This week, we dive into the White House’s new cybersecurity strategy, which marks a fundamental shift away from a decades-long environment of self-regulation. In other news, the European Commission has halved its antitrust investigation into Apple’s marketplace practices, while China and India have announced new plans for digital development and non-personal data.
Stephanie and the Digital Watch team
// HIGHLIGHT //
USA’s new cybersecurity strategy: Big companies should take more responsibility for insecure software products and services
The White House’s new National Cybersecurity Plan, released last week, makes a major announcement: The US government will shift the burden of defending cyberspace to large tech manufacturers and software companies and away from individuals, small businesses, and local governments.
In essence, this means new laws – down the line – that will hold large companies accountable for failing to take reasonable precautions to secure their products and services. Down the line, because it’s not something that will be developed overnight. And with the presidential election in 2024, there’s only so much that can be achieved. (Let’s also wait for the strategy’s implementation plan to be published in a few months’ time).
And yet, this sets the tone for a fundamental shift away from a decades-long environment in which end users (you and me) have borne the brunt of digital technologies that were vulnerable to viruses because they were released too early, or of personal data breaches that companies failed to adequately prevent. The idea is that companies that fail to meet specific standards will be held liable for any data losses or harm caused by cybersecurity errors that could have been avoided with more rigorous security. They will also be prevented from strong-arming their way out of liability just because they hold market power.
An updated cyber-social contract. This major shift in who should bear responsibility is what Kemba Walden, acting national cyber director, described as a change in America’s cyber-social contract. In a press briefing, Walden explained: ‘Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective.’
Under this reimagined cyber-social contract, the division of tasks between governments and the private sector is quite clear. The strategy explains that ‘in a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.’
On the other hand, ‘government’s role is to protect its own systems; to ensure private entities, particularly critical infrastructure, are protecting their systems; and to carry out core governmental functions such as engaging in diplomacy, collecting intelligence, imposing economic costs, enforcing the law, and, conducting disruptive actions to counter cyber threats.’
The days of self-regulation are numbered. The strategy’s heavy stance on regulation signals a break from two decades of efforts to get companies – including those in critical sectors – to voluntarily strengthen all aspects of their cybersecurity, both internally and in their products, databases, and services.
Voluntary approaches to cybersecurity are no longer adequate, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger explained during an event in Washington.
Coalitions for combating ransomware. You may all recall the Biden-Putin summit in Geneva in June 2021, which marked the start of cyber detente (we even ran a monthly newsletter on cyber detente). At the time, the two countries agreed to cooperate to deter ransomware criminal cells (of Russian origin or operating from Russia). Technical work was progressing, until it all went downhill just over a year ago.
In lieu of such cooperation, the USA is working with its allies (such as through the Counter Ransomware Initiative) to pressure Russia and other countries to disrupt malicious behaviour. Through the new plan, the USA also hopes to strengthen these partnerships and carry out what the USA-Russia cyber detente failed to do, especially in combating ransomware.
This was one of two complaints. The second – the so-called anti-steering practice, which restricts app developers from informing iPhone and iPad users of alternative music subscription services – is still a concern for the commission’s ongoing anti-competition investigation.
During an event last week, EU competition chief Margrethe Vestager said ‘We remain concerned about Apple’s anti-steering provisions and its impact on the music streaming market. But we refocused our competition concerns on the direct consumer impact.’
EDPB welcomes improvements under EU-US Data Privacy Framework, but concerns remain
The European Data Protection Board (EDPB), the EU’s data watchdog, wants to see the USA’s commitment to limiting US security agencies’ data collection activities not only on paper but also in practice.
The EDPB’s non-binding opinion on the Draft Adequacy Decision (published by the European Commission in December) welcomes the improvements introduced by a recent executive order, which limits data collection to what is necessary and proportional. However, ‘close monitoring is needed concerning the practical application of the newly introduced principles of necessity and proportionality. Further clarity is also necessary regarding temporary bulk collection and the further retention and dissemination of the data collected in bulk,’ the watchdog said.
