-1906-1992-legacy-innovation-and-service Frances Allen created security codes and programming languages
for the NSA after becoming the first female IBM fellow, where she developed compilers for IBM super computers.
William L. Hosch, “Frances E. Allen,” Encyclopedia Britannica, accessed June 8, 2017,
https://www.britannica.com/biography/Frances-E-Allen 12 Steve Henn, “When Women Stopped Coding,” NPR (Oct. 21, 2014), accessed June 8, 2017,
See also, Mundy, supra. 13 Just after President Trump announced proposals for NASA budget cuts and the elimination of NASA’s education
department—which manages NASA’s efforts to promote women and minority representation in STEM careers—
Ivanka Trump and Betsy DeVos toured the National Air and Space Museum and sponsored a showing of Hidden
Figures to highlight women’s achievements in technology and other STEM fields. Valerie Strauss, “The irony in
Ivanka Trump’s and Betsy DeVos’s push for STEM education,” The Washington Post (Mar. 28, 2017), accessed June 6,
Women In International Security (WIIS)
and success within the profession.14 In one of the first studies on the stereotype threat,
male and female math students were given the same online math exam, with half of the
subjects being told that women may not perform as well because male students are
generally better at math. The difference in scores was striking. Women scored an average
of 20 points lower than men in the group that listened to the stereotype threat, yet there
was almost no measurable difference between male and female scores in the non-threat
group.15 STEM gender stereotyping begins to influence girls and boys in the early stages
of childhood. Recent studies of young children indicated that gender stereotyping in math
and other STEM-related fields affects children as young as four years old, despite minimal
difference in girls’ and boys’ actual capacities.16 If many girls do not steer away from math
and science studies completely as they grow older, girls who aspire to careers in
technology are prone to “dis-identification,” where the “repeated or long-term
[stereotype] threat…eventually undermine[s] aspirations in an area of interest.”17 With
both men and women being “equally likely” to perpetuate gender stereotypes in STEM,
both in the classroom and in the workplace, far fewer women pursue careers in
cybersecurity and advance to high-level positions within the industry. 18
(2) A lack of global investment in female-founded tech companies
When Annamaria Konya Tannon, head of Innovation and Entrepreneurship for the School
of Engineering and Applied Science at The George Washington University, launched her
first tech startup in 1997, female-founded tech companies received less than four percent
of global venture capital funding. 19 After years of technological innovation that have
brought forth iPods, and multi generations of smartphones and iPads, the current global
investment in female-led tech companies has barely budged, accounting for less than six
percent of venture capital funds.20 Among the 200 San Francisco Bay Area technology
startup companies that received “series A” venture capital funding (between three and 15
million dollars) in 2015, women founded only eight percent of them.21 While women
14 Catherine Hill, Christianne Corbett, and Andresse St. Rose, Why So Few? Women in Science, Technology,
Engineering, and Mathematics, AAUW (Feb. 2010), 39-40, accessed July 31, 2017,
http://www.aauw.org/files/2013/02/Why-So-Few-Women-in-Science-Technology-Engineering-andMathematics.pdf. 15 Id. at 40. 16 Christine K. Shenouda, Effects of Gender Stereotypes on Children’s Beliefs, Interests, and Performance in STEM Fields,
Ph.D. Dissertation, Department of Psychology, Michigan State University (2014), 1, accessed July 31, 2017,
https://d.lib.msu.edu/etd/2751. In one study where preschool-age children where instructed to replicate patterns
with LEGO blocks, one half of the children were exposed to the stereotype threat in being told that boys can
complete the task faster than girls. Among that group, the girls performed considerably slower than boys, as
compared to the non-stereotype threat group. (Shenouda, 1). 17 Hill, et al., supra note 44 at 41. 18 Shenouda, supra note 44, at 5-6. 19 Konya Tannon forged her way to success in tech startups by working in the Silicon Valley. She is also the Founder
and CEO of Equita Accelerator (a non-profit corporation dedicated to promoting women-led tech companies. 20 Women in Innovation: The Perfect Match, Panel co-hosted by the Center for Transatlantic Studies and the Embassy
of Denmark, June 13, 2017.
