Controlling the Risks of the Cyber Society. A Task for State and Policy

The years of digital euphoria are over. The controllability of digitalisation is the major challenge of the coming decade. The risks are manifold, and state and policy have yet to find lasting answers. The law fails in the face of the complexity of the digital world, cyber insecurity is spreading, digital platforms are competing with states, and state authorities are failing to digitalise themselves. A new, holistic approach is needed to control the digitalisation process.

The Risk of Everyday Complexity

New data protection regulations have been in force since May 2018. With the European General Data Protection Regulation, Germany has entered into a new chapter of its history of more than forty years of data protection. Data privacy has been adapted to the new reality of a fully digitally connected world. Since May 2018, every citizen has submitted an estimated fifty to one hundred statements of consent on their smartphone, and confirmed with a few taps that WhatsApp, Apple, Google, their local bank, or sports club can use the data – in compliance with the new regulation – in the future. How many of them know what they have consented to, how the data are processed, what other data have been merged, and who the data have been shared with as a result of their consent?

Back in 2015, Apple calculated that iPhone users unlock their device eighty times a day. Every time, apps are called up. A closer look at the data protection consent of any individual smartphone app offers a sobering picture: every launch of the app triggers a wealth of data protection procedures – data storage, data transfers, and data uses. Every time, several companies are involved, and different laws apply every time. All companies use long-winded, hard-to-understand privacy policies. For individual users, it is not clear which regulations work together, and how, in each specific case. Even data protection supervisory authorities need to conduct in-depth analyses before they can state with certainty what is allowed and what is not.

In the course of its existence, and in line with the advance of digital technology, data protection law has grown considerably in scope and importance. At the same time, it has lost its grip.

Far more serious legal transactions are by now less complex than data protection. The purchase of a vehicle or a property is based on a few provisions in the Civil Code. Everyone knows the legal framework, and most people have developed a sense of what is allowed and what is not. With data protection, things are quite different: the incredibly wide and diverse range of data protection regulations contrasts starkly with great uncertainty about what is allowed and what is not. Data protection law permeates our entire life, but is far removed from everyday reality. If we continue this development in its current form until 2030, the results are obvious: by 2030, every single action of our fully digitalised life will trigger a wealth of data processing operations; everything will be regulated by law, but the practical result will not be obvious to anyone, let alone ourselves.

It goes without saying that the consolidation of data collected from our increasingly digitalised everyday life poses a risk to our personal rights. Yet the state and legislature have so far failed to find a way to manage and control this risk. Privacy debates about autonomously operating vacuum cleaners, networked drones, or the business practices of online platforms are not abating. A wealth of legislation suffocates the clear assignment of accountability and responsibility criteria for our digital lives.

The Risk of Cybersecurity

In May 2018, security researchers discovered eight new vulnerabilities in processors from the market leader Intel. They all allow attackers to perform illegal operations on the systems in question, circumvent security measures, manipulate systems, and steal data. The press took little notice of the report. After all, weaknesses in processors had already been discovered months before, with greater media exposure: the ‘Meltdown’ and ‘Spectre’ vulnerabilities also concerned chips from Intel and other manufacturers.

The public is jaded by the many reports of hardware and software vulnerabilities. We have become accustomed to the fact that hardware and software have shortcomings, that hackers can and will take advantage of them, and that computer systems are under constant attack worldwide. At the end of 2017, a dozen computers were hacked at the Federal Foreign Office. A few more or less confidential documents fell into the hands of Russian intelligence services. Even the highly secure German government network proved to be vulnerable, as had previously been the case with the network of the German Bundestag. Even one of the savviest cybersecurity organisations, the US National Security Agency (NSA), cannot protect itself adequately: in 2015, the data of twenty-one million US government employees was stolen from government systems, and in 2016, even the NSA’s most secret digital attack tools fell into the hands of a hacker group called ShadowBrokers.

Cybersecurity Measures are Inadequate

Cybersecurity poses a structural problem, for which there is currently no solution in sight: we are becoming more dependent on digital systems every day, and their quality and security have been decreasing rather than improving for many years. The rate of weaknesses in conventional software remains continuously high. Complexity and vulnerabilities together provide exactly what hackers love: so-called attack vectors. The increasing dependence on digital systems ultimately ensures that these vectors are actually used. Pacemakers are as vulnerable to attacks as petrol stations, steel mills, or government networks. Wherever we have made ourselves digitally dependent, there is something for attackers to obtain: operators can be blackmailed, information can be monetised or utilised, hijacked systems can be used for hackers’ own purposes – ranging from crypto-mining and denial-of-service attacks to the spread of spyware. A vicious circle.

