Lokke Moerel: Digital Sovereignty and the Changing Landscape of AI & Privacy Laws

As we enter the second half of 2021, it’s becoming evident that societies worldwide embrace digital transformation as part of their everyday lives. This is backed by the fact that half of the world now uses social media and at least 4.66 billion people around the world now use the internet.

However, as societies become more digitized, the vulnerabilities that come with it also increase. From malware attacks that rose by 358% to a significant increase of risk of successful ransomware attacks due to remote working during Covid-19, to difficult to combat online conspiracy theories of the anti-vax and anti-5G movements, stimulated by Russian infiltration.

Lokke Moerel, professor of Global ICT Law at the Tilburg University and member of the Dutch Cyber Security Council, shares her insights into the need for digital sovereignty within the EU and how AI and privacy laws are changing rapidly due to digitization.

Accelerating Digital Sovereignty across Europe

In today’s increasingly digitalized landscape, more and more users feel the need to keep their data safe and are willing to leave popular platforms, such as Whatsapp, based on a change of privacy terms.

With 92% of Western data being kept in the US, EU nations have realized the need to adopt a joint strategy on how data is controlled and shared. While fostering the Digital Single Market is needed for innovation to thrive, effective safeguards must be placed to protect users in a data-driven world.

Lokke goes into detail about how the current situation has exacerbated the need for digital sovereignty in the EU, particularly for the Netherlands as advised by the Dutch Cyber Security Council.

Europe has been focusing on digital sovereignty and recently, the Dutch Cyber Security Council issued public advice that the digital sovereignty of the Netherlands is under pressure. What does digital sovereignty mean?

We are one of the most digitalized societies and this has been accelerated by the Corona crisis. Within no time, people worked from home, and children were schooled online. It was amazing to see how quickly we were up and running again. However, every upside has downsides and we saw new vulnerabilities and dependencies. 

• A tremendous increase in the activities of cyber criminals abusing the vulnerabilities due to remote access to systems when people worked from home.
• Foreign states stealing COVID-19 research
• Flaws in privacy and security of video tooling.
• More data of children are in the clouds of non-EU providers due to the increased use of digital teaching tools.
• The dependency of the Netherlands on social media platforms for combating misinformation and the lack of control from the government to combat it.

The core message of the public advice of the Council is that our digital dependencies are now so great that the digital sovereignty of the Netherlands is under pressure. This goes further than guaranteeing the cybersecurity of our critical IT systems and the data generated with these systems. We also need to maintain control over our essential economic ecosystems and democratic processes in the digital world.

Can you give us examples of how digital sovereignty (or lack of it) can affect the economic ecosystems and democratic processes?

Examples of essential eco-systems:

Lack of control over critical technologies will result in new dependencies. For example, without proper encryption, we will not be able to protect the valuable and sensitive information of our governments, companies, and citizens. Current encryption will not hold against the computing power of future quantum computers.

We will therefore have to innovate now to protect our critical information also in the future. This is not only relevant for future information, but also current information. Do not forget that foreign states systematically intercept and preserve encrypted communications in anticipation that these may be decrypted at a later stage. 

To be able to make large-scale use of data analysis using AI, enormous computing power is required (which requires cloud computing) as well as access to large quantities of data, which will require combining data in specific industry sectors (such as health), which is currently difficult.

Efficient access to harmonized data and computing infrastructure will become the foundation for the Dutch and European innovation and knowledge infrastructure. Maintaining control over this is an essential part of our strategic autonomy.

Examples of democratic processes: When the state is not in control over the election process, due to targeted misinformation and systematic infiltration of social media by foreign states to influence citizens, our digital sovereignty is at stake.

We see that digital sovereignty is very high on the EU’s agenda. For our neighbour Germany, for example, it is Chefsache. In the Netherlands, however, we mainly respond to cyber threats in a technical and reactive manner. We respond in crisis mode. 

The council thinks it is high time for a more coordinated and proactive approach, starting with ensuring three basis facilities: sovereignty-respecting cloud for secure data storage and data analysis, secure digital communication networks, and post-quantum cryptography.

CISO and Their Roles in Digital Sovereignty

At the core of digital sovereignty issues is the need to safeguard information assets for European countries.

