This year’s RSA Conference saw 34 technology companies sign a pledge outlining their commitment to ensuring better security in cyberspace for citizens and businesses alike. The Cybersecurity Tech Accord sets out to provide increased protection for consumers in their use of technology, and a promise to strengthen the security of companies by sharing vulnerabilities and improving collaboration against threats. It’s a step in the right direction towards a safer world, but one that needs to be grounded in action.
Already, a number of cybersecurity initiatives committed to policing cyberspace exist. A prime example is the EU General Data Protection Regulation (GDPR), which has seen nations across the EU come together to protect their citizens. The initiative is set to be the first major factor in what will hopefully be a string of changes that transform the way we think about and handle data. The CVE database, also a key initiative for policing cyberspace, is a public sourcebook of known security vulnerabilities against which companies can freely check their systems. Likewise, the UK CiSP information sharing initiative is a joint venture between industry and government in the UK to share security threat and vulnerability information. However, the Cybersecurity Tech Accord is the first of its kind aimed at protecting both citizens and organizations, improving security for those who use technology products and those who develop them.
Those companies that are part of the Accord have set out their commitments in four key principles:
- First, to provide stronger cybersecurity for customers around the world – whether those customers are citizens, businesses or governments – and protect them from all forms of cyber-attack.
- Second, to not help governments launch cyber-attacks on innocent citizens and organizations. This includes protecting their products from deliberate design flaws and tampering that would allow government agencies to bypass security features.
- Third, to provide more information and tools that empower customers and designers to strengthen cybersecurity protection in their use and development of technology products.
- Fourth, to establish partnerships across industry, civil society and security research areas to engender better technical collaboration. Ultimately, this aims to improve the disclosure and sharing of vulnerabilities and threats to minimize the potential for zero-day attacks and malicious code being introduced into cyberspace.
The Accord’s value is that it recognizes the interconnectivity that technology now brings to society. Improving cybersecurity cannot be limited to a single area. By coming together, the signatories are likely to create a new set of standards, which should result in better ‘joined up’ security for all those who use technology from various vendors, and within the industry itself through increased information sharing and cooperation. However, for the Accord to achieve real impact, key hurdles must be overcome.
The first principle requires a defined course of action and a level of accountability. For example, in committing to stronger cybersecurity for customers around the world, the 34 vendors may develop a new standard of security across their products that is enforced by a commission made up of members of the Accord. Likewise, the third principle requires defined deliverables that set out exactly what information and tools will be provided to customers and designers; for example, will training be included as part of this, and will there be a minimum level of information given to customers who purchase a product?
The second principle will be particularly challenging for the vendors to adhere to, as companies cannot ignore the individual laws of their own countries. Major technology firms are already engaged in an ongoing struggle against government pressure to create encryption backdoors that give law enforcement privileged access to devices, which will make the principle of securing products against this kind of deliberate tampering even harder to implement. What’s more, as WannaCry has demonstrated, state agencies also intentionally identify and stockpile vulnerabilities for the purpose of cyber-attacks, which calls into question the idea of developing increased collaboration across industry and civil society. However, with so many major technology companies pledging not to aid government tampering with products, this might persuade law enforcement agencies not to push for backdoors in security products.
To build better cyber defenses across the globe, industry-wide collaboration ensuring that security is built in from the ground up at the point of manufacture – and through every stage of design, development, and distribution – is paramount. This is exactly what the Accord sets out to achieve, and it’s hugely beneficial that the global IT community is being mobilized to work together to keep citizens and businesses safer from cyber-crime and cyber-attacks. However, concrete steps are required to implement its ideals, and only time will tell whether these will be realized.