Antitrust Bills Empower America’s Adversaries Online
The Biden administration has issued several warnings to the American private sector about the potential of cyberattacks emanating from Russia, tied to the war in Ukraine. With a weakened economy, bogged-down conventional forces, and an unthinkable, last-resort nuclear option, this is a logical next step by Russia as a means to gain leverage. We have already seen it play out against Ukrainian infrastructure, as well as in a number of countries across the globe. The ability to wreak havoc on an enemy and its allies without deploying any forces is of potentially incalculable value. For example, less than a year ago, a cyberattack shut down the Colonial Pipeline, one of the most vital pipelines in the United States. As a result, fuel prices spiked and shortages occurred as panic and uncertainty spread.
Sadly, there are multiple bills working their way through both Congress and state legislatures that will strengthen our adversaries’ ability to launch cyber attacks against American interests.
The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a “Shields Up” advisory to American companies and citizens alike. The advisory contained several recommendations for organizations to reduce risks of intrusions into systems and for consumers to “think before you click.” So while one part of the government, CISA, is saying “shields up,” legislators across the country are busy outlawing some of the most effective shields.
At the federal level, the American Innovation and Choice Online Act (AICOA) as well as the Open App Markets Act (OAMA) present unique threats. These bills are explicitly designed to force devices produced by Apple and Google, iOS and Android devices respectively, to allow greater access to software out on the open web. Both bills would blow up Apple’s “walled garden” approach to security, where only developers meeting stringent security requirements can list on Apple’s App Store and thus load software onto iOS devices. AICOA and OAMA force interoperability and “side loading,” allowing third party apps and independent app stores to bypass Apple’s security systems and load software, including malware, onto iOS devices. Bills emulating both the AICOA and OAMA are cropping up in state legislatures around the country as well.
In contrast to Apple, Google’s Android devices do allow side loading, with the tradeoff being greater access to available software for reduced device security assurances. As a result, Android devices are infected with malware at a rate that is anywhere from 15 to 47 times more than iOS devices. This tradeoff works for some who prefer a more open device, however, under AICOA and OAMA, users who prefer more secure devices would no longer have that option.
The bitter irony here is that both bills are being touted as enhancing consumer choice. The reality is that choice at the hardware level, where Americans make their most significant investment in the tech space, would be inherently limited.
Yet, the AICOA presents an existential risk to Android users as well. Its language intended to deter anticompetitive conduct is so broad that practices designed to increase consumer device security employed by Google and other firms could be assumed anticompetitive. The burden of proof would be shifted on to companies like Google to prove that their policies are not anticompetitive. Effectively, companies would be guilty until proven innocent. Coupled with crippling fines, the legislation creates a strong disincentive towards implementing anything beyond minimal security features.
The ability for companies to police their networks and software ecosystems has national security benefits beyond cybersecurity that Congress and state legislatures are failing to consider as well.
In response to Russia’s attack on Ukraine, many tech companies worked to limit the dissemination of Russian state-sponsored media on its devices. As NPR reported, “Google has booted Russian state media from its Google News service. Facebook, Instagram and Twitter are making posts from Kremlin-affiliated news outlets harder to find. TikTok, YouTube and Facebook are blocking two of the biggest outlets, RT (formerly known as Russia Today) and Sputnik News, across Europe. Apple, Google and Microsoft have pulled their apps from their app stores.”
However, if the bills being considered now were to pass, this effort from tech companies to yank Putin’s global soapbox out from underneath him would range from ineffective to illegal. Mandated side loading would allow apps created by hostile states to bypass the controls of app stores, even if they were banned by app store operators. Actions taken by tech companies to control the spread of misinformation and foreign propaganda could also open companies up to significant liability. The AICOA creates a strong disincentive against this kind of active content management, despite the fact it is unlikely that government officials would bring a case on behalf of Russia or another hostile nation under the law. The OAMA, however, would certainly create legal headaches for covered companies, as the bill contains a private right of action. This means puppet entities of Moscow, Beijing, and other hostile nations could immediately sue American tech companies in federal court for delisting their apps.
Proponents of the AICOA, OAMA, and other legislation of the same nature at the state and federal level explicitly state that these bills are about curbing the power of American tech companies. What the Russian invasion of Ukraine has brought into focus is that some of the power stripped away from American firms will undoubtedly wind up in the hands of bad actors, including foreign governments, seeking to wreak havoc online.
Published on March 22, 2022
Original Publication