34 global technology and security companies today announced a Cybersecurity Tech Accord, likely the largest-ever formal alliance of the sort, with participating businesses agreeing to defend “all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states.”
According to their press release, the companies, which include such notables as Facebook, Microsoft, Cisco, and Dell, made commitments in four areas:
Stronger defense – The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.
No offense – The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.
Capacity building – The companies will do more to empower developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves. This may include joint work on new security practices and new features the companies can deploy in their individual products and services.
Collective action – The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace.
Of course, many of the firms involved already adhered to some or all of the aforementioned principles prior to today’s announcement, but the formal, public announcement hopefully indicates that the firms will devote additional resources to cybersecurity, as well as enhance their collaboration vis-à-vis cybersecurity efforts, both among themselves and with others. In fact, the 34 firms involved have already stated that they are open to additional businesses joining the alliance, provided that such firms are “trusted, have high cybersecurity standards and will adhere unreservedly to the Accord’s principles”; firms are invited to apply regardless of sector or size.
Some serious questions do remain unanswered, however.
1. Why doesn’t the accord include an explicit commitment to protect the privacy of people’s personal information? In fact, the word “privacy” does not appear anywhere in today’s announcement. In light of recent events, this omission seems both intentional and glaring.
2. How exactly will the 34 firms mount a “stronger defense”? What new actions will be taken that have not been taken to date – and, if they were not taken in the past, why not?
3. How well will any of these companies really comply with the requirement not to assist governments in launching cyberattacks against innocent parties? Will executives really risk imprisonment for ignoring government demands – especially in countries with less-than-stellar human rights records? Even in free societies, how can any business possibly determine if a government’s target is “innocent,” if the relevant government obtains a warrant that allows for the non-disclosure of any pertinent information to the party being served? (Interestingly, Microsoft President Brad Smith even compared the new alliance to a “Digital Geneva Convention” — but the signatories to the Geneva Convention were governments that were empowered to make and enforce laws, not businesses that are subject to laws created by others; that distinction can have tremendous repercussions.)
Time will certainly tell whether today’s announcement represents a great leap forward, a marketing event, or something in between.
The 34 companies that have already joined the alliance include: ABB, ARM, Avast, Bitdefender, BT, CA, Cisco, Cloudflare, DataStax, Dell, DocuSign, Facebook, Fastly, FireEye, F-Secure, GitHub, Guardtime, HP, HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, Trend Micro, and VMware. (Note that the figure of 34 includes firms that are wholly owned by one another.)