New U.S. Tech Laws Play Russian Roulette With Cybersecurity | Opinion

Fifteen years ago, the Estonian government that I Ied decided to move a statue.

Unveiled by the Soviet regime in 1947, the Bronze Soldier was originally called "Monument to the Liberators of Tallinn." But for Estonians, Red Army soldiers were not liberators. They were occupiers. And the Bronze Solider in the center of our capital city was a symbol of Soviet oppression.

So in 2007, I approved the removal of the Bronze Soldier from the center of Tallinn to a cemetery on the outskirts of the city.

The decision sparked outrage in Russia. It led to the first known state-level cyberattack, a modern form of hybrid warfare. Online services of Estonian banks, media groups and government agencies were taken down by massive waves of spam that overwhelmed our servers. Cash machines and online banking services were put out of action, government employees were unable to communicate with each other, and newspapers and broadcasters could not deliver the news.

The fallout was seismic.

Fast-forward to the present day, we see the West embroiled in what is effectively a proxy war in Ukraine. As a result, European and American digital infrastructure has never been under greater threat from Russia.

It is troubling to see both the European Union and the United States passing digital legislation that is likely to increase the vulnerability of Western democracies at the precise moment Moscow is using non-military, coercive measures online, far away from the traditional battlefield.

I am sure that the legislation in question, the recently agreed Digital Markets Act (DMA) in Brussels and the imminent American Innovation and Choice Online Act (AICOA), did not intend to damage our cybersecurity. However, the laws will allow the downloading of apps on all our smartphones without any security vetting, increasing the risk of cyberattacks on individuals, communities, businesses and governments.

The increased risk of cyberattacks that will be encouraged by the legislation is widely known. It has been flagged repeatedly by senior security officials—including by the European Union (EU) itself. ENISA, the EU's own cybersecurity agency, detected 230,000 new malware infections per day in 2019. In early 2020, it warned that "users should not sideload applications if they do not originate from a legitimate and authentic source."

A recent open letter signed by numerous U.S. defense, intelligence and security officials stated that, in light of the rise of authoritarianism and the exponential increase in cybersecurity threats, "it is imperative that the United States avoid the pitfalls of its key allies and partners," adding that the EU's DMA was "passed without any consideration of national security repercussions."

The DMA and the AICOA, introduced by Senator Amy Klobuchar (D-Minn.) and Representative David Cicilline (D-R.I.), both aspire to give users greater freedom of choice, including the ability to download apps from almost any third-party platform. However, this opens the door to unwitting providers with poor security, and also enables malign actors who could exploit users' private data or even intentionally mislead people into downloading malware.

This type of freedom will encourage millions of us to play Russian roulette with our cybersecurity.

If left unchecked, these laws will give cyberattackers more opportunities to prey on individuals who, through no fault of their own, lack the technical knowledge to evaluate risks presented by downloading apps. They will be powerless to protect themselves and their devices. The dangers are numerous. A meaningful evaluation requires the matching of an app's self-professed description against its functionality and code—clearly something almost no one knows how to do.

Soon the real technical experts, including technology companies that have heavily invested in the security of their systems, will be unable to exclude apps that trick consumers or contain malware. Unfortunately, once these apps are allowed on one smartphone, they can spread to others through that phone's contacts list. This will harm individual consumers, but also affect corporate networks through their employees' mobile phones.

Regulation of digital competition and consumer choice is important. But this effort also needs to reflect the concerns of security experts and be more aligned with current crises, such as the war in Ukraine and in cyberspace. In Europe, enforcement of the DMA should include cybersecurity experts from agencies such as ENISA and Europol who can provide technical assistance. The alternative is that these new laws transform the existing diverse and resilient security ecosystem of the West into a "one-size fits all," lowest common denominator model. Attacking that kind of system is far easier for our enemies than having to navigate the different styles and approaches to security that the market currently provides.

Policymaking rarely benefits from being conducted in silos, without serious effort to avoid unintended consequences. Cyberattacks from unimpeded sideloading of apps on smartphones, and from uncontrolled interoperability between messaging services, should not be the legacy that lawmakers behind the DMA and the AICOA leave for themselves—or the rest of us. Rather, lawmakers should ensure implementation of these new laws deliver real freedom of choice for technology under conditions that benefit Western democracies more than those wishing to harm us and our way of life.

Toomas Hendrik Ilves is the former president of Estonia.

The views expressed in this article are the writer's own.