Better incentives to build secure products needed, former MEP tells conference

Former MEP Marietje Schaake opened the Black Hat Europe conference with a call for tighter restriction on the sales of surveillance software

Tighter restrictions against digital weapons and a reframing of the economics of cybersecurity are needed to stop the erosion of democratic institutions and values, delegates at Black Hat Europe heard today (November 10).

Marietje Schaake, international policy director at Stanford University’s Cyber Policy Center, warned that the way the digital infrastructure currently operates is eroding democratic principles in ways that and leave us vulnerable to cyber-attacks.

During her keynote addresses – entitled Securing the public, who is in charge? – the former Member of European Parliament (MEP) argued that democratic principles should lead the governance of security.

Digital warfare

The US government applied sanctions to NSO Group at the start of November after deciding that sales of its controversial Pegasus spyware ran contrary to US national security or foreign policy interests.

The move will make it harder for US security researchers to sell vulnerabilities to NSO Group, whose surveillance tools have been used against journalists and human rights activists.

But NSO Group and other sanctioned companies are far from an isolated case, according to Schaake, who criticized the rise of what she described as “mercenaries in cyberspace”.

Read more of the latest news and updates from Black Hat

“Intrusive tools are no longer in the hands of NSA [alone]… There’s a growing market of intrusion-as-a-service and targeted surveillance,” Schaake said.

The politician-turned-academic warned that these technologies were undermining press freedom, privacy, freedom of assembly, and other human rights.

Despite this, “democratic governments have barely acted” according to Schaake, who criticized European tech firms for selling to repressive regimes in Tunisia and Egypt during the Arab Spring uprisings of 2010-11.

EU export control laws were recently tightened up but these “watered down” provisions do not nearly go far enough not least but they do little to restrict imports. “There’s a lack of openness about the outsourcing of surveillance capabilities,” according to Schaake.

Marietje Schaake is the international policy director at Stanford University's Cyber Policy CenterMarietje Schaake is the international policy director at Stanford University's Cyber Policy Center

Securing the supply chain

While accepting that software can never be secure, the risks need to be more effectively mitigated to deal with the growing threat posed by zero-day vulnerabilities and software supply chain attacks.

“Ransomware attacks [are] like a pandemic of their own,” she added.

US gas supplier Colonial Pipeline, a recent, high-profile victim of a ransomware attack, may be able to claim a subsequent ransomware payment is tax deductible, a rule that could act to effectively incentivize payments to cybercriminals and fuel a growing problem, Schaake argued.

This could leave cybercriminals are other attackers in positions of power, though “not even the best functioning responsible disclosure programs have not tilted that scale”, according to Schaake.

While accepting that there are “no easy answers”, the director concluded her talk by offering a seven-step action program towards improving cybersecurity. Shaake said that government should:

  1. Apply stronger transparency requirements and improve information sharing to strengthen incident response
  2. Ban the worst systems – at minimum, “Pegasus should not be accessible to human rights abusers”
  3. Introduce stronger incentives to build more secure software through best practice guides and negligence rules
  4. Make firms update outdated systems by better patching and improved authentication controls
  5. Make security a requirement for winning government software contracts
  6. Introduce changes to make the public sector a more attractive place to work
  7. And improve cross-border collaboration.

Schaake concluded the keynote presentation with an appeal to the community to both help build and advocate for more secure products and services.

YOU MAY ALSO LIKE Two charged with deploying REvil ransomware attacks, targeting US gov't and businesses