THE CHALLENGE

In recent months, a solid consensus has arisen around the desperate need for better standards and certifications for digital human communications and social networking, in order to protect civil freedom and democracy itself against persistent attacks by adversary nations, criminals, or internal subversive political factions. Current standards and regulations enable these anti-democratic entities, on one side, to undetectably and illegally spy on nearly all of the most sensitive members of society by using widely available state-grade spyware to hack their mobile devices.

Paradoxically, on the other side, they make it very difficult to detect and counter pedophile rings and subversive political groups that engage in illegal forms of assembly on dominant messaging and social networks, like Facebook or Telegram.

It is a lose-lose situation, whereby we have very insufficient security and privacy for law-abiding users, while law enforcement is prevented from fully countering extreme criminal and even subversive activities.

The European Union, in a recent press release announcing the new EU Standardization Strategy, chose to emphasize via its Vice-President and Commissioner: “Ensuring that data is protected in artificial intelligence or ensuring that mobile devices are secure from hacking, rely on standards and must be in line with EU democratic values”, and there is strong recognition of the problem of the disproportionate weight of foreign companies in key governance bodies of ETSI.
Yet: for highly sensitive and strategic standards such as those for sensitive human communications, isn’t there a major governance problem within the EU itself, whereby the veto held by each of the 27 member states on key decisions leaves them very vulnerable to external pressures?

Can a few member states lead in the meantime? Italy recently allocated €620 million of EU recovery funds to cybersecurity, split into four tracks. One of these is entirely aimed at “hardening of the technical capabilities for the evaluation and audit of the security of hardware and software”, and state cybersecurity and intelligence leaders have repeatedly called for Italy to have Italian or EU control of the full IT stack and supply chains, at least for the most sensitive systems. “Among EU member states it’s hilarious: they claim digital sovereignty, but they rely mostly on Chinese hardware, on US American software, and they need a famous Russian to reveal the vulnerabilities”, stated the former Head of Information Superiority of the EDA, Michael Sieber, in 2015 at our 1st Free and Safe in Cyberspace, and not much has changed since then.
Yet how much does requiring that critical suppliers or staff be European really solve “control” and security, when compromising supply chains is a favourite game of spy agencies? Can the security of critical software be sufficiently verified ex post, when advanced skill combined with malicious intent creates the risk of critical vulnerabilities hidden even in “formally verified” software like seL4 (a proof holds only relative to its specification and to assumptions about the compiler, the hardware and the proof tools, so a flaw in the specification or beneath those assumptions lies outside what the proof covers)? Can the security of critical hardware be sufficiently verified ex post when “trust cannot be added to integrated circuits after fabrication”, as the US Defense Science Board concluded already back in 2005?

Germany has recently acknowledged the weakness even of IT devices for the most sensitive governmental uses, by delegating to the German Foreign Ministry, under the oversight of the BSI certification body, the task of building new secure communication devices for the most sensitive communications among ministries, which it plans to extend to diplomatic communications among Germany’s allies in a “Diplo Version”, and then to the private market.
Yet, while Germany has built great and solid credibility for its engineering and its commitment to democratic values – given recent history, the history of Crypto AG, and grave global anti-democratic trends and democratic instability – can and should its allies and the private market trust solutions without a completely transparent and international democratic process being involved?

Can leading democratic nations come together to find a win-win solution to these grave challenges, breaking out of the governance problem and regulatory stalemate by building new highly democratic and resilient transnational institutions to certify and govern critical human IT?