Monday, April 09, 2018

How modern democracies face destruction if they can't stop building digital Maginot Lines

The recent revelations in the media about the collection of personal information from up to 87 million Facebook users by Cambridge Analytica and its use to influence political outcomes (successful or not) should be sending chills down the spines of everyone involved in information security, privacy and governance.

That people's data can be appropriated and used to manipulate democratic processes is a clear threat to the basis of democracies around the world - and governments appear to be flailing on what to do about this.

Now certainly corporations, such as Facebook and Google, have both legislative and business reasons to protect personal data. It's their lifeblood for making profits and without a sufficient level of public trust to keep people using these services these companies would largely disappear overnight.

However, governments also have a responsibility to safeguard their citizens, and their own institutions, from external manipulations of their democratic systems - whether these come from foreign states, corporations or even particularly influential groups in society.

While Facebook is responsible for allowing a researcher to create an app that could suck down the personal data of many people, even without their consent, it may not have been illegal for Cambridge Analytica to do this (although their subsequent use of this data for electoral manipulation may have been), and while Facebook may be investigated for privacy breaches, the consequences to Facebook and Cambridge Analytica appear to be more social than official to date.

For me the spotlight is more on governments than the corporations involved. Laws exist to provide a legal basis for managing anti-social behaviour and power imbalances (such as between large organisations and individuals) such that the basic unit of the state, the individual citizen, has their personal rights protected and has clarity about their obligations as a citizen.

In this case governments did not have the laws and frameworks in place to detect, limit or even rapidly prosecute massive breaches of personal privacy or attacks on their own institutional validity.

Governments that cannot protect themselves or their citizens from external influences - whether these be physical or digital - do not remain governments for long.

I see the Cambridge Analytica scandals as another in a long series of examples of how modern democratic governments have failed to put appropriate mechanisms in place to protect citizens and themselves from modern threats.

Like the Maginot Line built by France in the 1930s, governments are investing in expensive, unwieldy and inflexible infrastructures for past threats. And, like the Maginot Line in 1940, these infrastructures have proven again and again that they fail in the face of modern agile opponents.

Thus far the reaction by governments has largely been to acknowledge failure, promise to do better and then return to investing in legacy infrastructure, attempting to modify it as cheaply and as little as possible to address modern threats.

From the cascading series of security breaches at scale, rising digital interference in western elections and undermining of democratic institutions - I think the evidence is clear that the strategy is failing.

So what are governments to do? How do they adapt their approaches to address a threat that can come at any time, through any channel and often targets civilian infrastructure rather than state-controlled infrastructure?

The first step is to recognise that their current approach is not working. The political and commercial opponents seeking to weaken, influence, manipulate and destroy western states do not limit themselves to playing by western rules.

The second step is to recognise that this isn't a problem that governments can solve alone. Protecting government infrastructure is pointless if power grids and financial sectors are manipulated or destroyed. If a hacker wants to shut down a government office it is often easier to cut their power or payroll than to attack the government's servers directly. In the longer term the public can be turned against a government through social media engagement using fake news and slanted reports.

The third step is to redefine what constitutes the state and what it values. Government is a tool used to govern a population. It is a component, but not the only, or even the most essential, one in defining a nation's character or values.

Then, we need to rebuild our thinking from first principles. What do we value, and what do we not value? What conduct is appropriate, and by whom? How do we protect freedoms for citizens while defining their responsibilities? How do we educate citizens to understand that they have an active ongoing role and responsibility to help maintain our freedoms - that their obligation doesn't stop at a ballot box every few years? How do we redefine the role of corporations and other organisations (including government agencies) as good organisational citizens in a society? What are their rights and obligations towards citizens, stakeholders and shareholders?

This doesn't mean turning western democracies into security states. In my view the growth of state security apparatuses is a poor solution, part of the Maginot Line of centralised control that is failing so badly to protect democracy from a swarm of diverse threats. Indeed, the idea of decentralising security in favour of emphasising personal responsibility through education is, in my view, the best course to protect our nations' values.

We need an inclusive approach, backed by sound principles and collective values, that preserves what is important to our societies and inoculates us from unwanted external influences.

Without this we will lose who we are in protecting what we want - turning us into authoritarian states, the mirror of our enemies.
