Ukraine: an Informational and Propaganda War heating up out of control, and how we can foster a fair global digital dialogue instead.

In this long post, in light of the invasion of Ukraine, we analyse the root causes of why the current digital communications and dialogue infrastructure within and across nations - and at all levels of society - leads to disinformation, distrust, and division. We then describe how an initiative led by larger EU nations, but open to all nations, could fill that critical gap.


As the war in Ukraine rages on, we all moved to the Internet to try to make sense of it.

After weeks of digging through it, like many others, I came to realize even more that even my favorite media and even Wikipedia - while much better than the dictatorial propaganda machine on the other side - are full of fundamental biases, omissions, distortions, partial accounts, and outright falsehoods.

These are fomenting deep artificial divisions, contestations, and escalations in language and actions - at all levels of society, including its leaders - fueling an intense Propaganda War that is becoming the main factor in alarmingly raising the risk of Nuclear War among great powers.

Only after Putin invaded Ukraine last February 24th did most people learn that a war had already been ongoing since 2014 in the eastern region of Donbas, one that had claimed 13,000 deaths.

The killings and battling started in 2014, after a “regime change” in Ukraine, the third since the fall of the Berlin Wall, which was and remains heavily contested. Was it a pristine democratic revolution, an uprising, a coup, or a mix of those and more?

Divisions on what happened grew over time instead of shrinking, amidst insufficiently neutral and exhaustive judicial and media investigations, and intense propaganda and psychological operations on both sides.

No wonder peaceful dialogue within and across nations is not possible! How can it be possible when current media systems do not allow reasonable open persons to agree on even some basic facts?

How can we have a constructive dialogue to agree on basic facts, let alone find a middle ground, when citizens are forced into dominant social media systems that are designed to divide us, manipulate us, anger us, and close us in filter bubbles - and when leaders and civil society on both sides have been prevented from meeting in person by two years of covid, and lack the interoperable digital means that can foster a fair, effective and confidential dialogue?

The Weaponization of Digital Media Systems

By the year 2000, it was a widely held opinion that digital media systems were surely going to make us more knowledgeable, wiser, and bring us closer in one happy global village. They just had to be made more widely available.

As exemplified by the US Capitol Attack and the Invasion of Ukraine, the contrary has happened. While economic development and entertainment opportunities increased, we’ve seen an overall increase in disinformation, division, and conflict, within and across nations, among state leaders and ordinary citizens. As a result, we’ve seen a decisive regression of liberties and democracy worldwide, at a time when it is urgent that nations come together in a critical mass to agree on enforceable commitments to tackle global challenges.

The truth is that, since WW2 - and ever more in the last two decades - digital media systems have been weaponised by nations in order to foster Informational Superiority, spying on other nations’ most sensitive communications while protecting their own, and Propaganda Superiority, to prevail in influencing public opinion inside and outside their borders with their own version of facts, however biased, partial, unbalanced or outright false.

An Informational Cold War

During WW2, with the rise of mass media and encryption machines, the Allies’ better propaganda and their ability to intercept German secret communications became key factors in their victory.

Given such success, at the onset of the Cold War, the main focus of the great powers became extending control over their editorial power and over the (in)security of digital communications, media, and social networks, for both citizens and diplomats - while also propping up closer factions and parties in third countries with money, intelligence and weapons.

On the diplomatic front, Germany and the US used their hidden ownership of the Swiss company Crypto AG to establish a standard for the internal and external communications of many dozens of non-aligned countries, also through network effects. On the propaganda side, the US cultural industry, appealing social model and economic development gave them a boost vis-a-vis the Soviet Union.

An Informational Post-Cold War

Since the end of the Cold War, and the Internet Boom, a handful of US firms have acquired dominance and semi-monopolies in internet switches, app stores and operating systems, social networks, and mainstream secure mobile devices, like the iPhone.

This control has enabled the US to determine the private and governmental policies governing the dominant private digital messaging apps and social networks - even supposedly neutral ones such as Wikipedia - and to weaken the security and privacy of all IT and all IT standards with plausible deniability, at all levels of the stack and throughout the entire supply chain, to foster its informational superiority.

