Facebook, Microsoft and others sign anti-cyberattack pledge

Microsoft, Facebook and Cloudflare are among a group of technology firms that have signed a joint pledge committing publicly not to assist offensive government cyberattacks.

The pledge also commits them to work together to enhance security awareness and the resilience of the global tech ecosystem.

The four top-line principles the firms are agreeing to are [ALL CAPS theirs]:

1. WE WILL PROTECT ALL OF OUR USERS AND CUSTOMERS EVERYWHERE.
2. WE WILL OPPOSE CYBERATTACKS ON INNOCENT CITIZENS AND ENTERPRISES FROM ANYWHERE.
3. WE WILL HELP EMPOWER USERS, CUSTOMERS AND DEVELOPERS TO STRENGTHEN CYBERSECURITY PROTECTION.
4. WE WILL PARTNER WITH EACH OTHER AND WITH LIKEMINDED GROUPS TO ENHANCE CYBERSECURITY.

You can read the full Cybersecurity Tech Accord here.

So far 34 companies have signed up to the initiative, which was announced on the eve of the RSA Conference in San Francisco, including ARM, Cloudflare, Facebook, GitHub, LinkedIn, Microsoft and Telefonica.

In a blog post announcing the initiative Microsoft’s Brad Smith writes that it’s hopeful more will soon follow.

“Protecting our online environment is in everyone’s interest,” says Smith. “The companies that are part of the Cybersecurity Tech Accord promise to defend and advance technology’s benefits for society. And we commit to act responsibly, to protect and empower our users and customers, and help create a safer and more secure online world.”

Notably not on the list are big tech’s other major guns: Amazon, Apple and Google — nor indeed most major mobile carriers (TC’s parent Oath’s parent Verizon is not yet a signee, for example).

And, well, tech giants are often the most visible commercial entities bowing to political pressure to comply with ‘regulations’ that do the opposite of enhancing the security of their users living under certain regimes — merely to ensure continued market access for themselves.

But the accord raises more nuanced questions than who has not (yet) spilt ink on it.

What does ‘protect’ mean in this cybersecurity context? Are the companies which have signed up to the accord committing to protect their users from government mass surveillance programs, for example?

What about the problem of exploits being stockpiled by intelligence agencies — which might later leak and wreak havoc on innocent web users — as was apparently the case with the Wannacrypt malware?

Will the undersigned companies fight against (their own and other) governments doing that — in order to reduce security risks for all Internet users?

“We will strive to protect all our users and customers from cyberattacks — whether an individual, organization or government — irrespective of their technical acumen, culture or location, or the motives of the attacker, whether criminal or geopolitical,” sure sounds great in principle.

In practice this stuff gets very muddy and murky, very fast.

Perhaps the best element here is the commitment between the firms to work together for the greater security cause — including “to improve technical collaboration, coordinated vulnerability disclosure, and threat sharing, as well as to minimize the levels of malicious code being introduced into cyberspace”.

That at least may bear some tangible fruit.

Other security issues are far too tightly bound up with geopolitics for even a number of well-intentioned technology firms to be able to do much to shift the needle.