Cybersecurity Tech Accord: 34 Tech Companies Just Promised a Bunch of Nothing

Cybersecurity Tech Accord

34 tech companies came together on Thursday to announce a whole bunch of nothing called the Cybersecurity Tech Accord. It’s a pledge with two essential parts: the first is that these companies will protect their customers, and the second is that they won’t help governments launch cyberattacks on “innocent customers and enterprises.”

Heavyweight signatories include: Microsoft, Facebook, Oracle, SAP, Cisco, HP, Cloudflare, and Github. You can see the whole list on the Accord’s website. Notable companies who aren’t signatories include Apple, Google, and Amazon.

The Accord has gotten some positive headlines, but I don’t think the announcement stands up to logical scrutiny. For one thing, both claims include mealy-mouthed wiggle room in their wording. For another, even if these pledges had some bite, most of the signatories aren’t being asked to hack anyone anyway. They might be asked to give up customer data to a warrant from time to time, but they aren’t pledging to protect against that.

What’s worst to me is that if the second pledge was taken at face value, it’s not hard to come up with scenarios where the promise becomes absurd.

I Promise…

Let’s look at the first major pledge, the one that makes the most sense, but is still essentially saying nothing:

Stronger defense

The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.

I like the principle behind this one. The companies are saying they’ll protect their customers. That’s great! But…no, it’s not really saying that, is it? The companies are pledging to “mount a stronger defense.”


What does that even mean? Stronger than what? Stronger than my Great Aunt Sue? Stronger than a pack of ravenous guard dogs? Are they saying they haven’t been giving it their all already? That they’ve been holding back, but from here on out they’re finally going to do their best? That’s probably not the intended meaning, but without an objective measure, promising “a stronger defense” has no meaning at all.

Regardless of Motivation?

Hold on a second, what’s this about “regardless of motivation of attacks online” there at the end? Are they saying that they’ll be working “stronger” to protect murderous dictators, hostile foreign powers, and terrorist organizations from cyberattacks by the companies’ own governments?

Really?

‘Cause I gotta tell you that’s not going to end well, and it doesn’t make you the good guys.

FADE IN: WAR ROOM IN AN UNNAMED WESTERN GOVERNMENT

COMMS OFFICER
Sir, the stolen nuclear missile just armed.
[it’s a B-movie, so just roll with it]

DEMOCRATICALLY ELECTED LEADER
Oh my god. We’ve got to stop them!

GENERAL
Don’t worry, sir. Our side has the hacking capability to shut that missile down. We’ll stop them.

CUT TO MICROSOFT HEADQUARTERS

MICROSERF SHIFT MANAGER
OK, team. We’re detecting a cyber intrusion on a Windows system in Foreignistan. We’ve got a job to do, so let’s protect our customer!

Don’t get me wrong, I understand what they’re going for. They’re trying to say that they’ll put their customers first, regardless of nation-state interests. But above and beyond the legalities such a pledge might encounter, I can think of all kinds of scenarios where protecting customers regardless of motivation is just stupid.

And note the sharp difference from Apple’s approach of providing end-to-end encryption in services like iMessage and device-level encryption on iPhones. Apple can’t provide the keys because it doesn’t have the keys.

Apple’s approach protects the privacy of everyone—including possibly the bad guys—because it’s the only way to have proper protection for anyone. Where Apple does have keys—to data stored in iCloud, for instance—Apple complies with legal warrants, as it should.

Innocent Customers

Moving on, let’s look at the second pledge:

No offense

The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.

My jaded pundit kicks in with this one starting with the reality that few—if any—of these companies are being asked to launch cyberattacks against anyone. Ever. That makes this an empty promise, or worse, a cynical one. Nation-state cyberattacks are handled by nation-states, not vendors like these. There are plenty of companies offering hacking and related services for nation-states, but they aren’t signatories to this Accord.

But then we get to more of that mealy-mouthed nonsense: “launch cyberattacks against innocent citizens and enterprises.” So guilty citizens and enterprises are fair game? If so, who’s deciding innocence and guilt here? If it’s a court of law, and these companies are going to follow the law, there’s little to this promise because at any time laws can be written requiring their help in launching cyberattacks. If it’s the companies deciding innocence, Holy Cyberpunk Dystopia, Batman!

I know I’m prone to thinking way too hard about what words mean, but even at its very best, the Accord would only have meaning if these companies were above and separate from governments. But they aren’t above nation-states. Come the day their services are required, they will obey their home governments if compelled. And so once again we’re back to this Accord being meaningless.

In reality, this pledge doesn’t mean a gosh darned thing, and I think it’s a shame so many mainstream outlets let it pass with so little examination.

4 thoughts on “Cybersecurity Tech Accord: 34 Tech Companies Just Promised a Bunch of Nothing”

  • In reality, this pledge doesn’t mean a gosh darned thing…

    Language!

    I enjoyed your and Jeff’s discussion of this last night on ACM 458. As for parties, like nation states that might exploit this declaration, they would be the first to point out that your problem, Bryan, is that you’re thinking; not just about the words, just thinking. Full stop. And that’s dangerous because, without the right…guidance, you may come to wrong conclusions. That’s why re-education camps exist, they are your friends.

    As for the work-arounds, as you’ve pointed out, these are simple. State actors merely declare that said citizens are not ‘innocent’, but, as we’ve seen time again, ‘terrorists’, ‘under foreign influence’, ‘counter-revolutionary’, ‘spies’, ‘misguided’, or ‘foreign agents and mercenaries’ to name just a few of the descriptors gleaned from press reports. As we all know, ‘Innocent’ citizens don’t cause trouble and always support the regime. That’s how you know they’re innocent. Simple, right?

    By the way, I have it on stronger authority that you’ll be hearing from MS’s legal team later today. Something about ‘defamation’ (?). Have a nice day.

  • Spot on Bryan, great analysis. This is a huge nothing burger. It wasn’t even drafted by anyone with any legal authority of any consequence (ACLU, I’m looking at you), it may as well have been the local PTA. I personally think it’s an attempt to get those that *won’t* take the time to read carefully or don’t fully comprehend the issues to feel that the situation is ‘handled’. It is indeed 100% meaningless. If I were more conspiratorially minded, I might even think the companies in question were involved in its drafting.
