This op-ed was originally published in Fast Company.
Last fall, I gave a talk at the annual global meeting of national security agencies working to ensure information technology products are secure and can be trusted.
My talk was entitled “National Security Agencies: Time to Weigh in on Legislation Affecting Security.” I knew it was a bit risky to urge the world’s technical security experts to get involved in big policy issues. Thankfully, once the adverse impact that non-security legislation was having on national security had been explained, the talk was well received.
In February, I participated in the Munich Security Conference and co-hosted a side-event dinner on the cyber operations happening in northern, central, and eastern Europe—all increasingly targets given Russian aggression against Ukraine and Russia’s desired spheres of influence. During and after the Munich event, representatives of the United States government made it clear that they are pivoting away from security alliances with Europe, rolling back U.S. support of Ukraine, and looking for Europe to increase its own defense and security spending and operations.
This makes my charge to security agencies—particularly in the 27 member states of the European Union—to get involved and bring their expertise to civil legislation and regulation even more critical and timely.
U.S. cyber and counterterrorism intelligence sharing has been critical to member states’ defense and deterrence, and this dramatic change in defense posture in Europe demands attention from business executives. Executives and chief information security officers must work with national security agencies and the European Union to change the direction of pending EU laws and enhance new sources of cyber information sharing.
The EU’s Cyber Dilemma
If the U.S. reduces cyber intelligence operations against Russia, as it announced, or pulls back from joint U.S.-EU and U.S. member state cyber military and intelligence activities, as EU leaders fear, the EU could face limitations. This would leave member states more isolated, especially if the EU itself restricts sharing with the U.S. over security concerns. This means the EU and member states have to up-level, not undermine, cybersecurity across devices, networks, and data.
As I’ve written before, the European Commission has given preference to non-security policy goals, such as restructuring the technology marketplace in Europe and unintentionally undermining the security of critical infrastructure, enterprise, consumer, and military networks and data through new laws like the Digital Markets Act. The DMA is forcing open the mobile device “box” and requiring device providers to allow unvetted mobile apps from all sources—hostile nation states, criminals, privacy abusers, and pornographers—onto the box, and forcing device providers to grant those actors deep interoperability with the underlying operating system, with no attention to security.
This forced opening of the mobile device box to all comers not only undermines security in the mobile ecosystem, but also introduces vulnerabilities into EU-based businesses.
Instead of using mobile devices with security built in, these security-degraded devices would now invite malware and surveillance to be bolted on by malign actors. This would make the devices in all executives’ and employees’ hands vectors for cyber exploitation—including the theft of sensitive data, tracking, bricking devices, and granting footholds into corporate networks.
As best practices from multiple national security agencies and the Common Criteria itself—including the Protection Profile for Mobile Devices—have made clear, this is just bad security. Period. Full stop.
It’s Time to Weigh In
What makes this situation even worse is the flawed DMA policy combined with uncertainty about the future scope of U.S.-EU information sharing about Russian cyber operations.
Member state national security agencies need to weigh in now with the European Commission and change the direction of the implementation of the security-affecting portions of the DMA. If the Commission won’t resolve these urgent security concerns with the DMA, the “break glass” Article 10 provision in the DMA can be pulled to stop these national-security-undermining provisions dead in their tracks.
The Role of Executives in the Future of Cyber Policy
Business executives can help by doing these four things:
1. Create security-focused industry organizations. Executives and CISOs can drive changes in these non-security policies that undermine security by creating new industry policy organizations to make clear that non-security policies should not undermine the security of their enterprises and customers.
2. Push for “security first” DMA implementation. Executives and CISOs should execute a strategy with EU Member State security agencies to ensure the EC changes course and implements the DMA with a “security first” implementation. If that can’t be achieved, member states should “break glass” and force a DMA Article 10 prohibition against moving forward.
3. Replace lost U.S. cyber intelligence with strategic partnerships. Right now, CISOs should plan for a partial loss of the U.S. cyber intelligence that has flowed through member state agencies to help protect their EU operations. CISOs should create enhanced industry-based info-sharing partnerships or try to replace government sources with commercial services.
4. Safeguard businesses and customers from damaging laws. Executives and CISOs should create and execute an industry-wide global strategy to track, weigh in on, and tweak or stop “civil” law proposals that undermine enterprises and customers.
Aligning Security and Legislation Before It’s Too Late
The need for the world’s leading executives and government national security experts to weigh in on non-security “civil” legislation stands on its own as an imperative. The convergence of this issue with what was said at the Munich Security Conference has made it unthinkable for executives and member states’ national security agencies not to weigh in.
Executives, set two meetings today: one with a member state security agency and one with the European Commission to get the DMA on the right security track. Let’s take care of it now, before it becomes too late even to “break glass.”