Ukraine Invasion Brings Hypothetical Security Issues with Tech Bills Close to Reality
By Patrick Hedger
Vladimir Putin thought he was taking advantage of a world too divided to do anything about his heinous vision to rebuild the evil empire that was the Soviet Union. So far, it seems like he grossly miscalculated. Much of the world has banded together to respond to the utterly egregious invasion of Ukraine by Russia. The response has not been limited to governments, however. In crises of this scale, as the Covid-19 pandemic proved as well, an all-hands-on-deck effort is required with government, civil society, corporations, and average citizens all playing a part. This robust, largely voluntary response to calamity is what makes the Western world, particularly American society, so formidable and resilient. It’s something to which we should continue to aspire.
Yet, at the economic frontier of our society that is the tech sector, policy winds are blowing in a direction that will hamstring the ability for American companies to do their critical part in the face of future crises. This problem is no longer theoretical or abstract, and Russia’s war on Ukraine, and indeed the idea of Western, liberal, democratic, market-oriented society itself, proves it. There are multiple bills working their way through both Congress and state legislatures that will strengthen our adversaries’ ability to launch cyberattacks, push propaganda and disinformation, and even gain an upper hand on the battlefield as well.
In the years leading up to the offensive by Russia’s conventional forces, Ukraine sustained repeated cyberattacks, targeting its military, government services, banking sector, power grid, etc. We’ve also already seen relatively concerning attacks materialize against the German energy grid, Toyota production in Japan, and major freight services provider Expeditors, all coinciding with the launch of the invasion. With a weak economy, bogged-down conventional forces, and an unthinkable, last-resort nuclear option, we should expect a greater emphasis on cyber warfare by Russia as a means to gain leverage. China may find itself in a similar situation if it moves against Taiwan someday. The ability to wreak havoc on an enemy and its allies without deploying any forces is of potentially incalculable value. If the Russia/Ukraine example is insufficient, just look at the damage done by the Stuxnet attack on the nuclear capabilities of Iran.
In response to the obvious cyber threat, the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a “Shields Up” advisory to American companies and citizens alike. The advisory contained several recommendations for organizations to reduce risks of intrusions into systems and for consumers to “think before you click.” Yet, in Congress, and many state legislatures, bills are advancing that would create unnecessary cybersecurity risks for Americans’ personal devices.
At the federal level is the American Innovation and Choice Online Act (AICOA) as well as the Open App Markets Act (OAMA). These bills are explicitly designed to force devices produced by Apple and Google, iOS and Android devices respectively, to allow greater access to software out on the open web. Both bills would blow up Apple’s “walled garden” approach to security, where only developers meeting stringent security requirements can list on Apple’s App Store and thus load software onto iOS devices. The bills force interoperability and “side loading,” allowing third party apps and independent app stores to bypass Apple’s security systems and load software, including malware, onto iOS devices.
In contrast to Apple, Google’s Android devices do allow side loading, with the tradeoff being greater access to available software for reduced device security assurances. As a result, Android devices are infected with malware at a rate anywhere from 15 to 47 times that of iOS devices. This tradeoff works for some who prefer a more open device. Yet, the AICOA presents an existential risk to Android users as well, as its language intended to deter anticompetitive conduct is so broad that practices designed to increase consumer device security employed by Google and other firms could be assumed anticompetitive, with the burden of proof shifted onto companies to prove their practices are beneficial to consumers. Effectively, companies would be guilty until proven innocent. Coupled with crippling fines, the legislation creates a strong disincentive towards implementing anything beyond minimum security features.
So while one part of the government, CISA, is saying “shields up,” another is busy outlawing some of the most effective shields. Bills emulating both the AICOA and OAMA are cropping up in state legislatures around the country as well.
The ability for companies to police their networks and software ecosystems has national security benefits beyond cybersecurity that Congress and state legislatures are failing to consider as well. In response to Russia’s attack on Ukraine, tech companies that both produce devices and provide online services, from Apple and Microsoft to Meta and Twitter, took swift action to combat Russian propaganda. As NPR reported, “Google has booted Russian state media from its Google News service. Facebook, Instagram and Twitter are making posts from Kremlin-affiliated news outlets harder to find. TikTok, YouTube and Facebook are blocking two of the biggest outlets, RT (formerly known as Russia Today) and Sputnik News, across Europe. Apple, Google and Microsoft have pulled their apps from their app stores.” Under many tech-focused bills being considered at both the state and federal level, these efforts by American companies to yank Putin’s soapbox out from underneath him would be illegal, strongly discouraged, or dramatically less effective. As discussed above, the AICOA and OAMA’s insistence on open access software ecosystems and vague standards for anticompetitive conduct would likely have prevented Apple, Google, and Microsoft from taking action against Russian propaganda apps. At the very least, there would be nothing these companies could do to bar these apps from being side loaded, reducing the ability for American firms to exert leverage directly on Putin’s regime.
Legislation undermining the often maligned and rarely understood law known as Section 230 would have similarly deterred or outright prevented action against the proliferation of Russian lies online. Section 230 is the law that empowers online platforms to moderate content, consistent with their First Amendment rights of speech and association, without immediately assuming liability for any and all other content posted to their sites. Proposals to modify Section 230 vary in scope. Some proposals would force companies to carry all content that is lawful under the First Amendment. Others would scrap the law altogether. Either way, online service providers would find themselves unable to do anything to curb the spread of the Kremlin’s crap, as foreign propaganda is protected speech and moderating it out would open up catastrophic liability risks without Section 230 in place.
The national security risks presented by ill-considered tech legislation are not limited to the homeland. Secure, encrypted communications are critical to the ability for Ukrainians to mount an effective resistance against Russia and report information securely to journalists, friends, and family outside of the country. Yet, Congress is steaming forward on the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act. Countless groups across the political spectrum have raised serious concerns about this legislation, as well intended as it may be. The bill effectively bans companies from offering end-to-end encrypted communication services by creating a significant legal liability for doing so. We know encrypted communication is critical to those on the ground in hostile areas. This is why Meta announced it is offering expanded encrypted communication services in Ukraine and Russia in response to the invasion. Is this voluntary action to bolster American interests abroad by Silicon Valley firms really something Congress wants to penalize?
Until just days ago, it was easy for many supporters of the kinds of legislation above to write off the associated national security concerns as problems to address another day. The horrifying reality of an all-out Russian invasion of a sovereign European nation pierces right through that ambivalence. The immense challenges of international security of the 21st Century are here. American technology companies are invaluable assets for protecting American interests and values, near and abroad, as hypothetical horrors, such as a Chinese attack on Taiwan, become reality. Elected officials cannot continue their indifference towards the security tradeoffs of haphazard regulation of the tech sector if we are to face these challenges with the full strength of our society.
Published on March 7, 2022