On the positive side, this control brought to the US, and its allies, an astounding informational and propaganda superiority against authoritarian regimes, criminals, and terrorists. It has also fostered advances in freedom of speech and freedom of assembly in democratic and authoritarian countries.

On the negative side, the choice by the US, and indirectly its allies, to retain such control via the weakening of the security of mainstream IT devices, apps, and social networks - rather than via formal, controlled, transparent, and democratic processes - has produced huge abuses and huge collateral damage.

It resulted in the empowerment of one set of unaccountable entities to deeply manipulate the majority in order to push onto them their products, candidates, opinions, and “alternative facts” - including Putin’s Russia, US anti-democratic forces, and the US government - and of another set of unaccountable entities to deeply spy on and control global civil society and elites, like journalists, elected officials, activists, and business leaders, by continuously and undetectably spying on them or their close associates.

The result is that both citizens and diplomats are unable to agree on basic truths about important historical and current facts - and unaccountable entities push biased and false versions of reality, leading to failures of democracies and to war.

A digital infrastructure for fair global dialogue and understanding

Therefore, an interoperable digital infrastructure is needed that enables a global dialogue fostering the emergence and approximation of truth about relevant facts and events, a fair and effective dialogue around those facts and ways to resolve disagreements, and the co-drafting of plans to cooperate and coordinate in solving disagreements and global challenges.

Any global dialogue will have to start from building a shared basis of facts. Wikipedia has much that can be learned from, though it suffers from a severe lack of neutrality and global representativity: most contributors and editors are from very niche demographics; anonymity enables abuses by disguised corporate and nation-state operatives; high-level governance is in the hands of a US entity with much US private funding. Such a “new Wikipedia” would be open to editing by nation-state employees with a disclosed profile, like diplomats and journalists from state media organizations. Each page, say “War in Donbass”, would have a version maintained by each nation state, a “shared inter-national” version, and one by any strongly authenticated third party. Each statement would need to have references.

In addition to open public discussion, democratic and constructive discussion also requires the off-the-record and ephemeral equivalent of hallway, back-room, and lunch meetings, where confidential dialogues can take place. Such tools will need to provide sufficient security levels for the authenticity, confidentiality and pseudonymity of communications - while ensuring legitimate lawful access - as well as enable effective, confidential deliberative discourse within nations and across nations.

Problems with Current Systems

Apps on mainstream client devices cannot provide the required security levels. While specialized ad-hoc solutions like the famous Red Phone for secure communication are in place between heads of state of great powers, and soon, finally, also between the USA and China, secure client devices are available to top diplomats and governmental officials for communications within and across nations.

Yet, these solutions are limited in interoperability to a given geopolitical alliance, such as NATO or the EU. Also, both their security against spying - and the security of the necessary mechanisms for internal legitimate lawful interception - are built according to standards and certifications that are not fully transparent and comprehensive, that are developed mostly by one nation in a not fully transparent way, and so are not trusted by third nations and nations of third alliances, and are often doubted even by members of the same alliance.

In fact, such communication infrastructures, even those certified by EU and NATO countries for their highest levels of secrecy, still do not ensure the levels of actual and perceived trustworthiness that would be necessary and achievable to sufficiently mitigate both the risk of spying on such communications and the risk of being unable to intercept them when legitimately authorised to do so.

Unverified upfront trust should be eliminated, by moving from a “trust but verify” to a “trust or verify” approach.

Can Germany and a few EU nations lead the way?

Can we take inspiration from Crypto AG?

During the Cold War, and beyond, the company Crypto AG - based in neutral Switzerland and owned by a Liechtenstein holding - became recognized as the world leader in making encrypted communication devices for the most sensitive diplomatic, military, and intelligence communications.

It quickly became a standard for all nations except those in the Warsaw Pact or aligned with the USSR. Over 130 nations used it to varying degrees, making it a de-facto standard.

