weight of foreign companies in key governance bodies in ETSI.
Yet: for highly sensitive and strategic standards, such as those for sensitive human communications, isn’t there a major governance problem within the EU itself, whereby the veto held by each of the 27 member states on key decisions leaves them very vulnerable to external pressures?
Can a few member states lead in the meantime? Italy recently allocated €620 mln of its EU recovery funds to cybersecurity, split into 4 tracks. One of these is entirely aimed at “hardening of the technical capabilities for the evaluation and audit of the security of hardware and software“, and there are many calls from state cybersecurity and intelligence leaders for Italy to have Italian or EU control of the full IT stack and supply chains, at least for the most sensitive systems. “Among EU member states it’s hilarious: they claim digital sovereignty, but they rely mostly on Chinese hardware, on US American software, and they need a famous Russian to reveal the vulnerabilities”, stated the former Head of Information Superiority of EDA, Michael Sieber, in 2015 at our 1st Free and Safe in Cyberspace, and not much has changed since then.
Yet, how much does requiring that critical suppliers or staff be European really solve “control” and security, when hacking supply chains is a favorite game of spy agencies? Can the security of critical software be sufficiently verified ex post, when advanced skills combined with malicious intent create the risk of critical vulnerabilities hidden even in “formally-verified” software like seL4? Can the security of critical hardware be sufficiently verified ex post when “trust cannot be added to integrated circuits after fabrication“, as the US Defense Science Board concluded already back in 2005?
Germany has recently acknowledged the weakness of even the IT devices used for the most sensitive governmental purposes, by delegating the German Foreign Ministry, under the oversight of the BSI certification body, to build new secure communication devices for the most secure communications among ministries, which it plans to expand to diplomatic communications among Germany’s allies in a “Diplo Version”, and then on to the private market.
Yet, while Germany has built great and solid credibility for its engineering and its commitment to democratic values – given recent history, the history of Crypto AG, and grave global anti-democratic trends and democratic instability – can and should its allies and the private market trust such solutions without a completely transparent and international democratic process being involved?
Can leading democratic nations come together to find a win-win solution to these grave challenges, breaking out of the governance problem and regulatory stalemate by building new, highly democratic and resilient transnational institutions to certify and govern critical human IT?