About the author: Chuck Brooks is president of Brooks Consulting International, and is a professor in the graduate Cyber Risk Management program at Georgetown University.
Congress recently introduced bipartisan antitrust legislation that has raised concern in the national security and cybersecurity communities. Large tech companies are claiming that the legislation may undermine user cybersecurity and privacy if users can download applications straight from the internet onto their devices.
Congress is considering two pieces of legislation. Sens. Richard Blumenthal (D., Conn.), Marsha Blackburn (R., Tenn.), and Amy Klobuchar (D., Minn.) introduced the Open App Markets Act. It is designed to “promote competition and reduce gatekeeper power in the app economy, increase choice, improve quality and reduce costs for consumers.” Sens. Klobuchar and Chuck Grassley (R., Iowa) sponsored the American Innovation and Choice Online Act, which would prohibit tech platforms from “favoring their own products or services, disadvantaging rivals, or discriminating among businesses that use their platforms in a manner that would materially harm competition on the platform.” These would bring significant changes to smartphone users, notably requiring iPhones and Androids to allow competing app stores on their phones.
Attorneys and various policy interest organizations have weighed in and offered ample arguments in support of, and in opposition to, the proposed legislation. Antitrust law considerations are at the forefront of the debate. However, cybersecurity and national security concerns arise as well. Some companies have even claimed that significant changes allowing access on proprietary digital platforms would increase the risk of malware attacks and privacy breaches. They argue that opening their proprietary mobile operating systems up to third-party alternatives would allow insertion of malware and infiltration by hackers and foreign companies that can potentially jeopardize intellectual property and consumer safety.
Is reducing gatekeeper platform power a wise security action? The proposed legislation’s provisions that mandate equal access to user data do raise valid cybersecurity concerns—and therefore warrant thorough examination.
From an objective cybersecurity perspective, we are now facing an exponential growth in risk and frequency of breaches in the evolving digital ecosystem. Attacks on businesses, organizations, and government agencies are at an all-time high. Moreover, the sophistication and coordination of adversary state actors and criminal gangs are alarming, particularly in their ability to threaten critical infrastructure and vital service verticals such as health, telecom, finance, and energy. Against that challenging backdrop, it is appropriate to assert that security policy concerns need to be elevated to address ever-evolving cyber threats.
Technically speaking, companies’ security concerns aren’t off base. It is quite possible for malware, especially the ransomware now commonly used by hackers, to exploit any walled-garden operating system. Nothing is invulnerable. As we have witnessed in a series of high-profile hacks during the past year, including SolarWinds and Colonial Pipeline, cybersecurity is more of a quest than a certainty. Adversaries are always seeking vectors to compromise targets and are now automating attacks using advanced technologies such as artificial intelligence and machine learning to find vulnerabilities and execute breaches.
Installing any software application nowadays poses a cybersecurity threat from undiscovered misconfigurations, zero-day vulnerabilities and clever spoofs. Adding unverified third-party access and interoperability to operating system platforms on both Google and Apple products would make centrally orchestrating security and preventing downloading of malicious apps a more difficult task.
The interoperability focus of allowing third-party apps to be sideloaded is a legitimate cybersecurity concern. The term sideloading means adding an application that has not been approved by the developer of the device’s operating system. Such apps can pose cyber risk, especially if they have not been rigorously vetted and penetration tested by the developers and the platform host. Sideloaded apps may contain code that grants hackers privileges that can be used to steal personal data or download malware to devices.
Many of the applications that would be introduced by small- and medium-sized companies in an open system would lack the proprietary and advanced cybersecurity tools and solutions used by larger tech companies, which have developed software and processes to identify and discover gaps that can leave data and user privacy insecure. These larger tech firms have already made considerable investment in medium and small companies that work within their networks as partners. According to the research firm CB Insights, big tech companies invested approximately $2.5 billion into supporting cybersecurity companies that develop products which protect everything from login credentials to credit card information and Social Security numbers.
The proposed legislation does not force Google, Apple, and others to add unscreened apps to their products. However, in order to comply with the proposed legislation, Google, Apple, Amazon, and other companies would need to allocate the time, budgets, and especially expertise to screen third-party applications added to their platforms. That activity itself can be challenging, and costs could be passed on to consumers, which would in turn limit any consumer economic benefits the proposed legislation would generate. Paradoxically, in an effort to promote competition, the proposed legislation may result in the unintended consequence of diminishing user privacy and security.
Broader national security concerns also need to be prioritized. The fact is that as cybersecurity has become a component of asymmetrical warfare, adversaries have become adept at preying on the commerce of open societies. The geopolitical and digital threat matrix is now quite complex and, accordingly, policies that may increase risks need to be debated for national security concerns as well as economic ones.
The Brookings Institution recently hosted a roundtable on “protecting national security, cybersecurity, and privacy while ensuring competition.” The participants recognized that “foreign actors such as China do not share our commitment to competition as a fundamental rule of law principle and may well try to take advantage of any antitrust outcomes that limit what U.S. tech platforms can do…. As such, it is important to guard against any foreign actors who may take advantage of code sharing or interoperability requirements to facilitate malware attacks, data breaches, surveillance, or economic espionage.” A takeaway from the roundtable was that “it is still possible to legislate—and litigate—outcomes that both facilitate competition and set up guardrails against national security threats.” That can only be true if legislation is thoroughly evaluated for security concerns and to promote joint research and development.
More debate and extended investigation into the impact of the legislation would be a desirable choice. The Department of Homeland Security, the Department of Defense, the Intelligence Community, and the relevant national security committees in the House and Senate should be called upon to determine what implications the proposed legislation and other antitrust legislation may have on morphing cyber threats. Those institutions could also provide pathways to coordinated strategies and standards with industry so that both the public and private sectors can be competitive and yet secure.
Guest commentaries like this one are written by authors outside the Barron’s and MarketWatch newsroom. They reflect the perspective and opinions of the authors. Submit commentary proposals and other feedback to [email protected]