21 “Why VCs Arent Funding Women-led Startups,” Knowledge@Wharton, Wharton School of Business, University of
Pennsylvania (May 24, 2016), accessed July 31, 2017, http://knowledge.wharton.upenn.edu/article/vcs-arentfunding-women-led-startups/
Women In International Security (WIIS)
launch approximately 38 percent of new companies in the U.S., only between two and six
percent of these companies receive venture capital funding.22 According to Katherine
Hays, founder and CEO of ad tech startup, Vivoom, “Male venture capitalists… [mostly] are
very comfortable…giving female entrepreneurs capital for ‘girl stuff’…[like] rent[ing]
dresses or sell[ing] baby wipes as a subscription.”23 Things change, however, when
women ask for venture capital to launch a business in a “masculine” field like tech. The
reasons why women receive lower venture capital funding are circular. The lack of
women in STEM professions based on gender stereotyping of technology fields, coupled
with rampant and gender discrimination within the industry, only perpetuate this
“Every year that goes by where we continue to fund the exact same pool of overwhelmingly
male, overwhelmingly white founders is one where we are missing out on the opportunities
to find important new innovations.”
- Ethan Mollick, Professor of Management, The Wharton School
(3) Gender discrimination in the cybersecurity workplace
Among recent publications discussing gender discrimination in the cybersecurity
workplace, perhaps no location is more frequently cited across the globe than Silicon
Valley, the epicenter of America’s tech industry. Liza Mundy, Senior Fellow at New
America and author of Code Girls, highlighted female professionals’ common
discrimination across multiple Silicon Valley tech corporations that illustrate why
women’s entry and attrition rates remain so low in cybersecurity. According to Mundy,
women in tech face discrimination end-to-end, being hired, paid, promoted, and valued
significantly less than men.24 Many women cited in recent studies reported that in
addition to enduring both overt and unconscious gender bias and facing overall different
treatment than male employees, women’s software designs are “accepted more often than
men’s… but only if their gender is unknown.”25
In 2014 Google, Pinterest, Apple, Facebook, and many other Silicon Valley companies
pledged to devote millions of dollars to change corporate hiring practices and help
women enter leadership positions.26 Three years later, however, female staffing numbers
have “barely budged…[with] sexism [remaining] …just as pernicious as ever.”27 In the
2015 “Elephant in the Valley” survey that polled female tech professionals, respondents
drew attention to some of the many factors that undermine women’s chances of success
in tech professions. Among the various data collected, 66 percent of female respondents
felt excluded from important networking opportunities at their companies because of
New York-based startup companies only fared slightly better, with female-led startups accounting for 13 percent of
venture capital recipients. Id. 22 Id. (citing Ethan Mollick, Professor of Management at The Wharton School) 23 Id. 24 Liza Mundy, “Why is Silicon Valley So Awful to Women?” The Atlantic (Apr. 2017), accessed June 9, 2017,
25 Id. 26 Id. 27 Id.
Women In International Security (WIIS)
their gender, 75 percent of women faced questions about marital status and family
commitments during hiring interviews, and 88 percent of respondents experienced
persistent unconscious gender bias from male colleagues.28 From the lack of meaningful
change in gender discrimination in the technology profession, it is no surprise that
women leave cybersecurity over twice as frequently as men.29
(4) Laws and policies that promote gender discrimination
Approximately 90 percent of countries around the world enforce laws that discriminate
against women. Many of these laws and policies (both secular and religious) have helped
create and enforce gender discrimination in the cybersecurity profession by undermining
women’s advancement in social and economic roles in other sectors. In India, for example,
because labor laws “protect existing [male] workers at the expense of aspiring ones,
which include most women,” women represent only 30 percent of India’s labor force.30 In
other countries like Saudi Arabia, religious laws significantly undermine female agency.
Strict applications of Sharia law prohibit women in Saudi Arabia from interacting with
men outside of their families, to the degree that most businesses, banks, and other public
areas have segregated entrances for men and women.31 When laws prevent women from
interacting with men outside family members, they effectively preclude women from
becoming valued members of the workforce.
(5) Corporate practices that cater to male professionals
Some corporate practices that contribute to a reduced female presence in cybersecurity
professions include: failures to set and maintain gender quotas (both in hiring and
retention); unwillingness to specifically attract and recruit more female professionals;
and under-investigation of employee gender discrimination claims and/or not enforcing
zero-tolerance workplace discrimination policies.
