Adam Golodner:
Legislation should not make security worse: How executives can take action

This op-ed was originally published in Fast Company.

In September, I moderated a discussion in Brussels for the Munich Security Conference focusing on tech regulation in a time of strategic rivalry. The focus was on the very distinct and different approaches to regulating tech between the U.S. and the EU and the geopolitical implications of these policies.

The MSC brought together senior officials from the European Commission, European Parliament, EU Member States, the U.S. Executive Branch, NATO, and industry to discuss the issue. It was a deep and meaningful discussion and helped clarify issues and move the needle.

THE EU APPROACH

A top-line concern was the security and strategic rivalry impact of a continuing line of European Commission commercial regulation of technology that has or will unintentionally undermine national security.

For example, the Digital Markets Act would force mobile device makers to allow millions of unvetted apps (including from malign actors) onto smartphones across Europe.  

The pending EU Cloud Certification Scheme would require a cloud provider to be EU-owned before it could store sensitive information, limiting access to best-in-class cybersecurity capabilities.

In addition, the pending Cyber Resilience Act would require technology companies to report unfixed product vulnerabilities to EU governments within 24 hours. Collecting details of unpatched flaws in government hands would open the door to active exploitation of systems and create a target that could be exploited by malign actors or by governments themselves.

THE U.S. APPROACH

In contrast, the U.S. approach is focused on efforts to prevent regulatory roadblocks that could stifle agile security solutions and has sought to harness innovation as a national security advantage. To that end, the U.S. Congress has invested in innovation and rejected proposals like the DMA, cloud localization, and government-mandated product and services design given the non-trivial and predictable adverse impacts on commercial and national security.

In my mind, five takeaways emerged from the discussion:

  1. The U.S. and the EU should keep geopolitics at the forefront and understand and drive policies through that lens.
  2. The security impacts of legislation, even legislation proposed for a non-security purpose, matter and need to be completely and clearly understood. 
  3. The EU would benefit from a chief security officer who could apply a “security screen” for all new EU proposals.
  4. The U.S. and EU should create a new action group—what I’m calling the Transatlantic Security Action Group—of high-level officials to create substance-based objective principles to security screen any new policies on both sides of the Atlantic. 
  5. Keep it simple. Legislation should not make security worse.

IMMEDIATE IMPACT

So, what can be done to have an immediate impact?

  • Form the Transatlantic Security Action Group (TSAG) by December, co-led by a U.S. official and an EU official. These officials should have authority over both national security and economic issues (perhaps the White House Chief of Staff and the EC Justice Commissioner). TSAG should include Committee leaders from the Legislative Branch, leaders of the national security agencies (including from Member States), and active industry outreach and engagement.

  • Task the TSAG with creating guiding principles for legislation and regulation affecting technology by June 2024—then implement them. I have been concerned about the growing “trifurcation” (U.S.-China-EU) of technology and networks given the EU’s regulation path, and one foundational principle should be to reverse the growing U.S.-EU bifurcation.

  • Get ahead of and stem ongoing policy streams that could undermine commercial and national security. One area that needs immediate attention is the spread of DMA-like “competition” laws (that, like the DMA, would unintentionally undermine the security of mobile devices used in consumer, enterprise, critical infrastructure, and government networks) under consideration in countries like Australia, Brazil, Canada, India, Japan, Turkey, and the U.K.

In October—a year after the DMA became law—the EU issued a tender for a study to examine the non-trivial security impacts of forcing mobile phones to accept millions of unvetted apps. A real security review would reverse this policy. The time for being concerned about national, enterprise, and consumer security is before passing legislation—not after.  

  • National Security officials in those countries looking at DMA-like legislation should immediately engage with policymakers and competition officials to avoid the serious adverse security consequences of opening up the smartphone device to all comers. A good place to elevate this discussion is before, during, and after the G7 Joint Competition and Policy Makers Summit in Tokyo in November 2023.  

HOW BUSINESS LEADERS CAN TAKE ACTION

So what can executives do about all this? Here are five things:

1. Have a board discussion

Have a board discussion on the state of geopolitics (including U.S., China, EU) and probe how geopolitics is impacting your business and what to do about it.

2. Stage a tabletop exercise

Test what you would do if geopolitical tensions escalated and your supply chain, markets, and/or people were impacted.

3. Test your cyber security readiness

Have a second tabletop exercise to identify the three functions your company must be capable of sustaining in the face of a major cybersecurity incident that takes out all your IT systems and data. How could you keep these functions going?

4. Create a policy review and action team

Create a team led by C-Suite colleagues to formalize the review of pending policy proposals that affect the business and set an action plan to change course if needed.

5. Meet policymakers personally

Having intermediaries carry your message forward should be part of any engagement strategy. However, just as you already meet with your most important customers, you (and your key product and business leaders) should also meet one on one with policymakers.

FINAL THOUGHTS

The state of trust and security of the network and data, and the state of the geopolitical discussion among countries, will define markets and lives for decades to come. In my view, these are the defining issues for the next decade and more. Make this a topic for your next board of directors and leadership meetings, and then act.

Adam Golodner is the Founder and CEO of Vortex Strategic Consulting and the Co-Chair of Trusted Future.