IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Black Hat Europe: ‘Failures in tech governance are eroding democracy’

Stanford University’s Marietje Schaake claims those in power ‘effectively condone’ attacks on democracy every day strong regulations aren’t introduced

Public and private sector bodies in charge of governing the use of technology in society are “effectively condoning” attacks on democracy, a leading expert on cyber security has said. 

Providing the opening keynote at Black Hat Europe 2021 on Wednesday, Marietje Schaake, international policy director at Stanford University’s Cyber Policy Centre, said the technology industry is witnessing an erosion of agency when it comes to dealing with cyber crime as a result of increasing dependence on the private sector.

The former MEP took aim at leading governments by claiming that placing governance and power in the hands of tech giants is essentially dismantling democratic principles and presents a serious challenge when it comes to assigning accountability for cyber abuses. 

It’s a problematic situation, Schaake argued, adding that new democratic principles are needed to guide how the technological backbone of world-leading nations are governed and secured. Simply having private companies creating and controlling the critical infrastructure that drives public services presents a problem for the democratic balance of power, she added.

The way governments have handled high-profile privacy and security incidents were also called into question by the security expert.

Schaake said democratic governments have “barely acted” in the wake of some of the most devastating attacks, and every day these governments allow violent actors to use intrusive technologies like malware and spyware, they “effectively condone” attacks on democracy.

“This is a very problematic situation,” she said. “Democratic governments have barely acted, even as companies - or militias of states - can now access the technologies that can be used against stated policy goals and democratic values.”

The UN expressed concern last week about the growing use of ‘cyber mercenaries' hired by states around the world to provide military and security services including data collection, intelligence, and surveillance.

One of the most prominent private sector firms that falls under this category is the NSO Group, the most notable achievement of which is arguably developing the devastating Pegasus spyware tool

Schaake pointed to democratic governments around the world that are purchasing these mercenary services and how the lack of transparency behind the outsourcing of offensive capabilities hinders public accountability. It also makes it more difficult for these nations to officially condemn the likes of NSO Group’s spyware and other similar systems elsewhere.

Related Resource

IT Pro 20/20: The future of IT infrastructure

Is UK net neutrality under threat and can using blockchain ruin your green credentials? Issue 22 of IT Pro 20/20 is out now

IT Pro 20/20: IT infrastructure in 2021 and beyondDOWNLOAD NOW

“Digitisation is blurring the lines between authoritarian states and democratic ones because, after all, when democratic governments are hiring the types of mercenaries we are discussing today - to go after suspected criminals or terrorists - they too are fostering the same businesses, their capacities, and their market share,” said Schaake. 

“And these companies can then use credible contracts and good references to gain ground in the very countries where the same products and services in a very different context are not used to go after criminals or terrorist suspects, but after journalists and peaceful critics of state authorities.”

Steps towards a revolution

The democratic processes currently used offer weaker transparency than we would normally expect in the analogue worlds, according to Schaake. She recommended an overhaul of the democratic process concerning technology, offering a number of suggestions that could help work towards a better relationship between Big Tech and governments that puts the needs of the people front and centre.

Stronger transparency and auditing requirements

Democratic governments should implement transparency requirements over topics such as product procurement and cyber attacks that have been discovered. As it stands, we have to rely too much on “courageous whistleblowers and effective journalists” to uncover these truths, she said.

Better standards for information sharing between private companies, intelligence services, and governments are needed to strengthen public knowledge and incident response.

Placing bans on the most harmful systems

Transparency would ensure people know what systems are used by local law enforcement agencies and what systems are sold to authoritarian regimes, but this won’t stop the market itself. Democratic governments must prevent firms from selling invasive and harmful tools to the highest bidder when that bidder is often an enemy.

When challenged on this, Schaake said while there is an argument against a total ban, something that could push the tools further into the black market and into the wrong hands, she thinks banning is still the way forward because, for a start, it would set the liberal democracies apart from those who don’t ban said systems.

“There are countries in the world that respect universal human rights, there are those that don’t. There are countries that have the death penalty. There are countries that don’t. It always has to start somewhere if you want to try to raise the bar,” she said.

We must provide better incentives to build more secure products

In a world where criminals get paid for carrying out attacks without being punished and software companies don’t face punishments for code issues that lead to breaches, more stringent consequences and clearer guidelines over what makes a piece of software secure need to be introduced.

Mandatory updates

Public sector institutions like hospitals and schools often lag behind in updating systems due to the time and expense incurred. It’s a difficult one to tackle when budgets are limited. For example, an extra nurse is always going to be hired when a hospital needs one rather than paying to replace an outdated piece of software. But this presents significant cyber security challenges in the process despite the priority on patient care.

Stricter procurement standards

Schaake said the overall technology procurement process should mirror that of the banking or financial services spaces. Both are heavily regulated to ensure no technical glitches or exploitable bugs can impact the institution’s, or their clients’, financial performance. Less stringent requirements are placed not the procurement of technology outside of these industries but this needs to change to ensure every piece of tech controlling critical infrastructure is safe, and civilians’ data is too.

Attracting the best talent

The industry needs to incentivise working in the public sector and building public interest technology if it wants to stop losing the best people to private firms which offer better compensation and access to resources, research tools, and more.

Democratic collaboration framework

Schaake said the industry doesn’t see enough action taken by international democracies and nations should lead on a coalition to strengthen international law to create new rules and guidelines for independent oversights. 

Such partnerships are essential in everything from punishing elusive hackers to successfully banning the sales of hacking technologies to authoritarian regimes, she argued.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download


Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
16 ways to speed up your laptop

16 ways to speed up your laptop

13 May 2022
How full-stack observability can accelerate IT innovation

How full-stack observability can accelerate IT innovation

3 May 2022