28 Trae Vassallo, Ellen Levy, et.al., Elephant in the Valley, 2015 Survey, accessed June 9, 2017,
https://www.elephantinthevalley.com. Some examples of unconscious gender bias include: having questions
directed to male colleagues even when it was within a female employee’s area of expertise, and asking women to
perform low-level tasks that men are not asked to do. 29 Mundy, supra. 30 Dhruva Jaishankar, “The Huge Cost of India’s Discrimination Against Women,” The Atlantic (Mar. 18, 2013),
accessed July 31, 2017, https://www.theatlantic.com/international/archive/2013/03/the-huge-cost-of-indiasdiscrimination-against-women/274115/. As another example, due to India’s longstanding customs of giving
preferential treatment (e.g. education) to boys rather than girls, approximately one-third of women in India are
illiterate, further undermining women’s opportunities for professional advancement. Id. 31 “Seven Things Women in Saudi Arabia Cannot Do,” The Week (Sept. 27, 2016), accessed July 31, 2017,
Women In International Security (WIIS)
Two Minds Are Better Than One:
Three Reasons Why We Need More Women in the Cybersecurity Workforce
(1) Maximizing innovation potential
If the number of female professionals in cybersecurity remains stagnant, it will restrict
both cybersecurity development and the quality of our digital products.
Because men and women are born with equal talent capacities, talent is drawn
from the same distribution. When societies artificially constrain one-half of the
distribution (e.g. via laws, customs, and/or religious beliefs that drive gender inequality)
we lose one-half of the global workforce’s creativity.32 Diversified taskforces with “fresh
ideas…to address ever-evolving problems” are more vital than ever in the digital age,
when the threat of cybercrime continues to grow. If the security of one of our IoTs,
electronic services, apps, or other digital products is compromised, the security of other
devices is prone to breach, exposing users to incalculable dangers within hours, or even
minutes.33 Having a more diversified design team that reflects products’ actual users is
critical to account for how consumers use/misuse products, what user needs and
interests the product does not meet, and how to optimize product security. According to
Sarah Geary, senior cyber analyst at FireEye, a hacker only has to target one person’s
device to debilitate “…an entire business or government…” Because we live in an age
when foreign governments are targeting individuals more frequently, “… it’s a problem
when those who are designing cybersecurity products or interventions aren’t
representative…” of the population that uses them.34 Studies indicate that because women
suffer higher rates of online harassment (particularly sextortion35 and cyberstalking)36
women are more likely than men to utilize stronger privacy settings on social media apps
and Internet platforms (e.g. Facebook, Instagram, Whatsapp).37 Women, therefore, can
contribute different ideas for designing new more user-friendly digital platforms stronger
privacy features, which would both provide a better variety of privacy protection options
to consumers and help companies adhere to best practices on managing information
privacy.38 According to Annamaria Konya Tannon, head of the Innovation and
Entrepreneurship for the School of Engineering and Applied Science at The George
32 Kalpana Kochhar, Speaker at the Panel, Women in Innovation: The Perfect Match, co-hosted by the Center for
Transatlantic Studies and the Embassy of Denmark, June 13, 2017.
33 Bruce Schneier, Your Wi-Fi Connected Thermostat Can Take Down the Whole Internet. We Need New
Regulations,” The Washington Post (Nov. 3, 2016), accessed July 31, 2017,
https://www.washingtonpost.com/posteverything/wp/2016/11/03/your-wifi-connected-thermostat-can-takedown-the-whole-internet-we-need-new-regulations/?utm_term=.d612eb077fa8 (citing a paper discussing how
hackers can create an IoT worm that can instantly infect thousands of other IoT devices. Eyal Ronen, Colin O’Flynn,
et.al, “IoT Goes Nuclear: Creating a ZigBee Chain Reaction”)
34 Weingarten, supra, note 9.
35 Laurie Segall, “A disturbing look inside the world of online sextortion,” CNN Money (June 23, 2016), accessed June
8, 2017, http://money.cnn.com/2016/06/23/technology/sextortion-thorn-study/index.html 36 The 2016 Bureau of Justice Statistics report indicated that women comprised 41 percent of reported stalking
victimizations, outnumbering the 31 percent of reported male victimizations. “Stalking,” The Bureau of Justice
Statistics (Feb. 17, 2016), accessed June 8, 2018, https://www.bjs.gov/index.cfm?ty=tp&tid=973 37 Weingarten, supra, note 9. 38 Id.
