Microsoft, Oracle and Facebook, along with 31 other companies, on Tuesday signed the Cybersecurity Tech Accord, an agreement aimed at defending against cyberattacks, whether coming from rogue hackers or nation-states. The 34 tech firms committed to stronger defenses, no offensive attacks, capacity building and collective action.
The accord is designed to protect the integrity of the 1 trillion connected devices that could be in use around the world within the next 20 years. Security remains a major issue in the tech world, with economic losses expected to reach US$8 trillion by 2022, according to Juniper Research.
The companies that signed the Cybersecurity Tech Accord plan to hold the first meeting during the security-focused RSA Conference taking place this week in San Francisco. The meeting will focus on capacity building and collective action.
The companies agreed to mount a stronger defense against cyberattacks, regardless of the motivation underlying them. They also pledged not to help governments launch cyberattacks against innocent citizens or enterprises. They promised to protect their products and services from any tampering or exploitation that could enable their use in such attacks.
The signatory companies plan to do more to empower developers, as well as the people who use technology products, to improve their capacity to defend against attacks. This could include joint work on developing stronger security practices.
Finally, the Cybersecurity Tech Accord companies aim to take collective action to establish formal and informal partnerships with industry, civil society and security researchers, to improve collaboration that will ensure the disclosure of vulnerabilities and other threats. The goal is to minimize the potential for the introduction of malicious code.
The Cybersecurity Tech Accord is very much a work in progress — one that the companies noted remains open to consideration of new private sector signatories. However, one key takeaway from Tuesday’s announcement is that the companies have the option to adhere to some or all of the principles.
That could mean the companies still could do what is in their best interests rather than adhere strictly to the principles of the agreement.
“It will be very interesting to see how this plays out, since many devils lurk in the details,” said Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“Some companies signing this accord actively collaborate with governments in development or manipulation of technologies that are commonly part of cyberattacks,” he told TechNewsWorld.
“Will they no longer participate in those projects, on the theory that their efforts could result in deployment of an attack? Or will they out the white hat (ethical) hackers who help friendly governments understand the digital battle space?” pondered Purtilo.
“What about researchers who study means of effecting a cyberattack at the nation-state level? I bet these collaborations will still go on,” he added.
The timing of the Cybersecurity Tech Accord announcement is noteworthy.
“The agreement is probably best seen as a blend of PR, marketing and corporate vision,” said Charles King, principal analyst at Pund-IT.
Coming during the RSA security conference and a week after Mark Zuckerberg’s congressional testimony, the announcement arrives as the IT industry and media outlets are focusing on security issues, King told TechNewsWorld.
“It also follows the minor brouhaha that erupted a week or so ago when 3,000 Google employees signed a petition protesting the company’s involvement in ‘The Business of War’ via work it pursues in government contracts,” King added.
The 34 firms also may be digging into their respective deep pockets to solve a problem that the world powers have been unable to stop: the growing threats in a connected world.
“That may be one of the underlying points to the initiative — along with the fact that few, if any, entities exist that could or would orchestrate an effective response to cyberattacks and cyberterrorism events that have an increasingly global reach,” suggested King.
“It’s also important to note that many or most of the signers are working in numerous global markets, so the accord could also be interpreted as an assurance to partners and customers that they won’t be actively stabbed in the back,” he added.
What isn’t clear is how these companies — even if they won’t work with the U.S. government offensively — might sign on to help defend it.
“Active defenses in cyberspace are among the assets available to our government for purposes of national defense — said simply, these are robust cyberattacks,” warned Purtilo.
How might the signatories address efforts against an enemy state in a potential time of war?
“A plain reading of the accord tells us that these corporate signatories would intervene to neutralize such an attack — but would a company actively intervene in order to oppose a U.S. government operation?” asked Purtilo.
“If Putin unleashes an overtly hostile action in cyberspace, then most Americans would be happy for corporate assistance in quashing it, but I doubt most would appreciate corporate interference with our military’s countermeasures, as they apparently just committed themselves to doing,” he explained. “The accord says they won’t enable cyberattacks against the innocent; I wonder which corporate board decides which citizens are which?”
Not all of the major tech giants have signed on to the accord. Notably missing are Amazon, Apple and Google — companies that have a significant global presence.
“Two points underscore their decisions not to participate: one, active programs they already have in place with defense and other government agencies that may conflict with the accord; and two, plans or efforts to work in countries that are suspected of being involved in cyberattacks, particularly China,” suggested King.
“Broadly speaking, it’s sensible for organizations to avoid initiatives that might immediately or eventually hinder them,” he pointed out.
This accord — like so many treaties and agreements over the eons — may be worth little more than the paper, or screen, it was written on.
“The accord may not be fully thought through,” Purtilo said candidly.
“If it was done for PR value, then they might get a little bump for one news cycle, but there will be lasting problems if the public starts to see corporate messaging contrast with corporate actions over time,” he added.
“The accord itself is fairly bland,” noted King.
“Refusing to help governments mount cyberattacks on innocent civilians and businesses is hardly controversial,” he said. “The bigger question is how or whether the signers would know if their products and services were being used in such attacks. Facebook’s fake news mea culpas are rooted in the company’s claimed cluelessness about how partners were playing with user data the company willing sold to them.”