A large number of technology companies have signed a new agreement promising greater cyber protections for everyone. But it's worth noting who didn't sign the pledge. And it's not clear what the agreement's actual effect will be.
Microsoft CEO Satya Nadella, Facebook CEO Mark Zuckerberg, and LinkedIn CEO Jeff Weiner probably don't agree about many things. But they seem to agree about this: The world and its citizens need better protection from cyber-attacks, whether they come from rogue hackers, organized groups of criminals--or national governments, including our own.
They're not the only ones. A total of 34 high-tech firms, some of them deeply involved in the workings of the internet, have all signed the Cybersecurity Tech Accord. The Accord is modeled after the Geneva Conventions in which 196 nations agreed to protect the basic rights of civilians and prisoners of war during wartime.
The Accord was first proposed by Brad Smith, Microsoft president, who has argued over the past year that ordinary citizens and small businesses need and deserve better protection against such attacks than they currently have. Signers of the accord agree to four basic principles: protecting users and customers from cyber-attacks and building more secure products; opposing attacks on "innocent citizens and enterprises from anywhere" which includes refusing help to any government planning such attacks; empowering users and developers with the tools they need to strengthen cyber-security on their own; and working with each other and with other organizations dedicated to improving cyber-security in the developed and developing world.
The pact seems like a great idea, but it also appears to leave some loopholes and it's not clear what its actual effect will be. Here are some questions the agreement doesn't answer:
1. How do you define 'innocent'?
The agreement reads "We will not help governments launch cyber-attacks against innocent citizens and enterprises from anywhere." That's very different from saying, "We will not help governments launch cyber-attacks against anyone." And the agreement doesn't specify what constitutes a guilty vs. an innocent party.
Take Stuxnet. Stuxnet was a computer worm--a self-replicating bit of standalone malware that spreads through a network. It attacked Windows systems and spread itself via infected USB flash drives. But, according to security experts, it was originally created as a joint U.S.-Israeli project to mess with Iran's nuclear capabilities, which it did. Would the creation of something like Stuxnet be forbidden by this agreement? Since the initial victim--Iran's nuclear program--wasn't necessarily innocent, it seems unclear.
2. Does this agreement have any teeth?
Signers pledge to "report publicly on our progress in achieving these goals." However, the agreement is completely voluntary--there is no enforcement proposed and no consequences if a signer fails to live up to it. By contrast, the Geneva Conventions have a specific system in place for a neutral party to supervise how the Conventions are observed during global conflicts.
3. Will more non-U.S. companies sign?
For now, U.S. companies make up the biggest number of signers although there are several signers from other nations. Japanese company Trend Micro, Nokia from Sweden, Avast from the Czech Republic, Telefonica from Spain, and SAP from Germany are all signers. But notably missing are Russian tech firms, particularly Russian security firm Kaspersky Lab which has been banned from use within the U.S. government after Russian hackers allegedly exploited the company's product to gain access to secret National Security Agency information.
Why didn't Kaspersky Lab sign the accord? It wasn't invited, according to a statement from the company. "As an independent global cybersecurity company facing geopolitical challenges, we fully support the aims of the Cybersecurity Tech Accord and regret that we were not invited to join," the company said. "We have contacted Brad Smith through Twitter and look forward to discussing it further." Adding Russian firms to the Accord certainly seems like it would make it more powerful.
4. Why haven't some of the biggest U.S. tech companies signed on?
Amazon, Apple, and Google are all absent from the signatories list. It's particularly surprising that Apple is not a signer since it has made it clear in the past that customers' privacy and protection trumps government policy, as when it refused to unlock a sniper's iPhone, for instance. Why hasn't it signed this agreement?
5. What about governments?
If we want to reduce or eliminate cyber warfare, the logical approach might be to ask national governments--who are often accused of launching cyber-attacks--to sign this agreement or something like it. That was Smith's original vision when he proposed a "Digital Geneva Convention" and back in November he was calling for national governments from around the world to join the effort. "While technology companies like Microsoft have the first responsibility to address these issues, it would be a mistake to think the private sector by itself can prevent or stop the risk of cyber-attacks any more than it can prevent any other types of military attacks," he wrote at the time.
But he also noted that the process might take a long time, and might involve several steps. Perhaps this is just the first of them. We can hope that more companies--and governments--will sign on in the future.