Women In International Security (WIIS)
Washington University, “When you have a gender balanced team, research shows that you
have more optimal outcomes and come up with more creative ideas. Men need to be
there, and women do too.”
“Why would you eliminate the brilliance of 50 percent of the population?”
-Joyce Brocaglia, CEO of Alta Associates, a cyber executive search firm39
(2) Expanding usability
Having more women in cybersecurity design and development labs will ensure that
existing conversation engines on smartphones (e.g. Siri, Cortana), apps (medical, social
media, lifestyle, etc.), and other digital platforms for shopping, social media, data storage,
etc. will be better equipped to meet more consumers needs outside of the male profiles
that created them, specifically women and children.
Scientists have already discovered “the white guy problem” in artificial
intelligence, whereby machine learning algorithms that form predictions based on large
amounts of existing input data introduce gender as well as racial bias in decisionmaking.40 Algorithms that form the basis for a wide variety of mobile and Internet
services—from electronic job application systems to conversation engines like Siri on
smartphones—function solely based on the initial data programmed into them, which the
algorithms accumulate to make decisions later.41 When almost exclusively all-male design
teams create these algorithms, Siri and other related technologies operate on single sex
aggregated data, resulting in products that are most user-friendly to the sex that created
them. According to a 2016 JAMA Internal Medicine study, although Siri could provide
gender-neutral medical advice in response to “Siri, I’m having a heart attack,” Siri was
unprepared to provide assistance on female health and safety issues such as sexual
assault and domestic violence. Among four smartphone conversation engines (Siri,
Cortana, S Voice and Google Now) on sixty-eight phones, the study found that only
Cortana was able to provide the National Sexual Abuse Hotline number in response to the
message “I was raped.”42 Siri replied instead: “I don’t know how to respond to that,”
indicating that male design teams did not think this data was important enough to
program. 43 A more diverse design team might have included this information.
Clearly, the discrepancy from having a design team that doesn’t accurately
represent the needs and interests of the total consumer population can put users at
The same problems from a male-dominated cybersecurity industry extend to other
types of apps and digital features. Imagine if men represented 93 percent of the design
39 Id. 40 Hannah Devlin, “Discrimination by algorithm: scientists devise test to detect AI bias,” The Guardian (Dec. 19,
2016), accessed June 18, 2017, https://www.theguardian.com/technology/2016/dec/19/discrimination-byalgorithm-scientists-devise-test-to-detect-ai-bias 41 Id. 42 Alice Park, “Here’s How Siri Responds to ‘I was raped,’” Time.com (Mar. 14, 2016), accessed June 8, 2017,
http://time.com/4257568/siri-rape-smartphones/ 43 By contrast, Siri had no trouble interpreting to certain health inquiries that exclusively affect men. The statement,
“Siri, I have erectile dysfunction,” immediately presented a list of nearby clinics and physician recommendations.
Women In International Security (WIIS)
teams that developed women’s undergarments, clothing, footwear, makeup, hygiene
products, and hair care. This represents the current state of app development.
Women represent only six percent of app developers, despite comprising 50
percent of the app-using population.44 Women have helped create apps like bSafe that are
specially designed for women and girls’ interests and physical needs, including services
designed to help protect women against sexual assault and dating violence. 45 Without
greater female involvement, however, products like these that are designed with women
in mind will remain limited.
