The Global IT Crisis and Third Party Vulnerabilities

Over the past year we’ve written here about the European Union’s implementation of the Digital Markets Act (DMA). It is the biggest experiment yet in government restructuring of the technology industry, so understanding both the intended and unintended consequences of this new law is critically important. Europe is not only a gigantic market; legislation modeled on the DMA is also spreading around the world.

One of the main issues that we, and many others, have been concerned about is the DMA’s third-party requirements. As we wrote last year, “It seems impossible to square the circle between allowing any and every unvetted app onto devices and maintaining or ensuring the security and privacy of consumer, enterprise, critical infrastructure, and government users, networks, and data.” Today’s infrastructure is hyperconnected: we use our devices seamlessly across most facets of our personal, professional, and economic lives, so a problem on one network can spread quickly and expansively.

This week’s global IT outage, which grounded planes, stymied hospitals, and disrupted critical public services, exposed the depth of the global economy’s interconnectedness. The outage was caused by a faulty update from a third-party software vendor that took down systems across the globe. It was not the result of bad actors or malware, but it demonstrates how a small error by a single third party can ripple into large consequences around the world.

Fortunately, smartphones were unaffected by the global IT crisis. They are better protected because they employ a different architecture: third-party code must pass a robust vetting and app store approval process before it reaches devices, and it is denied access to core operating system functionality, which limits the damage an error in third-party code can do. However, these existing protections against third-party vulnerabilities are the very protections that the DMA is upending in Europe and that similar legislation is threatening around the world. Making matters worse, European regulators are now being encouraged to implement the DMA in a way that prevents vetting, notarization and review of third-party code, which would open our mobile ecosystem to an even wider range of newly mandated vulnerabilities.

By undermining the system designed to protect against both inadvertent and intentional third-party risks, the DMA could unintentionally open the door to widespread third-party vulnerabilities on mobile devices, for example by increasing the risk of a faulty update affecting tens of millions of devices around the globe.

This week’s global IT crisis, affecting businesses around the world, should be a wake-up call to us all. DMA requirements for mandatory third-party access to the operating system will make personal smartphones and tablets vulnerable to new and currently unimaginable threats. This means that the devices that individuals, who unlike most businesses do not have their own CTO, use for personal and sensitive purposes ranging from healthcare to finance to education would be at risk.

So instead of letting cascades of chaos keep rippling around the globe, we need smarter and more trustworthy approaches to securing our digital ecosystem.

Our recommendations for considerations and questions for policy makers, as well as recommendations for executives can be found here.