Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Tracking & Law Enforcement

Cybersecurity Tech Accord: Marketing Move or Serious Security?

Cybersecurity Tech Accord Comprises Fine Words With No Defined Deliverables and Perhaps Impossible Intentions

Cybersecurity Tech Accord Comprises Fine Words With No Defined Deliverables and Perhaps Impossible Intentions

Thirty-four major tech and security companies have aligned themselves and signed the Cybersecurity Tech Accord, what they claim is a “watershed agreement among the largest-ever group of companies agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states.” 

“The devastating attacks from the past year demonstrate that cybersecurity is not just about what any single company can do but also about what we can all do together,” said Microsoft President Brad Smith. “This tech sector Accord will help us take a principled path towards more effective steps to work together and defend customers around the world.”

The Accord makes commitments in four specific areas.

First, the companies say they will mount a stronger defense against cyberattacks, and will protect all customers globally regardless of the motivation of the attack.

Second, the companies claim they will not help governments launch cyberattacks against innocent citizens, and will protect their products against tampering or exploitation at every stage of development, design and distribution.

Third, the companies promise to do more to empower users to make effective use of their products with new security practices and new features.

Fourth, verbatim, “The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace.”

Advertisement. Scroll to continue reading.

A problem with the Accord, that many have already noted, is that it comprises fine words with no defined deliverables and possibly impossible intentions. It has no teeth. The first commitment is something that users could be excused for thinking they have already paid for in buying or licensing the signatories’ products. The third, again, should be part and parcel of selling security products — although it has received some support.

“Separate from the fact that some of the major social networks and cloud operators are missing [think, for example, Google and Amazon],” David Ginsburg, VP of marketing at Cavirin, told SecurityWeek, “the key to any meaningful outcome is better communication to users of how to use the security capabilities within the various vendors’ tools. In several cases, the capabilities are there, but they are too difficult to deploy; or, in some cases, tools from multiple vendors will provide contradictory guidance. This practical aspect is tremendously important.”

The second commitment is a little more complex. No company can disregard the law in its own country. Individual governments have the right and ability to pass whatever laws they wish, subject only to any overriding constitutional limitations. So, for example, once Brexit is finalized, the UK government would be able to insist on backdoors in the UK without fear of denial from the EU constitution.

Challenged on whether this commitment meant that the signatories would go against the U.S. government, or the British government or the Australian government or whoever, Microsoft president and chief legal officer, Brad Smith took the argument away from the Five Eyes nations.

“If you look at the world today,” Smith said, “the biggest attacks against private citizens are clearly coming from a set of governments that we know well. It was North Korea, and a group associated with it, that launched the WannaCry attack last year… We saw the NotPetya attack launched against the country of Ukraine. Those are the big problems that we need to solve.”

But it is doubtful that a group of tech companies could influence the governments of North Korea (WannaCry) and Russia (NotPetya); while it is equally doubtful that collaboration between the signatories could have detected and stopped the spread of WannaCry.

It is concerns such as this that are behind a degree of cynicism. One security executive — preferring to remain anonymous — told SecurityWeek, “The first two [commitments] are BS. They are pretty obvious, and I don’t see anything happening about them. Similarly, the third one. I do not see the need of this Cybersecurity Tech Accord for that.”

He was, however, more enthusiastic about the fourth commitment, commenting, “I think this could be a good place to coordinate among ourselves, and share valuable information. It is true that there are places where the exchange of threat intel already happens — but most of these places are populated by companies of the same sector. Having a wide mix of companies can open the opportunity to really improve in this field and make a change.”

F-Secure, one of the signatories, hopes that the Accord will help persuade governments not to press for law enforcement backdoors in security products. “By signing the Accord,” CIO Erka Koivunen told SecurityWeek, “the group of companies across both sides of the Atlantic wish to express that we resist attempts to introduce backdoors in our products or artificially weaken the protections that we provide against cyber security threats.”

F-Secure has won the battle in Finland, but Koivunen added, “We still feel the pressure in many countries around the world.”

Avast is another enthusiastic signatory. Jonathan Penn, director of strategy, commented, on the internet of things, “Avast has been talking in recent years about the implications of providers of these next generation devices and services continuing to operate separately, when it’s clear that what is required is industry-wide collaboration to ensure that fundamentals such as security are built-in from the ground up at point of manufacture.”

‘From the ground up’ is an interesting comment, and relates to ‘every stage of development, design and distribution’ from the second commitment. Yet still the criticism of a lack of teeth to the Accord remains.

Mike Banic, VP of marketing at Vectra, suggests, “The impending EU General Data Protection Regulation (GDPR) will have more impact since it has real teeth in the form of fines that can be as much as 4% of annual revenue if the personal information of EU based citizens is exposed or misused, and organizations must provide notification within 72 hours. An example to consider is the timeline of the Equifax breach where personally identifiable information (PII) was exposed and notification was not within the notification period. With so many organizations operating in EU nations or processing EU-based citizen’s data, evaluating their security program to ensure GDPR
compliance is such a high priority that this alliance may go unnoticed.” 

Notice also that ‘privacy by design’, that is, from the ground up, is a legal requirement under GDPR.

Last year, Microsoft’s Smith called for a digital Geneva convention. This year he has launched the Cybersecurity Tech Accord — which he hopes will be the first steps towards that. But Microsoft has a history of ambitious proposals that are unachievable. In 2016, Scott Charney proposed that an independent international body of experts should be tasked with attributing cyber incidents, so that international norms of behavior could be enforced. In 2010, he proposed that users and their computers should have a ‘digital health certificate’ before being allowed to connect to the internet — an idea that has never been seriously considered.

But it would be wrong to immediately dismiss the Accord as just another unachievable Microsoft proposal. Nathan Wenzler, chief security strategist at AsTech, points out that not all the signatories are pure-play security companies, and most have themselves been hacked. “I’d be hesitant to say it’s nothing but a marketing ploy,” he told SecurityWeek, “as there are some serious security companies in the mix, and it’s possible that if they have a voice at the table, some changes could be made with the companies that are common targets of attacks and causes of data breaches. But, time will tell on that, and it’s hard to know in the here and now just how this will play out.”

Brad Smith asks for that time. “I think that as with all such things, one needs to start with words, because we use words to define principals — but ultimately we all need to be judged by our deeds. Now that we’ve put the words down on paper, we need to live up to them and we need to take concrete steps to implement them and that’s what we’re coming together to do. It’s more than fair for you and others to judge us by what we do in the months and years ahead.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

Daniel Kelley was just 18 years old when he was arrested and charged on thirty counts – most infamously for the 2015 hack of...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

CISO Strategy

The SEC filed charges against SolarWinds and its CISO over misleading investors about its cybersecurity practices and known risks.

Cybercrime

A global cyber espionage campaign has resulted in the networks of many organizations around the world becoming compromised after the attackers managed to breach...

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...