A more gender-balanced cybersecurity design team can also help create more
product features to protect children online.46 It may be easy to overlook children within
the global consumer pool for apps and other digital products, but children represent a
significant portion of users of some of the most popular social media apps (e.g. Snapchat,
Kik, Whattsapp) and Internet services (e.g. Google, Bing). According to a 2015 survey, the
average American child receives his or her first cell phone at age six.47 Three-quarters of
the children surveyed also had tablets to access the Internet.48 Similar research conducted
in the UK indicated that more than half of children use at least one form of social media by
age 10.49 Because children are using smartphones and Internet-enabled devices at
increasingly young ages, mothers, female caregivers, and teachers may have a closer ear
to what apps, games, and website features children are using, or may begin using. As
women are already more likely to use stronger privacy protections than men on social
media platforms, women can have a particularly important role in designing privacy
features to help monitor children’s activity and receive alerts to suspicious online
With more women designers, products will become more user-friendly for all
consumers, and it may help save lives.50
44 David Bolton, “Survey, Only 6% of App Developers Are Women,” Arc (Feb. 27, 2016), accessed June 15, 2017,
45 bSafe provides discrete assistance to girls and young women in a variety of situations—from automatically
alerting a list of family members and friends if the user indicates that she is in danger, to providing a fake telephone
call to help a user leave an uncomfortable date or social situation.45 Similar apps could be developed that would
serve as community alerts for the public to report suspicious activity of sex trafficking and domestic violence. Some
of these products include, Spitfire Athlete (providing personal training assistance to women based on exercise
regimens of female athletes), and Hey! VINA (an app to help women cultivate same-sex friendships and develop a
sense of community among female users). Jenavieve Hatch, “Behold, A Tinder-Like App for Female Friendships:
Because Finding New BFFs is just as important as finding a date,” Huffington Post (Feb. 01, 2016), accessed June 8,
46 For the purposes of this report, “children” is used to refer to any person under age 18, in accordance with the
Convention on the Rights of the Child (CRC) and other international legal instruments. Convention on the Rights of
the Child, Nov. 12, 1989, 1577 U.N.T.S. 3. Art. 1, http://www.ohchr.org/EN/ProfessionalInterest/Pages/CRC.aspx 47 “Study Finds Average Age Of Kids When They Get First Cell Phone Is Six,” ABC 13 Eyewitness News (April 7, 2015),
accessed June 8, 2017, http://abc13.com/technology/study-53%-of-kids-get-a-cell-phone-at-age-6/636328/ 48 Id. 49 The Daily Mail Reporter, “More than half of children use social media by the age of 10: Facebook is the most
popular site that youngsters join,” The Daily Mail (Feb. 5, 2014), accessed June 15, 2017,
50 Across the globe, teaching remains a female-dominated profession. In the U.S. alone, women represent 75-80
percent of kindergarten, elementary, and middle school teachers. Motoko Rich, “Why Don’t More Men Go Into
Women In International Security (WIIS)
(3) Strengthening the global economy
Even though women account for 50 percent of the global workforce, women form only 11
percent of the global cybersecurity industry, remaining the most underrepresented
taskforce in the global economy. With cybersecurity itself becoming one of the largest
global businesses in the upcoming years, countries stand to lose more than one may think
if more women are not brought into the workplace. The International Monetary Fund
(IMF) recently conducted research to observe the relationship between a lower women
taskforce and national gross domestic products (GDPs) to see the shortage of female
professionals on countries’ economies. While the United States (which has a slightly
higher than global average percentage of women in cybersecurity) could lose 12-14
percent of its GDP, other countries like South Korea could lose 19-20 percent.51
Understanding that 209,000 cybersecurity positions went unfilled in 2015, global
economic growth does not look promising when this demand will increase to six million
positions by 2019.52 Without more women to close this gap, 1.8 million global positions
will remain unfilled by 2022, significantly threatening the progress of cybersecurity in a
time when the world depends upon it most. 53
“…[S]hutting women out of [cybersecurity], intentionally or unintentionally, is like keeping them off
the factory floor at the beginning of the Industrial Revolution.”54
—Anne Marie Slaughter, President and CEO of New America.
With persistent efforts to combat the social attitudes, gender stereotypes, and unconscious
biases that perpetuate gender discrimination, and with the development and adoption of
appropriate corporate, law, and policymaking strategies, we can resolve the gender gap in
cybersecurity. Many believe that greater investment in STEM education is the keystone in closing
Teaching?” The New York Times, (Sept. 6, 2014), https://www.nytimes.com/2014/09/07/sunday-review/whydont-more-men-go-into-teaching.html. Even in seemingly gender-neutral situations, such as, “Siri, I think I’m having
a stroke,” men and women’s experiences of the same medical condition can be very different, and the conversation
engine may not be able to recognize certain symptoms that affect women more than men. For example, a female
voice input, “Siri, my arm hurts,” may be a common sign of a stroke for many women that men might never
experience. Increased women’s involvement in programming conversation engines can help improve this
technology to keep more users safe. “Women and Strokes: Unique Risks and Uncommon Symptoms,” The Dr. Oz
Show (Jan. 14, 2013), accessed June 7, 2018, http://www.doctoroz.com/article/women-and-strokes-unique-risksuncommon-symptoms
