Microsoft, Facebook, Oracle Among 34 Firms to Join Cybersecurity Tech Accord
Microsoft, Oracle and Facebook, along with 31 other companies, on Tuesday signed the Cybersecurity Tech Accord, an agreement aimed at defending against cyberattacks, whether coming from rogue hackers or nation-states. The 34 tech firms committed to stronger defenses, no offensive attacks, capacity building and collective action.
The accord is designed to protect the integrity of the 1 trillion connected devices that could be in use around the world within the next 20 years. Security remains a major issue in the tech world, with economic losses expected to reach US$8 trillion by 2022, according to Juniper Research.
The companies that signed the Cybersecurity Tech Accord plan to hold the first meeting during the security-focused RSA Conference taking place this week in San Francisco. The meeting will focus on capacity building and collective action.
The companies agreed to mount a stronger defense against cyberattacks, regardless of the motivation underlying them. They also pledged not to help governments launch cyberattacks against innocent citizens or enterprises. They promised to protect their products and services from any tampering or exploitation that could enable their use in such attacks.
The signatory companies plan to do more to empower developers, as well as the people who use technology products, to improve their capacity to defend against attacks. This could include joint work on developing stronger security practices.
Finally, the Cybersecurity Tech Accord companies aim to take collective action to establish formal and informal partnerships with industry, civil society and security researchers, to improve collaboration that will ensure the disclosure of vulnerabilities and other threats. The goal is to minimize the potential for the introduction of malicious code.
Not Fully Binding
The Cybersecurity Tech Accord is very much a work in progress -- one
that the companies noted remains open to consideration of new private
sector signatories. However, one key takeaway from Tuesday's
announcement is that the companies have the option to adhere
to some or all of the principles.
That could mean the companies still could do what is in their best
interests rather than adhere strictly to the principles of the agreement.
"It will be very interesting to see how this plays out, since many
devils lurk in the details," said Jim Purtilo,
associate professor in the computer science department at the
University of Maryland.
"Some companies signing this accord actively collaborate with
governments in development or manipulation of technologies that are
commonly part of cyberattacks," he told TechNewsWorld.
"Will they no longer participate in those projects, on the theory that
their efforts could result in deployment of an attack? Or will they
out the white hat (ethical) hackers who help friendly governments
understand the digital battle space?" pondered Purtilo.
"What about researchers who study means of effecting a cyberattack at the nation-state level? I bet these collaborations will still go on," he added.
More Than PR?
The timing of the Cybersecurity Tech Accord announcement is noteworthy.
"The agreement is probably best seen as a blend of PR, marketing and
corporate vision," said Charles King, principal analyst at
Coming during the RSA security conference and a week after Mark
Zuckerberg's congressional testimony, the announcement arrives as the
IT industry and media outlets are focusing on security issues, King
"It also follows the minor brouhaha that erupted a week or so ago when
3,000 Google employees signed a petition protesting the company's
involvement in 'The Business of War' via work it pursues in government
contracts," King added.
Taking the World Stage
The 34 firms also may be digging into their respective deep pockets to solve a problem that the world powers have been unable to stop: the growing threats in a connected world.
"That may be one of the underlying points to the initiative -- along
with the fact that few, if any, entities exist that could or would
orchestrate an effective response to cyberattacks and cyberterrorism
events that have an increasingly global reach," suggested King.
"It's also important to note that many or most of the signers are
working in numerous global markets, so the accord could also be
interpreted as an assurance to partners and customers that they won't
be actively stabbed in the back," he added.
What isn't clear is how these companies -- even if they won't work
with the U.S. government offensively -- might sign on to help defend
"Active defenses in cyberspace are among the assets available to our
government for purposes of national defense -- said simply, these are
robust cyberattacks," warned Purtilo.
How might the signatories address efforts against an enemy state
in a potential time of war?
"A plain reading of the accord tells us that these corporate
signatories would intervene to neutralize such an attack -- but would a
company actively intervene in order to oppose a U.S. government
operation?" asked Purtilo.
"If Putin unleashes an overtly hostile action in cyberspace, then most
Americans would be happy for corporate assistance in quashing it, but
I doubt most would appreciate corporate interference with our
military's countermeasures, as they apparently just committed
themselves to doing," he explained. "The accord says they won't
enable cyberattacks against the innocent; I wonder which corporate
board decides which citizens are which?"
Conspicuous by Their Absence
Not all of the major tech giants have signed on to the accord. Notably
missing are Amazon, Apple and Google -- companies that have a
significant global presence.
"Two points underscore their decisions not to participate: one, active
programs they already have in place with defense and other government
agencies that may conflict with the accord; and two, plans or efforts
to work in countries that are suspected of being involved in cyberattacks, particularly China," suggested King.
"Broadly speaking, it's sensible for organizations to avoid
initiatives that might immediately or eventually hinder them," he
This accord -- like so many treaties and agreements over the
eons -- may be worth little more than the paper, or screen, it was written on.
"The accord may not be fully thought through," Purtilo said candidly.
"If it was done for PR value, then they might get a little bump for
one news cycle, but there will be lasting problems if the public
starts to see corporate messaging contrast with corporate actions over
time," he added.
"The accord itself is fairly bland," noted King.
"Refusing to help governments mount cyberattacks on innocent
civilians and businesses is hardly controversial," he said. "The
bigger question is how or whether the signers would know if their
products and services were being used in such attacks. Facebook's fake
news mea culpas are rooted in the company's claimed cluelessness about
how partners were playing with user data the company willingly sold to
From TechNewsWorld