'Tech Accord' Emphasizes Teamwork to Prevent Hacking Damage
Agreement Includes Pledge to Not Aid Governments With Cyber Warfare
At last year's RSA Conference, Microsoft's President and Chief Legal Officer Brad Smith called for a digital Geneva Convention - an agreed set of rules in cyberspace. The idea was to minimize the effects of escalating cyber conflicts on civilians.
Such a universal treaty among countries has so far been elusive despite concerns that rules around cyber conflict are needed. But at this year's RSA Conference, Smith says private industry is making progress with a new agreement called the Cybersecurity Tech Accord.
Thirty-four companies have agreed to four principles that broadly encompass protecting users wherever they live and building a stronger esprit de corps among companies and organizations trying to defend in an ever more hostile environment.
"The attacks from the past year demonstrate that cybersecurity is not just about what any single company can do alone, but what we can do together," Smith tweeted.
"Today 34 companies signed a #TechAccord pledging to protect and defend customers everywhere." https://t.co/iNd7AOxjKH (Brad Smith, @BradSmi, April 17, 2018)
According to an estimate from Juniper Research, the economic losses from cyberattacks may reach an astounding $8 trillion by 2022.
The Tech Accord comes as the U.S. and U.K. on Monday issued an unprecedented joint statement accusing Russia of compromising a wide range of network equipment such as routers and switches. The countries warned that Russia could be gaining a foothold from which to launch future cyberattacks. Russia was also blamed for creating NotPetya, destructive wiper malware dressed up as ransomware that targeted Ukraine but spread worldwide (see US, UK: Russian Hackers Deeply Embedded in Routers, Switches).
The accord is designed to form a more cohesive defense among private companies, researchers, "civil society" and nongovernmental organizations against the range of threats. It also crucially includes a pledge to not assist governments in cyberattacks.
"We will protect against tampering with and exploitation of technology products and services during their development, design, distribution and use," Smith writes in a blog post. "We will not help governments launch cyberattacks against innocent citizens and enterprises."
Tension flared between Microsoft and the U.S. government following the WannaCry ransomware outbreak in May 2017. The ransomware spread rapidly by exploiting a flaw in the SMBv1 file-sharing protocol in Microsoft Windows, causing millions of dollars in damages. North Korea has been accused by the U.S. and U.K. of developing WannaCry (see British Security Services Tie North Korea to WannaCry).
The vulnerability was believed to have been one of the most productive ones used by the U.S. National Security Agency. But a mysterious group calling itself the Shadow Brokers leaked an exploit for it in April 2017. By then Microsoft had already become aware of the flaw and patched it a month earlier, in March 2017, but the fix came too late for the many organizations that had not applied it.
Microsoft was subsequently furious, with Smith warning that the stockpiling of vulnerabilities by intelligence agencies puts innocent people at risk. The U.S. government has a program, the Vulnerabilities Equities Process, for deciding whether to disclose flaws to vendors. But there's a fuzzy trade-off between intelligence-gathering needs and prompt notification (see Post-WannaCry, Microsoft Slams Spy Agency Exploit-Hoarding).
In many ways the Tech Accord reiterates what should already be happening: Technology companies should be closely collaborating to defend against cyberattacks. But Smith maintains that a public commitment will provide the binding that results in action.
"The success of this alliance is not just about signing a pledge, it's about execution," Smith writes. "That's why today is just an initial step, and tomorrow we start the important work of growing our alliance and take effective action together."
The signatories include some of the most prominent technology companies, including Cisco, Juniper, Facebook, BT, CA Technologies and Symantec. Smith writes that "in the coming weeks and months, we are confident that these numbers will grow further."
Smith's announcement falls short of what he outlined last year, when he envisioned governments signing on to an international agreement. Still, anything that helps bring private industry closer is important.
Private companies often are the first to spot hints of state-sponsored attacks. A renewed effort for more cohesive collaboration could slow down the next global cyberattack.