Drawing of a woman panicking at reading online news © GoodStudio/Shutterstock

In Italy, similarly to other European countries, there is basically no structured initiative aimed at increasing the cybersecurity of the key actors of our democratic system. New measures are needed that do not entail increasing dependence on a small number of tech companies: cybersecurity in politics cannot exist independently of politics.

10/12/2020 -  Giorgio Comai

In the business sector, there is a common understanding that good cybersecurity practices should be based on a cost/benefit analysis. Under most circumstances, this is a sensible approach, yet without some incentives to ensure better practices it can be problematic in a number of contexts. As highlighted by scholars in reference to cybersecurity, “standing at the ready for low-probability/high-consequence events can rarely be justified in market terms” (source). This is not specific to cybersecurity, and it is the reason why regulations mandate that individuals, enterprises, and public authorities stick to a given set of security or quality standards across a number of sectors. In Europe, regulation specifically targeting cybersecurity is still rather limited, and so far the development of a privacy protection framework both at national and European level has instead played a stronger role in pushing for better cybersecurity practices.

More widespread awareness about the risks posed by cyber vulnerabilities would be useful to contain disproportionate concerns, increase understanding of more common risks, and promote proportionate responses at all levels. Such guidance is particularly important in the case of cybersecurity, which in many domains can still be characterised as an “uncertain risk”: data that would enable accurate risk estimation are often scarce and difficult to understand for non-professionals.

Finally, similarly to what happens in other contexts, public perception of the threat is often associated with distant malevolent actors. Yet the increasing use of stalkerware, the role of digitally-mediated information in abusive relationships, and concerning practices such as image-based sexual abuse (commonly, if inappropriately, referred to as “revenge porn”) or cyber-bullying may well be more pressing concerns for many individuals.

Context matters

This brief introduction outlines a key issue at the core of any cybersecurity strategy and policy: cybersecurity concerns and responses vary significantly depending on context and the actors involved – in brief, the threat model. Defining one’s threat model and assessing its implications requires time and skills, or the resources to hire them: in a country such as Italy, where small and medium enterprises make up a considerable part of the economy, cybersecurity risk assessments seem to be beyond reach for most companies. Such considerations, however, are likely not even on the radar for most NGOs and non-profits, and apparently have not been given adequate consideration even by Italy’s big political parties.

Should there be incentives to conduct such risk assessments and improve practices?

Increasing concerns about cybersecurity at policy level have led to the introduction of important policy measures aimed at protecting critical infrastructure and public authorities in a number of countries: in Italy, this is the “perimetro di sicurezza cibernetica” ("cybersecurity perimeter", introduced in late 2019 and not yet fully implemented). Besides, current obligations to ensure the privacy of customers have pushed some companies that are outside the scope of this legislation to take cybersecurity more seriously: further incentives to increase awareness among businesses of all sizes would likely be in the public interest.

However, beyond critical infrastructures and businesses, there are other fundamental components of what makes Italy a democracy, and they are structurally left out of such initiatives. Political parties, NGOs, activists, and journalists are central to democratic processes, and have proved to be vulnerable to cyber attacks. Their threat model and their capacity to mitigate cyber vulnerabilities differ substantially from enterprises'.

Political parties are a high-risk target: limited resources, decentralised structure, and a wide range of actors that may be interested in gaining access to their internal communication and documents, from foreign security services to domestic hacktivists.

NGOs, community organisers, and activists in social movements sometimes struggle in combining their efforts to expand their network and develop new forms of interaction, while ensuring privacy and private communications when needed.

Journalists, and in particular investigative reporters, need to keep high cybersecurity standards as they work on powerful actors and figures, and may have access to highly confidential information. Being public figures, they also have to confront the thin line between online violence and offline threats.

In brief, given the prevalence of digitally-mediated communication, and the ubiquity of digital devices, cybersecurity is a matter of concern well beyond public services, critical infrastructure, and businesses: central actors of contemporary democracies such as those listed above are often left out of ongoing efforts to improve cybersecurity standards in Western democracies.

Provide incentives and assistance to political organisations

The EU Agency for Cybersecurity has three recommendations on this:

  • a legal obligation should be put in place requiring political organisations to deploy a high level of cybersecurity in their systems, processes, and infrastructures;
  • the cybersecurity expertise of the state should be used to assist political practitioners in securing their data and communications;
  • political parties should have an incident response plan in place to address and counter the scenario of data leaks and other potential cyberattacks.

These all seem to be relevant and valid, and thus a useful starting point for a substantive policy-oriented conversation. Each of these points, however, raises additional issues:

  • while it seems sensible that political organisations and official campaigns should be nudged towards better cybersecurity standards, additional requirements for political parties may come with the peril of disincentivising the registration of new political formations (as well as the risk of further abuses in less democratic contexts) – new requirements should instead come with incentives, including additional resources;
  • state authorities should provide their services to political organisations through training, early warning systems, and, in some cases, even direct assistance; however, security services should under most circumstances keep their distance and refrain from using provisions on cybersecurity of political organisations as a way to potentially gain access to their communication. Given the structural suspicion around security services in some countries, it is advisable to provide such support through departments that are less likely to be perceived as politicised (e.g. the data protection authority, or some other technical department);
  • finally, political parties should not only have an incident response plan, but also pledge to tell the truth about what happened rather than spread inaccurate information in order to sow doubt about whatever comes out of the hack. Indeed, the GDPR now mandates a degree of transparency when private data are hacked; pretending that nothing (or almost nothing) happened, e.g. as Lega has done after it was hacked in 2018, would not be possible under current legislation. Political parties should appreciate that being as transparent as possible about what happened, and detailing the measures taken in the aftermath of the event, is the most sensible way to maintain trust.

