A Partner at NP Agency, Michael Morris, Esq. was the Assistant National Cyber Director for Public Affairs at the White House from 2022-2024.

Amid a lot of other news and noise, many Americans may not be tracking the developments in worldwide technology policy. Nor may we be cognizant of the truly unrelenting cybersecurity campaigns against our critical infrastructure and small businesses unless they affect our lives directly. However, I urge business leaders to take stock of the changing tech and cyber landscape at home and abroad, particularly as a new Washington D.C. takes shape.

The digital ecosystem that underpins our lives and businesses, allows us to collaborate and gives power to our ideas is only as strong as its weakest link. Changes to policies governing the tools we use to build, or the very tools we’re building, can have far-reaching and lasting implications.

The U.S. Cybersecurity Strategy

While I was working in the Office of the National Cyber Director in the White House in March of 2023, former President Biden released his National Cybersecurity Strategy. The document set forth a plan to build a more secure and resilient digital ecosystem over the next decade. The strategy, furthering similar ones before it, highlighted two major shifts in our approach to cybersecurity: First, it called for transferring the responsibility of defending cyberspace from individuals and small businesses to those better equipped for the task, including large tech companies, as well as the federal and international governments. Second, it emphasized the need to realign incentives to encourage greater investment in security.

Foundational to this vision was the understanding that earnest and relentless collaboration—among the public and private sectors, academia, civil society and international partners—is required to defend cyberspace. This was not simply a platitude either; we conducted meetings, discussions and reviews with stakeholders during its development and continued to do so throughout its implementation.

Some two years on, the work done has been prodigious, yet it’s contrasted with the reality of just how difficult it is to thwart our adversaries online. Further, the consistency and persistence with which our adversaries work continue to yield results for them, which interfere to varying degrees in our work and lives. At the same time, governments across the globe are changing their approach to technology policy and, in doing so, are impacting innovative cybersecurity protections and investments in security by design.

Changing International Regulations And Their Impact

For its part, the European Commission continues its implementation of the Digital Markets Act (DMA). The DMA’s goal is to make the technology marketplace more competitive, but some argue that its mandates primarily target American companies. The DMA includes interoperability and data usage requirements, as well as mandates that companies determined to be “gatekeepers” cannot rank their own products or services favorably compared to similar services offered on their platforms. It further requires gatekeepers to open their systems to third-party app stores and software, though the DMA also said gatekeepers can carry out “strictly necessary and proportionate” security measures.

More recently, the British government ordered Apple to build a backdoor to its encrypted global cloud platform. This platform holds messages, photos, individual files, personal and business records and backups for users worldwide. Rejecting the requirement, Apple turned off its most advanced encrypted security feature for users in the U.K., which weakened the cybersecurity of its users and many more unsuspecting people whose data may reside with others in that cloud environment.

End-to-end encryption, a cornerstone of modern digital security, is designed to ensure that only the sender and intended recipient can access the content of a communication. Introducing a backdoor fundamentally undermines this principle and creates a giant bull’s-eye for our adversaries.

Furthermore, I believe a mandate on a global technology company risks creating a chilling effect on security by design in the innovation community. Companies may no longer develop and deploy strong encryption technologies if they fear being compelled to weaken them by governments seeking access to user data.

What This Means For Business Leaders

The EU’s goal of a more competitive marketplace and the U.K.’s goal of strengthening law enforcement tools are important ends, no doubt. However, any divergence from enhanced security and privacy can have enduring consequences on trust between and among governments, technology providers and citizen-consumers. I believe a balanced and nuanced approach is needed for cybersecurity-related decision making—one that prioritizes both security and privacy for the long term.

For our part, the business community and its leaders should follow these discussions and use the levers available to you to ensure your business, its innovations and your customers remain protected. Advocate directly with elected officials and regulators alike, raise these issues in your business associations and Chambers of Commerce, and participate in the public debate about security and innovation as it relates to your area of expertise.

Further, continue to have a place at the table for your internal and external security teams, engineering and development teams and other technical operations. They will likely intuitively understand how changes in regulation will affect your goods and services.

It is imperative that as business leaders, we understand how these changes to global policy affect us at home. Cyberspace knows no borders, and those setting the rules of the road in their own jurisdictions can impact our use of the very tools we use to connect to one another, build our organizations and enrich our lives.

Forbes Business Council is the foremost growth and networking organization for business owners and leaders.
