National Security Agencies—Time to Weigh In on Legislation Affecting Security (U21b)
Countries around the world are considering and passing legislation that affects networks, data, and critical infrastructure. Even when the main thrust of the proposals is not security but other policy goals like competition, these ‘civil’ laws impact national security, because they often affect commercial IT products that are the same products used in critical infrastructure and national security systems. Examples include the EU’s Digital Markets Act (DMA) and its ongoing implementation, the EU’s Digital Services Act (DSA), Japan Fair Trade Commission’s draft competition law, India’s draft competition law, Australia’s e-safety draft regulations, the EU’s Cyber Resilience Act (CRA), the U.S. draft competition law, the U.S. Child Online Protection Act, and various consumer protection and antitrust enforcement actions. These proposals often do not align with Common Criteria (CC) requirements or best practices and are often in direct conflict with CC requirements, affecting CC Certified products. For example, the DMA’s requirement that mobile devices accept sideloaded apps from China and Russia is the exact opposite of the best practices stated by the national security agencies of the U.S., Japan, India, Interpol, and the Common Criteria Protection Profile. Should expert cyber national security agencies and Member States in the EU weigh in on ‘civil’ actions that can undermine national security, and if so, when? And how should they weigh in? Is cyber and national security important enough to join the ‘civil’ discussion? The answer proposed is yes: national security agencies and militaries should track these developments and seek to inform ‘civil’ policymakers about proposals that can affect national security networks, data, and critical infrastructure. The state of cyber conflict requires experts to share predictable outcomes.