Senior Vice President, International Regulatory Affairs & Antitrust, U.S. Chamber of Commerce
May 04, 2022
As recent events have emphasized, the United States must lead the world in cybersecurity. On a daily basis, both public and private institutions face cyberattacks from hostile foreign actors as well as from routine cybercriminals. Security experts caution that Russia soon may ramp up cyberattacks against the United States and its allies.
Unfortunately, our cyber defenses are now under assault from another source: proposals in Europe and elsewhere that would compromise the ability of our technology companies to protect their cyber infrastructure from bad actors, to update their security systems, and to shield sensitive consumer data from unfriendly foreign governments. In response, Washington must defend the ability of American companies to protect the nation’s cybersecurity – and that includes leading by example.
In Europe, the new Digital Markets Act (DMA) threatens to compromise the world’s cyber defenses. Set to take effect next year, the DMA would allow developers to circumvent current security systems and place their software applications directly onto platforms with fewer security constraints. These provisions would also prohibit the platforms from restricting or downgrading these applications, including those with links to foreign governments often hostile to American interests.
Moreover, the DMA would require the platforms to share data more freely with their competitors, again including foreign competitors. As a result, foreign companies may gain access to sensitive consumer data, thereby making consumers more vulnerable to identify theft, phishing attacks, and other breaches of their privacy. Unfortunately, as former national security officials have pointed out, the DMA passed “without any consideration of national security repercussions” or “potential cybersecurity risks.” Indeed, some European policymakers appear not to care about security; a few days after revelations that spyware had infected the phones of many European public officials, Europe’s top digital regulator shrugged that her phone contained only “boring” information.
Other countries may follow Europe’s lead. Japan, India, Australia, South Korea, the United Kingdom, and other nations are becoming more assertive in terms of regulating the tech platforms, often, as in Europe, with a heavy focus on American companies. Within Europe itself, the European Commission must determine to how aggressively to enforce the DMA and how much deference to afford the security concerns (for instance, regulators are still working out the details of mandatory interoperability).
Leading by example
Against this backdrop, it is imperative that Congress reject proposals here at home that would further weaken our global cybersecurity. Like the DMA, the American Innovation and Choice Online Act (AICOA) and the Open App Markets Act would require American companies to share sensitive data with their foreign counterparts. For example, AICOA would forbid covered platforms from “materially restricting” a business’s access to interoperate with the platform’s features that are available to the platform’s own products, or to “materially restrict” a business from accessing data generated on the platform by the business’s activities. Remarkably, AICOA also constrains a company’s ability to update its own software, in ways that could deter the company from addressing security concerns.
On both sides of the aisle, many senators have highlighted some of these security concerns. At a markup on the bill, Senator Diane Feinstein pointed out that, “this bill would prevent companies … from taking steps to ensure that an app is safe before you download it from your phone. This makes no sense. We're requiring companies to take down protections that are in place today and instead allow hackers, and those looking to steal personal data and to access the devices.” Senator Alex Padilla worried that “consumer privacy and cybersecurity don't seem to be consideration or priority in the bill.”
Turning to national security, Senator John Cornyn noted that the bill would facilitate “the relentless ability and willingness of the Chinese Communist Party and the People's Republic of China to vacuum up private data and use it for its own purposes.” Senators Patrick Leahy, Chris Coons, Jon Ossoff, and others all raised similar concerns about the bill’s harmful impact on privacy, cybersecurity, and national security.
With the Biden Administration, the national security team also may share these concerns. For instance, although the Justice Department recently issued a letter that sets out qualified support for AICOA, neither the Department’s National Security Division nor its Criminal Division signed onto the letter. Moreover, during the markup on AICOA, Senator Feinstein asserted that “federal agencies have concerns about these provisions.” Indeed, President Biden himself recently pointed out that the United States is facing an extraordinary threat from Russian cyber-attacks, and the private sector “must accelerate efforts to lock their digital doors.”
If enacted, however, these proposals would compromise our defenses at home and our ability to encourage cybersecurity around the globe. The United States would have less ability to persuade foreign governments to maintain tight cyber defenses if Congress is undermining those defenses here at home.