A large number of technology companies have signed a new agreement promising greater cyber protections for everyone. But it’s worth noting who didn’t sign the pledge. And it’s not clear what the agreement’s actual effect will be.
Microsoft CEO Satya Nadella, Facebook CEO Mark Zuckerberg, and LinkedIn CEO Jeff Weiner probably don’t agree about many things. But they seem to agree about this: The world and its citizens need better protection from cyber-attacks, whether they come from rogue hackers, organized groups of criminals–or national governments, including our own.
They’re not the only ones. A total of 34 high-tech firms, some of them deeply involved in the workings of the internet, have all signed the Cybersecurity Tech Accord. The Accord is modeled after the Geneva Conventions, in which 196 nations agreed to protect the basic rights of civilians and prisoners of war during wartime.
The Accord was first proposed by Brad Smith, Microsoft president, who has argued over the past year that ordinary citizens and small businesses need and deserve better protection against such attacks than they currently have. Signers of the accord agree to four basic principles: protecting users and customers from cyber-attacks and building more secure products; opposing attacks on “innocent citizens and enterprises from anywhere,” which includes refusing help to any government planning such attacks; empowering users and developers with the tools they need to strengthen cyber-security on their own; and working with each other and with other organizations dedicated to improving cyber-security in the developed and developing world.
The pact seems like a great idea, but it also appears to leave some loopholes and it’s not clear what its actual effect will be. Here are some questions the agreement doesn’t answer:
1. How do you define ‘innocent’?
The agreement reads “We will not help governments launch cyber-attacks against innocent citizens and enterprises from anywhere.” That’s very different from saying, “We will not help governments launch cyber-attacks against anyone.” And the agreement doesn’t specify what constitutes a guilty vs. an innocent party.
2. Does this agreement have any teeth?
Signers pledge to “report publicly on our progress in achieving these goals.” However, the agreement is completely voluntary–there is no enforcement proposed and no consequences if a signer fails to live up to it. By contrast, the Geneva Conventions have a specific system in place for a neutral party to supervise how the Conventions are observed during global conflicts.
3. Will more non-U.S. companies sign?
For now, U.S. companies make up the largest number of signers, although there are several signers from other nations. Japanese company Trend Micro, Nokia from Sweden, Avast from the Czech Republic, Telefonica from Spain, and SAP from Germany are all signers. But notably missing are Russian tech firms, particularly Russian security firm Kaspersky Lab, which has been banned from use within the U.S. government after Russian hackers allegedly exploited the company’s product to gain access to secret National Security Agency information.
4. Why haven’t some of the biggest U.S. tech companies signed on?
Amazon, Apple, and Google are all absent from the signatories list. It’s particularly surprising that Apple is not a signer since it has made it clear in the past that customers’ privacy and protection trump government policy, as when it refused to unlock a sniper’s iPhone, for instance. Why hasn’t it signed this agreement?
5. What about governments?
If we want to reduce or eliminate cyber warfare, the logical approach might be to ask national governments–who are often accused of launching cyber-attacks–to sign this agreement or something like it. That was Smith’s original vision when he proposed a “Digital Geneva Convention,” and back in November he was calling for national governments from around the world to join the effort. “While technology companies like Microsoft have the first responsibility to address these issues, it would be a mistake to think the private sector by itself can prevent or stop the risk of cyber-attacks any more than it can prevent any other types of military attacks,” he wrote at the time.