The security and wide adoption of such devices greatly aided the effectiveness and bandwidth of global dialogue, understanding, and information sharing. Whereas previously diplomats and heads of state had to rely only on travel for in-person meetings and on emissaries to communicate, negotiate and exchange information, they could now complement that with instant text and voice communications.

Network effects and lack of interoperability with other similar devices made Crypto AG devices indispensable to have and to use, even when more and more nations started doubting whether some powerful nations might be listening in.

In fact, on Feb 13th, 2020, highly detailed reports and leaks surfaced that showed how the company had been extensively influenced by and then owned by the CIA and its German equivalent, the BND, since 1970, and then from 1992 till 2018 by the CIA only, which were able for decades to intercept and decode nearly every single communication that passed through those devices.

On one side, such an operation arguably had a huge positive impact on the end of the Cold War, enabling a geopolitical block to prevail over a less democratic one. On the other, it was also a huge breach of faith, deception, and breach of sovereignty suffered by so many nations.

How can this operation be of inspiration for what we propose?

First, the Crypto AG operation provided further proof that IT can be made resistant to even the most powerful attackers at relatively moderate R&D costs, and at very low marginal costs per device, as can be inferred from the employee count and revenue numbers of the company.

Secondly, it also arguably demonstrated that 3rd-party access to encrypted data and communications, for ultra-secure IT systems, can be reliably restricted to intended parties - contradicting widely shared ideas about the impossibility in all cases of a secure-enough "front-door", as cogently argued by top US/UK IT security experts and activists, possibly blinded by a technically and politically unrealistic libertarian zeal and ideological stance.

Can we learn from the Crypto AG experience to build such ultra-secure IT systems and make them available in an affordable and user-friendly way to all law-abiding citizens and private organizations?

Can their model be changed so that both their security levels and their “front-door” mechanisms are specified and certified not surreptitiously by two intelligence agencies, but in a transparent, democratic, international, and multilateral way, to radically mitigate their potential abuse both by users to commit crimes and by nations for illegitimate spying?

Could we replace the hidden role of those intelligence agencies with a new ultra-resilient international democratic IT security standards-setting certification body for human communications, operating across more neutral countries and within existing national and international laws?

Such a body would enact time-proven and novel extreme socio-technical safeguards - down to the hardware fabrication - to ensure both ultra-high levels of user security and privacy AND the resilience of a procedural in-person "front-door" mechanism - involving highly resilient and representative international judges and citizen-jury processes.

Such a body will commit to evaluating cyber-investigation requests submitted by participating nations in return for their binding commitment to disclose to such body, and only such body, the vulnerabilities they find in those systems.

App-based Security for German elected officials and citizens

It was revealed last month that Wire App, an open-source end-to-end encrypted secure messaging app, was used as the de-facto standard for mobile communications in securing the coalition government negotiations, and was also endorsed by the German IT security standardisation body, BSI.

It is one of the world's leading open-source end-to-end encrypted secure messaging apps. As opposed to its competitor Signal, and similarly to its Swiss competitor Threema, it provides server-side management and logging for enterprise and governmental control, compliance and lawful access, to ensure both security and accountability.

Its public security track record and history are, however, significantly less solid and clear than Signal's. Concerns have emerged in the past from known external security reviews. Its claim to security does not come from adherence to some high-level security standards, but mainly from its being open source, being suggested by BSI, and being moderately adopted in the market, especially in Germany. Originally based in Zug, Switzerland, the same city as Crypto AG, its development moved to the US, and over the last few years mostly to Berlin. Meanwhile, over the years, ownership moved from Zug to the US and then to Germany in 2020. Ownership and funding are also hard to understand.

Nevertheless, Wire App - similarly to Threema and Signal - seems to be a very solid open-source basis for Germany to build sovereign app-based IT for its institutions, politicians, and citizens, if supported by suitable certifications for such IT that are deep and trustworthy in their governance, and are not just ex-post but also cover the life-cycle of the apps, their ownership, history, and more.

