Russia’s invasion of Ukraine shows that Europe’s defenses are fragile. The EU must learn and give more weight to security, including cybersecurity.
In the wake of the Russian invasion, European plans to regulate technology look like a relic of a bygone era. There is an urgent need to rethink the assumptions and purposes of the Digital Markets Act (DMA), the Digital Services Act (DSA) and the AI Act (AIA) – in fact, the entire Europe’s digital sovereignty agenda.
The problem? These European plans and proposals for technological regulations put security aside.
Although serious security issues have already been raised, European policymakers have found it easy to dismiss them as exaggerations or as mere excuses for “Big Tech”. The spirit of “we must do something” undermined security. This cost may seem justifiable in a world where full-scale war in Europe was unthinkable. But that’s not the world we live in anymore.
Security protections in DMA and DSA boil down to little more than waving your hand and hoping for the best. New regulations impose legal obligations that somehow expect tech companies to “nerd harder” and address risk. If something goes wrong, tech companies can always be blamed.
The inconvenient truth is that the level of protection offered by Google, Apple or Facebook is hard to match. Public servants, the military, and influential journalists use publicly available services such as social media, mobile messaging, and email. If their accounts are compromised, it could be a great price for a hostile power. This is not speculation, as evidenced by attempted attacks on Facebook and the email accounts of Polish officials. Faced with a cyber attack, it is no coincidence that the Ukrainian Embassy in London migrated to Gmail accounts.
So what if major social media platforms or messaging services were legally forced to “interoperate” with competing services, including potentially Russian rivals such as Yandex and VKontakte? Under the new European DMA, the platforms would be obliged to provide them with data on Ukrainian users’ clicks, views and query rankings.
It will be trivial for Russian agents to establish more or less real “rival” services, even using EU-based servers or even EU-registered companies. They will be able to prompt users to “consent to interoperability”. Attackers will be able to rely on a large arsenal of well-established methods ranging from dark schemes to phishing. Once they receive their consent, they will have access to both the information already in the account and the ability to use that account to attack others or spread misinformation.
If interoperability can be done in complete safety, it requires means of excluding unreliable players. In other words, security is expensive. Therefore, DMA faces a trade-off between reducing the cost of market access for all and preserving user security. None of the publicly available DMA amendments strike the right balance.
Another risky idea in DMA is limiting the combination of personal data from different services. Effective cybersecurity requires combining information from many sources. For example, third-party security services may be required to detect security issues in incoming emails. While just looking at an email can provide clues, attackers can generate bait emails that will go undetected.
Like DMA, DSA deals with security after the fact. Large platforms will be needed to allow researchers to access their data. Even assuming that no bad actor will be granted such access, it is unrealistic to expect academic researchers or others to maintain the same level of data security as applied internally by the largest online platforms. line. The platform’s transparency may be “nice to have,” but it’s unclear whether the benefits of this solution will outweigh the risks.
“Digital sovereignty” may seem like a proposition to enhance security. If EU data is kept within the EU and not stored with non-EU services, this might appear to strengthen EU resilience. But the Internet builds resilience through decentralization: a network that continues to function even if part of it succumbs to an attack.
By forcing data localization, this key security feature is overridden. Data localization is like putting all your (data) eggs in one basket. While it may be reassuring for French users to know that they are protected against US intelligence services accessing their data, a global attack on French networks could compromise all of their data.
Taken to its logical extreme, data localization means that virtually no digital services can be delivered to the EU from the US and other rights-respecting democracies. This includes state-of-the-art cybersecurity services of which the United States is a major provider. Denying access to these services is irresponsible.
America’s biggest tech companies have so far demonstrated greater security resilience than even some critical infrastructure providers (witness the Colonial Pipeline attack). Due to their size and market penetration, they are convenient partners for national security authorities. If EU policies target ‘greatness’, then we need to have an open conversation about the costs of security. A competitive but fragmented market is not necessarily more resilient.
We should reconsider whether EU policies aimed at promoting the competitiveness of European businesses are proportionate given what we now know about the level of risk to our security. The new assessment must recognize the significant security benefits of sharing technology and information with our democratic allies. Besides pure economic protectionism, this exchange is now threatened by impending European technology regulations. Russia’s invasion of Ukraine shows that we cannot be indifferent to these risks.
Dr Mikołaj Barczentewicz, Fellow at Stanford Law School, Research Associate at Oxford University, Senior Fellow at the International Center for Law and Economics, Research Director of the Surrey Law and Technology Hub.