Big Ideas: “The greatest threat to society is the loss of people’s confidence in the capacity of their governments to act in cyberspace” with Martin Schallbruch, Visiting Fellow at Stanford University

Martin Schallbruch is Deputy Director of the Digital Society Institute at ESMT Berlin and Visiting Fellow at the Hoover Institution, Stanford University. For more than 15 years he was Director General for Digital Society and Cybersecurity in the German Federal Ministry of the Interior.

Thank you so much for doing this with us! Can you share with us the story of how you decided to pursue this career path?

All my life I have been interested in information technology and law. Since studying computer science and law, I have spent my entire professional life at the nexus of the two fields — and made legal issues of digitization the focus of my work. Cybersecurity is a core and crucial issue of digitization: it combines personal trust in technology with the protection of our digitized society and global stability in cyberspace.

You have a huge amount of experience in German cybersecurity. Can you tell me what the biggest threats to business are?

The greatest threat for a company is the loss of controllability of its digitized business model. In the context of virtualization, mobile applications, and the introduction of machine learning, companies can no longer assess which technology, which server in the network, or which provider they depend on. It thus gets harder and harder for them to protect themselves sufficiently against cyber attacks and maintain competitiveness and innovation.

And how about the biggest threats to society?

The greatest threat to society is the loss of people’s confidence in the capacity of their governments to act in cyberspace. The state’s weakness in dealing with digitization, its helplessness against cyber attacks, and the creeping takeover of state tasks by global digital platforms all promote state disenchantment and populism.

Data thefts appear to be becoming more common. What could the consequences of a widescale data leak be?

Data draws an ever more accurate picture of each individual, of all communication, of all actions, of all preferences. Data thieves can use data as a weapon: a large data leak, such as that experienced by top politicians in Germany at the beginning of 2019, can shatter confidence in a person and damage his or her reputation. Leaks of data from political decision-makers can also affect people’s trust in politics. The situation is similar for companies. The credibility of a company can be severely jeopardized by the publication of sensitive data.

The government wants to standardize 5G. How dangerous is Huawei for Germany?

The 5G network will require a new infrastructure that will last for decades and is one of the most critical infrastructures of all. The question of which technology will be used at the core of this infrastructure must be based on the highest level of trustworthiness. This also means that the relationship between the technology provider and foreign governments must be transparent and comprehensible. At least that is questionable for Huawei. Irrespective of concrete dangers, Europe should rely on existing European suppliers for such key technologies.

Why does the government not just ban Huawei?

Technologies and providers are developing rapidly in the telecommunications sector. It is therefore appropriate for the government not to exclude individual providers but to set clear criteria for all providers so that the market can follow these. Those could include, for example, that a company’s headquarters and management be located in Europe, an audit of the security measures, a presentation of the legal obligations towards foreign governments, etc.

What are the alternatives?

Europe currently still has several suppliers of telecommunications equipment, such as Ericsson and Nokia. Their systems are used, for example, in the USA for the 5G installation.

Can you tell me about the most interesting projects you are working on now?

ESMT Berlin, home of the Digital Society Institute

Together with my Stanford colleague, Andy Grotto, I am currently working on a study called “Comparative Cybersecurity Governance U.S.-Germany”. We compare the different legislation and standardization of critical infrastructure cybersecurity. We see here a mixture of horizontal and sectoral regulation, as well as an ever stronger fusion of safety, security, and privacy regulation. Our goal is the preparation of proposals as to how we are to achieve transatlantic convergence here.

Another focus of my current work is the future of European antitrust law: As a co-chair of the German government commission “Competition Law 4.0”, I am working on recommendations for platform regulation, data access, and cooperation in digital ecosystems. It is our goal to modernize European competition and antitrust law to help European companies to increase innovation and competitiveness.

I’d like to know more about your book, Weak State in the Network. What’s it about?

As a government official, for more than 15 years I was responsible for core issues of digitalization policy in Germany. The book traces the development of network and digital policy in Germany since the year 2000, based on my sometimes very personal experience. The key finding is that our democratic state with its institutions and procedures is struggling to find its role in the digital space. With my book, I try to work out the causes of the digital weakness of the state and to present specific proposals on how politics can maintain the effectiveness of the state — also in the digital world.

What are your predictions for cybersecurity over the next five years?

My expectation is that in the next five years we will experience a very contradictory development: on the one hand, the cyber-security regulation will increase more and more, the legislators will adopt new rules rapidly. On the other hand, cyber attacks will continue to increase in seriousness and frequency, especially in the area of critical infrastructures and safety-critical applications. We are still a long way from seeing security requirements having a comprehensive effect in practice. Technical development is much too fast for this.