An adequacy decision will ultimately confirm that the data of European citizens can be transferred to the USA without additional safeguards.
Digital India Bill to introduce rules for non-personal data sharing
A public consultation on the basic guiding principles and architecture of the upcoming law will take place on 9 March. Once the consultation process is concluded, the government will release a final draft for consultation. The law will replace the decades-old Information Technology Act.
Under this new plan, China will apply digital technology more seriously to the economic sector, as well as to the agriculture, manufacturing, finance, education, medical services, transportation, and energy sectors.
On the global front, China also plans to continue participating in multilateral forums, and to cooperate on developing new international rules such as those related to cross-border data flows.
Chinese experts have said that more effort is needed to strengthen the private sector’s role in the semiconductor industry and to cultivate globally competitive high-tech enterprises.
// METAVERSE //
‘It is already time’, says EU competition chief
Speaking during a public event, EU Commissioner for Competition Margrethe Vestager hinted that European policymakers are already looking into metaverse policy.
She said: ‘digital markets have not fulfilled their promise for small businesses to achieve scale and greater reach with fewer physical barriers to get in their way. We have certainly not been too quick to act – and this can be an important lesson for us in the future. We need to anticipate and plan for change, given the obvious fact that our enforcement and legislative process will always be slower than the markets themselves. For example, it is already time for us to start asking what healthy competition should look like in the metaverse, or how something like ChatGPT may change the equation.’
// AI //
Can an AI machine be granted a patent for an invention?
This is the question which UK Supreme Court judges are deliberating after hearing arguments brought forward on appeal by American inventor Stephen Thaler.
The case involves two patent applications for two inventions which Thaler says were created by an AI machine he owns called Dabus (an acronym for Device for the Autonomous Bootstrapping of Unified Sentience). The case has already been dismissed by the High Court and the Court of Appeal, which ruled that patents cannot be awarded in cases where the inventor is not a natural person.
The UK’s Supreme Court is expected to hand down a final judgement in the coming months.
The week ahead (6–12 March)
6 March: The EU commission’s next technical workshop with stakeholders on how to comply with the new Digital Markets Act will address app store-related aspects, including alternative in-app payment systems, steering (a practice which allows developers to inform users about other purchasing options) and sideloading (the process of installing an app which did not come from one of the two main app stores).
6 March: The 19th Annual State of the Net conference, taking place in Washington DC, will bring together internet stakeholders in government and in the private sector to talk about connectivity, cybersecurity, AI developments, and children’s privacy.
6–7 March: The Council of Europe and the Moroccan Ministry of Justice are jointly organising an international conference on strengthening cooperation on cybercrime and e-evidence in Africa.
6–10 March: The UN Open-Ended Working Group (OEWG), tasked with studying existing and potential threats to information security and possible confidence-building measures and capacity development, will hold its 4th substantive session in New York. Deeper discussions on the points of contact (PoC) directory are expected. There will be quite a few side events too.
10–12 March: The 2nd session of the European Commission citizens’ panel on the metaverse and other virtual worlds will ask people to identify, discuss and prioritise values and principles that should guide their development.
10–16 March: The ICANN76 Community Forum, to be held in Cancún, Mexico and online, will bring together ICANN supporting organisations, the advisory committee and the broader ICANN community to discuss ongoing issues on domain name system (DNS) management. Preparatory meetings took place last week.
EU Cyber Resilience Act: Enforcing cyber norms far beyond Europe
A new article by our colleague Anastasiya Kazakova looks at the extra-territorial effect that the EU’s upcoming cybersecurity law, the Cyber Resilience Act, will have on products and services developed by the private sector for citizens (these points are also potentially applicable to new US laws imposing liability for cybersecurity flaws once they materialise). Assuming that companies decide not to lower the bar for non-EU users, the new rules will mean that users worldwide will benefit from these stricter requirements. Moreover, EU member states adopting these rules will also contribute to implementing at least three of the norms on responsible state behaviour.