Since it took effect earlier this year, the European Union’s (EU’s) Digital Markets Act (DMA) has had a significant impact on the digital economy, and digital security, across Europe. While intended to make the digital economy fairer, it has obliged changes across digital markets—perhaps most notably in mobile devices, where it has, among other changes, compelled the opening of devices, such as iPhones and Google phones, to alternative app stores and even the ability to install applications from the open web.
Unfortunately, such changes create new security challenges, prompting Apple and Google to implement new security measures, and fees, to provide an additional level of protection to end users from potentially malicious apps. It is unclear how successful these measures will be and what the long-term security implications for end users will be. As other countries, such as Japan, India, and even the U.S., consider similar legislation, they should pause and see what the security implications are, particularly in light of increasing mobile device threats from Chinese, Russian, and even European actors.
What is uncertain is not if, but how much of a security impact the DMA’s changes to app acquisition and installation will have on consumers. Ultimately the changes imposed by the DMA increase the attack surface facing mobile devices—more app stores and a greater ability to install apps directly from the web will definitionally lead to more users clicking on links in their browsers and messages to install free or discounted apps and an increased chance that users will install malicious apps.
Poorly regulated and curated app stores are havens for malware-laden apps, something we’ve seen in China for years. Further, it is unclear what security provisions will be in place in emergent EU app stores, such as human review, especially given the limited number of requirements in the DMA. This is concerning given the constant stream of threats we’ve observed from bad actors, nation states and otherwise. These perpetrators leverage multiple vectors to push malware and spyware to mobile devices. These efforts ultimately rely on end users installing malicious apps or clicking on malicious links, such as those promising a free app.
Paradoxically, the DMA’s negative impact on device security runs contrary to the EU’s own digital security efforts, including the recently approved Cyber Resilience Act. This act, the EU’s largest effort to enhance cybersecurity across the digital ecosystem, was meant to enhance the very device cybersecurity that the DMA seems to weaken.
Unfortunately, the DMA may be part of a larger pattern in which the EU deprioritizes cybersecurity as it pursues other policy goals, a trend observed by the Munich Security Conference’s CEO, Benedikt Franke. This approach seems particularly unhelpful considering the serious threats posed by existing flaws in our devices, like those exposed in March in the XZ backdoor that was nearly incorporated undetected into two of the largest Linux distributions in the world.
The potential consequences of such security flaws inevitably impact everyday users, but can have a much greater impact on activists, politicians, and other high-profile individuals. Recent campaigns from bad actors have targeted the mobile devices of EU parliamentarians, Indian embassy staff, U.S. and British government staffers, and Middle Eastern human rights advocates. These campaigns not only compromise sensitive government data but imperil the lives of activists and opposition figures who may be targeted by authoritarian regimes like those in Russia and China.
In this environment, countries considering their own version of the DMA should be cautious and learn from the EU’s efforts before acting. Just as we in the U.S. often refer to the states as “laboratories of democracy,” I would encourage us to look at the EU as today’s digital market and security laboratory, an opportunity to understand how regulations like the DMA ultimately impact cybersecurity.
The EU, technology providers, and non-governmental organizations can and should collect data on the impacts that the DMA, and other regulations, have on device cybersecurity in Europe, and share this data to inform other governments considering similar actions.
Key questions should include: what regulations are necessary for online marketplaces? Are the app validation and verification measures put in place by Apple and Google working? Are user behaviors changing in ways that make them more vulnerable? Do DMA-related changes to messaging platforms impact the volume of phishing and malware threats?
The DMA’s impact on device security seems counterproductive in an increasingly fraught threat environment and contradictory to stated aims to enhance cybersecurity across Europe. Those countries considering following the EU’s lead would be wise to look to the real-world outcomes of the DMA before choosing to follow suit. The EU should also reevaluate its approach to security through the DMA as its real-world impacts play out.
Michael Chertoff is executive chairman of the Chertoff Group, a security and risk-management firm with clients in the technology sector, some of whom have an interest in this topic. He served as the second U.S. Secretary of Homeland Security, 2005-09. He is the author of Exploding Data: Reclaiming Our Cyber Security in the Digital Age.