Black Hat Europe: ‘Failures in tech governance are eroding democracy’

[Image: the keynote stage lit up at Black Hat Europe 2021. Image credit: IT Pro]

Public and private sector bodies in charge of governing the use of technology in society are “effectively condoning” attacks on democracy, a leading expert on cyber security has said.

Providing the opening keynote at Black Hat Europe 2021 on Wednesday, Marietje Schaake, international policy director at Stanford University’s Cyber Policy Centre, said the technology industry is witnessing an erosion of agency when it comes to dealing with cyber crime as a result of increasing dependence on the private sector.

The former MEP took aim at leading governments by claiming that placing governance and power in the hands of tech giants is essentially dismantling democratic principles and presents a serious challenge when it comes to assigning accountability for cyber abuses.

It’s a problematic situation, Schaake argued, adding that new democratic principles are needed to guide how the technological backbone of world-leading nations is governed and secured. Simply having private companies create and control the critical infrastructure that drives public services presents a problem for the democratic balance of power, she added.

The way governments have handled high-profile privacy and security incidents was also called into question by the security expert.

Schaake said democratic governments have “barely acted” in the wake of some of the most devastating attacks, and every day these governments allow violent actors to use intrusive technologies like malware and spyware, they “effectively condone” attacks on democracy.

“This is a very problematic situation,” she said. “Democratic governments have barely acted, even as companies - or militias of states - can now access the technologies that can be used against stated policy goals and democratic values.”

The UN expressed concern last week about the growing use of ‘cyber mercenaries’ hired by states around the world to provide military and security services including data collection, intelligence, and surveillance.

One of the most prominent private sector firms that falls under this category is the NSO Group, the most notable achievement of which is arguably developing the devastating Pegasus spyware tool.

Schaake pointed to democratic governments around the world that are purchasing these mercenary services and how the lack of transparency behind the outsourcing of offensive capabilities hinders public accountability. It also makes it more difficult for these nations to officially condemn the likes of NSO Group’s spyware and other similar systems elsewhere.

“Digitisation is blurring the lines between authoritarian states and democratic ones because, after all, when democratic governments are hiring the types of mercenaries we are discussing today - to go after suspected criminals or terrorists - they too are fostering the same businesses, their capacities, and their market share,” said Schaake.

“And these companies can then use credible contracts and good references to gain ground in the very countries where the same products and services in a very different context are not used to go after criminals or terrorist suspects, but after journalists and peaceful critics of state authorities.”

Steps towards a revolution

The democratic processes currently used offer weaker transparency than we would normally expect in the analogue world, according to Schaake. She recommended an overhaul of the democratic process concerning technology, offering a number of suggestions that could help work towards a better relationship between Big Tech and governments, one that puts the needs of the people front and centre.

Stronger transparency and auditing requirements

Democratic governments should implement transparency requirements over topics such as product procurement and cyber attacks that have been discovered. As it stands, we have to rely too much on “courageous whistleblowers and effective journalists” to uncover these truths, she said.

Better standards for information sharing between private companies, intelligence services, and governments are needed to strengthen public knowledge and incident response.

Placing bans on the most harmful systems

Transparency would ensure people know what systems are used by local law enforcement agencies and what systems are sold to authoritarian regimes, but this won’t stop the market itself. Democratic governments must prevent firms from selling invasive and harmful tools to the highest bidder when that bidder is often an enemy.

When challenged on this, Schaake said while there is an argument against a total ban, something that could push the tools further into the black market and into the wrong hands, she thinks banning is still the way forward because, for a start, it would set the liberal democracies apart from those who don’t ban said systems.

“There are countries in the world that respect universal human rights, there are those that don’t. There are countries that have the death penalty. There are countries that don’t. It always has to start somewhere if you want to try to raise the bar,” she said.

We must provide better incentives to build more secure products

In a world where criminals get paid for carrying out attacks without being punished and software companies don’t face punishments for code issues that lead to breaches, more stringent consequences and clearer guidelines over what makes a piece of software secure need to be introduced.

Mandatory updates

Public sector institutions like hospitals and schools often lag behind in updating systems due to the time and expense incurred. It’s a difficult one to tackle when budgets are limited. For example, an extra nurse is always going to be hired when a hospital needs one rather than paying to replace an outdated piece of software. But this presents significant cyber security challenges in the process despite the priority on patient care.

Stricter procurement standards

Schaake said the overall technology procurement process should mirror that of the banking or financial services sectors. Both are heavily regulated to ensure no technical glitches or exploitable bugs can affect the institution’s, or its clients’, financial performance. Less stringent requirements are placed on the procurement of technology outside of these industries, but this needs to change to ensure every piece of technology controlling critical infrastructure is safe, and civilians’ data is too.

Attracting the best talent

The industry needs to incentivise working in the public sector and building public interest technology if it wants to stop losing the best people to private firms which offer better compensation and access to resources, research tools, and more.

Democratic collaboration framework

Schaake said the industry doesn’t see enough action taken by international democracies, and that nations should lead a coalition to strengthen international law and create new rules and guidelines for independent oversight.

Such partnerships are essential in everything from punishing elusive hackers to successfully banning the sales of hacking technologies to authoritarian regimes, she argued.

Connor Jones
News and Analysis Editor