Technological Sovereignty needs new international cybersecurity standards
In a Guardian article today, Evgeny Morozov predicted that “technological sovereignty” will be the hottest digital theme for governments in 2015, as they’ll strive to protect the communications of their citizens, institutions and businesses from political and economic abuse from foreign states and criminals.
In an effort not to be confused with various actions by China and Russia aimed at consolidating their autocratic regimes, many EU states, Brazil, and other democratic countries have announced and pursued several initiatives to regain their technological sovereignty.
These have turned out to be severely misdirected. A November 2014 report, Technological Sovereignty: Missing the Point?, by the Global Public Policy Institute and the Open Technology Institute, analysed the failure of such approaches, and in particular the “IT Security Made in Germany” attempts:
Initiatives such as “IT Security Made in Germany” suggest that domestically produced services and items are more secure and trustworthy than those produced abroad. However, like the location of data storage and routing, it is not the location of production and supply chains that guarantees protection from surveillance or espionage, but the actual security standards. Locally produced security products can include as many, if not more, vulnerabilities than those of foreign companies. While this measure will make it harder for foreign intelligence agencies to build in backdoors, it does not prevent local intelligence or law enforcement agencies from doing so. Any backdoor will increase the general insecurity of these products. These proposals, often labeled as especially secure, risk providing a false sense of security to customers, depending on their implementation.
If most findings of this report are true and fast becoming evident, as we think they are, then the time may be ripe for the promotion of new public-private international ICT security standards, standard-setting and standard-compliance organizations, and related ecosystems.
In fact, neither the US, the EU, an EU country nor Brazil could ever succeed in realizing and affirming such a standard alone. The United States alone could not deliver, or be trusted if it did, even internally (see NIST's current huge credibility problems). In fact, too many pressures exist to make the processes flawed, and US agencies have lost the trust of foreign and internal users. The EU or any EU country would not be trusted abroad if they did, as they’ve had similar issues of abuse of surveillance, and the EU also lacks both a general-purpose secure CPU with free/open source microcode and user-verifiable fabrication oversight standards (as even the European Defence Agency says). Brazil, though hosting advanced secure and verifiable IC design capabilities, lacks local foundries that could deploy user-trustworthy oversight of critical IC fabrication, as well as expertise in other, higher software stack and server-side services.
Also, Brazil and Germany especially have enacted or modified “national crypto standards”, following the US example with NIST (FIPS, etc.). Such standards have severe shortcomings, as they: (a) do not certify a complete service but just a device; (b) do not provide adequate standards for the hardware design and fabrication phases of critical components; (c) are developed in opaque ways by standard organizational processes that are only very indirectly (and inadequately) user-accountable, and subject to pressures from various internal and foreign state security agencies; (d) use crypto standards, such as custom elliptic cryptographic curves, that leave substantial doubts as to the ability of certain national agencies (and potentially others) to bypass them; (e) certify devices that necessarily have to rely on critical undue trust in several entities, often foreign; (f) have very slow and costly certification processes.
Such new international cybersecurity standard-setting and compliance processes will need to be:
aimed at constitutionally-meaningful levels of actual and perceived trustworthiness to end-users, and not just mere improvements.
extremely effective and sustainably citizen- and user-accountable
international and involve multiple states and relevant civil society organizations, because no nation or citizen will trust any other country's internal processes, as has been the case until today. (Albert Einstein in 1953 made a similar case to enable transnational trust of compliance with nuclear weapons stockpiling agreements).
enable constitutional – no more, no less – criminal investigation, because much of the hesitation of nations to allow meaningful privacy has to do with the need and obligation to pursue criminal investigations for ordinary crime or state security.
The UVST International Standardization proposal that we coordinate could be the answer, or provide much inspiration. It will be proposed to the EU-Brazil EUB1 H2020 Call, and in other forms, following in the footsteps of our partner Sirrix's 2008 European Multilaterally Secure Computing Base (EMSCB) project. In addition to the 15 world-class current public and private partners, we have very extensive ongoing negotiations at the highest executive levels in Italy and Brazil with the public agencies that have been delegated for the definition of new socio-technical IT privacy and security standards, AGID and SERPRO, roughly the equivalents of NIST in the US. The former has been delegated the definition of new IT security and privacy standards for the government in conjunction with the Military Advisor to the Prime Minister, according to the Prime Minister’s just released Digital Growth Strategy 2014-2020 (see pages 43-44 of the PDF), while SERPRO has been delegated the same task by President Rousseff with the clear goal of achieving spy-proof assurance.
Italy is heading in the right technological direction, albeit timidly and through notoriously hard Italian legislative action rather than executive initiatives. During the Dec 11th event keynote, Stefano Quintarelli, the President of the Strategic Committee of AGID, presented its legislative proposal for “technological sovereignty” and mandatory “documented hardware”, which mandates that hardware (client and server) used for critical e-gov services meet standards, at the lowest levels, that mandate verifiability and adequate verification (albeit still shying away from requiring supply chain and fabrication oversight). Such proposal makes direct reference to the Richard Stallman-inspired legislative proposal that became law in 2012 in the Region of Puglia. Starting from such template, we led a campaign that brought together 4 leading regional parties, Richard Stallman, and Flavia Marzano (on our board) of Stati Generali dell’Innovazione, to promote a similar proposal for the Region of Lazio, but much extended to the entire UVST requirements, which was presented officially by the 2nd largest party in April 2014. The technical description of such legislative proposal was literally the older UVST definition.
The United States obviously has a different approach to the issue. Nonetheless, after much political and media pressure, NIST has set out to attempt to regain credibility after the NSA successfully pushed for the adoption of compromised standards. It established a Visiting Committee on Advanced Technology (VCAT) to issue guidance on improving the cryptographic standards setting process. Bart Preneel, President of the International Association for Cryptologic Research, member of our UVST Scientific Board, and one of the very few non-US members of such committee, has suggested increasing openness, transparency of process and expert community participation, even international.
Following in the footsteps of a Dec 11th 2014 Rome event, which we helped organise, we have the formal availability of many of our partners and of the EU EIT ICT Labs Privacy, Security and Trust Action Line Leader to formally co-organise, in early 2015 in Berlin, Rome or Brussels, a similar but less-public event, to be provisionally named Workshop “Technological Sovereignty: cyber-privacy meets public safety meets economic development”.