This week, 34 global technology companies announced the launch of the Global Cybersecurity Tech Accord, which is a set of principles that these companies promise to abide by. They want to “protect and empower civilians online and to improve the security, stability and resilience of cyberspace.”
The companies made commitments in four areas. Their promises include:
- Providing a stronger defence against cyberattacks, pledging to “protect all customers globally regardless of the motivation for attacks online”.
- Not helping governments launch cyberattacks against innocent citizens and enterprises from anywhere, including by protecting their users “against tampering or exploitation of their products and services through every stage of technology development, design and distribution”.
- Empowering developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves.
- Establishing formal and informal partnerships with industry, civil society and security researchers to improve collaboration, for instance on coordinated vulnerability disclosures.
It is not immediately clear whether signing this Tech Accord will lead some companies to change their policies, and it is also not clear how the Tech Accord will be translated into practice. Will the signatories oppose any government-mandated backdoors in their products? Will they decide not to enter a market if they need to hand over the source code of their products?
There is a trend towards norms being developed by the private sector. While industry collaboration should be encouraged, it can never replace laws and the creation of responsible norms for state behaviour in cyberspace. Clearly, while private companies have a significant responsibility towards the public, they do not necessarily serve the public interest, and sometimes profit models and incentives are at odds with accountability and transparency. In the Global Commission on the Stability of Cyberspace we work on proposing norms with a broader set of stakeholders. Challenges around the protection and governance of the open internet require governments, civil society, the private sector and internet users to come together.
But cybersecurity and digital rights should also be top of mind for policy makers. According to NATO assistant secretary general Sorin Ducaru, in geopolitical circles “cyber is still seen as a technical problem constricted to the virtual world”. This is a strategic mistake. States should waste no time in developing normative restraints on state behaviour in cyberspace to secure trust in digital infrastructure, protect human rights and avoid a digital arms race. In the EU we are currently working on the adoption of the EU Cybersecurity Act, which will establish at least some norms for companies that want to operate in the EU. The disclosure of software vulnerabilities is one area where the EU can make significant improvements. In the CEPS Taskforce on Vulnerabilities Disclosure, which I chair, representatives from governments, companies and civil society presented recommendations that should lead to higher EU standards and a level playing field. The Tech Accord should reinforce the call to action for more leadership towards norms and rules for the open internet and cybersecurity, in the public interest.