On 26 March at the RSAC Conference, the Cybersecurity Tech Accord organized a panel discussion on how the private sector and open societies can work together on a positive, holistic international agenda for reducing cyber insecurity. Aside from its practical benefits, this can help counter authoritarian states’ push for a UN treaty on “ICT security”, which risks undermining encryption, weakening cybersecurity, and creating extensive state control over Internet infrastructure.
The session, moderated by Nick Ashton-Hart, Head of the Cybersecurity Tech Accord, opened with a video message from Vint Cerf, one of the fathers of the Internet, Vice-President and Chief Internet Evangelist at Google. Mr. Cerf emphasized the central challenge facing today’s Internet governance: how to make the Internet a safer place while preserving the freedoms that have defined it for more than fifty years.
To meet this challenge, Mr. Cerf stressed the importance of developing a shared understanding of what a “safer Internet” should look like, including the principles and safeguards required. Given the Internet’s global nature, he underlined that international cooperation is essential for this effort to be effective. Mr. Cerf also warned that in some countries cybersecurity policies are designed primarily to protect governments rather than citizens, resulting in restrictions that undermine the qualities that make the Internet economically and socially valuable. It is important to work together to preserve the Internet’s openness, which is the cornerstone of the digital economy.
“We need to articulate collectively what the desirable properties are for a safer Internet, what practices need to be obtained, and how we do this in an internationally collaborative way” – Vint Cerf
The discussion then continued with Chris Inglis, the first National Cyber Director of the United States and current board member of MITRE, AIG, Huntington National Bank, and Andesite. He agreed with Mr. Cerf’s assessment and added that another key challenge lies in the fundamentally different interpretations of “information security” in democratic and autocratic systems.
In democratic systems, information security typically refers to applying governance mechanisms to protect a free and open society. In contrast, autocratic systems often use information security as a means to deliver security for the state. He highlighted that the private sector is uniquely positioned to address the ambiguities that persist in cyberspace.
“Here’s my recommendations: Do your homework. Take a position. You don’t need to align with a geopolitical coalition. You don’t need to say I’m for the United States or against the Russians. But do take a position on behalf of your customers” – Chris Inglis
Mr. Inglis also outlined several areas where the private sector could deliver meaningful impact, including helping to define what “critical infrastructure” truly means, reducing ambiguity in policy language, focusing on transformation grounded in real‑world practice, rethinking vulnerability and safety, and strengthening what already works, such as shared CERT responses and cross‑border cooperation.
Encryption under pressure from governments
The panel also addressed the topic of encryption, as authoritarian states’ push for a UN treaty on “ICT security” raises questions about backdoors in encryption technologies. Ongoing debates focus on whether law enforcement or other authorities should have the ability to access or even break the encryption when necessary in pursuit of other public policy priorities.
Whitfield Diffie, one of the fathers of public key encryption and current Honorary Fellow at Gonville & Caius College at Cambridge, explained how he views this challenge in international discussions. The “wars” began with government attempts to restrict cryptographic research, warning that widespread cryptography would undermine intelligence capabilities. Those efforts largely failed as encryption became an essential part of digital systems. Over time the debate shifted toward a regulatory framing, with governments arguing that since they regulate goods and services, they should also regulate encrypted communications and tools including messaging platforms.
To support this shift, arguments increasingly relied on emotionally charged scenarios. Initially, terrorism was cited as the primary risk, suggesting that encryption could enable covert attacks. More recently, broader concerns, such as online radicalisation or children’s protection, have been used to justify expanded access to encrypted communications. These cases are powerful precisely because they provoke fear or moral outrage, making expanded surveillance appear politically necessary.
“[The encryption debate] has evolved into something that [governments] are much more likely to win [by picking up issues that people find frightening or revolting]” – Whitfield Diffie
Mr. Diffie also warned against viewing control solely as a state‑driven impulse. Private actors, including large corporations and major institutions, often seek similar levels of control over users and devices. From mandatory deep access to institutional networks to manufacturer‑driven software management, individual autonomy is increasingly constrained by both public and private entities. As a result, the divide is not simply one between governments and industry. Instead, a broad coalition of state and private interests often converges around control, complicating narratives about openness, sovereignty, and individual agency in international cyber discussions.
“Control over individuals is not something only states seek” – Whitfield Diffie
If you’re not at the table, you’re on the menu
Edna Conway, former Chief Security and Risk Officer at Microsoft and Cisco, and current Board Director, CEO, Non-Resident Scholar, Carnegie Endowment for International Peace, and Chief Operating & Risk Officer, TPO Group, encouraged the private sector, and particularly CISOs, to rise up and speak out in both public and private forums. She urged them to coordinate internally, engage directly with governments, and strengthen public-private partnerships, which are more essential than ever.
“I believe the private sector has an opportunity—and a responsibility—to step up again and say: we want these allies with us. More importantly, we want to hear the voices that differ from our own.” – Edna Conway
From dialogue to action: join the Cybersecurity Tech Accord and contribute to the positive agenda
Ms. Conway concluded by encouraging industry representatives from the security community to contribute to the positive agenda for cybersecurity and to join the Cybersecurity Tech Accord. Now is the time to coordinate efforts and be ready when the next treaty proposal is tabled, a process which is already underway.
Do you need more information about the Cybersecurity Tech Accord? You can find more information here or contact us via email.
