WASHINGTON — More than 30 high-tech companies, led by Microsoft and Facebook, plan to announce a set of principles on Tuesday that include a declaration that they will not help any government — including that of the United States — mount cyberattacks against “innocent civilians and enterprises from anywhere,” reflecting Silicon Valley’s effort to separate itself from government cyberwarfare.
The principles, which have been circulating among senior executives in the tech industry for weeks, also commit the companies to come to the aid of any nation on the receiving end of such attacks, whether the motive for the attack is “criminal or geopolitical.”
[Tech companies with a major presence in North Carolina other than Microsoft and Facebook that joined the alliance include Cisco, ABB and Oracle. Read more about the alliance and watch a video overview in additional coverage at WRAL TechWire.]
Although the list of firms agreeing to the accord is lengthy, several companies have declined to sign on at least for now, including Google, Apple and Amazon.
Perhaps as important, none of the signers come from the countries viewed as most responsible for what Brad Smith, Microsoft’s president, called in an interview “the devastating attacks of the past year.” Those came chiefly from Russia, North Korea, Iran and, to a lesser degree, China.
On Monday, U.S. and British officials issued a first-of-its-kind joint warning about years of cyberattacks emanating from Russia, aimed not only at businesses and utilities but, in some cases, individuals and small enterprises. The warning was only the latest in a series about Russian threats to elections and electoral systems.
‘Digital Geneva Convention’
The impetus for the effort came largely from Smith, who has been arguing for several years that the world needs a “digital Geneva Convention” that sets norms of behavior for cyberspace just as the Geneva Conventions set rules for the conduct of war in the physical world. Although there was some progress in setting basic norms of behavior in cyberspace through a United Nations-organized group of experts several years ago, the movement has since faltered.
Smith said over the weekend that the first move needed to come from the American companies that often find themselves acting as the “first responders” when cyberattacks hit their customers.
“This has become a much bigger problem, and I think what we have learned in the past few years is that we need to work together in much bigger ways,” Smith said in an interview. “We need to approach this in a principled way, and if we expect to get governments to do that, we have to start with some principles ourselves.”
Microsoft played a central role in trying to extinguish the WannaCry attack last year that struck the British health care system and companies around the world. The Trump administration, along with several other Western governments, later blamed that attack on North Korea. Last summer the NotPetya attack struck Ukraine, crippling systems throughout the country. Iran is suspected in a recent attack on a Saudi petrochemical plant.
Yet not all governments are likely to embrace the “Cybersecurity Tech Accord” in part because the principles it espouses can run headlong into their own, usually secret efforts to develop cyberweapons.
When Russia’s intelligence agencies obtained some of the National Security Agency’s secrets about its own cyberweapons, it appeared to do so by manipulating a virus protection program sold by Kaspersky, a Russian firm. The company said it knew nothing about the intrusion into its products, but U.S. officials do not believe the denials and have banned Kaspersky products from U.S. government systems. Kaspersky is not a signer to the new accord.
Edward J. Snowden, the former NSA contractor who leaked documents about surveillance programs, revealed pictures suggesting that U.S. officials intercepted some hardware that came out of Cisco Systems, a major manufacturer of the routers and switches that make up the spine of the internet, apparently so the equipment directed traffic back to U.S. intelligence agencies. There is no evidence that Cisco cooperated, but the publication of the photos led some foreign customers to believe that American equipment had been broadly compromised by the NSA.
Trump administration briefed
For that reason, the new technology accord vows that the 31 signers “will protect against tampering with and exploitation of technology products and services during their development, design, distribution and use.” Among the companies that signed are Oracle, Symantec, FireEye and HP, along with the Finnish company Nokia and the Spanish company Telefónica.
Microsoft officials said they briefed the Trump administration on the new accord and heard no objections. But that may not mean much: Trump’s homeland security adviser, Thomas P. Bossert, who oversaw cybersecurity policy, was dismissed last week after John R. Bolton took over as national security adviser.
The cybersecurity coordinator at the White House, Rob Joyce, is widely rumored to be considering leaving his post and returning to the NSA, where he ran the most elite of the cyberforces that attack foreign networks. If Joyce departs, the White House will have lost its two most senior, and most knowledgeable, cybersecurity policymakers in the span of a few weeks.