Microsoft, Oracle and Facebook, along with 31 other companies, on Tuesday signed the Cybersecurity Tech Accord, an agreement aimed at defending against cyberattacks, whether coming from rogue hackers or nation-states. The 34 tech firms committed to stronger defenses, no offensive attacks, capacity building and collective action.
The accord is designed to protect the integrity of the 1 trillion connected devices that could be in use around the world within the next 20 years. Security remains a major issue in the tech world, with economic losses expected to reach US$8 trillion by 2022, according to Juniper Research.
The companies that signed the Cybersecurity Tech Accord plan to hold the first meeting during the security-focused RSA Conference taking place this week in San Francisco. The meeting will focus on capacity building and collective action.
The companies agreed to mount a stronger defense against cyberattacks, regardless of the motivation underlying them. They also pledged not to help governments launch cyberattacks against innocent citizens or enterprises. They promised to protect their products and services from any tampering or exploitation that could enable their use in such attacks.
The signatory companies plan to do more to empower developers, as well as the people who use technology products, to improve their capacity to defend against attacks. This could include joint work on developing stronger security practices.
Finally, the Cybersecurity Tech Accord companies aim to take collective action to establish formal and informal partnerships with industry, civil society and security researchers, to improve collaboration that will ensure the disclosure of vulnerabilities and other threats. The goal is to minimize the potential for the introduction of malicious code.
Not Fully Binding
The Cybersecurity Tech Accord is very much a work in progress — one that the companies noted remains open to consideration of new private sector signatories. However, one key takeaway from Tuesday’s announcement is that the companies have the option to adhere to some or all of the principles.
That could mean the companies still could do what is in their best interests rather than adhere strictly to the principles of the agreement.
“It will be very interesting to see how this plays out, since many devils lurk in the details,” said Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“Some companies signing this accord actively collaborate with governments in development or manipulation of technologies that are commonly part of cyberattacks,” he told TechNewsWorld.
“Will they no longer participate in those projects, on the theory that their efforts could result in deployment of an attack? Or will they out the white hat (ethical) hackers who help friendly governments understand the digital battle space?” pondered Purtilo.
“What about researchers who study means of effecting a cyberattack at the nation-state level? I bet these collaborations will still go on,” he added.
More Than PR?
The timing of the Cybersecurity Tech Accord announcement is noteworthy.
“The agreement is probably best seen as a blend of PR, marketing and corporate vision,” said Charles King, principal analyst at Pund-IT.
Coming during the RSA security conference and a week after Mark Zuckerberg’s congressional testimony, the announcement arrives as the IT industry and media outlets are focusing on security issues, King told TechNewsWorld.
“It also follows the minor brouhaha that erupted a week or so ago when 3,000 Google employees signed a petition protesting the company’s involvement in ‘The Business of War’ via work it pursues in government contracts,” King added.
Taking the World Stage
The 34 firms also may be digging into their respective deep pockets to solve a problem that the world powers have been unable to stop: the growing threats in a connected world.
“That may be one of the underlying points to the initiative — along with the fact that few, if any, entities exist that could or would orchestrate an effective response to cyberattacks and cyberterrorism events that have an increasingly global reach,” suggested King.
“It’s also important to note that many or most of the signers are working in numerous global markets, so the accord could also be interpreted as an assurance to partners and customers that they won’t be actively stabbed in the back,” he added.
What isn’t clear is how these companies — even if they won’t work with the U.S. government offensively — might sign on to help defend it.
“Active defenses in cyberspace are among the assets available to our government for purposes of national defense — said simply, these are robust cyberattacks,” warned Purtilo.
How might the signatories address efforts against an enemy state in a potential time of war?
“A plain reading of the accord tells us that these corporate signatories would intervene to neutralize such an attack — but would a company actively intervene in order to oppose a U.S. government operation?” asked Purtilo.
“If Putin unleashes an overtly hostile action in cyberspace, then most Americans would be happy for corporate assistance in quashing it, but I doubt most would appreciate corporate interference with our military’s countermeasures, as they apparently just committed themselves to doing,” he explained. “The accord says they won’t enable cyberattacks against the innocent; I wonder which corporate board decides which citizens are which?”
Conspicuous by Their Absence
Not all of the major tech giants have signed on to the accord. Notably missing are Amazon, Apple and Google — companies that have a significant global presence.
“Two points underscore their decisions not to participate: one, active programs they already have in place with defense and other government agencies that may conflict with the accord; and two, plans or efforts to work in countries that are suspected of being involved in cyberattacks, particularly China,” suggested King.
“Broadly speaking, it’s sensible for organizations to avoid initiatives that might immediately or eventually hinder them,” he pointed out.
This accord — like so many treaties and agreements over the eons — may be worth little more than the paper, or screen, it was written on.
“The accord may not be fully thought through,” Purtilo said candidly.
“If it was done for PR value, then they might get a little bump for one news cycle, but there will be lasting problems if the public starts to see corporate messaging contrast with corporate actions over time,” he added.
“The accord itself is fairly bland,” noted King.
“Refusing to help governments mount cyberattacks on innocent civilians and businesses is hardly controversial,” he said. “The bigger question is how or whether the signers would know if their products and services were being used in such attacks. Facebook’s fake news mea culpas are rooted in the company’s claimed cluelessness about how partners were playing with user data the company willingly sold to them.”