Advancing Cyber Hygiene and Speaking Out on Hack Backs: recognizing the 2nd anniversary of the Paris Call for Trust and Security in Cyberspace with action
Two years ago, on November 12, 2018, French President Emmanuel Macron launched a landmark and first-of-its-kind international compact – The Paris Call for Trust and Security in Cyberspace. Amid increasing numbers of sophisticated attacks online, the Paris Call established a multistakeholder commitment to principles to form the basis of a more stable and secure online world. The Cybersecurity Tech Accord has been a vocal supporter of this agreement ever since its launch, believing firmly that it creates the type of coalition necessary to respond to the challenges of escalating conflict in cyberspace. In recognition of the second anniversary of the agreement, we are today launching two new resources intended to help implement two of the Paris Call’s principles.
The challenges of peace and security in cyberspace cannot be addressed by any one stakeholder group alone. As with other domains of conflict, governments have an indispensable role to play in setting expectations and holding one another accountable to discourage reckless behavior online. However, as cyberspace is largely owned and maintained by private organizations, industry also needs a seat at the table in order to provide input and guidance in helping to set these expectations if they are to be successful. Finally, we also need international organizations and civil society groups everywhere to expand their mandates to include cyberspace in order to promote responsible behavior and to defend human rights and freedoms in a new domain of human activity.
This is the promise and potential of the Paris Call. While the agreement was first launched with a few dozen government supporters and a core group of industry and civil society groups, in two years it has swelled to now include 78 national governments as well as hundreds of industry and civil society organizations from every corner of the world – for a total of more than 1,000 supporting entities committed to shared principles for responsible behavior online. And in the past year, we have seen coalitions within this community of supporters joining together to help reinforce and implement the different principles of the agreement.
For our part, the Cybersecurity Tech Accord, as a leading industry voice on peace and security online, has worked among our signatories and with other Paris Call supporters to advance two of the agreement’s principles – Principle #7 on improving cyber hygiene for all actors, and Principle #8 on discouraging private organizations from “hacking back.” We are today releasing two new resources to help guide individuals, organizations and governments to uphold these principles and promote stability and security online.
- The Cyber Hygiene Compendium – Principle #7: Support efforts to strengthen an advanced cyber hygiene for all actors.
For months now, the Cybersecurity Tech Accord has been highlighting and breaking down the essential practices and protocols which can have the highest impact in improving cyber hygiene, for both individuals and organizations. The Cyber Hygiene Compendium has pulled this work together into one easy-to-navigate guidebook. The compendium includes guidance on best practices surrounding things like multifactor authentication, domain name security, email authentication, routing security, virtual private networks, and how to defend against common attack methods like password spray or those which target consumer IoT products. To accomplish all this, we have worked closely with our company signatories with industry-leading expertise, as well as with civil society partners like the Global Cyber Alliance and the Internet Society, to create easy-to-understand reference materials and video content to help improve the cyber hygiene of individuals and organizations of all sizes.
- No Hacking Back: Vigilante Justice vs. Good Security Online – Principle #8: Take steps to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors.
In cyberspace, just like in the physical world, law enforcement is primarily the responsibility of governments and vigilante justice is to be discouraged. This is the essence of Paris Call Principle #8 – “no private hack back” – and it is critical to a stable online world. However, in cyberspace, industry often does have unique capabilities and responsibilities for customer security that need to be safeguarded. This new whitepaper provides a deep dive into this nuanced topic to distinguish between what should be considered inadvisable and illegal “hack back” activities, and what are valuable forward-leaning security practices employed by the technology industry today. The whitepaper serves as an essential guide for policymakers seeking to better understand the boundaries of industry actions in cyberspace to prevent and deter cyberattacks by criminals, and why “hack backs” are not a suitable way to address growing numbers of threats.
We hope both of these new resources prove valuable in clarifying and upholding these respective principles. At the end of the day, the success of the Paris Call will be determined by its impact: how it changes behaviors and builds consensus around the rules of the road in cyberspace. To this end, it has already built an unparalleled multistakeholder coalition that is up to the task of addressing some of the most dynamic challenges related to escalating conflict online. The Cybersecurity Tech Accord has been proud to support work aligned with these two principles over the past year, while other organizations and groups of Paris Call supporters have started to tackle other principles. Looking ahead to the next year, we are excited for more opportunities to work in collaboration with others in the Paris Call community to help turn the tide on increasing attacks in cyberspace through multistakeholder action.