51 Kochhar, supra, note 11.
52 “Cybersecurity Industry Outlook, 2017 to 2021: Key economic indicators for the cybersecurity industry over the
next five years,” supra, note 3
53 Weingarten, supra, note 9.
54 Eli Sugarman, “Women in cybersecurity: 4 questions for New America’s Anne-Marie Slaughter and Megan Garcia,”
Interview with Anne-Marie Slaughter and Megan Garcia, William & Flora Hewlett Foundation (Nov. 16, 2015),
accessed June 6, 2017, http://www.hewlett.org/women-in-cybersecurity-4-questions-for-new-americas-annemarie-slaughter-and-megan-garcia/
Women In International Security (WIIS)
the gender gap in cybersecurity.55 The 2017 Global Information Security Workforce Study,
Women in Cybersecurity, reported that 52 percent of millennial women under age 30 are
educated in computer science.56 However, while education is a promising fixture it is not going to
single-handedly push women into the profession, or make them stay.
Education alone is not going to solve this problem. For example, although more women are
now graduating with degrees in law and medicine than ever before, it does not mean women
receive equal treatment in their field, or that women have equal attrition rates in the labor force
as men.57 An American Community Survey presenting data from 2008 to 2010 showed that
women are still more likely than men to leave the workforce as early-career lawyers and doctors
(between ages 25 and 44).58
To strengthen women’s leadership in cybersecurity three things need to change:
(1) Social attitudes, gender stereotypes and unconscious bias
“The most dangerous phrase in the language is, ‘We’ve always done it this way.’”
- Grace Hopper59
Eliminating the ingrained social attitudes, gender stereotypes, and unconscious bias that prevent
women from entering and advancing in STEM fields is critical to bringing more women into
cybersecurity. Beginning as children, parents need to groom young boys to be better supporters
of women later in life so that we can finally retrain the way we work together. “Supporting
women has been dangerously equated with being less masculine,” says Ryan Ross, Program
Director for the Halcyon Incubator that supports developing startup ventures. We have to work
as a culture to change that. Both men and women have equal responsibilities to help reverse
social attitudes and gender stereotypes and bias.
Some critical steps include:
- Acknowledging that gender discrimination is a continuing problem. In the words of
Linda Kozlowski, Chief Operating Officer of Etsy, “Progress is difficult ‘if people don’t
55 In signing two bills into law to promote women’s enrollment in STEM fields, President Trump’s remarked that”…It
is going to change, and it’s going to change very rapidly.”
Melanie Arter, “Trump Signs Bills Supporting Women Entrepreneurs and Women in STEM Fields,” CNS News (Feb.
28, 2017), accessed June 8, 2017, http://www.cnsnews.com/news/article/melanie-arter/trumps-signs-billssupporting-women-entrepreneurs-and-women-stem-fields
56 Weingarten, supra, note 9.
57 In addition to the pay gap as professionals, women are rarely accepted to top education programs equally with
men. Although women who pursue higher education are more likely to attend medical or law school, they comprise
less than 50 percent of the students at the top law schools. Debra Cassens Weiss, “Men Outnumber Women at Most
Top Law Schools, But the Imbalance Is Greater at B-Schools,” ABA Journal (May 09, 2011), accessed June 8, 2017,
_greater_at/. Philip Cohen, “More Women Are Doctors and Lawyers Than Ever—but Progress Is Stalling,” The
Atlantic (Dec. 11, 2012), accessed June 8, 2017, https://www.theatlantic.com/sexes/archive/2012/12/morewomen-are-doctors-and-lawyers-than-ever-but-progress-is-stalling/266115/
59 Charles Grosch, Library Information Technology and Networks, CRC Press (1994), 183 (quoting Grace Murray
Hopper in her 1987 interview, Information Week, Mar. 9, 1987, 52)
Women In International Security (WIIS)
believe there’s a problem.’”60 A recent survey of 13,331 adults across the U.S. showed
that the majority of men (58 percent) believe that “all obstacles [to the professional
gender gap] had been eliminated,”61 compared to 60 percent of women who claimed
that the gender gap remains a persistent challenge.62 If men and women have such
largely conflicting opinions on the current state and severity of the gender gap,
meaningful change will be slow to come. Men need to recognize that gender
discrimination is a continuing problem in order to address it.
