In light of increased and more sophisticated threats in the cybersecurity landscape, tech giants have vowed to get more serious about protecting their customers by working together through a new Cybersecurity Tech Accord.
Thirty-four companies—including Microsoft, Oracle, HP, Facebook, Cisco, Nokia TrendMicro and others—have signed on to the accord, which was unveiled Tuesday at the RSA Conference taking place in San Francisco this week. Those signing on said it’s the largest-ever group to agree to band together in the fight against malicious attacks from cybercriminals and nation-states.
Speaking at the conference at the unveiling of the accord, Microsoft’s President and Chief Legal Officer Brad Smith told attendees that the recent WannaCry and NotPetya malware attacks were a sign that cybersecurity events were taking a turn for the worse.
“We need to get the governments of the world to stop targeting tech companies, stop targeting the electrical grid, the private sector, hospitals,” he said.
Smith cited precedence for how working together can help strengthen resistance to threats and attacks. The work by the U.S. government and its allies to identify the government of North Korea as the source of the NotPetya malware outbreak was an example of the “kind of progress” that is needed, he said.
“Governments need to look at existing international laws and think about how we can apply them or strengthen them and put pressure on these governments to stop attacking civilians,” Smith said.
“World War I got us the Geneva convention,” he added. “We need a digital Geneva Convention.”
United front on cybersecurity
The Cybersecurity Tech Accord plans to be something like that through collective commitments on four fronts—a stronger defense, no offense, capacity building and collective action. The companies have been working on these fronts separately already, and the accord is a way they can now come together for a deeper focus, they said.
The first commitment is obvious; companies plan to mount a stronger defense against cyber attacks, they said. Accord partners said they will give all customers globally the protection they deserve, regardless of what the motivation is for an online attack.
Member companies also will try themselves to do no harm in the cybersecurity landscape. In terms of providing no offense, tech leaders said they won’t help governments launch cyber attacks against innocent citizens and enterprises. Moreover, they plan to provide better protection against tampering with or exploitation of their products and services through the product lifecycle in a way to aid attacks.
To achieve capacity building, the accord aims to arm developers and customers—both individuals and businesses—better weapons and tools to use to defend themselves against cybersecurity threats. These efforts could include joint work on new security practices and features that companies can deploy in their individual products and services.
Calling all stakeholders
Finally, the companies vow to work together more effectively to fight cybersecurity threats by branching out into new areas of partnership.
These days, businesses and organizations of all sizes are victims of cyber attacks, and the increased threats against critical infrastructure—including new attacks aimed at emergency-alert systems—means there are new and varied stakeholders involved in the battle. A report by Juniper Research expects economic losses from cyber attacks to reach $8 trillion by 2022.
To help get everyone on board to fight cyber crime, the companies plan to build on existing relationships and set up both formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace, they said.
“We are the first responders on the new battlefield,” Smith said. “It’s not something anyone can do alone.”
The Cybersecurity Tech Accord held its first meeting at RSA with a focus on capacity building and collective action. Group plans for the near future include joint work to develop cybersecurity guidelines and features that can be deployed broadly, as well as information sharing and partnering to fight specific threats.