Other network protocols and stacks may be based on the open-source Matrix/Element, already the base of the French military Tchap and the German military BwMessenger, which the German Data Commissioner has called a possible new secure messaging platform base for Europe (and for the USA?!). Matrix/Element's top management has been exploring and working on a solution to manage legitimate lawful access.

Beyond app-based security: “Made in Germany” hardware-based secure communications for all?

As promising as such plans are for secure messaging apps, it is widely known that a secure app can never be more secure than the device it runs on. And it is now widely known that innumerable actors that acquire or rent such capabilities can undetectably compromise such communications.

In fact, the need for more secure hardware solutions for German Foreign Service communications was strongly asserted by Sandro Gaycken, the Chief Scientist of Hensoldt Cyber AG, a spinoff of Airbus that is building ultra-secure open-source CPUs and OS for the most critical EU IT infrastructure.

In acknowledgment of this, in October 2021 it was announced that the IT department of the German Foreign Service had been charged with procuring a new HW-based solution, inclusive of dedicated client devices suitable for video conferences, text editing and calls, for the everyday secret and classified communications of German diplomats and other ministries, starting with management and then lower-level staff.

The plan includes, later in 2024, a "Diplo Version" where “representatives of other countries will be provided with the solution for direct protected communication”. Then in 2025, there will be a "company version" for the private market in Germany, and then presumably abroad. There will be a private procurement for such solutions, under the guidance of BSI.

The article above reads (in its Google Translate version): "An expansion beyond the federal authorities is already firmly planned. In 2024, participants from abroad are to be involved in the “Diplo version”. The vision: Representatives of other countries will be provided with the solution for direct protected communication. This would enable the federal government to confidently and independently set up confidential channels with partners and allies around the world."

Challenges of “Made in Germany” international IT security standards

Why is the German government creating a “Diplo Version” hardware device for secure diplomatic communications, and seeking to “provide” it to its allies, instead of pursuing EU solutions through EU standards, using mechanisms like the EU Cybersecurity Certification Framework or SOGIS.org, or via NATO? Why go at it alone?

Evidently, after many years of trying in such fora, the German BSI and its EU equivalents were unable to do so: their governance constraints (consensus decision-making and distortions in the bureaucratic process) have proven unfit to achieve the actual and perceived trustworthiness levels needed for the most demanding communication systems - and for the mechanisms managing their legitimate lawful access.

This is exactly what we told the President of BSI in his office in September 2019, when we were invited to Bonn to present our Trustless Computing Certification Body, and he concluded they were going to pursue similar goals through the newly established EU process.

It is therefore very understandable how Germany, in the face of the seemingly unfixable inadequacy of such international institutions, may be planning to "go it alone", in order to provide itself, its allies, and EU citizens with the IT that they urgently need to sustain democracy.

Crypto AG and German international leadership

Germany's history during the World Wars and the more recent Crypto AG intelligence operation stand as proof to the world of German prowess in IT security, but also of the need for external oversight.

It is, I would argue, very unlikely that Germany's allied nations and their citizens, and even German citizens themselves, would sufficiently trust and widely adopt the resulting standards and technologies as planned by Germany, unless they are equally, democratically, and fully involved in the governance of such certifications.

By the Crypto AG scandal we refer to the fact that on February 13th, 2020 it was revealed that in 1970 the German secret service BND and the CIA secretly became 50/50 owners of the Swiss company Crypto AG, the world's leading seller of secure IT systems, whose products were the most widely used IT for the most secure communications of heads of state, top diplomats and intelligence agencies of third countries, and of many German allies. Crypto AG was based in the small city of Zug, the same city as the original and current headquarters of Wire App, mentioned above.

It sold to over 130 nations, becoming a de-facto standard which forced even those not trusting it to use it, through network effects, similar to what happens today, with most citizens basically forced to use WhatsApp because everyone else does.

