No Accountability Without Liability
An Initiative by
International Policy Director, Stanford University Cyber Policy Center
At the White House cybersecurity summit in August 2021, US President Joe Biden made a revealing acknowledgement: most critical infrastructure is now in the hands of private companies. This dramatic reality evolved almost unnoticed over the past decades and has accelerated during the Covid-19 pandemic. The combination of unprecedented dependence on technology and new methods of cyberattack has made systemic cyber vulnerability an urgent problem.
Software is used everywhere: in personal devices; in cars, factories and universities; in agriculture, business and government. Most people blindly trust that data and infrastructure are protected. Unfortunately, often they are not.
The entry point for attackers is almost always a software weakness. The US software company SolarWinds was the subject of an extensive cyberattack in 2020, in which a compromised software update gave attackers access to the networks of its customers, Microsoft among them. Only because of the publicity around the attack did the public realise that SolarWinds' products were embedded in the systems of thousands of organisations, and that even the largest companies could not protect their systems. This shows that awareness of the interwoven nature of technologies, and of how little security they offer, is too limited, and that responses generally come after harm has been inflicted. We need to shore up prevention.
Faced with growing damage from cyberattacks, President Biden looked to Silicon Valley for solutions. The tech giants gladly offered to invest billions and promised to help governmental organisations. But such moves will only exacerbate the imbalance between private and public interests. They will not empower public authorities or raise public awareness of how technologies work and the dangers involved in using them. The risk is even more dependence on for-profit companies whose goals and responsibilities are not anchored in democratic principles.
Yes, the criminals and intelligence services that access people’s devices stealthily, or wreak havoc by attacking hospitals, are the bad actors. But it is now almost a cliché to say that software will never be hackproof. Holding companies liable for the products they make is a logical step towards greater security.
Governments worldwide will spend hundreds of billions of dollars on IT this year. They can leverage the power of the public purse. Here are five key steps towards encouraging greater responsibility in technology companies.
- Develop stronger auditing and transparency requirements
Clarity and transparency in the relationship between governments and private companies are needed. It is an open secret that governments hire mercenaries to do illegal jobs for them. We have seen private armies without sufficient oversight, such as Blackwater, operating with great power and little accountability. Now similar companies populate the digital battlefield as well.
Intelligence-grade capabilities are sold to whoever can afford them. The investigative journalism initiative the Pegasus Project revealed a proliferation of systems marketed for countering terrorism and crime that end up being used to target journalists, dissidents and civilians.
While intelligence services and other government authorities are often scrutinised strictly when they develop or use offensive capabilities, the same cannot be said for private companies. When exactly does 'cybersecurity' bleed into 'cyberoperations'?
In banking, procurement processes often require bidders, suppliers and contractors to grant the right to inspect accounts, records and general audits. Similar requirements for technology companies providing offensive and defensive software make sense.
- Ban the most harmful systems
A recent ban on stalkerware company SpyFone will hopefully open the door to banning other highly invasive systems that violate people’s rights by design. Edward Snowden offers a useful analogy when he reminds us that there is no market for biological weapons for good reason. While other sectors have been regulated in the interests of public safety, fairness or human rights, spyware and ransomware providers often operate unconstrained by public or regulatory scrutiny.
- Create incentives to build safer products
How do you make crime costlier for criminals, and defence less onerous for public institutions? Tech companies that build software and hardware lack commercial incentives to prioritise safety in their product designs. They are rarely responsible for the costs of a breach, and so often get away with selling inadequate and fallible systems. In countries where insurance covers cyberattacks, it is easier to pay the criminals than to invest in good security measures. In the United States, there are even tax incentives for ransom payments. The cost equation needs to be reversed by no longer rewarding ransomware gangs, adopting clear security standards and increasing the sanctions for corporate negligence.
- Update legacy systems and patching obligations
Public institutions typically lack the resources and licensing rights to upgrade operating systems and software, let alone remedy vulnerabilities in existing systems. This makes them easy targets: cyberattacks exploit weaknesses in unpatched systems. Outdated hardware and software often cannot support best-practice security measures such as multi-factor authentication and encrypted communication channels. When such systems are used in public institutions, such as hospitals, schools or local governments, the risks are obvious.
We should consider requirements for companies to upgrade outdated systems that pose a national security risk, or taxing technology companies to fund security solutions to mitigate risks for which there is no commercial incentive.
The costs from poorly protected commercially made hardware and software should not weigh solely on the public.
- Collaborate with like-minded states
When it comes to international agreements on accountability, private companies are comfortably waiting out the arduous process of negotiations. Unfortunately, in today’s polarised world, global agreement on the application of international law is unlikely. Democratic countries should therefore seize the initiative and forge new coalitions. They should not only share information and work to strengthen international law, but also develop rules, guidelines and protocols to ensure oversight of the private sector.
In July 2021, Edward Snowden wrote, ‘The greatest danger to national security has become the companies that claim to protect it.’ He is right. Tech companies are currently on the frontlines of safeguarding the homeland, and they must do better. Liability and accountability are two sides of the same coin, and they both deserve more attention if we are to get ahead of criminals and states making a battlefield out of the internet and of weak devices.