Our capacity to adequately protect unstable systems cannot keep pace with the rate at which we digitalise, network, and increase complexity. The attacker only needs one vulnerability, whereas the defender has to seal all weak spots. This logic has been in effect for more than twenty years. There is no indication that the trend is reversing and that by 2030 we will have a substantial solution to security issues in cyberspace. All IT security and cybersecurity measures – ranging from the certification of devices and the legal regulation of critical infrastructure security to strengthening the capabilities and powers of security agencies – are certainly demonstrating positive effects. But they do not change much about the underlying issue. The pace of innovation and the immense increase in complexity associated with ubiquitous networking constantly override these measures. We have to prepare ourselves for many years of cyber insecurity and cyber instability.

The Risk of Platforms

Already in 2015, each minute four million posts were published on Facebook, three hundred and fifty thousand tweets were sent on Twitter, and three hundred hours of video were uploaded to YouTube. Such digital platforms are now part of our daily lives. Births are streamed live and deaths are reported on digital platforms even before the closest loved ones gain knowledge of them. A mother from Berlin had to take Facebook right up to the Federal Court to gain access to the digital estate from the profile of her daughter after her suspected suicide.

How we deal with digital platforms has proven to be a vital question of digitalisation, as platform operators and their business models, conditions of use, and algorithms determine our digital coexistence quite decisively. In doing so, they not only challenge the state, but they simultaneously compete with states by asserting and enforcing the law – globally, and without any democratic control. Evgeni Morozov calls the platform operators “the new feudal lords” and sees humanity on the road to a new age of feudalism. A fundamental problem in the relationship between states and platforms is apparent, and no consistent solution has yet been found.

While politicians on the one hand want to curtail the power of platforms through data protection, competition, or even tax regulation, they on the other hand expect platforms to assume social responsibility. One example is the fight against ‘hate speech’ and other illegal online content. With the ‘Network Enforcement Act’, Germany demands that platforms, under penalty of fines, quickly delete unlawful content. ‘Obviously unlawful content’ should be deleted within twenty-four hours, and all other content within a week. This refers to all forms of glorification of violence, Nazi propaganda, calling for and approval of criminal offences, dissemination of child pornography, insults and slander, as well as the secret dissemination of highly personal images.

However, the decision on the illegality of content is far from simple and touches our fundamental rights at their core. At the hearing on the bill, a representative of Google cited as an example the video with the poem that German satirist Jan Böhmermann had published about Turkish President Erdogan. YouTube did not block the poem, even though Erdogan had reported the satirist for slander. Nowadays, after the entry into force of the Network Enforcement Act, they would decide otherwise, so as not to be fined.

If Internet platforms adopt an ‘if in doubt, delete’ approach to every complaint about their content, then the platform becomes the censor of its users. Instead of government agencies or independent courts, the deletion departments of the Internet companies decide what is illegal. The state does not enforce its own, democratically legitimised right on the platforms, but ultimately accepts the normative power of the platforms.

At the same time, more and more actual power is migrating towards digital platforms, especially when it comes to public services: the most up-to-date maps on routes, traffic signs, and lanes on German roads are not provided by the state, but by Google and HERE. Public transport data, the timetables of buses and trains nationwide, can only be obtained from digital platforms. The state is lagging behind in the digitalisation of services in the common interest. Google holds more digital books than the largest German library has in its (paper) inventory. This development of the privatisation of digital services of public interest will continue to spread until 2030. Whether healthcare or education, it is highly likely that in other areas of the digitalisation of our public infrastructures, private platform providers will be faster and more consistent than the state is capable of being. In the UK, the National Health Service (NHS) has already transferred 1.6 million sets of patient data to Google, to take advantage of Google’s algorithms and computing capabilities.

As responsibility is increasingly transferred to Internet platforms, and given the weaknesses of state presence in the digitalisation of social spheres for which it is responsible, the state essentially pushes even more responsibility and power onto the “feudal lords” of technology companies – to refer to Morozov’s characterisation once more. The state pursues its own disempowerment.

The Risk of the Digital State

Year after year, the federal authorities, the sixteen Federal States, and the eleven thousand municipalities in Germany spend twenty billion euros on their own digitalisation. Yet, the digital state in Germany resembles a mirror image of Google: highly fragmented databases of multifarious authorities at the federal, state, and local level. Addresses of citizens are stored in many different places, with accompanying painstaking data matching. The state registers are highly prone to errors. There is no Federal Citizen Register. Even the internal data landscape of authorities is fragmented. In 2013 alone, the Federal Criminal Police Office operated eighty different files for security and prevention purposes, which are now to be successively merged.