- Pursuing STEM careers, despite gender stereotypes. With 52 percent of millennial
women under age 29 having computer science degrees, women are already more
prepared than ever to enter cybersecurity and other STEM professions. 63 Just as
women must cut against the pressure to “disidentify” with math, science, engineering
and other technology related areas of study, men must acknowledge that no field is a
“man’s field.” 64
- Schools must increase investment in STEM education for girls and women, and raise
girls’ awareness of job opportunities in cybersecurity.
65 According to a 2016 study
conducted by a UK not-for-profit IT security accreditation organization, the lack of
female applicants that results from women being less informed of the opportunities
within STEM professions is a key contributor to the current gender gap in
cybersecurity. 66 Teachers and guidance counselors have an important role to play in
inspiring girls to consider careers in tech, a critical step in bringing more women into
- Both men and women must fight against both overt and unconscious gender
discrimination in the workplace, through legal action if necessary.
67 If we are going to
aspire toward gender equality in the workplace, we need to reiterate what behavior
and attitudes cannot be tolerated. For Anita Hill and other advocates, class action
lawsuits are critical to effectuating change “even in the most entrenched, maledominated industries… especially if regulation is not an immediate or viable
60 Laura Entis, “Men Think Obstacles to Gender Equality at Work Are Gone. Women See it Differently,” Fortune (July
18, 2017), accessed July 31, 2017, http://fortune.com/2017/07/18/gender-gap-tech/ 61 Id. 62 Id.
63 Riccuito, supra. 64 Shenouda, supra note 44, at 5-6
65 A 2015 ISACA study indicated that neither high school teachers nor guidance counselors mentioned cybersecurity
as a career choice for 77 percent of young women in the survey. Riccuito, supra. 66 Maurer, supra. And Riccuito, supra. 67 Many refer to Ellen Pao’s 2015 gender discrimination lawsuit against Silicon Valley venture capital firm, Kleiner
Perkins Caufield and Byers as the pivotal event that inspired female tech professionals to be more vocal in reporting
sexual harassment and gender bias in the workplace. David Streitfeld, “Ellen Pao Loses Silicon Valley Bias Case
Against Kleiner Perkins,” The New York Times (Mar. 27, 2015), accessed June 15, 2017,
https://www.nytimes.com/2015/03/28/technology/ellen-pao-kleiner-perkins-case-decision.html?_r=0 68 Anita Hill, “Anita Hill: Class Actions Could Fight Discrimination in Tech,” The New York Times (Aug. 8, 2017),
Women In International Security (WIIS)
- Men and women must support greater female involvement in sectors that regulate or
otherwise influence the STEM professions, especially in the development and
implementation of laws, policies, and best practices that regulate the cybersecurity
industry. (E.g. increasing women’s roles in advocacy for legislation against sextortion,
revenge pornography, and other cybercrimes that result from product errors or
design flaws that facilitate compromises in users’ information security). If women
have a stronger influence in creating the rules that govern cybersecurity product
development and consumer use, cybersecurity companies will likely benefit from
drawing women into all areas of its industry, from design labs and development firms,
to marketing and legal counsel.
“…[T]hough the numbers of women are small, we are doing some remarkable things…this is an
exciting time to be in the field.”
-Andrea Little Limbago, Chief Social Scientist, Endgame.
(2) Laws & Policies
A significant part of the effort must come from the national level.69 Legal reform is a critical step
to bringing more women into all workforce sectors, especially when 90 percent of countries
around the world enforce laws and policies that undermine women’s social and economic
agency. Some possible reforms include:
- Developing national similar to those in the Nordic countries, which promote equal
representation in the workforce, provide broader access to higher education, and
longer obligatory paid parental leave programs.70 While the Nordic Model is not
perfect, it remains the forerunner of gender equality in the technology industry.
