Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition

When tech markets fail, lemons prevail

EU legislation aims to tackle IT security but will be ineffective unless it addresses the market dominance of tech giants
Main Top Image
Image created with the assistance of Midjourney

It took government intervention for Microsoft to act. Only after the US government issued a report in March criticising Microsoft’s insufficient security culture did the Seattle-based company promise to make security its number one priority. The case illustrates that even big players are not immune to government intervention. It also reignites questions about whether the security market is failing, as it leaves government institutions and companies at the mercy of a few big service providers for a crucial part of their infrastructure.

Although the US authorities have managed to wring at least lip service from Microsoft, there are doubts that the EU can achieve the same. Can Brussels pull similar strings to promote the security of IT services and products vis-à-vis the major US  oligopolies? Or is the EU dependent on the US authorities to act? There is no shortage of EU legislative projects that aim to improve IT security. Yet all these efforts will be futile if the root cause of the problem is ignored: the ability of powerful market players to dictate security prioritisation.

IT security: a market for lemons

IT product security has never been a major market priority. First, security is not ‘fun’: it must be good enough to be ignored, while consumers can enjoy the actual quirks and features that spark joy or add to the product’s value. 

Second, consumers often have difficulty assessing the security of the products or services they purchase. IT security has, therefore, always been a ‘market for lemons’: the customers cannot assess the actual security, so they are not willing to pay a markup for more secure products. They do not know whether they are getting a ‘lemon’ or a ‘peach’. If no one is willing to pay for safe products, then no one is willing to produce them.

The limited profits have incentivised few companies to invest in developing sustainable and secure products or services. For example, Microsoft has demonstrated, at best, a lack of motivation to make meaningful improvements to its Active Directory service, a technical service to manage users, clients, and servers. Even when the company fixes old vulnerabilities, it is a mere patch rather than a structural overhaul, and it often leads to new problems.

Most successful ransomware attacks exploit basic security vulnerabilities. Worse, cyber risks are generally abstract, and the value of secure systems is often only appreciated once the ‘milk is already spilt’ after a successful ransomware attack, for instance. 

Several European regulations address this issue. Minimum security standards for products, such as those mandated by the Cyber Resilience Act or certification under the Cybersecurity Act, improve the transparency of product security. The EU-wide legislation on cybersecurity, the NIS-2 directive, also makes headway in this area by designating certain aspects of large IT service providers, such as cloud or data centre providers, as critical infrastructure. This means that these providers must implement ‘minimum standards’ for security in providing their services. 

NIS-2 also attempts to address the demand side. By obliging critical infrastructure operators to secure their information technology, the directive makes it necessary for these operators to purchase secure products and employ secure service providers. Thus, NIS-2 helps create demand for verifiably secure service providers and products, which, in theory, should also trigger supply.

EU regulation ignores market power

In principle, stimulating demand is not a bad idea. However, it will fizzle out relatively ineffectively if supply-side market power is ignored.

The market for most IT services is dominated by a few tech giants – an oligopoly. It is frequently impossible to choose another provider if you disagree with a major supplier’s security practices. For example, although operators of critical infrastructure must maintain certain security levels across all their service providers, they may not be able to enforce such requirements when up against large, near-monopoly suppliers like Microsoft and its Office-IT services.

Even for chief technology officers of medium-sized companies, negotiating contract terms with a large provider can be a humbling experience. An annual license volume in the mid-single-digit million-dollar range does not entitle you to privileged insights into actual security practices. Take it or leave it: Big Tech knows you have no alternative.

Admittedly, the tech giant also has a certain self-interest in implementing at least minimum security regulations. However, since large companies do not face significant market competitive pressure, it is ultimately up to them to decide whether or not to prioritise security. 

Getting Big Tech to play along

The issue, therefore, is how to get large manufacturers and service providers to play along.

‘Minimum standards’ such as those made mandatory by the Cyber Resilience Act or NIS-2 are a step in the right direction. Individual regulatory measures may help to foster some level of IT security. However, in a monopoly or oligopoly, this does not lead to quality competition but only to the provision of the necessary minimum. In the end, minimum standards are just that: minimum standards.

Washington and Brussels plan to extend the warranty and liability for manufacturers to increase incentives and pressure on them. The United States explicitly mentions manufacturer liability as a means of driving higher security standards in its cyber strategy. The EU also intends to expand warranty and liability rights in case of data loss, but only in business-to-consumer interactions. In the business-to-business market, it is generally possible to negotiate individual agreements. Yet once again, the more powerful market player dictates the terms (a current example would be the far-reaching exclusion of liability in the contracts of Crowdstrike).

Tech giants are here to stay

The EU is beginning to address the problem of market failure in ensuring IT security, but most initiatives only treat the symptoms. US tech giants have major footholds on the continent, and the EU has not been able to establish regional competitors. 

Even if there was a desire to revitalise traditional antitrust measures, their impact on multinational corporations would be limited because enforcement is restricted to the European domestic market. While tools such as vertical disintegration (the separation of two value-added services into independent legal entities) and fusion control (preventing the takeover of a competitor) could be helpful, international players have already established their market dominance abroad. 

The EU is content with applying the more benign part of the competition law toolbox, such as breaking up abusive tying practices. One example of this was forcing Microsoft to offer a 365 Office package without a Teams License. However, considering Microsoft’s overall market power, this step resembles a toddler trying to empty the ocean using a bucket.

Therefore, reliance on a few dominant market actors takes a lasting toll on national IT security. EU legislation already allows issuing official warnings for specific products, similar to how it is done in the United States. These warnings specifically target unsecure products used in sectors like critical infrastructure.  

The EU can certainly develop a more cumulative negotiating power as it did with comparable developments in the aftermath of the GDPR. However, the Commission and national authorities have found it difficult to act, partly to avoid distortions of competition. Of course, where there is no competition, there can be no distortion. While the Digital Market Act and similar regulation initiatives attempt to curb the misuse of market power by ‘gatekeepers’, they do not adequately tackle the underlying issue of the gatekeepers’ presence in the first place.

In situations where alternative options are scarce, an official warning would serve more as a polite request to the manufacturer. However, in the absence of functioning market mechanisms, there is no other option. Yet even with limited regulatory resources, the EU should not hesitate to act against tech monopolies. At least not until the fundamental problem of dependence on monopolists is addressed.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.