The reasons for the digital fragmentation of German administration lie in our complicated state and administrative organisation as well as in data protection law, which digitally consolidates this organisational structure. The state is only permitted to store and use data for strictly defined purposes, which prevents data merging and retention for possible future issues (in the vein of Google). This can be illustrated using the example of ‘predictive policing’, a big data-based method of forecasting potential future offences, to facilitate better planning of preventive police measures. Laws must be modified for potential future use of such measures, and the organisation and technology of the fragmented police IT systems will need to be adapted – an effort that takes many years.

Other areas of public responsibility, such as healthcare, show similar conditions. It is undisputed among professionals that many diseases could be better combatted by merging health research data from a wide range of healthcare sectors, and analysing it using big data analysis methods. Even this merger has so far succeeded only in elaborately defined and arranged individual cases – there is no general, comprehensive solution.

One reason for the fragmentation and weakness of the digital state lies in the heterogeneity of the technologies used. Unlike large corporations, which for decades have been investing great effort into ‘consolidating’ their IT landscape by reducing it to just a few types of IT systems and software, the state’s IT landscape is still extremely diverse. In 2013, the federal authorities alone operated 96 data centres and 1,245 server rooms for almost 500,000 federal employees. Currently, the Federal Government is trying to consolidate this diverse landscape into a few IT service providers. This will probably have been achieved by 2030, but it is unlikely that the fragmented landscape of public databases will have dissolved by then.

While digital platforms are constantly collecting, evaluating, and providing new data about our entire lives, increasingly penetrating into areas that have previously been the domain of the public sector, the state is lagging behind in the digitalisation in its area of responsibility – and thus risks losing influence and opportunities for formative action in important areas of life.

The Controllability of the Digital World

Digital action permeates our entire life, and will be inextricably linked to every ordinary daily activity by 2030. The four risks of cyber-society mentioned above no longer only touch upon the periphery, but upon the core of our coexistence. This raises the formidable question of the controllability of the digital world: each and every one of us has only a marginal understanding of, and control over, the complexity of our digital world. Global digital platforms set their own rules and obey their own business logic. They are no help to us, neither when it comes to data protection nor cybersecurity. Our polity and the democratic state have not yet managed to arm themselves to master the challenges in cyberspace. Neither the transparent allocation of legal responsibility, nor the lasting establishment of cybersecurity, nor even the adequate digitalisation of government services has been successful.

The state is weak in its control of digital spaces. The weakness of the state is associated with major risks. The ability of the state to organise the community through law, as well as to enforce these laws, is at stake, as is the ability to use democratic decision-making processes to shape essential areas of society such as healthcare, transport, education, or the media landscape. Morozov’s question is justified: do we surrender our common goods to the new feudal lords of the digital platforms? Do we transfer control over who sets and monitors these rules to the platforms? Can we ever get this control back again?

Without effectively functioning state structures, the rule of law, welfare state, and democratic decision-making are mere window dressing. The state and its organs are manifestations of our joint will to shape and develop our country. As digital life evolves ever more beyond the state’s reach, scope of influence, and realm of effect, we lay the axe to the roots of our community.

Hardly any state and policy objective could be more comprehensive than developing a programme to control digitalisation. It requires consistent action and a long-term perspective while combining several approaches to recover sovereignty and controllability. It combines technological design, legislation, and organisational reform with a change in political governance and administrative implementation. Five proposals could form the cornerstones of such a programme.

Demanding Secure Technology

A decade of cyber insecurity lies ahead. Cyberattacks have become the preferred means of carrying out inter-state conflicts and criminal activities. Most cybersecurity measures so far focus on the use of IT or the reaction to cyberattacks, instead of addressing the root of the problem, the weak points in the systems. Hardware and software manufacturers fail to commit to more discerning product safety standards. Any ‘smart’ light bulb, pacemaker, and digitally controlled car is vulnerable to attacks, potentially turning into a springboard for attackers. Therefore, the basic security of digital technology must be effectively increased to raise the level of cybersecurity in the long term.

