The Cybersecurity Tech Accord is a public commitment among more than 70 global companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.

Balancing Privacy and Security in 2019

Governments today are faced with a difficult task as they seek to fulfill their responsibilities to protect and defend their national security interests and the human rights of their citizens online, including the rights to privacy and security. Addressing these challenges requires creative thinking by both public and private sector entities resulting in innovative policy solutions, cross-sector partnerships, and a delicate balance between stopping malicious actors and protecting civil liberties. The Cybersecurity Tech Accord and its signatories have been quick to applaud policies and initiatives aimed at achieving these goals and striking this balance, such as the U.K.’s recent release of its vulnerabilities “equities process.”

Unfortunately, other policy trends seem counterproductive, and have the potential to damage essential partnerships and complicate cybersecurity challenges in a narrow pursuit of immediate national security gains. This includes legislation that limits the right to privacy and freedom of expression, such as recent laws passed in Egypt and Vietnam, as well as implementing policies and practices that may weaken the security of technology products, disproportionate to expected “national security” benefits. The recent Australian Assistance and Access Bill 2018 is one such example.

The Bill seeks to address a very real and growing challenge – namely, how to uncover and deal with criminal behavior hidden by encrypted communications and other sophisticated technologies. However, irrespective of intent, it sets a concerning precedent as the approach taken could permit the government to not only compel companies to hand over user data, but also to issue “technical capability notices” requiring them to build capabilities to intercept secured communications.

Such capabilities can create vulnerabilities that enable cybercriminals or other actors to harm innocent users – a particular challenge if introduced in mass-market products. And while the position of the Australian government has been that the recent law expressly prohibits the introduction of so-called “systemic” vulnerabilities,[1] such terminology remains ill-defined and needs greater clarity and limitation in scope. Moreover, as we learn more about interconnectivity, even “contained” vulnerabilities could spread and have far-reaching consequences.

The Cybersecurity Tech Accord signatories believe that strong encryption of devices and services protects the privacy and data security of our users and customers, while also promoting free expression and the free flow of information around the world. As such, we see such moves as potentially inconsistent with our shared values and beliefs. Our principles commit us to “design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability, and severity of vulnerabilities,” as well as to “…protect against tampering with and exploitation of technology products and services…” and to “not help governments launch cyberattacks against innocent citizens and enterprises.” We respectively design and build technologies intended to be secure, reliable and to improve people’s lives and we should not be asked to act in ways that jeopardize that commitment.

To be clear, we are not dismissing the scale of the challenges we all face in this space. However, the response should not be to require companies to compromise the integrity of their products and services. Doing so could put users at risk. We are hopeful that in 2019 we can continue to work together with policymakers and law enforcement officials, as well as representatives of civil society, to find solutions that protect the integrity of technology products used by customers while addressing cybercrime and other issues in innovative and effective ways that respect the need for nuance in these conversations. After all, solving thorny and difficult challenges is at the core of what we do as an industry. This is a time to put our heads together and find new ways to promote a safer online world.

[1] https://www.zdnet.com/article/australias-encryption-laws-will-fall-foul-from-differing-definitions/

 

Can emerging technologies help bridge the cybersecurity skills gap?

Cybercriminals are increasingly finding new ways to hack into organizational networks to cause mass disruption and steal sensitive personal or valuable corporate data. While achieving good cybersecurity is a multifaceted challenge, the cybersecurity skills shortage we are experiencing today is adding to the problem and leaving many organizations struggling to keep up with the ever-changing threat landscape. Globally, more than three million jobs are currently unfilled, making it harder to prevent cybersecurity incidents.

In 2018, the Cybersecurity Tech Accord participated in the annual conference organized by the National Initiative for Cybersecurity Education (NICE) in the United States. The conference, along with numerous studies that were published in late 2018, highlighted the rapidly increasing gap in the number of cybersecurity professionals available to fill critical roles in the workforce today. The event and these recent studies have underlined the inescapable reality that action in this space needs to be taken to address this growing problem, and quickly.

NICE is a wonderful example of what needs to be, and can be, done if different stakeholders come together to address complex problems. In fostering a partnership between government, academia, and the private sector, NICE has already helped expand the cybersecurity workforce by accelerating necessary learning and skills development, nurturing a diverse education community, and guiding career development and workforce planning. However, by now it is also clear that any meaningful intervention will only start bearing fruit in a few years’ time, and that innovative approaches to safeguarding global security and economic prosperity are needed today.

To demonstrate its public commitment to improve the security, stability and resilience of cyberspace, the Cybersecurity Tech Accord today published a whitepaper, Addressing the cybersecurity skills gap through cooperation, education and emerging technologies. The whitepaper underscores the critical need for industries to adopt and implement emerging technologies such as Artificial Intelligence (AI) and machine learning, among others, to increase cybersecurity and scale responses in an environment in which cybersecurity positions remain unfilled by qualified professionals, and current cybersecurity teams are being stretched thin.

We believe organizations that continue to address their cybersecurity needs strictly by relying on understaffed workforces put themselves and their customers at greater risk from sophisticated, large-scale cyberattacks that are increasingly heavily automated by machines, especially in the near term. As an example, while a human hacker can spend several hours on multiple attempts to take control of a single company’s network, a malicious bot can compromise computers to launch denial of service (DoS) attacks, seek out and exploit several known vulnerabilities, scan a company’s network, and steal and dump credentials for other vulnerable machines, all within minutes. Enterprises that adopt artificial intelligence (AI) and machine learning, among other emerging technology solutions, will be able to further navigate this increasingly malicious landscape and counter sophisticated attacks, allowing software to fight software in an innovative, fast network.

However, we recognize that these tools will not solve the problem. We need to do more, on education, on technology, and on ensuring cybersecurity is treated as a business priority. Therefore, the Cybersecurity Tech Accord signatories urge both policy makers and the industry to:

  • Support reform in education: Give greater priority to STEM curricula and career paths that adequately prepare future generations to work with emerging technologies.
  • Establish cooperation between government, academia and industry: Use public-private partnerships to identify the cybersecurity skills that are particularly needed, and also to determine how these can be addressed, e.g. through dedicated university courses or certified trainings with the private sector.
  • Make the adoption of emerging technologies a strategic business priority: Technologies such as AI and cloud computing can enable a smaller number of IT professionals to centrally manage certain aspects of security, e.g. patch management or administrative privilege access rights.
  • Prepare for automation of cybersecurity skills: In the near future many cybersecurity functions will be automated. As a result, cybersecurity professionals will have to be trained to add value by dealing with more advanced threats and by utilizing complex data science.
  • Foster AI-friendly policy environments: Support open and fair markets, ensure the free flow of data, create workable privacy and access to data regimes, and promote greater regulatory alignment and common practices/standards across jurisdictions.

The effort to establish a more secure cyberspace will require improvements in many areas, from improvements in technology, to government policy, to industry standards. Creating a cybersecurity workforce that has the capacity and capability to do the job should remain a focal point of this process. Ensuring that we leverage the tools we already have available to us today to enhance our defenses needs to be a similarly critical component of our approach.

Cybersecurity Tech Accord continues its global expansion and reaches nearly 80 signatories

Today, the Cybersecurity Tech Accord welcomes 11 new companies, bringing the total to 79 signatories committed to improving the security of cyberspace. Binary House, EBRC, Entel, Eyeo, Globant, GREYCORTEX, Lirex, Northwave, Orange, Strong Connexions and VU Security have pledged to protect users and customers wherever they are. This global expansion grows the Cybersecurity Tech Accord signatory community, strengthening its momentum with new members from Argentina, Bulgaria, Chile, the Czech Republic, Germany, Luxembourg, the Netherlands, Slovakia and the United States. The expansion extends the group’s expertise and also adds to the diversity of sectors and technologies represented in the organization.

“Orange is fully committed to building a safer internet and is pleased to participate in the Cybersecurity Tech Accord,” said Arnaud Martin, Chief Information Security Officer of Orange.

This sentiment is shared by Fook Hwa Tan, Chief Quality Officer at Northwave: “By joining the Cybersecurity Tech Accord, we affirm our mission to secure the digital transformation of our clients. We believe this cooperation is essential to make our efforts to build a secure digital environment more effective. That is why we will gladly share our knowledge and resources as part of this accord.”

By joining the accord, the signatories commit to working on four key commitments:

  1. building a stronger defense against cyberattacks and pledging to protect all customers globally, regardless of the motivation for the attacks;
  2. committing no wrongful action on behalf of governments seeking to launch cyberattacks against innocent citizens and enterprises, and protecting them against the malicious tampering with or exploitation of products and services through every stage of their development, design and distribution;
  3. doing more to empower the developers, users and businesses that harness the potential of technology, by helping them build and strengthen their capacity to protect themselves; and
  4. building on existing relationships and taking collective action to establish new partnerships, formal and informal, with researchers from industry, civil society and the security community. The goal is to improve technical collaboration, coordinate vulnerability disclosure, share threats and minimize the risk of malicious code being introduced into cyberspace.

“Strong Connexions strives to raise awareness among and empower those who want to make this world a safer place, and looks to future generations and their talents to carry this effort through. That is why we agreed to support and join the Cybersecurity Tech Accord. No person or organization alone can overcome the enormous challenges we face in cybersecurity. Achieving this will take a joint effort by all parties to overcome the threats at work, relying on strategic partnerships in education and training, the public sector and civil society,” said Jared Hoskins, Chief Operating Officer at Strong Connexions.

Since the creation of the Cybersecurity Tech Accord, the signatories have supported initiatives on email and routing security, implemented Domain-based Message Authentication, Reporting and Conformance (DMARC) in their own operations, taken part in global efforts by submitting comments to the United Nations High-level Panel on Digital Cooperation, and fully endorsed the Paris Call for Trust and Security in Cyberspace. In addition, the group has coordinated with like-minded organizations such as the Global Cyber Alliance, the Internet Society and the Global Forum on Cyber Expertise (GFCE).

As the group grows, the pace of activity will continue and build further on this momentum in 2019. In the coming months, the Cybersecurity Tech Accord will in particular:

– continue hosting its webinar series, which already began in 2019 with a presentation of best practices for assessing cyber vulnerabilities or cyber risks given by Tenable on January 7 (replay available online). The next webinar, which will take place on Monday, February 4, will be devoted to cyberattacks on infrastructure and will be presented by ESET.

– contribute further to the multi-stakeholder dialogue at upcoming global conferences such as the World Economic Forum in Davos, where Brad Smith, President and Chief Legal Officer of Microsoft, will deliver opening remarks, and where Carlos Moreira, CEO and founder of WISeKey, a Cybersecurity Tech Accord signatory, will moderate a panel discussion on the objectives supported by the initiative. Other participants include Guy Diedrich, Vice President and Global Innovation Officer at Cisco Systems, and Sanja Poonen, Chief Operating Officer, Customer Operations at VMware.

“Our human civilization is facing an unprecedented paradigm shift: a rapid transition from an understandable physical world to a new, unknown digital and virtual world: cyberspace. The digital revolution now under way will create enormous opportunities for the development of humanity but will at the same time generate new threats. Indeed, we see that cyber risks are currently increasing at an exponential rate.

Cyber-resilience should be one of the top priorities of organizations that wish to expand their activities in cyberspace. Cyber-resilience will become a sustainable competitive advantage for all companies. The Cybersecurity Tech Accord is a cornerstone in building a safe and socially responsible world in terms of cyber-resilience,” said Yves Reding, CEO of EBRC (European Business Reliance Center).

Cybersecurity Tech Accord begins year with continued global growth; reaches nearly 80 signatories

Today, the Cybersecurity Tech Accord welcomed 11 new companies, bringing the total to 79 signatories committed to improving the security of cyberspace. Binary House, EBRC, Entel, Eyeo, Globant, GREYCORTEX, Lirex, Northwave, Orange, Strong Connexions and VU Security have pledged to protect users and customers everywhere. This global expansion contributes to the increasingly diverse reach of the signatory community – further broadening the dialogue around cybersecurity with signatories from Argentina, Bulgaria, Chile, the Czech Republic, Germany, Luxembourg, The Netherlands, Slovakia, and the United States, expressing a commitment to a more secure cyberspace. This expansion continues to deepen the group’s expertise, adding to the variety of sectors and technologies that characterize the organization.

“Orange is fully engaged in making the internet safer and is happy to participate in the Cybersecurity Tech Accord,” said Orange’s Chief Information Security Officer, Arnaud Martin.

His sentiment was echoed by Fook Hwa Tan, Chief Quality Officer at Northwave. “By signing the Cybersecurity Tech Accord, we underline our mission to secure the digital journey of our clients. We believe that this cooperation is crucial in making our joined effort to ensure a safe global online environment more effective. That is why we will gladly share our knowledge and resources as part of this Accord.”

By joining the agreement, the signatories agree to four key commitments:

  1. a stronger defense against cyberattacks – pledging to protect all customers globally regardless of the motivation for attacks online;
  2. taking no offense by choosing not to help governments launch cyberattacks against innocent citizens and enterprises, and protecting against tampering or exploitation of their products and services through every stage of technology development, design and distribution;
  3. doing more to empower developers and the people and businesses that use their technology, by helping them build and improve capacity for protecting themselves; and
  4. building on existing relationships and taking collective action together to establish new formal and informal partnerships with industry, civil society and security researchers. The goal being to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace.

“Strong Connexions strives to educate and empower those willing and able to make this world a safer place and looks to future generations and their capabilities in accomplishing this effort, which is why we have collectively agreed to support and join the Cybersecurity Tech Accord. No one individual or organization can overcome the overwhelming challenges we face in cybersecurity, it will take a team effort to overcome the threats we face by creating strategic partnerships in education, government, & the public spaces to make this happen,” said Jared Hoskins, Chief Operating Officer at Strong Connexions.

Since forming the Cybersecurity Tech Accord, the signatories have supported initiatives on email and routing security, implemented Domain-based Message Authentication, Reporting and Conformance (DMARC) in their own operations, participated in global requests for comments on the UN’s new High Level Panel on Digital Cooperation, and endorsed the Paris Call for Trust and Security in Cyberspace as an early supporter. Additionally, the group has coordinated with like-minded organizations such as the Global Cyber Alliance, the Internet Society, and the Global Forum on Cyber Expertise (GFCE). As the group expands, we expect the pace of activity to continue and look forward to increased momentum throughout 2019. In the coming months the Cybersecurity Tech Accord will, among others:

  • Continue hosting its webinar series, which kicked off the New Year with a review of best practices for assessing cyber vulnerabilities and/or cyber risk presented by Tenable on Monday, January 7 (replay available here). The next webinar discussing cyberattacks on infrastructure will take place on Monday, February 4 and will be presented by ESET.
  • Further contribute to the global multi-stakeholder dialogue in upcoming fora such as the World Economic Forum at Davos, where Brad Smith, President at Microsoft, will deliver opening remarks and Carlos Moreira, CEO and Founder of WISeKey, a Cybersecurity Tech Accord signatory, will moderate a panel discussion on the objectives behind the initiative. Other participants include Guy Diedrich, Vice President and Global Innovation Officer at Cisco Systems, and Sanja Poonen, Chief Operating Officer, Customer Operations at VMware. If interested in attending you can register here.

“Our human civilization is facing an unprecedented paradigm shift: a fast transition from an understandable physical world to a new unknown digital and virtual world: the cyberspace. The new digital ongoing revolution will generate huge new opportunities for the development of mankind but at the same time will generate new threats. Cyber-risks are increasing at an exponential rate.

Cyber-resilience should be one of the top priorities of organizations aiming to expand their activities in the Cyberspace. Cyber-resilience will become a sustainable competitive advantage for all enterprises. The Cybersecurity Tech Accord is for all of us, a cornerstone in building a sustainable and socially responsible Cyber-resilient world,” says Yves Reding, CEO, EBRC (European Business Reliance Centre).

 

More information on such activities will be released in coming weeks.

WEBINAR: Email protection, March 4, 2019

Presented by Jon Clay, Director of Global Threat Communications, Trend Micro.

Email remains the number one tactic for threat actors targeting organizations. Threat actors use email to deliver ransomware, phishing, and business email compromise, among others. In this webinar, learn the latest email trends and attack methods that threat actors are using, who they target within your organization, and their objectives. Finally, learn about the newest technologies used to detect threats, and best practices to reduce your attack surface. 

When: Monday, March 4, 2019 @11am (PT)/2pm (ET)

Register here

This webinar is part of a series on cybersecurity best practices from the Cybersecurity Tech Accord in partnership with the Global Forum on Cyber Expertise (GFCE). More information on the webinar series is available here.

WEBINAR: Cyberattacks on Infrastructure, February 4, 2019

Presented by Robert Lipovsky, Senior Malware Researcher, ESET, this webinar will share research by ESET on one of the most dangerous Advanced Persistent Threat (APT) groups active today – TeleBots (aka Sandworm). The attackers have been targeting critical infrastructure over the past several years, most notably during the first-ever malware-enabled electricity blackouts and the most damaging cyberattack in history, by NotPetya. The webinar will also focus on the group’s most recent attacks against energy companies in Europe by the GreyEnergy malware.

When: Monday, February 4, 2019 @4pm (GMT+1)/ 7am (PT)

Register here

This webinar is part of a series on cybersecurity best practices from the Cybersecurity Tech Accord in partnership with the Global Forum on Cyber Expertise (GFCE). More information on the webinar series is available here.

The UK government publishes a vulnerability equities process in line with Cybersecurity Tech Accord call

In September, the Cybersecurity Tech Accord asked governments to do more, and say more, on vulnerability handling. As we noted at the time, the increasing numbers of governments that develop or use offensive cyber capabilities have an obligation to do so responsibly and in keeping with the global, and not only national, public interest. An important signal demonstrating this is the adoption and publication of a process for handling and disclosing vulnerabilities discovered in information and communications technology (ICT) products and services.

When we first published the blog, only a few countries had acknowledged developing a process for reviewing discovered vulnerabilities and evaluating whether to disclose them to be fixed or retain them for possible exploitation. Recently, the United Kingdom released such a policy, its vulnerabilities “equities process.” And while the mere gesture of transparency would be a positive step forward in a policy area too often shrouded in secrecy, we are also encouraged by many of the particular elements of the initiative.

In our earlier blog, we encouraged governments to embrace several principles in vulnerability handling and disclosure policies, many of which are indeed reflected in the British equities process. Chief among these is a presumption of disclosure. While we know that governments will from time to time make decisions justified by national security concerns to retain discovered vulnerabilities, any such decision should be both time-bound and subject to ongoing risk assessment built around the assumption that the information should be pushed to a vendor capable of fixing or mitigating the security issue as quickly as possible. We are encouraged to see these issues addressed in the recently published UK policy.

Furthermore, the Cybersecurity Tech Accord signatories appreciate the detailed thinking that went into how discovered vulnerabilities are disclosed to vendors. In accordance with international best practice, articulated in the International Standardization Organization standard on vulnerability disclosure (ISO 29147), the equities process outlines a “coordinated disclosure approach” and emphasizes that the government will not publicly disclose vulnerabilities before solutions are available to address them, recognizing that vendors need time to develop such solutions. Commitments such as these increase trust and confidence across sectors, facilitating greater dialogue and ultimately improving security outcomes for everyone.

However, while the release of the equities process is indeed a positive step demonstrating leadership and modeling responsible state behavior, opportunities to improve on this first iteration remain. Perhaps most pressing is the need for a greater diversity of stakeholders in the decision-making process outlined in the policy. The individuals charged with deciding whether or not to disclose a vulnerability seem to come almost exclusively from the British intelligence community, with the exception of the Government Communications Headquarters (GCHQ) Equity Board which “includes representation from other Government agencies and Departments as required.” However, these other representatives are unspecified in the process, leaving a clear need for the express inclusion of stakeholders that more directly reflect the public interest, namely representatives of the industry and non-governmental organizations.

Regardless of any areas for improvement that remain, the decision by the British government to publicly release its equities process for handling and disclosing vulnerabilities is an important and commendable step in the right direction, promoting greater transparency and prompting further discussion about how to address cybersecurity challenges. We are hopeful that this kind of action will inspire other nations to follow suit and develop and release similarly-minded policies that emphasize the important role governments can and should play in defending the interests of all users of technology products and services.

UN High Level Panel on Digital Cooperation should ignore a multi-stakeholder approach to cybersecurity at its peril

Digital technology powers every aspect of business, society and our individual lives: from improving education and healthcare to advancing agriculture, from creating jobs to enhancing environmental sustainability. It keeps us informed, connected, entertained and inspired; opening the doors to an ever-bigger world of opportunity. At the same time, technology can act as a great equalizer, especially when it comes to online risk. Cyber-threats know no borders, nationality, size or wealth. That makes the challenges posed by them inherently and inescapably shared responsibilities.

It is against this backdrop that the Cybersecurity Tech Accord signatories have been excited to learn about the establishment of the UN’s new High Level Panel on Digital Cooperation. While the Panel has a broad mandate to engage on a variety of issues at the intersection of technology and society, we hope that some of its focus will be on cybersecurity. With that in mind, the group has responded to its call for comments issued earlier this year. We hope that our response helps provide a technology industry perspective on the questions posed, highlighting the insights of both large multinationals and smaller companies, and serves as a starting point for further collaboration on these dynamic challenges.

Perhaps unsurprisingly, in our response we encourage the Panel to adopt the same principles for its work, and as part of its proposals, that bind the Cybersecurity Tech Accord signatories together:

  • protections for technology users,
  • opposition to cyberattacks anywhere,
  • empowering users to defend themselves, and
  • working together to address challenges.

We believe that these foundational commitments should not be limited to the technology industry, but also define the efforts of governments and civil society organizations in addressing cybersecurity challenges. The Panel has a unique opportunity to pull together these partners and to marshal their attention on critical issues, including cybersecurity and cyberwarfare.

In fact, when it comes to cybersecurity, a central challenge is the lack of trust and cooperation across different stakeholder groups, which hinders progress in this space. More than any other issue in the digital world, cybersecurity is cross-cutting: it affects all aspects of the online environment, and every individual and organization that relies on it. Therefore, for cybersecurity initiatives to be effective, they should be developed in an inclusive process with a broad set of stakeholders, including from the private sector and civil society. Their various perspectives and expertise would add value to the process and the eventual outcome of any new initiatives.

In addition, our response to the Panel directs its attention to the recently signed Paris Call for Trust and Security in Cyberspace as an example of a multi-stakeholder approach at work. With more than 55 government signatories and over 350 other signatories from industry and civil society organizations, the Paris Call brings together a remarkable coalition around a robust and important set of cybersecurity principles. These include protections for civilians and critical infrastructure from cyberattack, as well as for electoral systems and the public core of the internet. These are key tenets that should continue to be at the heart of multi-stakeholder collaborations on issues related to technology and cyberspace, including the work of the Panel.

The Cybersecurity Tech Accord signatories wholeheartedly welcome the UN High Level Panel on Digital Cooperation as it begins to undertake its work, joining the growing number of international organizations committed to collaboration on these important issues. We look forward to additional opportunities to work together and learn from one another moving forward.

Cybersecurity Tech Accord calls on ICANN to establish a mechanism for access to WHOIS data to effectively respond to cyberthreats

Signatories express concern about the lack of access, highlighting how it has already impacted their ability to protect customers.

In August, the Cybersecurity Tech Accord signatories addressed the decision of the Internet Corporation for Assigned Names and Numbers (ICANN) to restrict users’ access to domain name registration information (WHOIS) following the EU General Data Protection Regulation (GDPR) coming into force (via a Temporary Specification – the “Temp Spec”). We emphasized how this decision had de facto undermined an essential tool to protect internet users from online threats. At the same time, we welcomed ICANN’s plans to develop a framework for accreditation and access, but underlined the need for action to be taken immediately. In addition, we expressed concerns that any fragmentation of approaches could lead to the loss of precious data.

While ICANN has kicked off an expedited policy development process, the question of access to WHOIS for legitimate uses, such as cybersecurity and consumer protection, has not yet been addressed. In the intervening period, limits put on access have impaired cybersecurity professionals’ ability to minimize the impact of cyberattacks. This was reflected in last month’s publication of a survey of over 300 cyber investigators and anti-abuse service providers by M3AAWG, the Messaging, Malware and Mobile Anti-Abuse Working Group, and APWG, the Anti-Phishing Working Group. It unequivocally found that the changes ICANN has put in place were “significantly impeding cyber applications and forensic investigations and allowing more harm to victims of cyberattacks.” The challenges experienced included:

  • partial data available through the public WHOIS services after redaction were insufficient to investigate or respond to incidents;
  • the need to request access to the non-public data elements introduced delays of days where mitigation of cyber incidents prior to the adoption of the Temp Spec was often accomplished within hours;
  • the WHOIS contact data that is most relevant to investigators and has evidentiary value to law enforcement and prosecutors was generally not available through public WHOIS services;
  • requests to access non-public WHOIS by legitimate investigators for legitimate purposes were routinely refused.

The Cybersecurity Tech Accord signatories find that these results reflect the reality that we have experienced first-hand. To demonstrate the impact, we wanted to provide a selection of concrete examples of how fighting cybercrime has become more difficult in the last few months:

Facebook’s and FireEye’s investigations into Liberty Front Press

Use of the WHOIS database has been critical in enabling FireEye to attribute foreign Information Operations (IO) campaigns targeting the United States and European nations. For example, FireEye recently identified an extensive influence operation originating in Iran by linking a network of inauthentic news sites via registration email addresses and Iranian name servers listed in the WHOIS database. Based on that information, in August 2018 Facebook removed 650 pages, groups and accounts for coordinated inauthentic behavior that originated in Iran and targeted people across multiple internet services in the Middle East, Latin America, UK and US.

Investigations uncovered inauthentic news sites supported by a network of domain names and websites that promoted political narratives in line with Iranian interests. Investigators were able to link this network to Iranian state media through publicly available domain name registration information, as well as the use of related IP addresses and Facebook Pages sharing the same admins. Investigators used domain name registrant email addresses obtained using WHOIS queries, and historical WHOIS collected prior to 25 May 2018, to associate several websites with this attack, and social media accounts affiliated with “Liberty Front Press” were subsequently identified. Over the course of the investigation, WHOIS was repeatedly queried for current registration data for affiliated websites, and investigators “pivoted” between social media accounts, pages or posts and WHOIS using emails, names and addresses to continue to map the inauthentic news site network.

Impact: This investigation began before ICANN’s redaction of WHOIS records and is ongoing. During the investigation, WHOIS records for domain names linked to this network literally disappeared before investigators’ eyes, causing the investigation to take longer and making it more difficult to identify all domain names linked to this inauthentic news site network. Prior to ICANN updating its WHOIS policy, companies relied on WHOIS records to help detect, investigate and stop a range of abuses, including nation-state influence campaigns. Since investigators are unable to access complete domain registration data in a timely and efficient manner, WHOIS is becoming an unreliable source of threat intelligence.

Facebook’s investigation into the instagramn.xyz phishing attack

The domain name <instagramn.xyz> recently was linked to a phishing attack and the WHOIS record was immediately used to identify the ISP hosting the website, submit a complaint, and have it taken offline. Using additional data available in the WHOIS record, Facebook conducted reverse WHOIS searches on multiple WHOIS data elements and identified the registrant, as well as 17,000 domain names the registrant also held. Facebook’s analysis of this domain name portfolio identified a total of 50 additional domain names that infringed Facebook, Instagram and WhatsApp trademarks, several of which also were being used for phishing or distribution of malware to users. These websites also were taken down as a result of the submission of a complaint to the ISP identified in the WHOIS records. While ISPs can take websites offline, the corresponding domain names still remain with the registrant perpetrating the fraud. A Uniform Dispute Resolution Policy (UDRP) complaint to recover the 51 infringing domain names was filed and the decision is expected soon.

Impact: Using WHOIS records available prior to 25 May 2018, from one domain name Facebook successfully mitigated phishing and malware attacks against our users and identified over 50 abusive domain names. The excessive redaction of public WHOIS data and failure to provide cybersecurity investigators complete domain registration data in a timely and efficient manner impedes and impairs quick, comprehensive actions to protect users from phishing attacks.

Microsoft’s ongoing investigation around Strontium/APT28

A threat actor group referred to as Strontium has been active since 2016 using fake registered domains to redirect phished users, spoof credential login pages and steal credentials. Prior to ICANN updating its WHOIS policy, Microsoft relied on WHOIS records to detect new Strontium domain registrations and successfully protect its customers.

Impact: With ICANN’s new approach in place, Microsoft could be disadvantaged in its investigations. For example, recently Microsoft investigators became aware of domains related to Strontium that they had not discovered earlier due to the recent restriction on available domain name information. Fortunately in this instance, there was no evidence that the domains had been used for cyberattacks so customers weren’t put at greater risk, but it’s easy to see how this could have turned out differently. Microsoft is unable to protect customers against potential malicious domains if the data needed to conduct investigations is unavailable.

Panasonic’s work to protect customers and brand from domain phishing attempts

The domain panasonicpro.co.uk was used to steal Panasonic customers’ credentials and has been using Panasonic’s logo without permission. At the time, Panasonic had full access to the WHOIS registry. It was, therefore, able to determine that the domain was registered by a person living in Dumbarton, UK and could take all the required steps to prevent this situation from impacting its customers. Since then, the domain has been updated but the company is today unable to determine who is behind it.

Impact: With ICANN’s new approach in place, Panasonic’s Computer Security Incident Response Team (CSIRT) now does not have any means to establish the ownership of a domain and take all the necessary steps to protect its brand. While panasonicpro.co.uk is in a country code top-level domain (.uk) that is not obligated to follow ICANN rules, it’s indicative of the harm suffered by consumers when WHOIS records are not accessible to protect them and stop abuse.

FireEye’s investigation into FIN7 domain spoofing

In early June 2018, FireEye observed several ZIP files being hosted on various URLs spoofing Ukraine and Kazakhstan-based banks. In the past, FireEye has observed the cybercriminal group FIN7 establishing lookalike domains to mimic its targets or related entities, commonly hosting content that spoofs the legitimate websites of the brands they are impersonating. Multiple samples of an unknown JavaScript backdoor—later confirmed to be BIRDDOG malware—all with the filename dog.js, were contained within similarly named ZIP files. FireEye was able to initially link this activity to FIN7 based on domain registration patterns and overlapping WHOIS records, and later confirmed the link through analysis of the BIRDDOG malware.

Impact: Further analysis of this campaign indicated a potential shift in targeting, and FireEye was able to swiftly provide analysis to customers on a prolific cybercriminal group’s changing tactics. Lack of access to WHOIS records would make similar cross-checks very difficult to implement, with a tangible impact on cybersecurity professionals’ ability to investigate criminal activity in real time.

WHOIS has been, for more than a decade, a vital tool for companies, cybersecurity firms and law enforcement authorities to collect valuable intelligence on online threats and malicious actors. As pointed out, current restrictions on users’ real-time access to this registry have had a material impact on the safety and security of businesses and individuals online. There can be no privacy online without strong security. We therefore call on ICANN to take steps now to protect the public interest by ensuring interim access to WHOIS for cybersecurity uses, and to quickly develop a permanent model providing uniform, swift and enforceable access to WHOIS data that balances both.

The Cybersecurity Tech Accord endorses the Paris Call; strengthening our commitment to ensuring trust and stability in cyberspace

The Cybersecurity Tech Accord is pleased to endorse the Paris Call for Trust and Security in Cyberspace as an early supporter. The Paris Call was announced today by French President Emmanuel Macron at the opening of the 13th Internet Governance Forum (IGF) in Paris, delivering an important signal on the importance of stability of cyberspace and the need for governments, industry, civil society and academia to work together towards that objective.

With this endorsement, the Tech Accord is delighted to join what we expect to be a growing signatory list of over 300 governments, civil society organizations, and industry groups and representatives in a commitment to trust and stability in cyberspace.

The Internet has become central to human existence, delivering countless benefits to individuals and organizations alike. As we look to the future, new online technologies will do even more to help address important societal challenges, from improving education and healthcare to advancing agriculture, business growth, job creation, and addressing environmental sustainability.

On a number of occasions in the last few years we have seen how precious a resource the internet is and how vulnerable it is to attacks by sophisticated actors. Events such as WannaCry and NotPetya have not only crippled companies and resulted in substantial financial losses, but can also have serious, adverse consequences for international and national security, democratic processes, the global economy, and the safety, security and privacy of individuals.

President Macron’s leadership on this initiative is therefore both timely and sorely needed. As a community we need to work together towards a consensus of shared principles and mechanisms that will help ensure that we can further encourage the evolution of innovative technologies, whilst at the same time ensure they can operate in a peaceful and secure cyberspace.

With that in mind, the Cybersecurity Tech Accord signatories particularly wish to highlight:

  • our support for an open, secure, stable, accessible and peaceful cyberspace;
  • the commitment to international human rights law in cyberspace: the same rights that people have offline must also be protected online;
  • the importance of international law as the foundation for international peace and security in cyberspace;
  • our encouragement in seeing our call for greater uptake of coordinated vulnerability disclosure policies reflected in the text; and
  • the recognition of the importance of cybersecurity capacity building efforts, such as the ones we have embarked on over the past few months.

We also welcome the symbolic timing of the initiative. The launch of the Paris Call comes during the Paris Digital Week, which encompasses both the Paris Peace Forum and the IGF meeting, bringing together the various communities active in and critical to Internet governance – from governments and industry to civil society and academia. The Paris Digital Week is an important milestone in today’s global efforts to tackle the challenges generated by the ongoing digital transformation our world is experiencing. The effort to bring these communities together should be applauded and has already borne fruit, as we have seen many individuals and organizations who do not typically engage in these discussions endorse the Paris Call. Indeed, we believe that only a multi-stakeholder approach, focused on improving global prosperity and security, can help us achieve an open, secure, stable, accessible and peaceful cyberspace.

This opportunity demonstrates our collective action under the 4th principle of our guiding efforts – partnering with each other and like-minded groups to enhance cybersecurity. That said, we are honored to have the opportunity to contribute to and support the Paris Call and will continue to engage in a dialogue across the multi-stakeholder community to ensure that progress in this critical area, not just for our signatory companies but for all citizens globally, continues to be made.

The Cybersecurity Tech Accord continues global expansion; welcomes nine new companies

Today, the Cybersecurity Tech Accord welcomed nine new companies, bringing the total to 69 signatories committed to improving the security of cyberspace. Capgemini, Contrast Security, Fractal Industries, G DATA, Mercado Libre, SONDA, StackPath, TAD GROUP and ThreatModeler Software, Inc. give new impetus to the pledge to protect users and customers everywhere. The expansion gives the agreement a truly global reach, extending the ongoing dialogue among signatories to South America, with companies from Argentina and Chile expressing a commitment to stronger cybersecurity. As a result, the expansion broadens and deepens the group’s expertise, adding to the variety of sectors and technologies that characterize the signatory community.

“In an increasingly interconnected world, cybersecurity has become one of the biggest concerns for businesses and governments. Acting alone, every company, no matter how big, will struggle to make a real impact. There is a need for a worldwide perspective, for common values and coordinated actions. The Cybersecurity Tech Accord is an important step forward in this regard,” said Steve Wanklin, Group Chief Cybersecurity Officer, Capgemini.

By joining the agreement, the signatories agree to commitments in four areas.

Stronger defense
The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.

No offense
The companies will not help governments launch cyberattacks against innocent citizens and enterprises and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.

Capacity building
The companies will do more to empower developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves. This may include joint work on new security practices and new features the companies can deploy in their individual products and services.

Collective action
The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace.

“The fight against cybercrime has become a task for society as a whole and is becoming increasingly important in a digitized world. As a German IT security company, G DATA naturally supports this initiative for digital security,” said Hendrik Flierman, Global Sales Director at G DATA.

Since forming the Cybersecurity Tech Accord, the signatories have supported initiatives on email and routing security, and on implementing Domain-based Message Authentication, Reporting and Conformance (DMARC) in their own operations, among others. Additionally, the group has coordinated with like-minded organizations such as the Global Cyber Alliance, the Internet Society, and the Global Forum on Cyber Expertise (GFCE).

As the group expands, we expect the pace of activity to continue unabated. By December 2018, the Cybersecurity Tech Accord will, among others:

  • Continue hosting its webinar series, which kicked off with an introduction to cloud computing presented by Microsoft on Monday, 5 November (replay available here). The next webinar on protecting your hardware will take place on Monday 17 December and will be presented by HP Inc.
  • Host the event, Building the path to a secure cyberspace in Brussels, on Monday, 19 November, in partnership with the Global Cyber Alliance to present some of its latest initiatives with a focus on email security and responsible vulnerability handling.
  • Participate in the NICE Conference 2018, sharing ideas and best practices on the ways to overcome the cybersecurity skill gap challenge.

EVENT | Building a path to a secure cyberspace – presented by the Cybersecurity Tech Accord and Global Cyber Alliance (Brussels)

Monday, 19 November, 13:00-19:00 (a light lunch will be served and a cocktail reception will follow)
Microsoft Center, Rue Montoyer 51, 1000 Brussels, Belgium

The Cybersecurity Tech Accord and the Global Cyber Alliance are delighted to invite you to their first joint event in Brussels, where they will discuss, together with policy-makers, existing and emerging efforts being undertaken at government and industry level to improve the security, stability and resilience of cyberspace.

Launched in April 2018, the Cybersecurity Tech Accord is the largest-ever cybersecurity alliance gathering more than 40 companies vowing to protect and empower civilians online from evolving cyberthreats. In their pledge to build a safer online world, they have partnered with like-minded organizations such as the Global Cyber Alliance, which has made eradicating cyber risk its mission.

The event will be an opportunity to hear more about their initiatives and reflect on what else needs to be done in the path to a secure cyberspace. Discussion panels and workshops will focus on industry and policy perspectives on the challenges we face now and how we can address them to improve the future by promoting coordinated approaches to cyber defense in the EU and around the globe. Topics of discussion will include the economic return on investing in cyber security, email security, and responsible vulnerability handling.

To register, please submit this form before 15 November, 2018.

Agenda:

13:00-14:00 Registration & welcome lunch

14:00-14:10 Welcome remarks

  • Līga Raita Rozentāle, Director of Governmental Affairs for Cybersecurity Policy, Microsoft
  • Andy Bates, Executive Director, Global Cyber Alliance

14:10-14:45 Introductory addresses including:

  • Vivian Loonela, Member of Cabinet of Andrus Ansip, European Commission’s Vice-President for the Digital Single Market
  • Ian Dyson, Commissioner, City of London Police

14:45-15:15 The Cybersecurity Tech Accord: The initiative, the goals, the future

  • Christopher Gow, Director, EU Public Policy, Government Affairs, Cisco
  • Hans Schwab, CIO, WISeKey

15:15-19:00 Improving our cybersecurity posture: The work of the Cybersecurity Tech Accord and the Global Cyber Alliance

15:15-16:30 Session 1 | Strengthening email security: A deep-dive into DMARC, a proposed approach to address one of today’s most common targets of cyberattacks

Introduction to Domain Message Authentication Reporting & Conformance (DMARC): by Aimee Larsen Kirkpatrick, Global Communications Officer, Global Cyber Alliance

DMARC in action: discussion of the approach moderated by Anett Mádi-Nátor, Senior Cyber Defence Expert, Cyber Services, with:

  • Brian Westnedge, Senior Director, Channel Sales, ValiMail
  • David Harcourt, Chief Security Advisor, BT

16:30-17:30 Session 2 | Handling vulnerabilities in software: A simulation exercise to understand how effective Coordinated Vulnerability Disclosure (CVD) policies can better protect customers and users

Simulation exercise led by Gaus Rajnovic, Product Security Incident Response Team (PSIRT), Panasonic

17:30-19:00 Cocktail reception

For comment: cybersecurity definitions

In discussions within the group and with external stakeholders, the Cybersecurity Tech Accord signatories realized that many terms in cybersecurity are not yet settled and may be used to mean different things by different stakeholders. To establish greater clarity and alignment in the terms we use, the group has pulled together this initial list of definitions. There is more work to be done and we welcome feedback and suggestions as to how to improve and iterate on this document. Please send comments to techaccord@apcoworldwide.com

View the cybersecurity definitions for comment

Cybersecurity Tech Accord joins cross-sector efforts to improve security of email communication; defend against most common and dangerous cyberattacks

Yesterday, in an event in Washington DC, the Cybersecurity Tech Accord took a decisive step to enhance the security of email communication, one of the most vulnerable areas in cybersecurity and one of the most targeted by cyber criminals worldwide. Building on existing efforts by like-minded organizations, governments and businesses, we endorsed Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication policy and reporting protocol that helps prevent impersonation attacks via email. We did so in partnership with the Global Cyber Alliance (GCA), an international non-profit organization that has made eradicating global cyber risk its mission.

Speakers and attendees at the Building a path to secure cyberspace event in Washington D.C, September 16, 2018.

For the past two years, GCA has focused on the risk of phishing and strongly supported DMARC adoption to empower public and private organizations to defend against malicious emails. The GCA implementation guide has helped many businesses create a DMARC policy to protect their brand. The Cybersecurity Tech Accord signatories will support GCA in promoting the adoption of the DMARC protocol on a broad scale and commit to implementing the solution across our own operations, following through on our promise to protect users and customers from evolving cyber threats. As a first step, the Cybersecurity Tech Accord signatories will, under the GCA’s guidance, implement internal education measures around email security.

Email remains one of the primary communications channels for private individuals, organizations and government institutions and has become a preferred attack method for impersonation and fraud. Data on email threats in the first half of 2018 showed that approximately 6.4 billion emails sent worldwide each day are fake, with the United States as the main source, and healthcare and government being the most impacted sectors. Phishing emails are the entry weapon of choice for many cyber criminals and have become more sophisticated over time.

DMARC is the first and only widely deployed technology that helps protect customers and the brand. Designed on the basis of real-world experience by some of the world’s largest email senders and receivers, DMARC builds on a system where senders and receivers collaborate to improve mail authentication practices of senders and enable receivers to reject unauthenticated messages. DMARC allows:

Domain owners to

  • Signal that they are using email authentication (SPF, DKIM).
  • Provide an email address to gather feedback about messages using their domain – legitimate or not.
  • Specify a policy to apply to messages that fail authentication (report, quarantine, reject).

Email receivers to

  • Be certain a given sending domain is using email authentication.
  • Consistently evaluate SPF and DKIM along with what the end user sees in their inbox.
  • Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks.
  • Provide the domain owner with feedback about messages using their domain.
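To make the two lists above concrete, the following added example (not code from the Cybersecurity Tech Accord or GCA) parses a domain owner's published DMARC record and shows how a receiver decides what to do with a message, including the alignment check that ties SPF and DKIM results to the From address the user sees. The function names and the example.com record are constructed for illustration; "report" in the lists above corresponds to the record value `p=none`. As a simplifying assumption, relaxed alignment treats the domain that published the record as the organizational domain instead of consulting the Public Suffix List, and the `pct` tag is ignored.

```python
from dataclasses import dataclass, field

POLICIES = {"none", "quarantine", "reject"}  # "none" = monitor and report only


@dataclass
class DmarcPolicy:
    domain: str            # domain that published the record (_dmarc.<domain>)
    p: str                 # policy for the domain itself
    sp: str                # policy for its subdomains (defaults to p)
    adkim: str = "r"       # DKIM alignment: r = relaxed, s = strict
    aspf: str = "r"        # SPF alignment: r = relaxed, s = strict
    rua: list = field(default_factory=list)  # aggregate-report addresses


def parse_dmarc(domain, txt):
    """Parse the TXT record found at _dmarc.<domain> into a DmarcPolicy."""
    parts = [x.strip() for x in txt.split(";") if x.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first and must be exactly DMARC1.
    first_name, _, first_val = parts[0].partition("=") if parts else ("", "", "")
    if first_name.strip().lower() != "v" or first_val.strip() != "DMARC1":
        raise ValueError("not a DMARC record")
    p = tags.get("p", "").lower()
    if p not in POLICIES:          # simplification: a valid p is required here
        raise ValueError("missing or invalid p= tag")
    sp = tags.get("sp", p).lower()
    if sp not in POLICIES:
        raise ValueError("invalid sp= tag")
    adkim, aspf = tags.get("adkim", "r").lower(), tags.get("aspf", "r").lower()
    if adkim not in ("r", "s") or aspf not in ("r", "s"):
        raise ValueError("invalid alignment mode")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcPolicy(domain.lower(), p, sp, adkim, aspf, rua)


def in_org(name, org):
    return name == org or name.endswith("." + org)


def aligned(auth_domain, from_domain, org_domain, mode):
    """Does the authenticated domain match what the user sees in From?"""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    # Relaxed: both names sit under the same organizational domain (assumed
    # here to be the publishing domain; real receivers use the PSL).
    return in_org(a, org_domain) and in_org(f, org_domain)


def evaluate(policy, from_domain, spf_result, spf_domain, dkim):
    """Return (dmarc_pass, action). dkim is a list of (d= domain, result)."""
    f = from_domain.lower().rstrip(".")
    if not in_org(f, policy.domain):
        raise ValueError("policy does not cover this From domain")
    spf_ok = spf_result == "pass" and aligned(
        spf_domain, f, policy.domain, policy.aspf)
    dkim_ok = any(result == "pass" and aligned(d, f, policy.domain, policy.adkim)
                  for d, result in dkim)
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return True, "none"
    return False, policy.p if f == policy.domain else policy.sp


# Constructed sample record for a constructed domain.
SAMPLE = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; "
          "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    pol = parse_dmarc("example.com", SAMPLE)
    # Legitimate mail: SPF passes for an aligned bounce domain.
    print(evaluate(pol, "example.com", "pass", "bounce.example.com", []))
    # Spoofed From: SPF and DKIM both pass, but for an unrelated domain.
    print(evaluate(pol, "example.com", "pass", "mailer.example.net",
                   [("example.net", "pass")]))
```

The second call is the case DMARC exists for: SPF and DKIM on their own both report "pass", yet neither authenticated domain matches the visible From domain, so the owner's `p=reject` applies.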

However, DMARC adoption has been slower than its founders would have expected. Lately, efforts have been undertaken at government and industry level to see this protocol implemented more consistently. In October 2017, the US Department of Homeland Security issued a directive that requires all federal agencies to implement DMARC for every domain they own. The UK government took concrete steps in this direction as early as 2016, when the Government Digital Service (GDS), part of the UK’s Cabinet Office, required other government departments to adopt DMARC to protect their online services. This is despite the fact that research from GCA, published today, shows that the 1,046 organizations that have used GCA’s DMARC tools have saved $19 million since the start of 2018.

The Cybersecurity Tech Accord welcomes these developments but believes that it is vital for DMARC adoption to accelerate across sectors with businesses and governments taking a decisive step to enhance email security. Failing to address this issue exposes internet users everywhere to cyberattacks and the internet more broadly to systemic cybersecurity challenges. That is why we are committed as a group to advancing our email security policies and encourage other businesses to do the same with the objective to have a more secure internet ecosystem.

10 steps to securing your online environment: the Cybersecurity Tech Accord celebrates Cybersecurity Awareness month

October marks Cybersecurity Awareness Month, an annual awareness campaign intended to encourage greater safety and protection among all computer users. Launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS), the initiative has expanded to Europe and Latin America, among other regions, as the importance of educating citizens about cyber risks has become recognized. In Europe, events, campaigns and other initiatives will be held under the auspices of the European Union Agency for Network and Information Security (ENISA), as well as on the national level, with a focus on digital skills, education, and emerging technologies. The US will see an equally large line-up of events throughout the month under NCSA’s coordination.

In today’s always-on world, cybersecurity can no longer only be a concern for cybersecurity professionals, but should become a shared responsibility, requiring efforts at all levels of organizations and, more broadly, of society. This means that everyone must hold themselves accountable for adhering to cybersecurity best practices; no individual, business, or government entity can be solely responsible nor fully exempt from helping keep the internet safe and secure. Now more than ever, the smallest actions can have the largest positive impact. The events referenced above recognize this need.

However, it is also important to recognize that it is difficult to know what to do if you are not a cybersecurity professional. To this end the Cybersecurity Tech Accord signatories pulled together ten very concrete and simple steps that individuals globally can take to better protect themselves. These are based on the tips the signatories have shared over the years encouraging users to stay safe online (see for example, Cisco, Microsoft, TrendMicro and Facebook). They include:

1. Always change your default passwords, create strong, unique passwords for each of your accounts, and consider using a password manager to help keep personal information safe;
2. Use two-factor authentication whenever possible in addition to strong passwords to confirm your identity when logging into your accounts;
3. Use a firewall to block unauthorized access to computers and devices;
4. Ensure that you keep your operating system, browser, and other software up to date with security patches to minimize threats from viruses and malware;
5. Limit what you do over public Wi-Fi and use software that creates a secure connection over the internet such as a Virtual Private Network (VPN) to safely connect from anywhere;
6. Practice safe surfing and shopping, checking that the site’s address starts with “https”, instead of just “http”;
7. Enable privacy settings and increase the default security settings of the software you use;
8. Be selective when sharing personal information as this could be used by hackers to guess passwords and logins;
9. Do not download pirated software as it is not only illegal, but it often includes some type of malware;
10. Back up your data, either to an external hard drive or the cloud, as this is the easiest way to recover from a ransomware attack.

Cybersecurity Awareness Month also creates a unique opportunity to get more involved in the various initiatives across the world that seek to generate greater awareness of cybersecurity. Many of our signatories already participate in those, but we also wanted to highlight two that the group has committed to do collectively:

– The Cybersecurity Tech Accord will host an event in Washington, D.C. on “building a path to a secure cyberspace” on 16th October. Our objective is to contribute to a lively dialogue with policy makers and civil society on how to improve the security of our online environment. Further information on how to register can be found here.

– We have also joined forces with the Global Forum on Cyber Expertise (GFCE) and launched a series of freely available webinars that will begin in October, with the objective to increase the understanding of key cybersecurity topics to empower users, developers and customers to better protect themselves.

Cyberattacks are expected to increase in frequency and complexity in the years to come. The Cybersecurity Tech Accord signatories agree with the sentiment that the Internet is a shared resource and securing it is a shared responsibility. If everyone takes collective action to protect our online environment, the digital society that we live in can become stronger, safer, more resilient and more resistant to future cyberattacks.

Webinar series: presented by the Cybersecurity Tech Accord and the Global Forum on Cyber Expertise (GFCE)

 

| Date/Time | Topic | Hosted by | Registration |
| --- | --- | --- | --- |
| November 2018. Replay available on demand. | Introduction to cloud computing: The webinar offers an introduction to cloud computing and demonstrates the impact of this digital transformation on security, productivity, and the way we consume technology. | Trey Herr, PhD – Senior Security Strategist, Microsoft | Replay |
| December 2018. Replay available on demand. | Protecting your hardware: This webinar presents the importance of endpoint security and hardware enforced security solutions that protect, detect, and in case of breach, allow for swift recovery from attacks. | Anais Gurruchaga – Personal Systems Security Lead, HP Inc.; Corbett Hoxland – Security Business Developer, HP Inc. | Replay |
| January 2019. Replay available on demand. | Best practices for assessing cyber vulnerabilities and/or cyber risk: This webinar addresses vulnerability overload challenges and explores best practices that help reduce vulnerability overload, and better protect businesses from cyber risk. | Bill Olson – Technical Director, Tenable | Replay |
| Monday, February 4, 2019. 4pm (GMT+1)/7am PT | Cyberattacks on Infrastructure: This webinar will share research by ESET, on one of the most dangerous Advanced Persistent Threat (APT) groups active today – TeleBots (aka Sandworm). The attackers have been targeting critical infrastructure over the past several years, most notably during the first ever, malware-enabled electricity blackouts, and the most damaging cyberattack in history by NotPetya. The webinar will also focus on the group’s most recent attacks against energy companies in Europe by the GreyEnergy malware. | Robert Lipovsky – Senior Malware Researcher, ESET | Replay |
| Monday, March 4, 2019. 11am PT/ 2pm ET | Email protection: Email remains the number one tactic for threat actors targeting organizations. Threat actors use email to deliver ransomware, phishing, and business email compromise, among others. In this webinar, learn the latest email trends and attack methods that threat actors are using, who they target within your organization, and their objectives. Finally, learn about the newest technologies used to detect threats, and best practices to reduce your attack surface. | Jon Clay – Director of Global Threat Communications, Trend Micro | |
| | Application security best practices | Imperva | |
| | Building an Insider Risk Program | Rockwell Automation | |
| | Controlling access to your data and services | Safetica | |
| | Encryption 101 | Koolspan | |
| | How to perform cybersecurity forensics? | FireEye | |
| | Introduction to ransomware | Trend Micro | |
| | IoT security | Microsoft | |
| | Phishing 101 | Trend Micro | |
| | Protecting from viruses and other malware | Trend Micro | |
| | Root of Trust and Digital Identity | WISeKey | |
| | Should I consider cyber insurance? | Cisco | |
| | What is a SOC? | Panasonic | |

 

 

Cybersecurity Tech Accord expands rapidly; announces partnership with Global Forum on Cyber Expertise (GFCE)

Today, in a move to enhance efforts to secure the online environment, the Cybersecurity Tech Accord announces a new partnership with the Global Forum on Cyber Expertise (GFCE), a global multi-stakeholder platform that aims to strengthen cyber capacity building and expertise through the exchange of best practices, while upholding the values of an Internet that is free, open and secure.

The partnership plays a pivotal role in bringing together governments, international organizations, civil society, and private companies to exchange best practices and expertise on cybersecurity capacity building. Two signatories of the Cybersecurity Tech Accord – Microsoft and Cisco Systems – already contribute to the GFCE’s work as members. To further this commitment, and as a first concrete step under the GFCE umbrella, the Cybersecurity Tech Accord has launched a series of webinars on cybersecurity technical best practices with the objective of increasing the understanding of key cybersecurity topics for emerging markets.

The online world has become a cornerstone of global society, important to virtually every aspect of our public infrastructure and private lives. The webinar series aims to address the growing need to respond to the cybersecurity skills gap around the world and across different sectors.

Additionally, 17 new companies have signed the Cybersecurity Tech Accord promising to protect users and customers worldwide from evolving threats, bringing the total to 61 companies united in their pledge. Aliter, Anomali, Balasys, Billennium, Cognizant, Cyber Services, Hitachi, Imperva, Integrity Partners, Panasonic, Panda, Predica, Rockwell Automation, Safetica, SecuCloud, Swisscom, and Telelink join an expanding community of like-minded companies to improve cyberspace’s resilience against malicious activities and reaffirm, as a group, their pledge to empower users, developers and customers to better protect themselves. The new signatory companies represent countries from across the globe and span sectors from Artificial Intelligence (AI) to telecommunications and will contribute to the group’s existing and upcoming initiatives around cybersecurity capacity building, cyberthreat defense and vulnerability disclosure. As an immediate step toward greater collaboration across the industry, they will join their signatory community to help address the global cybersecurity capacity gap through joined forces with the GFCE, and participation in the webinar series.

Webinars will be freely accessible, recorded and made available once per month on the Cybersecurity Tech Accord website beginning in October. Microsoft will lead the first webinar on ‘Introduction to Cloud Computing’ followed by the expertise of signatories on various cybersecurity basics, including encryption, browser protection, ransomware, and phishing. In addition, we will create a series of training materials for cybersecurity, which we hope will serve as useful educational resources to be accessed by any interested parties in the future.

With the expansion of new signatories and new partnership with the GFCE, the Cybersecurity Tech Accord signatories hope that by highlighting effective cybersecurity best practices across the different platforms and technologies we represent, we will be able to start raising cybersecurity to a higher level by reaching a new audience.

While the webinar series marks the first milestone in this new partnership between the GFCE and the Cybersecurity Tech Accord signatories, we hope to further build on it with additional joint initiatives in the near future.

EVENT | Building a path to a secure cyberspace – presented by the Cybersecurity Tech Accord and Global Cyber Alliance (Washington DC)

Tuesday, 16 October, 8:30am – 1:00pm (a light lunch will be served)
Microsoft Innovation & Policy Center 901 K Street, 11th Floor, Washington DC 20001

The Cybersecurity Tech Accord and the Global Cyber Alliance are delighted to invite you to their first joint event in Washington, where they will discuss, together with policy-makers, existing and emerging efforts being undertaken at government and industry level to improve the security, stability and resilience of cyberspace. Launched in April 2018, the Cybersecurity Tech Accord is the largest-ever cybersecurity alliance gathering more than 40 companies vowing to protect and empower civilians online from evolving cyberthreats. In their pledge to build a safer online world, they have partnered with like-minded organizations such as the Global Cyber Alliance, which has made eradicating cyber risk its mission. The event will be an opportunity to hear more about their initiatives and reflect on what else needs to be done in the path to a secure cyberspace. Discussion panels and workshops will focus on industry and policy perspectives on the challenges we face now and how we can address them to improve the future by promoting coordinated approaches to cyber defense in the US and around the globe. Topics of discussion will include the economic return on investing in cyber security, email security, and responsible vulnerability handling.

Registration at TechAccordDC@apcoworldwide.com before 12 October 2018.

Agenda:

08:30 – 08:45 Registration & welcome coffee
08:45 – 08:55 Welcome remarks

Philip Reitinger, President and CEO, Global Cyber Alliance

08:55 – 9:20 Introductory address

  • Tom McDermott, Deputy Assistant Secretary for Cyber Policy, US Department of Homeland Security
  • Sujit Raman, Associate Deputy Attorney General, US Department of Justice

9:20 – 10:00 The Cybersecurity Tech Accord: The initiative, the goals, the future

  • James Livingston, VP of Sales & Business Development, WISeKey
  • Alissa Starzak, Public Policy, Cloudflare

10:00 – 12:00 Improving our cybersecurity posture: The work of the Cybersecurity Tech Accord and the Global Cyber Alliance
10:00 – 11:00 Session 1 | Leveraging DMARC to enhance email security

  • Introduction to Domain Message Authentication Reporting & Conformance (DMARC) by Aimee Larsen Kirkpatrick, Global Communications Officer, Global Cyber Alliance
  • DMARC in action – discussion of the approach by Joseph Lorenzo Hall, Chief Technologist, Center for Democracy and Technology and Chris Schrimsher, Senior Premier Field Engineer, Microsoft

11:00 – 12:00 Session 2 | The importance of Coordinated Vulnerability Disclosure (CVD) for addressing vulnerabilities

Simulation exercise led by Angela McKay, Senior Director, Cybersecurity Policy and Strategy, Microsoft, with the participation of Danielle Gillam-Moore, Manager, Government Affairs, Salesforce, and Jen Ellis, VP of Community and Public Affairs, RAPID7

12:00 – 1:00 Lunch

 

The Cybersecurity Tech Accord supports the GFCE’s call for industry-wide adoption of transparent policies for coordinated vulnerability disclosure (CVD)

Today, the Cybersecurity Tech Accord takes a step forward in enhancing cybersecurity best practices by endorsing greater transparency around receiving, handling and communicating about vulnerabilities. In doing so, we echo guidance from the Global Forum on Cyber Expertise (GFCE)’s Global Good Practices on Coordinated Vulnerability Disclosure (CVD). Launched in 2015 in The Hague, the GFCE is a global platform that aims to strengthen cyber capacity and expertise globally, while upholding the values of an Internet that is free, open, and secure. Today’s endorsement of the GFCE’s CVD good practice for transparency by the Cybersecurity Tech Accord, a group of leading technology companies committed to protect and empower civilians online and to improve the security, stability and resilience of cyberspace, demonstrates our signatories’ commitment to minimizing the harm to society resulting from the malicious exploitation of vulnerabilities. In addition, on an ongoing basis, we also commit to working with the GFCE to achieve greater alignment between the Global Good Practices Guide and best practices for CVD in use by Cybersecurity Tech Accord companies.

Nearly all – if not all – organizations and individuals use software today: it runs in products we use every day such as laptops, mobiles, TVs, cars, or even household appliances, but also enables critical infrastructures and services, from public transportation to hospitals, banks, governments, and electricity/water supplies. Any weaknesses in software can enable an attacker to compromise the integrity of these products and services. In an interconnected world, our ability to manage the risks that can be associated with their use is therefore essential.

Software vulnerabilities have become more prevalent and must be reduced to strengthen cybersecurity: over 14,500 new vulnerabilities were recorded in 2017, compared with just 6,000 the previous year. As vulnerabilities can be maliciously exploited, it is crucial that the affected vendors are informed when they are found, enabling vendors to resolve the issue without exposing users to undue risk.

While the process of disclosing such vulnerabilities can be straightforward, a vast number of different stakeholders are involved (e.g., manufacturers, vendors, reporters, government agencies, IT security providers), adding significant operational and legal complexities. Moreover, stakeholders may have very different motivations to disclose (or not) vulnerabilities: technology companies would want to preserve the integrity and security of their products and services and, ultimately, their reputations; security firms could profit from sharing such information; researchers may want to use vulnerabilities for academic purposes; and criminals could exploit them.

CVD can significantly contribute to addressing these issues prior to public release. The Cybersecurity Tech Accord signatories strongly believe in CVD and support the idea that this approach should be endorsed by all companies – not just software companies – that develop technology.  While there have been different approaches to CVD, the GFCE has, in our view, developed the most comprehensive guide for good practices.

This guide was published in 2017, building on the efforts of the Dutch, Hungarian, and Romanian governments and industry representatives to establish proven cooperation mechanisms within the cyber security community to effectively find and fix software vulnerabilities. It outlines a set of good practices for all stakeholders involved.  From an industry perspective, it proposes that manufacturers, vendors, and user organizations should:

  • Use existing standards and guidelines (e.g. ISO/IEC standards, FIRST’s guidelines, ENISA good practice, OIS framework);
  • Implement the required processes to deal with incoming reports, investigate the reported vulnerabilities, and communicate with reporters, being as transparent as practicable about risk-based remediation timelines. This also includes publishing CVD policies on organizations’ websites;
  • Allocate adequate resources to implement CVD policies to ensure that organizations have the necessary expertise. This could include running a pilot and starting with a narrow set of in-scope products/services, using a third-party bug bounty platform, and/or consulting with similarly situated organizations that have CVD policies and processes in place;
  • Ensure continuous communication with all stakeholders, explicitly stating expectations towards reporters and third-party organizations;
  • Agree on timelines on a case-by-case basis, avoiding a ‘one-size-fits-all’ policy and maintaining flexibility in handling various vulnerability discovery cases;
  • And provide a clear explanation of pros and cons to the legal counsel, ensuring they have a good understanding of the national legal framework on CVD and the importance and advantages of CVD for an organization. Legal counsel needs to have the right information to give the best legal advice.

As a first concrete step, the Cybersecurity Tech Accord’s signatories commit to publish their CVD policies, in line with one of the GFCE’s best practices inviting organizations to be as transparent as possible (links below). In addition, we call on more technology companies to adopt CVD policies and hope to announce further actions to encourage this initiative in the coming months.

CVD policies of the Cybersecurity Tech Accord signatories:

ABB | ALITER | ANOMALI | ARM | ATLASSIAN | AVAST | BALASYS | BILLENNIUM | BITDEFENDER | BT | CAPGEMINI | CARBON BLACK | CISCO | CLOUDFLARE | COGNIZANT | CONTRAST SECURITY | CYBER SERVICES | DATASTAX | DELL | DOCUSIGN | ESET | FACEBOOK | FASTLY | FIREEYE | FRACTAL INDUSTRIES | F-SECURE | G DATA | GIGAMON | GITHUB | GITLAB | GUARDTIME | HITACHI | HP INC | HPE | IMPERVA | INTEGRITY PARTNERS | INTUIT | JUNIPER NETWORKS | KOOLSPAN | KPN | LINKEDIN | MEDIAPRO | MERCADO LIBRE | MICROSOFT | NIELSEN | NOKIA | ORACLE | PANASONIC | PANDA | PREDICA | ROCKWELL AUTOMATION | RSA | SAFETICA | SALESFORCE | SAP | SECUCLOUD | SONDA | STACKPATH | STRIPE | SWISSCOM | TAD GROUP | TELEFONICA | TELELINK | TENABLE | THREATMODELER SOFTWARE INC | TRENDMICRO | VMWARE | WISEKEY

 

About the Global Forum on Cyber Expertise (GFCE)

The Global Forum on Cyber Expertise (GFCE) is a global platform for countries, international organizations, and private companies to exchange best practices and expertise on cyber capacity building. The aim is to identify successful policies, practices, and ideas and multiply these on a global level. Together with partners from NGOs, the tech community, and academia GFCE members develop practical initiatives to build cyber capacity.

Governments need to do more, and say more, on vulnerability handling

Modern warfare has moved online and the “fifth domain” of cyberspace is today a battlefield in its own right. But in many ways that is where the similarities to other domains end, as cyberweapons and the techniques used to develop and employ them are meaningfully distinct from the conventional weapons of modern warfare. To create a cyberweapon, governments and sophisticated threat actors exploit unintentional weaknesses or “vulnerabilities” found in mass-market hardware and software products or services and apply techniques developed to exploit those weaknesses. The damaging effects of the resulting cyberweapons – especially when mishandled – can extend far beyond an intended target, potentially impacting millions of innocent users around the world.

In a further departure from conventional weaponry, cyberweapons can be recycled easily and indefinitely by third parties. After being released “into the wild,” cyberweapons can be, wholly or in part, co-opted for ulterior purposes by nation states and cyber-criminals alike, as demonstrated in the WannaCry attack in May 2017 that downed computer systems in 150 countries. And once a vulnerability is in use by cyber-criminals, the security community continues to fight to eradicate it for years, possibly for the entire lifecycle of the product, hardware, or service being exploited.

Governments are beginning to consider the risks associated with discovering or acquiring cybersecurity vulnerabilities and the wide-ranging scope of potential impact if they are exploited for use in a cyberweapon. While there may be national security benefits from acquiring and retaining such vulnerabilities, these benefits must be weighed against the risks that those same vulnerabilities may be used against a government’s own computing infrastructure, all its citizens, and, potentially, interdependent organizations around the world. The speed and ease with which cyberweapons can be recycled heighten these risks in ways that are incomparable to other domains of conflict and, at a certain point, become unacceptable. Minimizing risk in developing these capabilities requires that governments have deliberative processes in place that include relevant stakeholders, and the potential damage of such capabilities requires that such processes be made public.

At the end of 2017, the US government took a promising step towards greater transparency in this space, when it revised and, more importantly, publicly released significant portions of its Vulnerability Equities Process (VEP).   The VEP details when and how the US government will choose to disclose cyber vulnerabilities it either uncovers or purchases, and work on this process has spanned three years and two administrations. The 2017 update enhanced the transparency of the process, in part by identifying the respective departments and agencies represented on the vulnerability review committee (a mix of intelligence and civilian agencies), the criteria used for determining whether to disclose a vulnerability, and the mechanism for handling disagreements within the committee.  It also calls for annual reports on the program’s performance.

Yet areas for improvement remain, both in the United States and around the world.  The US government approach does not yet share its calculus for assessing the broader economic impact when it discovers or acquires a vulnerability, including not only how it measures direct impacts to consumers but also economic security issues related to the resilience and reliability of the global technology ecosystem.  The U.S. approach also does not seem to include in its analysis the “long tail” of cleanup when a vulnerability is released into the broader public, nor does it yet take into consideration how to address other forces seeking to leverage vulnerabilities at the State or local level, where law enforcement needs may call for the use of a vulnerability as part of an investigation.

While estimates of how many countries have cyber offensive capabilities vary widely, the lowest begin at forty.  The number of VEPs around the world is even more difficult to ascertain, with the United States being one of the few governments willing to openly discuss its process.  While it is rumored that other countries have put similar frameworks in place and that a few more, predominately European, countries are likely to adopt them soon, this remains an opaque area of government action that requires both transparency and input from the private sector companies that will need to mitigate the effects of those exploits in products around the world. This is especially concerning given the growing interest and willingness among various government departments to “hack” their way to accomplishing national security or law enforcement objectives.

To strike an appropriate balance between risks and benefits, governments should optimize investing in defensive rather than offensive technologies and develop policies that clearly define how they acquire, retain, and use vulnerability information. Central to this approach should be a presumption of private disclosure over the retention of vulnerabilities, and the principles underpinning this process should do the following:

  • Presume disclosure as the starting point;
  • Clearly consider the impact on the computing ecosystem if the vulnerability is released publicly and the costs associated with cleanup and mitigation;
  • Clearly define the process of making a disclosure decision and identify the stakeholders at the departmental level, ensuring that stakeholders represent not only national security and law enforcement but also economic, consumer, and diplomatic interests;
  • Make public the criteria used in determining whether to disclose a vulnerability or not. In addition to assessing the relevance of the vulnerability to national security, these criteria should also consider threat and impact, impact on international partners, and commercial concerns;
  • Mandate that all government-held vulnerabilities, irrespective of where or how they have been identified, go through an evaluation process leading to a decision to disclose or retain them;
  • Prohibit any vulnerability non-disclosure agreements between governments and contractors, resellers, or security researchers and limit any other exceptions, e.g., for sensitive issues;
  • Prohibit use of contractors or other third parties as a means of circumventing the disclosure process;
  • Ensure any decision to retain a vulnerability is subject to a six-month review;
  • Establish oversight through an independent body within the government with an annual public report on the body’s activities;
  • Expand funding for defensive vulnerability discovery and research;
  • Ensure disclosure procedures are in line with coordinated vulnerability disclosure, an industry best practice; and
  • Ensure that any retained vulnerabilities are secure from theft (or loss).

The signatories of the Tech Accord have always believed that protecting the public interest in cyberspace requires robust collaboration between the government and private sectors. When the government approach to vulnerabilities favors stockpiling over disclosure, this critical collaboration is weakened, and we risk losing the public’s trust in cyberspace. For technology companies and technology developers to be effective partners in protecting users, they must be active participants in the awareness and mitigation of new vulnerabilities. In particular, it is incumbent upon developers to be transparent about how they receive vulnerability information, to use it in a timely, risk-based manner, and to communicate with affected customers and users about the existence of vulnerabilities and about the availability of mitigations. Finally, having a coordinated vulnerability disclosure policy in place demonstrates companies’ commitment to acting on vulnerability information received and to contributing concretely to the stability of cyberspace.
