Liberal nations must act now to ensure the digital ecosystem operates in a way that is conducive to democratic values. This was the message of Marietje Schaake, international policy director at Stanford University’s Cyber Policy Center, speaking during the opening keynote session on day three of Black Hat Europe 2021.
She noted that most of the digital infrastructure is managed by the private sector, which has consequences for accountability, freedom and cybersecurity. “Most digital infrastructure is now in the hands of private companies – it’s created, operated, protected by private companies, and I think that’s a problem,” commented Schaake.
A particularly pertinent example of how democratic norms are being eroded in the digital space is the practice of tech companies selling surveillance tools, such as Pegasus spyware, to authoritarian governments. These are subsequently used to attack fundamental liberal principles like press freedom and the right to assembly.
Currently, liberal governments are doing far too little to prevent this type of activity, and authoritarian nations are taking full advantage to suppress democratic values, according to Schaake. In fact, liberal governments often outsource offensive cyber tools themselves to target suspected criminals or terrorists, “making it harder for democratic states to condemn the use of NSO and other similar systems convincingly.” This is because they are “fostering the same businesses’ capacities and market share.”
Additionally, Western companies are often providing these types of technology to nefarious actors. Schaake expressed frustration at the “watering down” of the recently enacted EU Export Control Regulation, which partly aims to regulate the export of cyber-surveillance technologies.
As a result of these trends, “digitization is blurring the lines between authoritarian states and democratic ones.”
She pointed out that regarding physical warfare, there is democratic oversight in liberal nations; for example, a vote in a legislature to sanction military action. This at least ensures there is accountability for what occurs. However, no such process is in place regarding offensive cyber capabilities, such as spyware, as private companies operate them.
This is becoming an increasing problem, with digital technology and software spreading “to almost every part of our lives and economies.” As well as the democratic issues this raises, it also makes society more vulnerable to cyber-attacks, in Schaake’s view. This is because companies are not made accountable for vulnerabilities and other cybersecurity failings that lead to cyber-incidents.
She gave the example of the Colonial Pipeline ransomware attack earlier this year, which arose from an employee’s VPN credentials being compromised. She pointed out that the FBI actually assisted the company in making the ransom payment, which was even tax-deductible! This removes accountability and the incentives required to improve cybersecurity. In respect of Colonial Pipeline, Schaake said: “The public may never know what actually happened and how the attack could take place.”
To ensure the digital ecosystem is both more secure and adheres to democratic principles, Schaake outlined seven steps she would like liberal nations to adopt:
- Develop stronger transparency requirements – for example, showing which companies are selling offensive cyber tools to authoritarian nations and developing better information sharing between governments, intelligence agencies and tech companies.
- Ban the most harmful systems – Schaake advocated a ban on companies selling “invasive and harmful tools to the highest bidder,” such as Pegasus.
- Create better incentives to build safer products – Schaake said software companies are not properly incentivized to build safer software “because they don’t pay the cost of breaches.” There should be precise requirements for how to develop safer systems “and liability consequences when there is negligence.”
- Update requirements for critical organizations – Critical public sector organizations, like universities, schools and hospitals, “are often behind in terms of keeping their software and operating systems up to date,” according to Schaake. This provides numerous opportunities for exploitation for cyber-villains. Therefore, “we have to help public organizations to make the right decisions and be equipped to do so.”
- Enhance procurement rules – Schaake would like to see the stringent requirements placed on the financial sector regarding software procurement applied to other important industries. In other sectors, too often, we see that “vendors sell untested blueprints or hyped versions of their products, and that leaves the unaware customer too vulnerable for potential misuse.”
- Incentivize tech talent to join the public sector – Schaake noted that tech students generally seek jobs with big tech firms rather than government organizations due to the more significant opportunities in this path. As such, “we need specialized programs by governments and universities to help support and emphasize the importance of public interest technology,” as well as offer more attractive incentives to work in this area.
- Democracies need to collaborate – Finally, Schaake highlighted the importance of democratic companies taking the lead and forging a framework “to create new rules and guidelines for independent oversight” of the digital space.