Support open source alternatives

The Cybersecurity Campaign Playbook published by the Belfer Center for Science and International Affairs, Harvard Kennedy School in 2017 remains perhaps the most accessible and comprehensive starting point with practical advice on cybersecurity for political campaigns. It is filled with excellent advice, yet some of it may be unpalatable to political organisations, in particular their explicit advice to rely on established cloud providers such as Google and Microsoft (both of which provide additional security options for political campaigns). As a rule of thumb, their argument that such services “will be much more secure than anything you can set up” may well be mostly accurate, but cybersecurity is not the only (nor the main) priority for political campaigners: being consistent in their choices may be no less important. Relying on U.S. based tech giants may be unpalatable for political organisations of different persuasions, and create an unhealthy dependence on a small number of foreign private companies, something which is inherently problematic also for public authorities, as highlighted for example in a report commissioned by the German government. The share of desktop computers that rely on the operating system and software packages provided by a single U.S. based software vendor in public institutions is clear evidence of over-reliance on a quasi-monopolist. As institutions and organisations move to cloud services, they again mostly rely on one among an extremely limited pool of U.S. based companies, as has appeared most apparently in 2020 due to the ongoing pandemic. Ensuring that secure alternatives are available should therefore be part of the wider conversation on cybersecurity and pluralism, particularly in support of civil society actors that cannot otherwise be easily protected via a targeted policy.

This line of thinking may be contentious in terms of cybersecurity, as in the short-term alternatives may be less secure than the services provided e.g. by Google (again, depending on your threat model). This is one more reason why we insist on raising this issue in the context of debates on cybersecurity for political campaigns: cybersecurity in politics cannot exist independently of politics.

Given the prevalent dynamics in Silicon Valley, open alternatives are unlikely to emerge independently. Accepting the current state of affairs because there are no alternatives is a self-defeating argument: alternatives need to be built, promoted, and supported. The European Union’s own “Open source software strategy 2020-2023” sets ambitious objectives for progressing towards digital autonomy for Europe, but contains few concrete provisions to actually enable such progress. Realistically, without bold action, the dependence on a small number of big corporations will only keep increasing.

Support open source libraries

When talking about cybersecurity, a lot of the conversation is related to inadequate password management or other poor security practices by individuals or companies. However, a number of cybersecurity vulnerabilities exist much lower in the software stack: if there is a vulnerability that can be exploited in a library or protocol used by millions of servers that run the services we all use, having good passwords and cybersecurity hygiene may not help much. There are pieces of software and computer libraries that – knowingly or not – all of us regularly use, as they form part of core components used in the servers that power the Internet as we know it, allow widespread software to function as expected (e.g. media players), or are part of the operating systems that power our mobile devices. Vulnerabilities in these libraries have emerged in the past, in some instances impacting a large part of the Internet, and will definitely emerge in the future. This is due to a combination of factors, but part of it is that many of the pieces at the core of widespread technologies are significantly underfunded, with few resources dedicated to maintenance and security audits. Initiatives such as the European Union’s FOSSA address this issue, but remain only a drop in the bucket. Authorities who rely on these pieces of software, which are for all intents and purposes public goods, should sponsor such initiatives more generously.

The big issue

Cybersecurity is not only a technical matter, but inevitably part of a broader social and political conversation. Efforts targeting specific actors central to our democracies or approaching technical issues should happen on top of awareness campaigns and trainings widely and freely offered by governments. On the section of its website dedicated to combating foreign influence, the FBI promotes its own cybersecurity initiative, Protected Voices (“The FBI’s Protected Voices initiative provides tools and resources to political campaigns, companies, and individuals to protect against online foreign influence operations and cybersecurity threats.”); given the reputation of invasive surveillance that the U.S. security apparatus has earned itself, looking at it unironically may not be easy, but it remains a commendable initiative. The UK’s National Cyber Security Centre offers information materials on cybersecurity for various types of organisations and has education initiatives for school children and teenagers.

Given the pervasiveness of digital tools and technologies, cybersecurity awareness initiatives targeting all age groups should be promoted. Individuals that may be particularly exposed but would not be covered by other initiatives mentioned above, such as journalists, should be offered additional trainings and resources. There is a need for a broader, more politically aware cybersecurity strategy that goes beyond critical infrastructure and technical matters.

 

This publication has been produced within the project ESVEI, supported in part by a grant from the Foundation Open Society Institute in cooperation with the OSIFE of the Open Society Foundations. The contents of this publication are the sole responsibility of Osservatorio Balcani e Caucaso Transeuropa.