By Phil Reitinger
In August 1969, somewhere near 500,000 people gathered on a farm in New York for a music festival – an event that became “the definitive nexus for the larger counterculture generation.” On Tuesday, April 17, 2018, about 50,000 RSA Conference attendees gathered to hear Microsoft’s Brad Smith present a new “Tech Accord” – a pact signed by 34 companies to oppose the militarization of the Internet. Tired of seeing their products, and the vulnerabilities in them, drafted into the service of larger political goals, the companies promised to work together to protect all their customers against cyber attacks, regardless of source or motivation for the attacks. Make business, not war.
While it would be an exaggeration to say that this accord is an attack on the core of sovereignty – there is nothing in the Tech Accord’s commitments that suggests the signatories would not comply with a legal demand – the companies are asserting that their highest duty is to their customers and not to the companies’ countries of origin. The signatories are asserting, in my view, that they are Internet companies, and not, for example, U.S. or Finnish companies.
This approach strikes me as inevitable. The Internet is global and the companies’ customers are global, and any attempt to draw distinctions among “innocent” customers puts the companies in an untenable position of saying some customers are more important than others. Just as interesting is the promise of signatories to work together on cybersecurity efforts – that the need for collective self-defense outweighs the individual economic interests of the companies involved. To me, this sounds like an initial movement toward non-violent resistance to militant action in cyberspace.
The text of the Tech Accord commitments raises several points and questions.
- The first “Stronger defense” commitment is explicit that the companies will protect government customers from attacks by other governments. The signatories cannot stand aside when faced with geopolitical conflicts.
- The second “No offense” commitment says that “WE WILL OPPOSE CYBERATTACKS ON INNOCENT CITIZENS AND ENTERPRISES FROM ANYWHERE.” Where will the line be drawn on “innocent”? Are suspected terrorists innocent, and are criminal suspects innocent until proven guilty?
- That same commitment also says that the companies “…will protect against tampering with and exploitation of technology products and services during their development, design, distribution and use.” Is this a positive commitment that every signatory will have a Secure Development Lifecycle program? Must the risk of malicious developers be addressed?
- The “Capacity building” commitment says the companies “WILL HELP EMPOWER USERS, CUSTOMERS AND DEVELOPERS TO STRENGTHEN CYBERSECURITY PROTECTION.” Because the commitment is to empower, are the companies committing to making security products and functions interoperable? That would be a quite significant promise, called for by the U.S. Department of Homeland Security in 2011.
- The last commitment promises “Collective action.” “WE WILL PARTNER WITH EACH OTHER AND WITH LIKEMINDED GROUPS TO ENHANCE CYBERSECURITY.” This is motherhood and apple pie, and you’d be hard pressed to find someone who would argue against companies working jointly to fight cybercrime and cyber attacks. But what “partner” means in this context will be demonstrated by action.
I support this effort. While there remain ambiguities, the direction is right. I look forward to seeing how this develops and if it drives action.