In an announcement ostensibly meant to put Russian and Chinese hackers on notice – but which we imagine is truly intended to reassure wary foreign customers that American cloud computing firms won’t turn their data over to the NSA – 31 tech titans from around the world (but mostly the US) have signed on to a set of principles stipulating that they will not help any government – including the US deep state – mount cyberattacks or cyberespionage against “innocent civilians and enterprises from anywhere,” the New York Times reported.
The publication of these principles follows a first-of-its-kind joint condemnation on Monday from American and British officials that placed the blame for nefarious cyberactivity squarely on Russia’s shoulders.
The Cybersecurity Tech Accord, which vows to protect all customers from attacks regardless of geopolitical or criminal motive, follows a year that witnessed an unprecedented level of destructive cyberattacks, including the global WannaCry worm and the devastating NotPetya attack.
The principles are intended to be the cornerstone of an eventual “Geneva Convention for the Internet” that would strictly limit how governments can conduct cyberespionage and cyberwarfare.
On Monday, American and British officials issued a first-of-its-kind joint warning about years of cyberattacks emanating from Russia, aimed not only at businesses and utilities but, in some cases, individuals and small enterprises. The warning was only the latest in a series about Russian threats to elections and electoral systems.
But thanks to some of the documents stolen by former NSA contractor Edward Snowden, the public understands that the US is extremely guilty of browbeating tech firms into cooperating with its intelligence agencies, according to the New York Times.
Perhaps as important, none of the signers come from the countries viewed as most responsible for what Brad Smith, Microsoft’s president, called in an interview “the devastating attacks of the past year.” Those came chiefly from Russia, North Korea, Iran and, to a lesser degree, China.
The impetus for the effort came largely from Mr. Smith, who has been arguing for several years that the world needs a “digital Geneva Convention” that sets norms of behavior for cyberspace just as the Geneva Conventions set rules for the conduct of war in the physical world. Although there was some progress in setting basic norms of behavior in cyberspace through a United Nations-organized group of experts several years ago, the movement has since faltered.
Mr. Smith said over the weekend that the first move needed to come from the American companies that often find themselves acting as the “first responders” when cyberattacks hit their customers. “This has become a much bigger problem, and I think what we have learned in the past few years is that we need to work together in much bigger ways,” Mr. Smith said in an interview. “We need to approach this in a principled way, and if we expect to get governments to do that, we have to start with some principles ourselves.”
Microsoft played a central role in trying to extinguish the WannaCry attack last year that struck the British health care system and companies around the world. The Trump administration, along with several other Western governments, later blamed that attack on North Korea. Last summer the NotPetya attack struck Ukraine, crippling systems throughout the country. Iran is suspected in a recent attack on a Saudi petrochemical plant.
Yet not all governments are likely to embrace the “Cybersecurity Tech Accord,” in part because the principles it espouses can run headlong into their own, usually secret, efforts to develop cyberweapons.
According to Microsoft President Brad Smith, who led efforts to organize the alliance, several high-profile cyberattacks from 2017 demonstrated the need for the technology sector to “take a principled path toward more effective steps to work together and defend customers around the world,” per Reuters. Microsoft and – how’s this for irony? – Facebook are leading the project.
While the accord promised to establish new formal and informal partnerships within the industry and with security researchers to share threat information and coordinate vulnerability disclosures, several major US tech companies, including Amazon, Apple, Alphabet and Twitter, didn’t sign on. And for those that did, Reuters notes that “it was not clear whether any companies would change their existing policies as a result of joining the accord.”
With this in mind, will the CTA ensure that US tech firms will do everything in their power to rebuff not only hackers but intelligence agencies like the CIA and NSA?
Or is this essentially a marketing ploy for the US cloud-computing industry?