Cyber Crime and Antitrust

One should consider the proposed antitrust legislation now pending in Congress not as a lawyer or academic, but as a hacker. For hackers, some provisions of the bills under consideration will be the gift that keeps on giving.

The riskiest provisions would require big app store operators to allow third-party apps to be offered in their stores without a security review, or allow any developer direct access to a customers’ mobile devices, a practice called “sideloading.” Some companies want this since it lets them to avoid paying fees to app store owners, which is understandable, but these changes would come with serious costs for cybersecurity.

Hackers know that one of the easiest ways to get access to a computer or cell phone is to get the victim to willingly download and install malicious software without knowing they have done so. Phishing, where an email encourages the reader to open an attached file, is the most common technique for this, but apps are a great delivery vehicle as well. It is next to impossible to know where an app came from, what is in it, who wrote it, or to whom the hackers might have subcontracted the coding. If this section of the bill becomes law, being able to put an unreviewed app on the market or letting people download apps from the “the wild” will become one of the most preferred methods for cybercrime. This would have implications not only for the usual fraud and robbery against individuals, but risks the creation of apps that, when loaded on a personal device, will provide access to corporate or government networks. Requiring companies to provide the technical data required for an app to work with a phone (such as operating system software) makes life easier for criminals and spies.

People are upset about the rise in spyware like Pegasus, which an attacker can remotely install on a program on a mobile device that provides covert access to contacts, content, and other data without the knowledge or consent of the victim. Writing programs and finding ways to install them without notice is hard, but getting someone to download and install via a poisoned app is easier and cheaper.

One important goal for hackers and spies is to get access to source code. This has been true for decades and usually requires some illicit action or difficult engineering. Source code is the commands that are compiled into computer programs and tell the device what to do. Being able to access source code can let an attacker discover exploitable vulnerabilities or to determine how to overcome defenses. But if companies create the right to demand access to source code, instead of having to work to acquire or reverse engineer the code, they can simply ask a company for it. Since many apps already have some kind of “call home” feature to harvest data from users, a malicious app may not be easily detectable. Once a hacker has gotten the victim to install an app or has gained access to source code, the task of circumventing any defense and gaining access to data or other networks becomes easier. Instead of being able to keep out apps whose trustworthiness they are unable to ascertain, app stores will be obliged to allow access to them.

To believe that only legitimate businesses will publish new apps or ask for source code is naive. Cybercriminals and spies are opportunistic, reacting immediately to new vulnerabilities like the ones this bill inadvertently supplies. There are already many malicious apps on the internet, and making a request for source code appear to be from a legitimate business requires a little skill. Creating a front company is not much of a burden since most app developers are small companies, sometimes only employing a few individuals, making it easy to create a false front. It is likely that if the bills pass, the United States can expect to see more fake online stores, front companies for sale or rent, and other circumventions appear in malware markets. The already energetic malware-as-a-service market will add front company or poisoned apps to the list of offerings.

There are other potential problems, since the bill as drafted would likely damage innovation or hurt the United States in the competition with China, but the harm to cybersecurity is the immediate problem. The primary motive for this is to allow companies to avoid app store fees (which admittedly were high—the industry average has been 30 percent) or allowing users to install apps from the wild without prior review. There are other charges of anticompetitive practices by app stores, such as copying an innovative app and then offering an in-house competitor. The “gatekeepers”—the EU term for tech giants, including app store owners with what the European Union describes as preponderant market power—are now paying the price for past practices.

But gatekeeper is a surprisingly apt description. since without gatekeepers, the gates will be wide open for anyone to pass through. The easiest modifications to the legislation are to allow app store owners to continue to review code before making it available for sale (charging an “at-cost” fee for the service) and to continue to block sideloading, a practice that cannot be made safe. Big tech needs to be regulated—there is no argument there—but not at the cost of making cybersecurity even worse than it currently is.

James A. Lewis is senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.  

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).  

© 2022 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program