From Crypto AG to cyber democracy, liberty and peace
A case for leading nations to participate in the creation of a new Swiss-based democratic transnational governance body that can certify IT systems for both utmost security and legitimate lawful access.
_____________________________________________________________________________________
The market for critical vulnerabilities in IT systems and their exploits is exploding into a hybrid Cyber Cold War, heating up in an obscure mess of nations, their private proxies, and hackers of all kinds.
For decades, nations have invested billions every year to discover, purchase, and insert vulnerabilities at birth in all IT and standards, just in case access may be needed for such systems. They had and have no other choice, to defend against criminals and adversary nations.
It is an accelerating spiral running out of control that is fast eroding trust and accountability within and between nations, just as humanity is faced with unprecedented global challenges.
Any prospects for accountability for irresponsible cyber behavior, or enforceable cyber treaties, are proving to be a pipe dream because the attribution and impact assessment of the most sophisticated hacks are nearly impossible to ascertain or prove - given how complex and broken-by-design even critical ITs are, and how sophisticated and persistent some attackers are.
Through their Crypto AG project, the CIA and its German equivalent provided further proof that IT can be made ultra-secure, i.e., resisting even the most powerful attackers at relatively moderate R&D costs. They also proved that 3rd-party access to encrypted data and communications - solely for such ultra-secure IT systems - can be reliably restricted to intended parties - contradicting widely shared ideas about the impossibility in all cases of a secure-enough "front-door."
For years, this arrangement among western allies and similar ones played a crucial role in enabling a more democratic geopolitical bloc to prevail over a lesser one.
Can we learn from that experience to build such ultra-secure IT systems and make them available in an affordable and user-friendly way to all law-abiding citizens and private organizations?
Can their model be changed so that both their security levels and their “front-door” mechanisms are specified and certified not surreptitiously by two intelligence agencies, but in a transparent, democratic, international, and multilateral way, to radically mitigate its potential abuse both by users to commit crimes and by nations for illegitimate spying?
Could we replace the hidden role of those intelligence agencies with a new ultra-resilient international democratic IT security certification body for human communications, operating across more neutral countries and within existing national and international laws?
Such a body would enact time-proven and novel extreme socio-technical safeguards - down to the hardware fabrication - to ensure both ultra-high levels of user security and privacy AND the resilience of a procedural in-person "front-door" mechanism - involving highly resilient and representative international judges and citizen-jury processes.
Such a body will commit to evaluating cyber-investigation requests submitted by participating nations in return for their binding commitment to disclose to that body, and only that body, the vulnerabilities they find in those systems.
Key benefits for participating nations would be to foster the availability of much more trustworthy ITs for their most sensitive systems, public and private, while retaining their ability to access them when there is a legitimate need or mandate.
Participating nations would also equip their politicians, journalists, activists, and elected officials with the utmost protection against all attackers, foreign and domestic, to protect national sovereignty and democracy.
Participating nations could eventually extend those certifications as preferred or mandatory for the critical subsystems of the most sensitive public and private systems - such as election systems, critical infrastructure and dominant social media platforms - to further protect democracy and national security.
Since those certifications will not only ensure much higher security, but also embed “by design” requirements to achieve very high forensic-friendliness, participating nations would also ensure a much improved and internationally-recognized cyber attribution capability for eventual hacks to such critical systems.
As an additional benefit, in the longer term - as the number of participating nations increases and more of their critical systems are certified to such standards - those nations would realistically be able to engage in enforceable cyber treaties and/or in fair and responsible retribution for grave violations of international norms.
Yes, under this scheme, powerful participating nations would lose their arbitrary ability to hack into such IT systems. Yet, arguably, their cyber-investigation capability would overall improve because cyber-investigation requests by participating nations for such IT systems would be assured to produce, in a timely manner, the data of a legitimate suspect or criminal, and produce evidence that is much more attributable, and likely to stand as valid evidence in the highest courts. Requests could be processed within 1-2 hours, in urgent cases.
The Trustless Computing Association will be finalizing the governance and principles and establishing such a body next June 24th in Geneva with its 8th Edition of the Free and Safe in Cyberspace conference series.
A longer case for nations to join the TCCB governance, with more details of the benefits, is available in this recent long post, titled “Why building a new democratic digital media platform is key to protect and enhance our democracies, and how we can do it.”
A deeper analysis of why such a body would increase both privacy and legitimate lawful access is detailed in this other long post, titled “Calls for lawful access mechanisms, the need for much better IT security, and the Trustless Computing Certification Body initiative”.
For details of the TCCB initiative, see the meta web page at Trustless Computing Certification Body, and follow the links to its TCCB Paradigms, TCCB Cloud and TCCB Fab processes, and its all-important TCCB governance. For more background details and a detailed academic case, see our publication and research sections.
Author: Rufo Guerreschi is the founder and executive director of the Trustless Computing Association, and CEO of its spin-off startup TRUSTLESS.AI, leading coordinators of the Trustless Computing Certification Body initiative.