Munich Security Conference Brings Together Tech Experts and Policymakers in Brussels for a Roundtable on Cyber Security and Tech Regulation

Hyperlinked: Uniting European Cybersecurity Efforts

The first discussion, which focused on cyber security, began with establishing the difficulty of regulating and safeguarding the cyber domain. Threats can come from within and beyond national boundaries and there is less distinction between war- and peacetime attacks. The sudden rise of AI-backed malware and cyberattacks has exacerbated an already challenging threat landscape.

As all aspects of life and politics become more digitally connected, participants agreed that the biggest security risk always emanates from the weakest link, be that humans in a corporation or one single, tiny piece of military equipment that is connected to all others and becomes a vector for attack. The omnipresence of cyber risks and the respective vulnerabilities require democracies to act. For example, participants stressed the crucial role of technology education to increase the resilience of the general population. Additionally, one crucial step many participants highlighted is the need to security-proof all legislation efforts. Instead of only prioritizing trade and competition, policies and regulations need to be assessed based on their security impact to avoid unintended consequences that weaken democracies.

Indeed, to bolster transatlantic democracies against adversaries, the participants called for better coordination between the EU and NATO. The two institutions can complement each other in the technology realm as NATO brings a military security perspective to technology-related issues while the EU has legislative power to implement laws that tackle these security threats. Additionally, the idea of creating the position of a Chief Security Officer within the EU was raised to ensure clear responsibility of one person tasked with integrating security and geopolitical considerations in all EU efforts.

Participants also emphasized the importance of fostering a more open dialogue between policymakers and the industry. Several participants criticized the EU, which was ironically referred to as "the Silicon Valley of regulation," for its recent legislative efforts in the cyber domain. An often-cited example for misguided policies pertains to requirements that force companies to report unpatched security risks early to authorities within a narrow time frame. One participant likened it to "leaving the apartment door unlocked and informing robbers about it." Many participants agreed that this kind of legislation may decrease rather than increase security and companies prefer to first patch these security risks before informing a wider audience about them for fear of leaks or espionage.

Other participants defended the EU's efforts and commended its progress in some technology sectors, but also acknowledged the lack of personnel and resources needed to enforce the ongoing regulation efforts. Still, participants agreed that what matters most is impact. They called on the transatlantic partners, but especially European countries, to enhance their coordination efforts within and outside of Europe, to share intelligence about cyber threats more openly, and to invest more in staff to implement regulations effectively. On top of that, many participants warned that the EU cannot "regulate its way to leadership" for new technologies like AI, but instead needs to foster innovation and research to develop these technologies responsibly itself, preferably with allies across the Atlantic.

Save the Data: Tech Regulation in Times of Strategic Rivalry

The second session started with the question whether there actually is strategic technology rivalry at the moment and between whom. Participants broadly agreed that this was the case between the transatlantic partners and China. Perspectives on the relationship between the EU and the US were more nuanced. Several participants stressed that there should be no security competition between the US and the EU but that economic competition between them is normal and even healthy.

A few participants reiterated their criticism on the security implications of EU tech regulations, such as the requirement to report security vulnerabilities under the EU's Cyber Resilience Act. Many others, however, countered by emphasizing that regulation is necessary nonetheless. They admitted that transparency requirements like these might have negative security implications, but argued that many aspects of the tech sector were completely unregulated before. An initial legal structure, which can serve as a basis for a more comprehensive framework, was therefore deemed necessary. Several participants also pointed out that leaving the tech sector solely to market dynamics carries security risks, arguing that the private sector primarily has an incentive to innovate and generate profit rather than putting security first. One participant reminded the room that the regulation of ever more powerful AI models is paramount.

The participants agreed on the importance of further transatlantic cooperation on tech regulation but also acknowledged the many challenges that come with it. Some participants stressed that the US and the EU have very different governance structures and approaches to tech regulation, noting that several EU regulatory bodies do not have US-counterparts. There are also differences in terms of process. In Europe, tech regulation is primarily shaped by lawmakers whereas US regulations and standards also emerge through litigation as product liability is much more extensive there.

The event concluded with a dinner, which focused on the technology-related lessons from the Russian war against Ukraine. It was noted that Ukrainians show great innovative spirit in engaging with new technologies on the battlefield. The war also serves as a stark reminder that the cyber space will play a crucial role in future conflicts and that democracies need to band together to prepare for the transformation of warfare ahead of time.