The Crypto AG case demonstrated that IT can be made ultra-secure, i.e., resistant to even the most powerful attackers, at relatively moderate R&D costs and low marginal costs. It also proved that 3rd-party access to encrypted data and communications - solely for such ultra-secure IT systems - can be reliably restricted to intended parties, contradicting widely shared ideas about the impossibility in all cases of a secure-enough "front-door".

The Crypto AG intelligence operation was likely very influential in enabling a more democratic geopolitical block to prevail over a less democratic one. Right after the Cold War, Germany gave or sold its stake in the company to the CIA, likely because the main mission had been achieved, and therefore its continued involvement in such an operation would have been incompatible with its role in the EU project.

Germany's internal fight against authoritarianism

But any substantial or radical increase in the level of IT security of the communications of German public officials and citizens can have very serious consequences by favoring terrorism, political extremism, or other grave crimes, unless means to intercept them are available when end users are found by a civilian judge to be suspected of grave crimes.

Given the rise of the far right in the US and in Germany - and repeated German oversight failures or “failures” regarding illegal or potentially illegal far-right phenomena - it is understandable how the new German government has chosen Ms. Nancy Faeser for the post of Minister of the Interior, who stated at the start of her acceptance speech: “The fight against right-wing extremism has brought me personally into politics”.

It may in fact be a good idea for German democratic processes to have more visibility - when a civilian judge, the parliament or the Federal Office for the Protection of the Constitution concludes there is "probable cause" - to keep in check suspected German citizens, groups, and public officials, especially elected officials and security agency staff, so as to mitigate the risk of their abusing encrypted apps or devices in attempts to subvert democracy.

Could Germany, instead of going at it alone, co-lead in the creation of a multilateral democratic venture to foster secure and democratic IT for all?

The initiative by the German government to fill a void in secure and sovereign human communications for its institutions, its citizens and those of its allies is highly commendable.

Yet, the constraints highlighted above point to the fact that it may be much easier to achieve such goals in a multilateral and transparent manner, leading to the creation of a new open international certification body (not a treaty), rather than going at it alone, or relying on existing multilateral institutions.

Instead of being driven only by the German Foreign Service IT Department, influenced by a wide web of national agencies and led by BSI technical guidance through the Ministry of the Interior - the definition of such standards and certifications, and their current and future governance, could be delegated to a to-be-created new democratic and transparent transnational body, led by a few like-minded democratic and neutral nations, and eventually open to all nations on equal terms.

Such a body would set standards, and certify services and devices, that are suitable both for secure and accountable diplomacy and for secure and democratic citizen digital communication and social networking. It would also take responsibility for governing the resulting digital sphere of communications, as democratic nations have been doing for communication in public spaces for centuries, taking on the kind of decisions that the Facebook Oversight Board (but mostly Mr. Zuckerberg) takes for the digital space created by Facebook.

Both citizens and officials will have a choice between certified “App & Cloud” solutions and “Device & Cloud” solutions, depending on their computing use cases and the levels of their actual or perceived risk profile. The app and cloud components can be based on EU and German technologies like Wire and Hensoldt Cyber (a Germany-based spinoff of Airbus), which are in turn based on high-security open-source technologies like Signal, seL4, and RISC-V. Such technologies are also widely used by the USA via DARPA and Galois, as well as by China, where billions are invested in RISC-V and Chinese nationals are part of the seL4 Foundation, so that the most critical low-level computing base can be made trustworthy to them.

Given today's semiconductor miniaturization, such devices can be conceived in the form of thin tablets that can be used in desktop formats and carried in a user's laptop bag, or as a 2mm-thin minimal mobile device to be carried in the user's leather wallet or encased in the back of every citizen's smartphone.

Provided that the socio-technical principles and the governance of such a body are appropriate - with healthy safeguards against multi-state overreach - such an arrangement could greatly increase the foreseeable acceptance and wide international private and governmental adoption of such new standards and IT for secure communications and social networking.

Such standards, governance and IT could become the basis of the first democratic transnational human and social computing infrastructure, on top of which private persons and firms can innovate, within a democratic frame directing innovations towards the global public good.

