New US tech laws play Russian roulette with cybersecurity


Fifteen years ago, the Estonian government that I formed decided to move a statue.

Unveiled by the Soviet regime in 1947, the Bronze Soldier was originally called the “Monument to the Liberators of Tallinn”. But for Estonians, Red Army soldiers were not liberators. They were occupiers. And the bronze soldier in the center of our capital was a symbol of Soviet oppression.

So, in 2007, I approved moving the Bronze Soldier from the center of Tallinn to a cemetery on the outskirts of the city.

The decision sparked outrage in Russia. This led to the first known state-level cyberattack, a modern form of hybrid warfare. Online services of Estonian banks, media groups and government agencies were blocked by massive waves of spam that overwhelmed our servers. ATMs and online banking services were shut down, government employees were unable to communicate with each other, and newspapers and broadcasters were unable to disseminate information.

The fallout was seismic.

Fast forward to the present day, and we see the West embroiled in what is effectively a proxy war in Ukraine. As a result, European and American digital infrastructures have never been so threatened by Russia.

It is disturbing to see the European Union and the United States passing digital legislation that could increase the vulnerability of Western democracies just as Moscow is using non-military and coercive measures online, away from the traditional battlefield.

I am sure that the legislation in question, the recently passed Digital Markets Act (DMA) in Brussels and the imminent American Innovation and Choice Online Act (AICOA) in the US, was not intended to harm our cybersecurity. However, these laws will allow apps to be downloaded to all our smartphones without any security checks, increasing the risk of cyberattacks against individuals, communities, businesses and governments.

The increased risk of cyberattacks that this legislation will encourage is well known. It has been repeatedly reported by senior security officials, including the European Union (EU) itself. ENISA, the EU cybersecurity agency, detected 230,000 new malware infections per day in 2019. In early 2020, it warned that “users should not download apps if they are not from a legitimate and authentic source”.

A recent open letter signed by numerous U.S. defense, intelligence, and security officials said that, given the rise of authoritarianism and the exponential increase in cybersecurity threats, “it is imperative that the United States avoid the pitfalls of their key allies and partners,” adding that the EU’s DMA was “adopted without any consideration of national security implications.”

The DMA and AICOA, introduced by Sen. Amy Klobuchar (D-Minn.) and Rep. David Cicilline (D-R.I.), both aspire to give users greater freedom of choice, including the ability to download applications from almost any third-party platform. However, this opens the door to unwitting vendors with poor security and also allows malicious actors to exploit users’ private data or even intentionally mislead people into downloading malware.

This kind of freedom will encourage millions of us to play Russian roulette with our cybersecurity.

If left unchecked, these laws will give cyberattackers more opportunities to prey on individuals who, through no fault of their own, lack the technical knowledge to assess the risks presented by downloading apps. They will be powerless to protect themselves and their devices. The perils are many. Meaningful evaluation requires matching an app’s self-proclaimed description with its functionality and code, something almost no one knows how to do.

Soon, true tech experts, including tech companies that have invested heavily in the security of their systems, will be unable to rule out apps that mislead consumers or contain malware. Unfortunately, once these apps are allowed on a smartphone, they can spread to others through that phone’s contact list. This will harm individual consumers, but will also affect corporate networks through their employees’ mobile phones.

Regulation of digital competition and consumer choice is important. But this effort must also reflect the concerns of security experts and be more aligned with current crises, such as the war in Ukraine and in cyberspace. In Europe, DMA enforcement should include cybersecurity experts from agencies such as ENISA and Europol who can provide technical assistance. The alternative is that these new laws transform the West’s existing diverse and resilient security ecosystem into a “one size fits all” model, with the lowest common denominator. Attacking this type of system is much easier for our enemies than having to navigate through the different styles and approaches to security that the market currently offers.

Policymaking rarely benefits from being conducted in silos, without serious effort to avoid unintended consequences. Cyberattacks resulting from the unhindered sideloading of apps on smartphones and unchecked interoperability between messaging services should not be the legacy the lawmakers behind DMA and AICOA leave to themselves – or to the rest of us. On the contrary, lawmakers should ensure that the implementation of these new laws provides real freedom of choice for technology under conditions that benefit Western democracies more than those who wish to harm us and our way of life.

Toomas Hendrik Ilves is the former President of Estonia.

The opinions expressed in this article are those of the author.