34 tech companies came together on Thursday to announce a whole bunch of nothing called the Cybersecurity Tech Accord. It’s a pledge with two essential parts: the first is that these companies will protect their customers, and the second is that they won’t help governments launch cyberattacks on “innocent customers and enterprises.”
Heavyweight signatories include: Microsoft, Facebook, Oracle, SAP, Cisco, HP, Cloudflare, and GitHub. You can see the whole list on the Accord’s website. Notable companies that aren’t signatories include Apple, Google, and Amazon.
The Accord has gotten some positive headlines, but I don’t think the announcement stands up to logical scrutiny. For one thing, both claims include mealy-mouthed wiggle room in their wording. For another, even if these pledges had some bite, most of the signatories aren’t being asked to hack anyone anyway. They might be asked to give up customer data to a warrant from time to time, but they aren’t pledging to protect against that.
What’s worst to me is that if the second pledge were taken at face value, it’s not hard to come up with scenarios where the promise becomes absurd.
Let’s look at the first major pledge, the one that makes the most sense, but is still essentially saying nothing:
The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.
I like the principle behind this one. The companies are saying they’ll protect their customers. That’s great! But…no, it’s not really saying that, is it? The companies are pledging to “mount a stronger defense.”
What does that even mean? Stronger than what? Stronger than my Great Aunt Sue? Stronger than a pack of ravenous guard dogs? Are they saying they haven’t been giving it their all already? That they’ve been holding back, but from here on out they’re finally going to do their best? That’s probably not the intended meaning, but without an objective measure, promising “a stronger defense” has no meaning at all.
Regardless of Motivation?
Hold on a second, what’s this about “regardless of the motivation for attacks online” there at the end? Are they saying that they’ll be working “stronger” to protect murderous dictators, hostile foreign powers, and terrorist organizations from cyberattacks by the companies’ own governments?
‘Cause I gotta tell you that’s not going to end well, and it doesn’t make you the good guys.
FADE IN: WAR ROOM IN AN UNNAMED WESTERN GOVERNMENT
Sir, the stolen nuclear missile just armed.
[it’s a B-movie, so just roll with it]
DEMOCRATICALLY ELECTED LEADER
Oh my god. We’ve got to stop them!
Don’t worry, sir. Our side has the hacking capability to shut that missile down. We’ll stop them.
CUT TO MICROSOFT HEADQUARTERS
MICROSERF SHIFT MANAGER
OK, team. We’re detecting a cyber intrusion on a Windows system in Foreignistan. We’ve got a job to do, so let’s protect our customer!
Don’t get me wrong, I understand what they’re going for. They’re trying to say that they’ll put their customers first, regardless of nation-state interests. But above and beyond the legalities such a pledge might encounter, I can think of all kinds of scenarios where protecting customers regardless of motivation is just stupid.
And note the sharp difference from Apple’s approach of providing end-to-end encryption in services like iMessage and device-level encryption on iPhones. Apple can’t provide the keys because it doesn’t have the keys.
Apple’s approach protects the privacy of everyone—including possibly the bad guys—because it’s the only way to have proper protection for anyone. Where Apple does have keys—to data stored in iCloud, for instance—Apple complies with legal warrants, as it should.
Moving on, let’s look at the second pledge:
The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.
My inner jaded pundit kicks in with this one, starting with the reality that few—if any—of these companies are being asked to launch cyberattacks against anyone. Ever. That makes this an empty promise, or worse, a cynical one. Nation-state cyberattacks are handled by nation-states, not vendors like these. There are plenty of companies offering hacking and related services to nation-states, but they aren’t signatories to this Accord.
But then we get to more of that mealy-mouthed nonsense: “launch cyberattacks against innocent citizens and enterprises.” So guilty citizens and enterprises are fair game? If so, who’s deciding innocence and guilt here? If it’s a court of law, and these companies are going to follow the law, there’s little to this promise because at any time laws can be written requiring their help in launching cyberattacks. If it’s the companies deciding innocence, Holy Cyberpunk Dystopia, Batman!
I know I’m prone to thinking way too hard about what words mean, but even at its very best, the Accord would only have meaning if these companies were above and separate from governments. But they aren’t above nation-states. Come the day their services are required, they will obey their home governments if compelled. And so once again we’re back to this Accord being meaningless.
In reality, this pledge doesn’t mean a gosh darned thing, and I think it’s a shame so many mainstream outlets let it pass with so little examination.