By Chris Strohm
Efforts by Google Inc. (GOOG), Microsoft Corp. and Amazon.com Inc. (AMZN) to be excluded from U.S. cybersecurity rules may become moot under a European Commission proposal that could force them to report attacks and make their products more secure.
E-mail providers, search engines, social networking websites and companies specializing in electronic commerce would have to comply with cybersecurity requirements to sell products and services within the 27 countries of the European Union under a directive proposed Feb. 7.
President Barack Obama’s administration exempted products like Google’s Gmail, Apple Inc. (AAPL)’s iPhone software and Microsoft’s Windows operating system from a February executive order aimed at improving cybersecurity in the U.S.
“Some EU member states may enact stricter standards than what the EU as a whole requires,” said Sanford Reback, director of global business for Bloomberg Government, which released a study today on the topic.
“Some U.S. companies may decide to comply with the strictest EU standard adopted rather than have the operational headache of trying to fine-tune their cybersecurity measures for different markets.”
Internet companies that successfully fought to be excluded from Obama’s cybersecurity order aren’t giving in without a fight in Europe. The European directive is “very challenging,”Paul Nicholas, a senior director for Microsoft (MSFT), said in a phone interview.
Microsoft is lobbying European governments and plans to convene a cybersecurity summit in June to discuss the issue, he said.
“When you create these types of specific requirements country by country it tends to discourage people from building global products and services,” Nicholas said. “Over time, that can erode innovation and it also limits economic opportunities. It reduces the number of markets that you can participate in.”
The U.S. and European governments are advancing cybersecurity policies to prevent electronic attacks from disrupting banks, utilities, telecommunications networks and financial services.
Internet companies lobbied the White House to carve out an exception for them when developing the executive order. The Internet Association, a trade group whose members include Google, Facebook Inc. and Amazon urged the White House and Congress to “ensure that all Internet services are not subject to regulation,” the group’s president, Michael Beckerman, said in an e-mailed statement.
The European Commission’s approach “seems overly proscriptive,” said David LeDuc, senior director for public policy at the Software & Information Industry Association in Washington, which represents major companies like Oracle Corp. (ORCL),International Business Machines Corp. (IBM) and Adobe Systems Inc. (ADBE)
“These types of policies would be exactly what you would implement if you were trying to stifle innovation,” LeDuc said in a phone interview. “It makes tons of sense in theory but it’s a lot harder than it actually sounds.”
The threat of cyberattacks has become a greater concern than terrorism, James Clapper, the top U.S. intelligence official, told the House Intelligence Committee during an April 11 hearing. An April 23 hacking attack on the Associated Press’ Twitter Inc. account that erroneously said there were explosions at the White House caused the Standard & Poor’s 500 Index to briefly lose $136 billion in market value before recovering.
Europe has had its share of cyber crime, too. The Czech Republic’s central bank said its website was temporarily knocked offline March 6, and the European Commission cited a report that the London Stock Exchange experienced a serious cyber attack in 2010.
The European Commission proposal includes Internet companies “because it is absurd to work to protect critical Internet infrastructure without obliging such companies to take responsibility for their wider role in this ecosystem,” the commission said in a Feb. 7 statement.
Internet and technology companies would face security requirements under the proposed directive because they provide services and products vital to governments and the economy, and are often targeted by hackers, the commission said.
LeDuc said companies believe the security standards will constantly change, leading to uncertainty. “It takes quite awhile to go through a process and identify what those standards are,” he said.
Google is watching the process in the European Commission and hasn’t taken a formal position on its proposed directive, a spokeswoman, Samantha Smith, said in an e-mail. Calls to Amazon weren’t returned. Steve Dowling, an Apple spokesman, declined to comment.
The directive will be vetted by European governments in the coming months, James Lewis, technology program director at the Center for Strategic and International Studies in Washington, said in a phone interview.
“The chance for these things to fall off the rails is always high,” Lewis said.
Debate over how to improve cybersecurity also continues in the U.S. Telecommunication companies like Verizon Communications Inc. (VZ) have questioned why the Obama administration didn’t include information technology products and consumer information services as critical U.S. infrastructure.
Obama’s order “is not about Netflix, Twitter, Facebook, and Snapchat,” White House spokeswoman Caitlin Hayden said in an e-mail at the time. It’s aimed at power grids, telecommunications, pipelines and other vital infrastructure whose incapacitation from a cyber attack would have national security and economic implications, she said.
“If e-mail went away this afternoon, we would all come to a stop,” said Marcus Sachs, vice president of national security policy at Verizon, the second-largest U.S. phone company. “Hell yeah, e-mail is critical.”