Policymakers Should Take Cybersecurity Advice From Our Top Cybersecurity Official

Recently, Jen Easterly, head of the Cybersecurity and Infrastructure Security Agency (CISA), spoke at an event at Carnegie Mellon University where she emphasized the “need for a system of security products that take the responsibility off of consumers.” Easterly named several companies to compare how they approach accountability and transparency for security practices differently. Specifically, she pointed to Apple’s decision to make multi-factor authentication (MFA) a default setting for iCloud, which has resulted in about 95 percent of users adopting MFA. In contrast, Twitter, which recently removed the capability for text messaging MFA for users who don’t pay for Twitter Blue, only has a 3 percent adoption rate. Notably, these comments happened on the same day the European Commission held its second workshop on the implementation of the Digital Markets Act (DMA), this time focusing on security and interoperability obligations of companies designated as gatekeepers.

The App Association has written various times about the consequences that laws like the DMA and proposals like the 117^th Congress’ Open App Markets Act (OAMA) and the American Innovation and Choice Online Act (AICOA) may have on privacy and security for both consumers and businesses. Antitrust regulation and investigations into competition in the mobile app ecosystem (e.g., antitrust bills in Congress, the National Telecommunications and Information Administration’s [NTIA] recent report on mobile app ecosystems, the DMA in the European Union and similar efforts underway in the United Kingdom) have taken the front seat in recent tech policy discussions. Unfortunately, some lawmakers continue to ignore the connection between the antitrust rules they are proposing and the impact these rules would have on the protection of consumer data and cybersecurity.

The DMA, for example, requires gatekeepers to offer free and effective interoperability with hardware and software features. Depending on the DMA’s practical implementation, interoperability requirements could potentially prevent added friction like MFA, which, as Easterly put it, allows a company to “take ownership for the security outcomes of their users.” Without sufficient safeguards, this provision could allow malicious actors to access sensitive device features, risking end users’ security and privacy. Similar to the DMA’s obligation for gatekeepers to enable sideloading, bills like OAMA and AICOA would upend software distribution platforms’ established app vetting processes. The bills would force the platforms to host apps that break privacy and other security rules, engage in unfair or deceptive practices, or otherwise harm consumers. Director Easterly’s comments highlight that tech legislation should incent and encourage businesses to take measures that protect consumers, rather than punish them for doing so. Proposals like AICOA and OAMA would weaken cybersecurity and consumer privacy, putting a disproportionate burden on consumers to protect themselves and introducing new, unjustified risks of decreasing trust in the tech ecosystem.

In a Foreign Affairs article from February 1, Easterly raises this point as well, stating that consumers now simply accept that the cybersecurity burden falls on them. She further made the point that regulatory frameworks must encourage companies to comply and set clear expectations for safety and privacy-by-design, making them top priorities. That article, interestingly, came out the same day that NTIA released its report on competition in the mobile app ecosystem, which notably ignored cybersecurity considerations in its recommendations. NTIA did emphasize the importance of Congress passing comprehensive privacy legislation, which we could not agree with more. A federal privacy framework could address some of the issues Easterly raises, such as mandating security, privacy-by-design, and data minimization requirements.

Ultimately, when it comes to CISA’s approach, the devil is in the details. The industries federal law treats as “critical infrastructure” operate under more stringent cybersecurity requirements CISA oversees. Generally, these industries proactively participate in and develop cybersecurity norms and standards specific to those sectors, but some advocates want additional cybersecurity liability layered on top of the existing, sector-by-sector landscape. Underscoring the trickiness of this issue, the White House itself is divided on whether or not Congress should impose new cybersecurity requirements across critical infrastructure sectors. However Congress and CISA proceed on this point, Director Easterly’s comments reinforce that requiring tech-driven platforms to provide open access to device and software features, as well as personal information, would undermine the Administration’s goal of encouraging these platforms to take on more accountability for the security and privacy of their ecosystems.

With DMA implementation underway in Europe and talk about federal antitrust regulation à la AICOA or OAMA returning in the 118^th Congress, the App Association appreciates the CISA director’s guidance toward better built-in security. That path should begin with federal privacy legislation and a careful case-by-case approach to antitrust enforcement rather than starting with penalties for privacy protections.