Germany, as a country of inventors and engineers, as a pioneer of technical standards and high product safety, can lead the way: manufacturers must be required by law to adhere to quality criteria. These include quality assurance in software development, the avoidance of known vulnerabilities, a high level of transparency in security features, the disclosure of identified weaknesses and countermeasures taken, as well as long-term support of their own products. Updates and patches must be made available throughout the duration of deployment. Special care is warranted where lives are at stake: be it in medical technology, self-driving cars, or the field of weapon systems – digital security must be based on proven, secure solutions. Basic technologies for demonstrable safety are already in place, but their use in critical systems must be promoted – and demanded.

The commitment to robust product safety will naturally make hardware and software more expensive, and slow down innovation. We must shoulder this burden if we want to free ourselves from cyber-insecurity. The experience of recent years shows that Europe’s winning strategy in digital economics will not revolve around the fastest diffusion of technologies or offering the lowest prices; however, the continent can score points when complexity is at stake. The same applies to security: Europe should advocate for high quality and reliable safety. Complexities and dependencies will continue to increase. Mastering cybersecurity will nevertheless offer a decisive competitive edge.

Principled Digital Law

Data protection constitutes just one example of the complexity of our digital law. The same increasingly applies to IT security. Attempting to divide the integrated offerings of an Internet platform like Google into components of telecommunications services, telemedia services, broadcasting services, digital infrastructures, and digital services – all legal concepts of German law – will leave one gasping for air.

In order to control digitalisation, the central task of digital law must above all consist of the comprehensible assignment of responsibility, and the definition of fewer standards and principles, which are as general as possible and apply to all areas of digital life. Controllers of personal data must act in the fairest and most transparent manner. Providers of digital services or producers of digital products that affect our existence, must protect them from failure and attacks according to the state of the art. Online content distributors must fight illegal content, while taking their importance and capacities into account. Operators of monopolistic platforms must enable the state to fight crime through, and organise the reconciliation of interests on, these platforms.

The legislator should start at this level, and develop new digital legislation that people in Germany understand, without resorting to small print. Such an approach requires change, political will in Parliament, and a Federal Constitutional Court that is willing to let go of the reins, refraining from pushing for highly concrete rules as it has in the past. Fundamental rights are not properly protected by barely comprehensible, detailed legislation that is overtaken by technology at breakneck speed. Fundamental rights and values are better protected by translating them into general principles for cyberspace – and through effective enforcement by public authorities and courts. Such principles could also include a duty of consideration, which the then-Federal Minister of the Interior Thomas de Maizière already brought into the discussion in 2010, analogous to the duty of consideration in road traffic law. Technological developments can be responded to more quickly if the legislator takes a step back, and authorities and courts are strengthened.

New comprehensive digital legislation will not be developed over one legislative period. Merely deciding on the fundamentals by 2030 could be considered a substantial achievement. Coming to terms with digitalisation through law will take generations. The German Civil Code – drafted between 1874 and 1896 – shows that more fundamental approaches to regulation might take a long time to develop, but can then unfold long term effects. The Civil Code became an export success – which Germany can perhaps repeat with modern digital legislation.

Redistributing Duties in Federalism

Much of the difficulty in mastering digitalisation is rooted in the state’s internal organisation, in the distribution of competencies, resources, and responsibilities. We need to reorganise the state if we want to improve its abilities as an actor in the digital space. A lot has been written in recent years, and some practical measures implemented. All previous approaches have above all managed one thing: they further increased complexity, which is exactly what should be reduced in the first place.

The relationship between federal, state, and local governments must be completely reorganised. The previous federal reforms have been too cautious, only further increasing the formal or informal interlocking of the federal and state governments. We should turn this process around: where the Federal Government is responsible for legislation, it should also provide centralised IT systems – housing allowance, parental allowance, child benefit, registration records – with open and interoperable interfaces that the states and municipalities can and must use to structure their services. Where the economy collaborates digitally with the state, the Federal Government should define the interfaces uniformly, similar to economic legislation, which applies uniformly throughout Germany. Wherever duties of different states are closely linked on a national scale, which is the case with the police or taxation, compulsory uniform systems must be created. Global digital platforms must be monitored by the Federal Government, whether in matters of data protection or taxation.

At the same time, decision-making power must be decentralised: decisions on how we live and work in a municipality, where a swimming pool is built, which street is renewed, which housing allowance paid, or how schools are equipped should be made locally. Uniform digital services from state-run, nationwide platforms provide support to the municipalities – but decisions are made locally and strengthen the digital sovereignty of our polity.

Opening up Administration for Cooperation and Staff

The challenges the state and administration are facing in controlling digitalisation are enormous. The various changes to the economy and the world of work, new security problems, regulation of powerful global platforms, or even complete digital transformation of its own work: all areas of state administration are confronted with fundamental changes to their tasks, self-image, and effectiveness. They are not sufficiently prepared for this. The state’s digital specialists are usually not as well trained as their colleagues in business. The salaries of state IT professionals are typically below the salary levels of the private sector. Even in federal ministries, middle management salaries are significantly lower than in companies.

