The UK government must reform EU tech rules
You might think that preventing another disaster like July’s CrowdStrike-Microsoft outage would require more government oversight in digital markets or cybersecurity — but you would be dangerously wrong. As the UK competition regulator reviews feedback on how to enforce the new Digital Markets, Competition and Consumer Act (DMCCA), now is the time to reconsider the interoperability clause of the DMCCA which forces digital service providers to open up their platforms to be compatible with other service providers. Borrowed directly from the EU’s infamous 2023 Digital Markets Act (DMA), this requirement aims to protect consumers from uncompetitive practices by tech giants. But as we saw last month, such a strategy falls apart when scrutinised under the lens of cybersecurity.
July’s worldwide outage — which brought down 8.5 million Windows devices — exposed the folly of a regulatory requirement like interoperability. Although this compatibility requirement is designed to generate competition between service providers, having multiple integrations from different service providers increases the vulnerability of any system. One faulty update from cybersecurity firmware provider CrowdStrike impacted stock exchanges, public health systems, and airlines around the world that rely on CrowdStrike’s integration with Microsoft.
A post-Brexit UK, free to design competition regulation independently of Brussels, should be wary of imposing interoperability requirements on digital service providers. The UK digital markets regime should learn a cautionary lesson from the CrowdStrike-Microsoft fiasco before a cybersecurity attack or another bad code push results in critical downtime.
Earlier this year, Parliament passed the Digital Markets, Competition and Consumer Act (DMCCA) as the UK equivalent to the EU Digital Markets Act (DMA). In their drafting, MPs borrowed language directly from the EU. The DMA designates six far-reaching digital services providers, including Alphabet, Amazon, Apple, Meta, and Microsoft, as “gatekeepers” and dictates that these market-dominant firms must make their platforms interoperable with the services of competitors.
The DMCCA also requires interoperability, and will grant the UK competition regulator, the Competition and Markets Authority (CMA), the power to identify such “Strategic Market Status” firms. The DMA was drafted in the spirit of protecting consumer choice by allowing consumers to pick products or services outside of a tech giant’s ecosystem (see Apple permitting app downloads outside of the AppStore in the EU thanks to the DMA). But the DMA’s argument on interoperability should not be applied to integrations between third-party service providers and core services.
Such was the case with CrowdStrike-Microsoft. It is now known that July’s outage occurred due to a mismatched code update from CrowdStrike, a security firmware connected to the Microsoft operating system. The more third-party integrations an operating system or platform has, the more points of vulnerability exist whenever a change is made to any single moving part.
The CrowdStrike-Microsoft outage supports the age-old adage that Apple devices have superior security than their Microsoft/Android counterparts, precisely because of Apple’s closed ecosystems. If the UK continues to follow in the EU’s footsteps, it will open its businesses to class-action lawsuits just because businesses cannot control automated updates on the softwares they use.
A security workaround that still respects interoperability would be to give businesses control over when to deploy updates (which CrowdStrike says it would do). Yet, smaller businesses may lack the IT expertise to understand the content of updates in order to make such manual decisions. Businesses should be able to trust the IT services they run on with the assurance that there aren’t hidden backdoors. Interoperability undermines such trust, while security workarounds to interoperability places unnecessary burden on businesses.
With the King’s Speech proposing a new Cyber Security and Resilience Bill, now is the time for the UK to critically evaluate its digital markets regulation which has tangible implications for cybersecurity. The CrowdStrike-Microsoft outage shows that poor regulation could threaten cybersecurity as much as malicious actors. The government itself recognises that “existing UK [cybersecurity] regulations reflect law inherited from the EU”. The Labour government can throw off the shackles of EU regulation which has sacrificed security in the name of promoting consumer choice.
Xizi Daigle is a policy writer and political commentator with Young Voices UK. She is a graduate of the London School of Economics (LSE)’s Master of Public Administration (MPA) programme, where she specialised in Economic Policy. She previously worked with the UN, at a software start-up and in tech consulting, and on the Government Relations team of Canada’s largest life and health insurer.
