As of May 2023, the European Union is set to implement the provisions of the Digital Markets Act (DMA), a set of requirements that lays out specific rules for any technology company under its oversight and is aimed mainly at large technology companies (e.g., Apple, Google).
Under these provisions, organizations must comply with rules intended to ensure full interoperability and, essentially, freedom of choice for consumers who use the services and devices marketed by these tech giants. As an example, people who use an Apple iPhone will, under the new requirements, be able to install applications from any app store they choose, not just the one owned and operated by Apple. You can read more about the DMA here.
OK, on its face, this looks like a win for consumers of technology. It certainly seems like an excellent opportunity for developers to build for all popular platforms and for consumers to have the freedom to use whatever they like. However, what seems to be lacking is any actual auditable security requirement, and that looks like it could end up being a nightmare.
Let me start by saying that all technology companies can do better regarding cybersecurity, but some companies seem to do a better job than others. The ones doing better are primarily companies that have been forced to address cybersecurity issues pointed out and exploited by enterprising hackers worldwide.
Apple has dealt with cybersecurity professionals like Dr. Charlie Miller and others who have taken it upon themselves to prove that Apple was not doing as good a job as it could be securing its applications and devices. As a result, Apple has spent much time and effort improving security.
Moreover, because Apple so tightly controls its app store and devices, it is much easier for the company to manage and address security issues as they arise. It's simply easier to keep malware and bad actors out of a system that is carefully monitored and managed. To use a biological analogy, it is easier to keep sick people from infecting the population if you tightly control who gets in and who stays out.
Implementing these requirements without specific security audit requirements in place is sure to cause significant security issues. We track many malware-infected mobile devices in the Arctic’s early warning service. If and when less controlled platforms make it easier for people to install mobile apps that are vehicles for malware, these numbers are likely to increase. The question is how to deal with the consequences that are likely to follow.
This presents a unique opportunity to create better security requirements and cybersecurity interoperability, which would serve as an essential first step toward the globally managed cybersecurity center for digital disease control that I have been talking about for the last year or more. If the European Union does not act on this opportunity immediately, there is a genuine possibility that this could lead to cybersecurity failures.
This is an ongoing issue between the world of technology and regulators. Despite years of discussion, security is still not being built into these regulations. It's time to do better while we still can.