Adam Golodner:
Is the European Commission cyber serious—and are executives tracking the cyber future?

This op-ed was originally published in Fast Company.

Executives and boards today must pay attention to global public policies and act to protect their interests, customers, and trust in their brand. Proposed laws or policies that seem to be far-afield often carry provisions that can cut to the heart of your ability to drive innovation, security, and markets. It is vital to systematize a process of staying ahead of the public-policy curve.

I have written before about the cyber security pickle the European Commission has gotten itself into by passing the Digital Markets Act. The DMA was passed under the banner of a “competition law,” which predictably has the unintended consequence of undermining cyber security in enterprise, critical infrastructure, consumer, military, and intelligence networks and data across Europe.

Warnings from security experts were disregarded before passage. The DMA would force mobile phone producers to assist with the "side loading" of millions of unvetted apps onto phones and to grant those apps core access to the underlying software, hardware, and data residing on the device. Simply put, opening hundreds of millions of mobile devices to malign actors in the midst of ongoing global cyber conflict is a problem.

The EC now, arguably, publicly acknowledges this problem and has issued a tender for a report studying the issue. What remains to be seen is whether the study will ask and answer the real and deep cyber security questions raised by the mobile device provisions of the DMA, or whether the EC will commission a study driven toward a predetermined result and meant to paper over the fundamental problems.

EIGHT QUESTIONS FOR AN EFFECTIVE STUDY

The €300,000 tender is for a six-month study of the "possible" security issues and "solutions to mitigate" the risks. An effective study should ask and answer the following primary questions:

1. Will these DMA mobile device requirements undermine security in enterprise, critical infrastructure, consumer, military, or intelligence networks and data?

2. If yes, why shouldn’t the EC prohibit implementation of these provisions pursuant to DMA Article 10 which gives the EC discretion not to require actions that would harm the public security of the EU?

3. In what ways are the national security agencies of multiple countries (including the NSA, GCHQ, EUROPOL, India CERT, NZ CERT, and the FTC) wrong when they say users should only use vetted and maintained apps from the official app stores, and how would the agencies' concerns be addressed?

4. Have the solutions or mitigations the study proposes been tested in real-world environments on actual, specific devices and against the actions of malign actors? If not, why would you inject them into or onto all EU devices?

5. Who has run red-teaming against any proposed mitigations, and are the full results of that red-teaming public in the study?

6. Have the risks and proposed mitigations been assessed for each of the substantially different risk and consequence categories—enterprise, critical infrastructure, consumer, military, and intelligence networks and data? And how are the risks different?

7. How did the authors assess the DMA's impact on devices without access to source code, low-level design, security offense and defense history, trade secrets, supply chain practices, or malign actor playbooks?

8. Have Member State national security agencies fully reviewed, stress-tested, and agreed with the content of the study?

Addressing all of these questions, and being qualified to address and execute against them, are minimum requirements for a study that is clueful and worth considering.

A BIG PROBLEM WITH A USEFUL LESSON

Having said this, the EC's apparent public recognition that it has a big security problem offers a useful lesson: policymakers should do a conclusive security screen up front, before legislation is proposed or passed, not after it is passed.

In the DMA use case, there is an irony. One must ask: Is the EC harming security for all the wrong reasons? The EC proposed the DMA to address perceived “competition” issues. However, the only court to have addressed whether the requirement to use official app stores violated the antitrust laws found it did not, and given the security benefits and associated market differentiation, found it is procompetitive.

Lessons countries considering DMA-like legislation under the guise of "competition" (including Australia, Brazil, Canada, India, Japan, Turkey, and the U.K.) should also learn are:

1. Creating and maintaining a differentiated secure official app ecosystem for customers is, as the Ninth Circuit said, actually procompetitive.

2. Do not incorporate DMA-like requirements for "side-loading" thinking the security will be OK, that you can fix it later, or that you can paper over it with a study. Core cyber national security in today's world simply matters too much. As the U.S. Congress did when it rejected DMA-like legislation, look at the security impact first, then refuse to undermine security.

FIVE ACTIONS FOR CORPORATE EXECUTIVES

What should corporate executives do to avoid outcomes like the DMA or other proposals that might seem far-afield but really are core? Five things:

1. Recognize every company today is an information technology company, and your business, customers, and investors need a safe and secure IT environment—just ask the U.S. Securities and Exchange Commission, which is bringing actions over security.

2. Track global policy initiatives. Recognize there are economic and political interests pushing policies for their own reasons that will impact you and can undermine security and trust.

3. Ask your Chief Information Security Officer to review policy proposals for security and trust impacts.

4. Engage and inform policymakers. Don’t leave impacts on your business in the hands of others. This includes the DMA-like laws now being debated globally.

5. Recognize that in a world where emerging technologies like AI, quantum, and autonomy meet global cyber conflict, you should act to both secure your future and ensure policymakers do not make the ecosystem worse.

As leaders, we each have a responsibility for the development of the technology future and the policies that shape it. Engage, and help drive that future.

Adam Golodner is the Founder and CEO of Vortex Strategic Consulting and the Co-Chair of Trusted Future