Real Antitrust Cybersecurity Concerns Remain
Election season is over and Congress is returning to the nation’s capital for the last few weeks of the 117th Congress before new members are sworn in in January. This brief period – more commonly known as the “lame duck” session – is typically only used to square away any uncompleted work, such as ensuring government funding through the end of the year.
However, as with most lame duck sessions, opportunists are prone to come out of the woodwork, trying to get their desired agenda rammed through at the last minute. This Congress is no exception. This time, two antitrust bills targeting American tech companies are among the top priorities for those who desire an active lame duck. The two bills – the American Innovation and Choice Online (AICO) Act and the Open App Markets Act (OAMA) – have been hotly debated for the better part of the last year. Unfortunately, most of that debate has occurred outside of official congressional hearings.
Neither of these bills has received a single legislative hearing, nor have the bill sponsors invited any expert witnesses to testify on the potential impacts of the legislation. They have had months to do so, but have seemingly opted to wait until the lame duck session to pressure reluctant senators into a do-or-die choice on the legislation.
It is apparent why this has been the strategy – especially in the case of OAMA. National security experts ranging from Trump National Security Advisor Robert O’Brien to Obama’s Secretary of Defense Leon Panetta have raised red flags about the cybersecurity implications of this bill.
In an open letter to GOP congressional leadership, a slate of former top Republican national security officials warned, “Unfortunately, certain legislation some of your colleagues have proposed to address Americans’ concerns about big tech – specifically, bills like the Open App Markets Act and the American Innovation and Choice Online Act (AICOA), including the revised version that Senator Klobuchar has just released – if enacted, will place U.S. companies at a structural disadvantage vis-à-vis China, leaving our tech industry weakened and vulnerable.”
Former top Democratic officials from the intelligence community and homeland security raised similar concerns in a letter of their own, saying, “In the face of these growing threats, U.S. policymakers must not inadvertently hamper the ability of U.S. technology platforms to counter increasing disinformation and cybersecurity risks, particularly as the West continues to rely on the scale and reach of these firms.”
Efforts by proponents of these two pieces of legislation do not exactly inspire confidence. In a letter that has become a rallying cry of sorts for AICO and OAMA supporters, Bruce Schneier – a professor of cybersecurity policy at Harvard – had this to say, “Yes, there is malware. Yes, there are attacks. But there is security and safety as well. Hundreds of companies innovate in this space, developing new security and privacy technologies that we are free to install if we choose.” Schneier also added, “App store monopolies cannot protect users from every risk.”
It is both telling and concerning that the best argument to quell concerns about the security implications of these two high-profile bills essentially boils down to this: “Stuff is going to happen and if it does, you can always buy antivirus software.” This is a very plain admission that these bills will cause a number of cybersecurity problems down the line – if not immediately.
It is also important for lawmakers to understand that cybersecurity is not a black-and-white issue. Security exists on a spectrum. While current protections may not be perfect, even the smallest of new vulnerabilities become massive liabilities once they are exploited. It does not matter whether it comes from a state actor or a hacker in his or her basement. The best minds, with nefarious intent, will find the holes if lawmakers leave them open.
If that were not enough, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has explicitly recommended against practices that AICO and OAMA are designed to increase. For example, AICO and OAMA would greatly expand the practice of “side loading” apps onto mobile devices, referring to downloading software from the open web rather than official app stores. Yet, per an official CISA security tip: “Avoid potentially harmful apps (PHAs). Reduce the risk of downloading PHAs by limiting your download sources to official app stores, such as your device’s manufacturer or operating system app store.”
With Congress rushing to tackle several must-pass pieces of legislation to keep the government open and transition power to the new Congress, it is practically impossible to adequately review and address the legitimate cybersecurity questions with either AICO or OAMA, let alone both.
Published on November 16, 2022