This op-ed was originally published in Fast Company.
By Adam Golodner
Recently, I attended the annual Munich Security Conference and came away with a deepening concern about what I’m calling the “trifurcation” of the global technology ecosystem. That ecosystem is already bifurcating as the West and China pull away from each other’s products and services, splitting global networks and data flows in two. This balkanization is driven by each side’s lack of trust in the other’s products, services, and use of data. The European Union is now adopting policies with the unintended consequence of turning that bifurcation into a U.S.-China-E.U. trifurcation, but I believe there is still time for the E.U. to pause, understand the consequences, and course-correct.
THE CONSEQUENCES OF UNDERMINING SECURITY
My trifurcation concern is based on recent policy initiatives of the European Commission, including the Digital Markets Act and the proposed Cyber Resilience Act. Both would create Europe-specific technology requirements and have the unintended consequence of undermining the security of products and services used in consumer, enterprise, critical infrastructure, military, and intelligence networks in Europe.
I believe the European Union, and each of the Member States, should recognize the consequences of unintended trifurcation and undermining of security, and find a path forward that avoids these consequences—particularly at a time when like-minded democratic countries are rallying around the importance of preserving an open, safe, secure, and interoperable global network.
The recently passed Digital Markets Act is intended to be an economic competition regulation that restructures the rules by which large technology companies can do business in Europe. One of its provisions would force smartphone producers to allow millions of unvetted apps onto their devices, in place of a model in which only apps from official app stores are permitted: apps that have been vetted for security and privacy, are subject to removal for malicious activity, and are required to be safely patched and updated to protect the user.
Device producers have the incentive to ensure the safety and security of the device and its ecosystem, and this is one reason why national security and consumer-protection agencies around the world (including the NSA, GCHQ, Europol, CERT-In, CERT NZ, and the FTC) recommend, as a best practice, downloading apps only from official app stores. Further, the DMA would force the phone producer to allow these unvetted apps to interoperate with the underlying software and hardware of the device. As one would imagine, both of these requirements would be a malicious actor’s dream and would greatly expand the attack surface of the device.
THERE IS STILL TIME TO ACT
While the European Commission did not intend to undermine the security and privacy of every user in Europe (the same device is used in consumer, enterprise, critical infrastructure, military, and intelligence networks), that is the predictable consequence of these provisions. Currently, the Commission is undertaking a process to determine how to implement the provisions of the DMA, and there is still an opportunity to pause implementation (under Article 10 of the DMA) until the national and public security issues can be resolved. As the Member States reserve the “competency” (jurisdiction) over national security issues, I believe they should exercise that inherent power here.
A similar Europe-specific, unintended security consequence arises from the European Commission’s proposed Cyber Resilience Act. The CRA would create a Europe-wide technology product certification scheme requiring most products sold in Europe (including routers, browsers, mobile operating systems, network interfaces, public-key infrastructure, high-risk AI systems, and many others) to be designed, developed, and produced as specified by the European Commission, under a heavily regulatory structure that gives the Commission broad discretion to set the requirements.
Although the CRA indicates that the Commission may accept product certifications from other countries, it is left to the Commission to decide whether any such alternative certification is acceptable. As set out above, the same commercial products that are used in consumer networks are used in enterprise, critical infrastructure, military, and intelligence networks, and the effect of the CRA is that Brussels will dictate the design and development of the products used in all of these networks.
WHERE DO WE GO FROM HERE?
Besides slowing innovation and security through the creation of a heavily regulated environment, and creating trade barriers, I believe that having European Commission agencies design, develop, and set production requirements for complex commercial products will have the unintended consequence of making us less, not more, secure. This is another area where Member States, which retain national security “competency” and whose national security agencies already participate in the global Common Criteria product evaluation scheme (based on “protection profile” criteria developed by industry and approved by the agencies), might weigh in to curb any trifurcation and adverse security effects.
The European Union, and each of the Member States, should pause, recognize the unintended trifurcation and undermining of security these initiatives would cause, and course-correct their paths forward. United States policymakers have considered and rejected DMA-like initiatives. They should take on board the lessons learned from these European initiatives, ensure they apply a security and trust screen to any proposed legislation or regulation, and urge their European partners not to trifurcate, or make less secure, global networks—particularly in the face of current grand geopolitical challenges. U.S. and European interests are aligned here and reinforce each other. An unintentional trifurcation of global networks and loss of security would be counterproductive.
I believe technology producers and users should likewise weigh in with the European Commission and each of the Member States, urging them to course-correct and not further balkanize products and networks or undermine security and trust. Technology has never held greater promise to benefit the world, but in my opinion, that promise will only be fully realized when we have trust in the products and services we use today and tomorrow.
Adam Golodner is the Founder and CEO of Vortex Strategic Consulting and the Co-Chair of Trusted Future.