Today’s digital and technological ecosystem is both more important and more complex than anyone could have imagined even just a few years ago.

People now use connected devices for everything, from paying for their morning coffee to ordering a car, to finding romance. That connectivity, its operating technologies as well as the data it stores and accesses, is also increasingly underpinning our economies and national security. But as we all rely on our connected technologies for more purposes, we also create more vulnerabilities that could lead to disruptions.

These vulnerabilities have been on clear display over the last couple of months, something policymakers need to take careful note of as they consider new technology policies. Unfortunately, we fear that well-meaning policymakers around the world, including those working on competition regulation, are heading in a direction that will make cybersecurity worse, not better.

Over the last couple of months alone, we’ve seen a string of alarming activity in our respective countries, the US and Australia, and around the world.

In August, US intelligence agencies confirmed that Iran was responsible for breaching accounts associated with the Trump-Vance campaign and unsuccessfully attempting to penetrate the Biden-Harris campaign, with haunting echoes of the 2016 election interference.

In July, there was a breach in Australia of approximately 12.9 million individuals’ health records, including their personal and health information, the latest in a series of concerning data breaches.

Perhaps most revealing of our collective digital vulnerabilities, though, was the global IT shutdown that left planes grounded, hospitals stymied, and critical public services disrupted when a flawed security update hit computers around the world.

This was truly a global event with airports in South Korea, hospitals in Germany, and emergency services in the US all suddenly taken offline with almost every business sector impacted. If this had been the result of a malicious actor seeking to disrupt the global economy, they would have considered it a great success, and it would have surpassed the NotPetya event in June 2017 as the greatest malicious cyber event in the world to date.

We have spent our careers serving in our respective governments on the frontlines of security and diplomacy. In our experience, leaders must learn from every crisis and then actually implement policies and practices to ensure it never happens again.

The global IT crisis was the result of a software update provided by CrowdStrike, a well-known and well-respected cybersecurity firm. This update should have been routine, but an error in its code conflicted with Windows and the defective update cascaded across computers running the Windows operating system.

One of the contributing factors was that Microsoft allows third parties – such as CrowdStrike in this instance – to have access to its “kernel”, which is the computer program at the core of a computer’s operating system, giving it control over everything in the system. This is why what started as a third-party software glitch quickly took down systems across the globe.

Just as important as what happened is what did not happen.

Fortunately, smartphones and Mac devices were unaffected by the crisis. This is because they are protected by a different architecture than computers running Microsoft Windows. That architecture limits the errors third parties can introduce, through a vetting and app store approval process, and restricts their access to core system functionality.

Given this, policymakers considering how to advance a more trustworthy, dynamic, and secure technology ecosystem have important questions to answer. How can we develop policies and legal frameworks that encourage a more secure digital ecosystem? How can we create differentiation as a core cybersecurity component of this digital world rather than creating one that is dumbed down to a one-size-fits-all approach?

Allowing and encouraging operating systems with different design and operating characteristics can be an effective tool in our efforts to mitigate the impact of damaging cyber activity – while giving consumers multiple choices.

We approach these questions as career practitioners who look at cyber threats in today’s hyperconnected world through a global lens. And, unfortunately, the trend around the world is heading in the wrong direction.

A wake-up call

Over the years, an ecosystem has emerged, powered by both the private sector and government, that maintains the current level of security against inadvertent and intentional third-party risks. However, several competition laws around the world, including the European Union’s Digital Markets Act (DMA) and similar proposals in other countries modelled after the DMA, disrupt this system without instituting a reliable replacement.

The DMA mandates third-party access to the operating system, which would require smartphones and Macs to open themselves up to widespread third-party vulnerabilities just like what we experienced in the recent global IT outage.

The range of approaches to legislation, laws, and regulations around the world – even among closely aligned partner countries and entities – is creating a patchwork of competition and security measures, which can be incompatible, confusing and difficult to implement. These measures can leave gaping holes for malign actors to move through to affect ordinary users.

Recent cyber events should be a wake-up call to us all. Policymakers around the world need to be working on shoring up vulnerabilities. Unfortunately, many are heading in the wrong direction, but it’s not too late.