- Offering federal tax breaks to companies who promote women’s hiring and
advancement in leadership positions.
- Establishing government-regulated quotas, requiring tech companies to hire and retain
a set number of female professionals. For Kalpana Kochhar, quotas are critical. In
1993, India amended its Constitution to require that one-third of local selfgovernment seats must be filled by women. The results were drastic. The number of
female leaders in government, business, and other sectors dramatically increased
because women were more likely to compete for elections and higher positions of
authority, and parents developed much higher aspirations for their daughters, leading
to better educational opportunities.71
69 Ulla Rønberg, Senior Visiting Scholar at the Center for Transatlantic Relations, Women in Innovation, The Perfect
Match, supra. 70 Id. 71 Kochhar, supra.
Women In International Security (WIIS)
“In the 4th Industrial Revolution that’s upon us, requiring laws and policies that advance women’s
roles should be the heart of our preparations… After all, jobs of the future will be much less focused
on brawn, and much more focused on brain.”
–Kalpana Kochhar, Director of HR at the International Monetary Fund (IMF)
(3) Corporate Practices
There are many initiatives that corporations can and should take in order to attract more
women in cybersecurity, including:
- Specifically asking for female applicants: According to Ryan Ross, Program Director
for the Halcyon Incubator that supports developing startup ventures, “the second you
put out that specific ask, women are not only more inspired to apply, but both men
and women are more likely to refer female candidates.” When Ross’ started asking for
female professionals, women’s application rate doubled. From having more women
on the taskforce, 50 percent of the Incubator’s startups now have a female founder or
- Sponsoring more female professionals to ensure that both men and women receive
equal professional development support in their industry.72 Professionals with senior
member mentors (“sponsors”) are 23 percent more likely than people without
sponsors to advance in their careers, and men are much more likely than women to
secure sponsors in all professional fields.73
- Setting permanent gender hiring and retention quotas, to ensure that more women are
given equal opportunities as job candidates and that the workplace becomes a climate
where female professionals want to work.
- Maintaining a zero-tolerance policy for gender discrimination. Some strategies include:
sponsoring mandatory training workshops on unconscious bias and sexual
harassment for every new hire (male or female); conducting regular anonymous
surveys on workplace climate to provide employees with frequent no-risk
opportunities to report gender bias/discrimination, increasing female staff in Human
Resources; administering thorough investigations of each report of gender
discrimination/bias through a gender-balanced investigation team; and sending a
public message of zero-tolerance to other corporations by immediately responding to
employee conduct that promotes gender bias with appropriate penalties, following
72 Katy Zurkus, “Despite the gender barriers, women must persist in cyber,” CSO Online (Mar. 21, 2017), accessed
June 17, 2017, http://www.csoonline.com/article/3181765/it-careers/despite-the-gender-barriers-women-mustpersist-in-cyber.html 73 Jane Porter, “Yes, Gender Equality is a Men’s Issue,” (Sept. 26, 2014), Fast Company, accessed July 31, 2017,
Women In International Security (WIIS)
Google’s recent example in addressing an employee’s challenge to the company’s
“My vision for the future is for us to embrace the technological change that’s upon us and to build a
workplace to match it, where men and women are equally hired, paid, and valued for their
–Kalpana Kochhar, Director of HR at the International Monetary Fund (IMF)
While the lack of female cybersecurity professionals has been a prominent discussion point for
women’s empowerment in modern culture and media, many of these discussions focus
exclusively on the pervasive obstacle of gender discrimination that prevents women from
building a presence in the cybersecurity industry, highlighting, for example, the workplace
barriers to female professionals in the Silicon Valley. Understanding that gender discrimination
is by no means unique to this field, it is important to underscore that women’s
underrepresentation has larger effect on cybersecurity as a global industry, even more so than
Focusing solely on the persistent issue of workplace gender dynamics in tech labs
detracts attention from other important problems that result from a diminished female presence
in cybersecurity, from the development and security of the technology that controls how we live
and keep us safe, to the health of the global economy. The gender gap in cybersecurity is not an
insurmountable problem, however. With dedicated initiatives to dismantle gender stereotypes,
reshape discriminatory laws and policies, and implement new corporate strategies to help
women enter cybersecurity, we can all become smarter in the digital age.