2 July 2018

Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar

By David E. Sanger

WASHINGTON — More than 30 high-tech companies, led by Microsoft and Facebook, announced a set of principles on Tuesday that included a declaration that they would not help any government — including that of the United States — mount cyberattacks against “innocent civilians and enterprises from anywhere,” reflecting Silicon Valley’s effort to separate itself from government cyberwarfare. The principles, which have been circulating among senior executives in the tech industry for weeks, also commit the companies to come to the aid of any nation on the receiving end of such attacks, whether the motive for the attack is “criminal or geopolitical.” Although the list of firms agreeing to the accord is lengthy, several companies have declined to sign on at least for now, including Google, Apple and Amazon.

Perhaps as important, none of the signers come from the countries viewed as most responsible for what Brad Smith, Microsoft’s president, called in an interview “the devastating attacks of the past year.” Those came chiefly from Russia, North Korea, Iran and, to a lesser degree, China.

On Monday, American and British officials issued a first-of-its-kind joint warning about years of cyberattacks emanating from Russia, aimed not only at businesses and utilities but, in some cases, individuals and small enterprises. The warning was only the latest in a series about Russian threats to elections and electoral systems.

The impetus for the effort came largely from Mr. Smith, who has been arguing for several years that the world needs a “digital Geneva Convention” that sets norms of behavior for cyberspace just as the Geneva Conventions set rules for the conduct of war in the physical world. Although there was some progress in setting basic norms of behavior in cyberspace through a United Nations-organized group of experts several years ago, the movement has since faltered.

Mr. Smith said over the weekend that the first move needed to come from the American companies that often find themselves acting as the “first responders” when cyberattacks hit their customers. “This has become a much bigger problem, and I think what we have learned in the past few years is that we need to work together in much bigger ways,” Mr. Smith said in an interview. “We need to approach this in a principled way, and if we expect to get governments to do that, we have to start with some principles ourselves.”

Microsoft played a central role in trying to extinguish the WannaCry attack last year that struck the British health care system and companies around the world. The Trump administration, along with several other Western governments, later blamed that attack on North Korea. Last summer the NotPetya attack struck Ukraine, crippling systems throughout the country. Iran is suspected in a recent attack on a Saudi petrochemical plant.

Yet not all governments are likely to embrace the “Cybersecurity Tech Accord” in part because the principles it espouses can run headlong into their own, usually secret efforts to develop cyberweapons.

When Russia’s intelligence agencies obtained some of the National Security Agency’s secrets about its own cyberweapons, it appeared to do so by manipulating a virus protection program sold by Kaspersky, a Russian firm. The company said it knew nothing about the intrusion into its products, but American officials do not believe the denials and have banned Kaspersky products from United States government systems. Kaspersky is not a signer to the new accord.

Edward J. Snowden, the former N.S.A. contractor who leaked documents about surveillance programs, revealed pictures suggesting that American officials intercepted some hardware that came out of Cisco Systems, a major manufacturer of the routers and switches that make up the spine of the internet, apparently so the equipment directed traffic back to American intelligence agencies. There is no evidence that Cisco cooperated, but the publication of the photos led some foreign customers to believe that American equipment had been broadly compromised by the N.S.A.

Cisco is one of the firms that have signed the accord. Mark Chandler, Cisco’s general counsel, said the company believed that “we need to say we will not be part of any effort that will undermine the security of the web, or undermine those who depend on it — our customers.” Among the other signatories were Dell, Juniper Networks, the two parts of the recently split Hewlett-Packard, Symantec and FireEye. Two foreign firms, Telefónica of Spain and Nokia of Finland, also signed. There are no Chinese or Russian companies on the list of initial signatories.

The new technology accord vows that the 31 signers “will protect against tampering with and exploitation of technology products and services during their development, design, distribution and use.” Among the companies that signed are Oracle, Symantec, FireEye and HP, along with the Finnish company Nokia and the Spanish company Telefónica.

Microsoft officials said they briefed the Trump administration on the new accord and heard no objections. But that may not mean much: Mr. Trump’s homeland security adviser, Thomas P. Bossert, who oversaw cybersecurity policy, was dismissed last week after John R. Bolton took over as national security adviser.

The cybersecurity coordinator at the White House, Rob Joyce, is widely rumored to be considering leaving his post and returning to the National Security Agency, where he ran the most elite of the cyberforces that attack foreign networks. If Mr. Joyce departs, the White House will have lost its two most senior, and most knowledgeable, cybersecurity policymakers in the span of a few weeks.

Correction: April 17, 2018

An earlier version of this story incorrectly referred to the name of one of the signatories on the technology accord. It is Juniper Networks, not Juniper Systems.
