The new paper, signed by 34 tech companies, is akin to a “digital Geneva Convention” to govern the rules of engagement in technology.
Here are the big takeaways:
Signatories to the accord will not, among other things, “help governments launch cyberattacks against innocent citizens and enterprises.”
The accord comes amid a wave of new attempts by governments to compel tech companies to decrypt communications.
One week ago a group of 34 technology companies signed the “Cybersecurity Tech Accord,” a document that declares that the signatories will protect all of their customers from threats and will not “help governments launch cyberattacks against innocent citizens and enterprises from anywhere.”
The signatories include Microsoft and Facebook, Dell, VMware, HP and HP Enterprise, Cisco, Avast, CloudFlare, F-Secure, Symantec, Trend Micro, BT, Juniper Networks and Telefonica, among others. Notably missing from the list of signatories is Google, which is currently facing an internal revolt over its collaboration with the US Department of Defense on the use of AI to analyze drone footage. Likewise, Apple and Amazon are also conspicuously missing from the list.
The accord, available at www.cybertechaccord.org/accord/, has four key components:
■ We will protect all of our users and customers everywhere.
■ We will oppose cyber attacks on innocent citizens and enterprises from anywhere.
■ We will help empower users, customers and developers to strengthen cybersecurity protection.
■ We will partner with each other and with like-minded groups to enhance cybersecurity.
According to a report in The New York Times, the accord was spearheaded by Microsoft President and Chief Legal Officer Brad Smith. For years, Smith has been calling for a “digital Geneva Convention” to mirror the rules of engagement in technology, in the same way that the Geneva Convention sets standards for conduct in war.
In a blog post about the accord, Smith stated that “the success of this alliance is not just about signing a pledge, it’s about execution. That’s why today is just an initial step, and tomorrow we start the important work of growing our alliance and taking effective action together.”
Facebook’s involvement in the accord rings hollow. The social-media giant is presently embroiled in a scandal involving Cambridge Analytica and related organizations harvesting user data en masse and using it for psychologically tailored political advertising. To that end, a former employee indicated in testimony to a UK Parliamentary committee that the data collection “far exceeds the previously stated figure of 87 million users.” Facebook’s view of civic responsibility appears nearsighted, as the company has been found to have a “two-tiered” privacy system that favors Facebook executives, leading ZDNet’s Zack Whittaker to declare, “On Facebook, Zuckerberg gets privacy and you get nothing.”
The timing of the accord is important, as it comes just as new life has been breathed into the odyssey of government agencies around the world demanding backdoors into encryption.
We also have to bear in mind that the implementation of the Philippine Data Privacy Act is in full swing, and that on May 25, the European Union’s General Data Protection Regulation will take effect, ushering in the most consequential changes to European Union data-protection law in more than two decades, replacing the EU Data Protection Directive 95/46/EC. The GDPR applies to any company with operations in the European Union but can also apply to non-EU companies that offer goods or services to European Union residents or monitor the behavior of EU residents, such as their online activities. These protected European Union residents are called “Data Subjects” in the GDPR. The GDPR applies not only to companies collecting the personal data of EU residents (“Data Controllers”) but also any company processing that data (“Data Processors”).
Let me conclude by saying that, in recent years, cybersecurity has risen ever higher up the corporate agenda for the very good reason that incidents and breaches result in significant costs—money or intellectual property stolen, valuable data compromised, business disruption, impaired brand reputation, reduced revenue and/or lowered share price.
More important, the need for cyber-risk assessment and coherent cybersecurity policies in companies is obvious. Companies may want to look at gap analysis, vulnerability tests or penetration tests to effectively reduce their cybersecurity exposure.
For comments or assistance, contact me at Schumacher@eitsc.com.