Benedikt Franke is vice-chairman and CEO of the Munich Security Conference.
“Prevention is better than cure.”
This phrase, attributed to Dutch philosopher Desiderius Erasmus, is as valid in today’s security environment as it was 500 years ago. It simply makes more sense to stop something bad from happening than having to deal with its consequences later.
Admittedly, this can often be easier said than done, particularly in the rapidly shifting world of international security — but not when it comes to formulating new rules, regulations and policies. Here, nothing should be stopping us from including security considerations from the very beginning.
So why aren’t we doing this, especially now that the threats to our democracies, societies and way of life are becoming more tangible by the day? This question remains front and center as we launch this year’s Munich Security Conference (MSC).
We’ve long argued that regulations and policies seeking to address new realities need to be “security proofed” before they’re passed. Just look at “climate proofing” — vetting policies for their overall effect on climate change has now become common practice. And there’s no good reason why a similar approach shouldn’t be taken when it comes to formulating policies on technology, rather than having to mitigate potential risks after codifying regulations.
We’re now faced with increasingly dire warnings regarding the growing risk of cyber threats, and clear indications that mastery of emerging technologies will be a key future battleground. Yet, when formulating technology policies, we continue to focus on certainly important but ultimately secondary concerns — such as taxation — rather than our own security.
For example, a recent European Commission tender, which requests technical guidance on assessing the security implications of regulations, suggests concerns weren’t sufficiently considered when legislation like the Digital Markets Act (DMA) were being developed.
Another recent case is the EU’s Cyber Resilience Act, which forces companies to report unpatched vulnerabilities in their products. But what seems like a good idea at first raises the blood pressure of many experts, as they fear that publishing such weaknesses may lead to leaks and increased awareness of possible attack opportunities among those who should be kept in the dark.
We can no longer afford to diddle around like this! And rarely has anything hammered home just how much we remain stuck in the harsh reality of centuries past as Russia’s invasion of Ukraine. It is, however, far from the only recent wake-up call as to just how far opponents of our liberal democratic order are willing to go, and how ready they are to exploit every weakness we show and every vulnerability we leave unpatched.
We simply need to embrace the fact that our autocratic challengers, as well as criminal elements around the world, weaponize absolutely anything they can — be it our smart phones or smart homes, critical infrastructure or resource dependencies. And if we want to win, or at least persist, we need to get better at accepting the fight where they take it — and that may be just about anywhere.
At its core, this means our political leaders must ensure all new policies and regulations add to our security rather than subtract from it, that they don’t weaken cohesion or increase vulnerabilities but close avenues of attack and boost resilience. Ideally, new policies and regulations can even give us an edge in conflicts to come.
This sounds like a no-brainer. After all, who would really want to implement a policy that makes them less safe?
Unfortunately, however, there remain countless examples of silo-thinking, a lack of cross-governmental coordination and false priorities both in Europe and across the wider transatlantic alliance, leading to policies with dangerous knock-on effects.
The DMA is a case in point. Ratified exactly one month after Russia’s invasion — but obviously negotiated long before President Vladimir Putin crossed the Rubicon — the DMA may be great from a competition or taxation perspective, increasing fairness across the board, but it hardly makes the EU and its citizens safer. On the contrary, there’s plenty of evidence that it comes with serious side effects, putting millions at risk by overriding central safeguards on the pretense of consumer choice.
While protecting European values and promoting Europe’s economic competitiveness are worthy goals — and even imperatives — our key point has been, and remains, that a conversation on how to ensure and, ideally, enhance security should have been layered on top of these goals.
But such a conversation won’t happen without somebody actively enforcing it, hence the importance of creating an overarching office within the Commission, dedicated to examining pending and future legislation.
Such a mechanism could run through the office of what former MSC Chairman Wolfgang Ischinger had called the “European Chief Security Officer.” This would be a position explicitly responsible for coordinating across the branches of the European policy-making, and ensuring that the goal of increasing security is kept at the heart of any developing legislation. And the forthcoming European election offers a timely opportunity to finally create and institutionalize this job.
Whoever would be nominated for this position would have their work cut out for them — not just because the threats continue to grow by the day, but also because of the speed of technological progress and the subsequent need to fashion fresh rules and regulations, not least when it comes to artificial intelligence.
As regulators try to keep up, somebody needs to ensure they don’t lose sight of the very purpose of the organization they serve — keeping Europe’s citizens safe.