Well intentioned lawmakers risk weakening existing digital security protections
You can’t read the news without seeing another story about a ransomware attack and its consequences, like lines of bumper-to-bumper cars waiting for gas after the Colonial Pipeline attack. Just weeks ago, JBS, one of the world’s largest meat processors temporarily closed its American plants and paid hackers $11 million, an excruciating decision the company felt was necessary to preserve the data integrity of its operations and its customers. You likely read these stories on your phone, a personal computing device that is another highly attractive target for attackers.
As bad actors increasingly seek to compromise our privacy and security through cracks in the internet, what power do we have to stop them?
In May, the Center for Cybersecurity Policy and Law, a nonprofit dedicated to developing sound cybersecurity and related technology public policy, addressed this question in a discussion paper titled, “Mobile Future: Pathways to Continued Improvement in Mobile Security and Privacy.” As a former colleague once said, ‘cybersecurity is a team sport,’ and this paper is a true reflection of that objective.
The Center convened top experts from industry, research and academic institutions, civil society, and current and former government officials to discuss mobile security and the policies that would best protect the privacy of mobile apps, the app stores that support them and, of course, the end users who have seamlessly integrated these apps on their devices and their daily lives.
While cybersecurity experts struggle to keep pace with ever-evolving threats such as nation states exploiting vulnerabilities to threaten critical infrastructure, mobile security has improved. Take for example the iPhone. The App Store has spurred a vast app-based economy of more than 2 million software applications, available for instant download directly onto users’ smartphones. All iPhones are built with automatic end-to-end encryption to defend against hacking, and the App Store conducts extensive machine and human review to filter out misleading software. Consumer-focused decisions that protect them against risk are part of the reason why smartphones like the iPhone are now in the hands of almost 70 percent of the global population, according to data from 2019.
Building mobile platforms and apps with security and privacy in mind is the best way to reduce risk to users from the outset. Consumers are loyal to the brands they trust, and where technology is involved, to the devices they trust. The most successful app stores are dedicated to building secure ecosystems for mobile devices, contributing to their exponential global adoption. For example, advances in automated scanning tools have significantly reduced the number of malicious apps on major app stores. Having one central distribution point for software also filters out nefarious or manipulative apps.
As technology has advanced, security threats and corresponding attacks have also become more sophisticated. Many in the mobile industry already understand that most users cannot defend themselves effectively. Speaking at a conference in June, Apple’s Chief Privacy Officer Jane Horvath said the company’s focus is on making privacy something that consumers do not have to worry about. “We’ve made it so it’s part of the consumer experience,” she said, using the automatic encryption of iPhones as an example. Users simply set a passcode; the rest is done for them.
The risks to connected devices are as complex as the technology itself. It is therefore unrealistic to expect millions of users to fully understand the layers of security involved in their own protection, despite their importance.
Unfortunately, in their hurry to produce results and protect constituents, well-intentioned lawmakers risk unraveling the progress that industry experts have made in the privacy space.
Policies aimed at competition are venturing into dangerous territory by mandating open operating systems, where users can download third-party software that has not been reviewed, a process known as sideloading. This practice selectively ignores clear evidence that the majority of malware on mobile devices stems from third-party sources that do not perform security checks of applications.
Simply put: Any discussion of sideloading or app store competition must account for the potential risks to users’ privacy and security.
It is more important than ever that the public and private sector unite to reinforce security barriers to prevent cybersecurity threats. Policymakers should avoid inadvertently weakening existing protections. The security tools on the mobile devices and applications we have come to depend on can serve as a reliable roadmap, helping to make the internet a safer resource for our mobile future.
Megan Stifel is global policy officer at the Global Cyber Alliance. For over two decades she has worked at the intersection of technology and national security, having previously served at the White House as cybersecurity adviser to the National Security Council and at the U.S. Department of Justice as director for cyber policy in the national security division and as counsel in the criminal division’s computer crime and intellectual property section.