You can’t read the news without seeing another story about a ransomware attack and its aftermath, like the bumper-to-bumper lines of cars waiting for gasoline after the Colonial Pipeline attack. Just a few weeks ago, JBS, one of the world’s largest meat processors, temporarily shut down its U.S. factories and paid hackers $11 million in an atrocious move the company deemed necessary to preserve the data integrity of its operations and customers. You are probably reading these stories on your phone, a personal computing device that is another very attractive target for attackers.
As bad actors increasingly seek to compromise our privacy and security through breaches in the Internet, what power do we have to stop them?
In May, the Center for Cybersecurity Policy and Law, a nonprofit dedicated to shaping sound public policy in cybersecurity and related technologies, addressed this issue in a discussion paper titled “Mobile Future: Pathways to Continued Improvement in Mobile Security and Privacy.” As a former colleague put it, “Cyber security is a team sport,” and this document faithfully reflects that goal.
The Center brought together experts from industry, research and academic institutions, civil society, and current and former government officials to discuss mobile security and the policies that would best protect the privacy of mobile applications, the app stores that support them and, of course, the end users who have integrated those apps seamlessly into their devices and everyday lives.
As cybersecurity experts struggle to keep pace with ever-evolving threats, such as nation states exploiting vulnerabilities to threaten critical infrastructure, mobile security has improved. Take for example the iPhone. The App Store has boosted a vast application-based economy of over 2 million software applications, available for instant download directly to users’ smartphones. All iPhones are built with automatic end-to-end encryption to defend against hacking, and the App Store conducts a thorough review by both machines and humans to filter out deceptive software. Consumer-centric decisions that protect users from risk are part of the reason why smartphones like the iPhone are now in the hands of nearly 70% of the world’s population, according to 2019 data.
Building mobile platforms and applications with security and privacy in mind is the best way to reduce risk to users from the start. Consumers are loyal to the brands they trust and, when technology is involved, to the devices they trust. The most successful app stores are dedicated to building secure ecosystems for mobile devices, contributing to their exponential global adoption. For example, advances in automated scanning tools have dramatically reduced the number of malicious apps on major app stores. Having a central distribution point for software also filters out harmful or manipulative applications.
As technology has advanced, security threats and the corresponding attacks have also become more sophisticated. Many in the mobile industry already understand that most users cannot defend themselves effectively. Speaking during a conference in June, Apple’s chief privacy officer Jane Horvath said the company’s goal is to make privacy something consumers don’t have to worry about. “We made it part of the consumer experience,” she said, using the automatic encryption of iPhones as an example. Users simply set a password; the rest is done for them.
The risks to connected devices are as complex as the technology itself. It is therefore unrealistic to expect millions of users to fully understand the layers of security involved in their own protection, despite their importance.
Unfortunately, in their rush to deliver results and protect voters, well-meaning lawmakers risk undoing the advances made by industry experts in the area of privacy protection.
Competition policies venture into dangerous territory by enforcing open operating systems, where users can download third-party software that has not been reviewed, a process known as sideloading. This practice selectively ignores the obvious evidence that the majority of malware on mobile devices comes from third-party sources that do not perform application security checks.
Simply put: Any discussion of sideloading or app store competition should consider the potential risks to user privacy and security.
It is more important than ever that the public and private sectors come together to strengthen security barriers to prevent cybersecurity threats. Policymakers must avoid inadvertently weakening existing protections. Security tools on mobile devices and the apps we depend on can serve as a reliable roadmap, helping to make the internet a safer resource for our mobile future.
Megan Stifel is Global Policy Officer at Global Cyber Alliance. For more than two decades, she has worked at the intersection of technology and national security, having previously served in the White House as a cybersecurity adviser to the National Security Council and in the US Department of Justice as Director of Cyber Policy in the National Security Division and as Legal Advisor to the Computer Crime and Intellectual Property Section of the Criminal Division.