Undermining The Gatekeepers of our Cybersecurity
Citizens expect their governments to keep them safe and secure. That is why we have a wealth of regulations governing everything from food and medicine safety to consumer goods, traffic, and almost every other aspect of daily life. Companies have an interest in keeping their customers safe as well, and in the digital sector, that often means protecting users from other users. “Gatekeepers” play an essential “gatekeeping” role, keeping bad actors out of their ecosystems. But the Digital Markets Act (DMA) seeks to change that, exposing users to security and safety risks for the sake of “contestable and fair” markets.
Privacy, Security, and Competition
Safety and privacy are core components of platforms’ added value. Instead of sharing your credit card details with dozens of merchants, app developers, or hotels each year, you can share them once, with your trusted gatekeepers of choice, and know that if there is ever a dispute, you will be taken care of. That’s what made these platforms successful at aggregating users. Whether it’s alerting users to email fraud, warning them of counterfeit goods, or scanning apps for malware and viruses, platform operators play an important role in keeping users safe.
The importance of security and privacy as an element of competition is confirmed over and over again. It’s been decades since Apple first distinguished itself from Windows by pointing to the latter’s susceptibility to viruses and malware. Most recently, DuckDuckGo has won a growing user base by marketing its privacy focus. Experts at the OECD, the UK Competition and Markets Authority and the French competition authority have confirmed the role that competition plays in increasing privacy and security as well.
Security Concerns with the DMA
The DMA puts gatekeepers’ security measures at risk. In order to give users more “choice”, the DMA would open up platform infrastructure, exposing it and making users vulnerable. Even worse, the DMA’s obligations on platform openness are heavy-handed, and don’t make room for differentiation between platforms or business models. A cloud service, an operating system, and a mobile device must be made to be as open as a messaging service, an app store, or a marketplace. It might sound good in theory, but cybersecurity experts will tell you it could be a nightmare in practice.
Even worse, the DMA could prevent gatekeepers from taking active steps to protect users. For example, Article 5(a) would prohibit gatekeepers from using cross-service data analytics to identify threats or fraudulent activity. But analysing data from across different services is precisely how gatekeepers identify bad actors. Other obligations, like Article 6.1(f), would undermine gatekeepers’ security innovations, forcing them to share security technologies with the same bad actors who seek to find loopholes around them.
Unless legislators decide to put in some safeguards, the DMA could make it much harder for gatekeepers to do their job. The DMA could be “a cybercriminal’s best friend” at a time when cybercrime is entering a “golden era”, causing hundreds of billions of euros in damage despite gatekeepers’ best efforts. Tying gatekeepers’ hands by mandating openness and disabling security innovations seems to contradict both the European Parliament’s desire to increase Europe’s cybersecurity, and the European Council’s recent emphasis on “the necessity to reinforce action in the fight against cybercrime”.
How can legislators square the circle? Ambassador Wolfgang Ischinger, who chairs the Munich Security Conference, recently suggested “examining policies from every angle to ensure that they do not create unintended loopholes and problematic knock-on effects, or even increase the attack surface for those seeking to undermine the integrity and value base of liberal societies.” That means carefully balancing the desire to increase “choice” and the risk of increasing users’ vulnerability to cyber threats.
At the end of the day, most consumers aren’t cybersecurity experts; they expect companies, organisations, and governments to keep them safe. Failing to meet these expectations wouldn’t just undermine trust in the DMA, it would undermine trust in Europe’s digital economy. Policymakers should try to avoid that if they truly want a DMA that is fit for the digital age.