As the Netherlands continues to build upon its Dutch Digitalisation Strategy 2.0 and integrate more cloud-based technologies within its economic ecosystems and democratic processes, it is up to chief information security officers (CISO) to be aware of what it all means for an organization and how it affects its cloud strategies.

What does digital sovereignty mean for the CISO?

Most governments and companies will have a corporate cloud policy. I see that these policies really try to address the direct requirements of a specific cloud project. 

When deciding whether to bring services to the cloud, the company will weigh up the benefits of public cloud (better security, better functionalities) on a project-by-project basis against the specific dependencies and security issues in the project in question.

However, considerations of loss of sovereignty are not taken into account. As a result, for each project, the decision can be justified, but ultimately these decisions together do threaten our sovereignty, where in the future you want to be able to process data across cloud solutions for example (an example of The Tragedy of the Commons).

I think it is important for CISO’s to be aware of all the EU initiatives to increase our digital sovereignty.

What should they be aware of in terms of initiatives?

GAIA-X: many people think that the GAIA-X project, is about setting up a European cloud infrastructure. GAIA-X is, however, not about creating Europe’s own vertical cloud hyperscalers. It is also not about keeping the non-EU cloud services providers out or keeping all data within the EU. It is about achieving interoperability between cloud offerings by setting common technical standards and legal frameworks for cloud infrastructure and services. 

This form of interoperability goes beyond the portability of data and applications from one vendor to another to prevent vendor lock-in; it really concerns the creation of open APIs, interoperability of key management for encryption, unambiguous identity, and access management, full control over storage and access to data, etc.

Worth keeping track of I would say.

European Data Spaces: data spaces intended to unlock the value of European data for innovation. 

The aim is to create common data spaces for certain sectors with common interests (e.g., for health data and governments) so that the scale of data required for innovation for this group can be achieved.

Looking Into AI and Its Purpose in Cyber Security

As remote working conditions and digital processes continue to become the norm for users and organizations, cyber attacks are becoming increasingly prevalent. 95% of cybersecurity breaches are a result of human error and as the information security market expected to reach $170 billion in 2022, the cost of digital attacks can be enormous.

AI has always been seen as a silver bullet for organizations to combat cyber-attacks and increase resilience in areas where a majority of human error lies. However, Lokke describes the potential and possibilities of AI as both good and bad, depending on how it is utilized.

What scares you the most regarding the seemingly endless possibilities of AI?

Like all technology: AI is not good, it is not bad, but it is also not neutral. 

To start with, AI is as good as the purpose for which it is used. In the cyber context, this means that we really should keep ahead of the bad guys. 

New technologies play an increasingly crucial role in cyber resilience. If we are not on top of new technologies like AI and encryption, this will result in new vulnerabilities and dependencies. An example here is that with AI, bad actors can detect and exploit vulnerabilities automatically and on a large scale.

However, AI is also expected to make it possible to automatically detect and patch vulnerabilities. I am currently involved in a research project, to investigate what options there are to facilitate real-time security patching by suppliers.

Privacy Laws in The EU and Its Future

With digital sovereignty being top-of-mind for EU nations and the increased awareness for data privacy within the public, governments and regulators understand that there is a need for comprehensive privacy laws that protect both users and businesses.

From California Privacy Rights Act to the ever-evolving GDPR, more and more data protection acts are being introduced and implemented across the globe. Moerel shares her views on how privacy laws will continue to shift and change in order to adapt to the new digital landscape and what the global privacy laws mean for an organization.

In what ways do you see privacy laws changing in the future?

Every week there is a new privacy law being adopted somewhere in the world. By now there are about 130 countries with omnibus ‘GDPR style’ privacy laws. Everybody heard about the Californian Privacy Rights Act, but less well known is that by now, 20 other U.S. states have introduced privacy bills. 

In the EU we now have the draft proposal of the European Commission for an AI regulation and it is not a risky prediction to say that – like happened with GDPR – other countries will also look at this draft and start preparing their own legislative proposals.

The way to deal with a myriad of global rules is to implement a very robust company-wide security and privacy protection program. After all, compliance with the law is a baseline where you cannot go under. Do a proper job and you do not have to worry about compliance. 

In the end, it is about trust more than compliance.