State and business must work more closely together to control digitalisation.

The road from business to the state usually only leads one way. When returning to employment at a company later on, attractive benefits such as civil servants’ pensions cannot be taken along. Specialists have to accept lower salaries to then change to state employment forever. Hardly anyone with more than a few years of professional experience will opt for this. Unlike in France or the US, precious few switch between the state and business. This isolation of the civil service results in a lack of cooperation between the state and business in matters of digitalisation. While the separations between public and private in online digital platforms are becoming increasingly blurred, and the state is transferring public tasks to private platforms, the authorities are continuing to isolate themselves.

This certainly does not lead to greater efficacy in the control of digital space. Government and business should cooperate closely. A cyber defence centre should not only consist of civil servants, but also of experts from the private sector. Digitalised transport infrastructures are a joint effort of public and private sectors, and should be managed together. Civil service law that promotes staff exchanges between government agencies and businesses facilitates mutual understanding and collaboration in controlling cyberspace. Germany has a great deal of experience with the cooperative approach of regulating large areas of society – from collective bargaining to healthcare. We should apply these lessons to cybersecurity and digitalisation.

Organising New Digital Policies

At the beginning of 2018, 244 units in 76 departments within the Federal Government dealt with questions of digital policy. Already during the last parliamentary term of the German Bundestag, the government pursued a total of 271 digital policy projects, as evidenced by the Digital Agenda. More or less all of them relate to the question of controlling the digital space. These projects concern changes in agriculture, the modification of job profiles and forms of work, and challenges facing health, energy, or transport policy. Their commonality lies in the continued function of digital law, platforms, data protection, security, or even the use and further development of digital infrastructures. They are all answered predominantly along the line of specific political problems, but rarely comprehensively.

What we lack today is an elaboration of the comprehensive issues of controlling digitalisation: the role of the state in the digital world, its responsibilities in the provision of general digital services, the basic questions of new digital legislation – the processing of all these issues lacks political visibility and prominence. However, it is precisely here that the state and politics have to fulfil a mandate that requires stamina, clever and well-trained experts, and intensive social dialogue.

Digital policy is not specialised in the same way transport and health policy are, which only affect certain areas of life. It affects our whole life. It is much more comparable to two other interdisciplinary issues: money and law. For both cross-sectional issues, we have appropriate ministries that take care of the political strategy, but at the same time provide other policy fields with substance. That is what we need for digital policy as well. In 2018, strategy was bundled in the Federal Chancellery. This represents a first step. In the long term, we will need a digital ministry to promote as well as control digitalisation.

Digital Policy

How We Must Act

With the digitalisation of all areas of life, the risks associated with this cyber-society threaten our entire lives. They threaten the sovereignty of individuals and the capacity for action of our democratic state at large. Germany must counteract the risks across all political fields:

  • The security and reliability of digital technologies must be significantly improved. Responsibility for secure systems needs to be shifted to manufacturers through new liability rules. Only demonstrably safe systems may be used in critical areas.
  • We need comprehensive digital legislation that defines requirements of responsibility, security, trustworthiness, and transparency. It must build on principles that are independent of individual technologies and systems.
  • Digital transformation of our lives requires digital transformation of our state. Tasks must be redistributed across federal, state, and local governments, the deadlock between these levels must be dissolved, and important state tasks such as public security in digital space must be organised more effectively.
  • Public administration needs to open up and connect. To achieve greater exchange between the private and public sectors, joint state and economic institutions – as can be found in the field of cybersecurity – are just as crucial as changes to civil service law.
  • Similar to financial or legal policy, digital policy is interdisciplinary policy geared towards the long term. We need to organise the comprehensive content of digital policy more effectively and establish a digital ministry.

Martin Schallbruch (53) is one of the most seasoned experts in German digital policy. As a computer science graduate with additional legal training, he has been shaping Germany’s emerging network and digital policy for more than ten years as IT Director and Head of Department at the Federal Ministry of the Interior. He is the author of the books “Schwacher Staat im Netz” (“Weak State on The Net”) and “Cybersecurity in Germany”, both published by Springer. As Director at the Digital Society Institute of the ESMT Berlin, he researches, teaches, and advises on issues of digitalisation strategy, cybersecurity, and the cooperation between state and business in digitalisation.