Fred Roeder, a German health economist and the managing director of the Consumer Choice Center, proposes Estonia to lead the European Union to a coherent cyber security strategy in order to protect consumers and businesses not only from cyberattacks from Russia but also from potentially much larger attacks and espionage from China.
Within the past twelve years, Estonia has emerged as a leading nation in the field of cyber defence and security. The cyberattacks of 2007 made Tallinn much earlier aware of the massive threat of online attacks compared with its larger NATO allies.
Especially under EU commissioner, Andrus Ansip (nominated by Estonia, Ansip was the European Commissioner for Digital Economy and Society from 2014 until July 2019 – editor), Estonia has been a driving force behind the European Commission’s new cyber security agenda. Estonia now needs to lead the European Union to a coherent cyber security strategy in order to protect consumers and businesses not only from cyberattacks from Russia but also from potentially much larger attacks and espionage from China.
The adoption of Internet of Things solutions and the highly anticipated rollout of very fast 5G networks will make consumers’ privacy even more vulnerable. The recent events in Hong Kong and the Chinese Communist Party’s reluctance to keep its commitments towards the rule of law are reasons why we must heed caution.
Some governments and manufacturers tend to be mostly concerned about competitiveness through low prices, which is important for consumers. However, we also care about privacy and data security. Therefore, a smart policy response is needed that would incentivise market players to give enough weight to consumer data security in Europe, all the while achieving that goal without undue market distortions and limiting of consumer choice.
In more than just one instance, the Chinese leadership has put legal or extra-legal pressure on private firms to include so-called backdoors in their software or devices, which may be exploited either by government agents alone or with a manufacturer’s help. As a response to threats like this, countries like Australia and the US went so far as to ban the Chinese network equipment manufacturer, Huawei, from its 5G networks.
Pressure on non-European suppliers to adopt the security-by-design approach
While some governments see bans as the best way to protect national security and consumer privacy, we know there is no single silver bullet solution for safeguarding privacy and data security. A mix of solutions is needed, and this mix will likely change over time.
Healthy competition between legal jurisdictions and between private enterprises is the best mechanism for the discovery of the right tools. But those working on cybersecurity solutions should also consider consumer interests. Keeping new regulation technology-neutral, and thus not deciding by law which technological solution is best, allows an agile framework for consumer privacy.
The EU’s current legal rules, like the General Data Protection Regulation, for example, do not provide sufficient clarity regarding liability of network operators for privacy violations made possible by hardware vulnerabilities. Thus, a clear standard of supply chain security must be defined.
Emphasising liability rules for using or reselling software or devices with vulnerabilities would give those rules more teeth and thus incentivise telecommunications operators and others to think about their customers’ privacy during their procurement decisions. This should, in turn, put pressure on non-European suppliers to adopt the security-by-design approach and to take pains to show that they have done so.
Smart regulation needed to prevent autocratic governments from spying on us
In solving the problem of unclear and ineffective legal rules on data security, we must take into account that technical standards should be as technology neutral as possible. Manufacturers from countries that are under scrutiny – such as China – might want to provide purely open-source technology in order to rebuild trust in their products.
Instead, the rules should be focused on outcomes and be as general as possible while still providing sufficient guidance. These standards should be possible to identify and adopt not just by the biggest market players who can easily devote significant resources to regulatory compliance. A certification scheme must be thorough in order to minimise the risk of any backdoors or other critical vulnerabilities.
The debate around 5G reminds us how vulnerable consumers are in a technologically and politically complex world and that cyber threats originate usually in autocratic countries.
Therefore, smart regulation is needed in order to protect consumers from data breaches and to prevent autocratic governments from spying on us. By continuing the legacy of commissioner Ansip’s leadership and strengthening the liability of network operators for technological vulnerabilities, both consumer choice and privacy can be ensured. Blunt instruments like total bans based on country of origin or regulators picking the technological champions should be seen as measures of the last resort.
The opinions in this article are those of the author. Cover: A Huawei phone (the image is illustrative, courtesy of Kārlis Dambrāns/Wikipedia).