The initiative would be inspired by the goals of previous multinational and certification initiatives, such as the GSM initiative in the EU - which provided the EU a unique competitive advantage through mandatory interoperability for mobile text and voice communications, enabling it to lead the industry globally in the 1990s and early 2000s - and ARTE - the channel created by the German and French state/public broadcasters to promote cultural education and harmonization among cultures that bitterly fought each other for centuries.

It would also be inspired by the creation, after WW2, of state/public broadcasters in EU social democracies - to provide a unified basis of basic facts and education for citizens, unbiased by commercial interests - and of the US Federal Aviation Administration - created in 1929 to provide extremely high levels of safety, which became both a protection and a huge enabler of adoption and innovation in the commercial airline industry.

We are pursuing something along those lines with our Trustless Computing Certification Body and the resulting Seevik Net.

Trust ultimately resides in the governance

Although the original socio-technical paradigms guiding the certification and governance of the resulting media sphere are important, the trustworthiness of compliant IT systems ultimately resides entirely in the current and long-term governance, and in the design of the constituent processes that will lead to its fully operational phase.

We have carefully conceived a constituent process and planned governance whereby Germany and a few other nations can initiate a constituent process aimed at sustainably maximizing democratic accountability, competency, and resilience against state pressures.

We have also analyzed in detail the advantages for a nation like Germany to be among the early governance partners of such an initiative.

We’ll be hosting our 9th Edition of Free and Safe in Cyberspace to promote such an initiative, and as a way for Germany and/or other pioneering nations to bring together other interested nations.

Key Benefits for Participating Nations

Key benefits for participating nations would be to foster the availability of much more trustworthy IT for their most sensitive systems, public and private, while retaining their ability to access them when there is a legitimate need or mandate.

Participating nations would also provide their politicians, journalists, activists, and elected officials with the utmost protection against all attackers, foreign and domestic, to protect national sovereignty and democracy.

Participating nations could eventually extend those certifications as preferred or mandatory for the critical subsystems of the most sensitive public and private systems - such as elections systems, critical infrastructure and dominant social media platforms - to further protect democracy and national security.

Since those certifications will not only ensure much higher security but also embed “by design” requirements to achieve very high forensic-friendliness, participating nations would also gain a much improved and internationally-recognized cyber attribution capability for any hacks of such critical systems.

As an additional benefit, in the longer term - as the number of participating nations increases and more of their critical systems are certified to such standards - those nations would realistically be able to engage in enforceable cyber treaties and/or in fair and responsible retribution for grave violations of international norms.

Under this scheme, powerful participating nations would lose their ability to hack into such IT systems arbitrarily. Yet, arguably, their cyber-investigation capability would overall improve, because lawful requests for such IT systems would be: (a) ensured to produce the data of a legitimate suspect or criminal in a timely manner; (b) produce evidence that is much more attributable; and (c) stand as valid evidence in the highest courts (where Italy, Germany and France do not accept evidence acquired via Trojans). Also, requests could be processed within 1-2 hours in urgent cases.

What about China and Russia?

Given the current shifting geopolitical context, with Russia and China on one side and the EU, the US and other social democratic countries on the other, such an initiative will initially be advanced by and among the latter - as a dual-purpose initiative constituting at once a joint defense capability-building initiative and a digital platform for global dialogue - while always remaining open for such nations to join at a later stage on a totally equal basis.

In the meantime, Russia and China would be represented by proxies, such as former Russian or Chinese lawmakers or persons chosen to represent their current governments as closely as possible, as opposed to their citizens, who would already be represented via randomly sampled citizens, from abroad and from within their country, and other means of approximating representativity.

Next Steps

Visit our website at www.trustlesscomputing.org for our plans for a Trustless Computing Certification Body and Seevik Net to realize the above proposal. Join us in Rome next September 16-18th during our 9th Edition of Free and Safe in Cyberspace to help us bring a few nations that have shown interest to sign on and commit. Contact us if you are interested in joining as a volunteer, advisor or partner.

Rufo Guerreschi