Cybersecurity Tech Accord Letter to OECD Scoping Paper on Digital Security of Products

Dear Mr. Bernat,

Thank you very much for the opportunity to provide comments on the Draft Scoping Paper: Enhancing the Digital Security of Products that the OECD Working Party on Security in the Digital Economy is considering. The Cybersecurity Tech Accord signatories believe this is an important initiative that has the potential to bring together industry, civil society, and government in agreeing and promoting good practices that will improve digital security for us all.

The Cybersecurity Tech Accord is a public commitment among over 100 global companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace. The signatories are committed to advancing the mission of the Cybersecurity Tech Accord by partnering on initiatives that improve the security, stability and resilience of cyberspace. By combining the resources and expertise of the global technology industry, the Cybersecurity Tech Accord creates a starting point for dialogue, discovery and decisive action. We hope that our response will help provide a technology industry perspective, highlighting the lessons of both small players and large multinationals, and serve as a starting point for further collaboration on these dynamic challenges moving forward.

While we provide detailed comments in the margins of the document itself, we wanted to highlight a few of the recommendations that we believe would substantially improve the Draft Scoping Paper here. In particular, we would encourage the Working Group to re-assess what the problem is that they are trying to address. This is not immediately obvious from the document provided, which reads more like a report based on a scoping paper rather than an analysis that sets out the problems identified and several potential paths forward, which is what we believe the objective of a Scoping Paper should be.

The Cybersecurity Tech Accord signatories believe that this re-assessment would uncover a number of different aspects that are critical for the state of modern cybersecurity, but are not included in the Draft Scoping Paper today. This is particularly the case when it comes to security of open source products, which are very prevalent in today’s digital environment and have very specific security characteristics, which cannot be easily addressed through the options highlighted in the paper.

Another example that could be given more attention in the Draft Scoping Paper are user practices. While the efforts of technology providers are rightly highlighted, it is important that the paper should also highlight that practices, such as vulnerability management depend on users patching their systems. There will continue to be vulnerabilities in digital technology products and services, and getting providers to invest in preparing their products and services to be patchable and in developing fixes is essential. However, if those patches aren’t deployed, then the whole exercise is undermined. As such, there’s a need for a sufficiently broad perspective on the challenge of vulnerabilities and the need for action.

In addition, we believe the broader re-assessment would allow the Working Party to restructure and include additional case studies. It is currently unclear why the current case studies have been selected and what they aim to demonstrate. We believe it would be helpful to include case studies that seek to address the different aspects of digital security challenges. For example, the computing and mobile ecosystems are very different and risk mitigations are diverge as well. Thus, combining them into one section is not illustrative of a potential way forward. Furthermore, the paper identifies that smaller software and app developers as well as developers for larger companies from less digitally mature sectors may not have as much maturity as leading companies in the technology sector. However, there is no case study and attempt to address those challenges.

Finally, the Cybersecurity Tech Accord signatories wanted to encourage the Working Group to consider some of the language used in the Draft Scoping Paper, as many of the terms used lack specific definitions and at the same time carry very negative connotations – the terms optimal and suboptimal levels of security that are used throughout the document are case in point and diverge substantially from established risk management practices. Similarly, we would strongly encourage the authors to reconsider the use of sweeping statements, such as “…both software developers and device manufacturers usually do not follow good security design practices…”, as these tend to be unsubstantiated and do not set up the Working Group for success given that they could sour the attitude with which stakeholders approach this work.

We would like to once again thank you for the opportunity to provide comments on the work of the Working Party on Security in the Digital Economy. We believe the OECD has a critical role to play in enhancing cybersecurity not solely for the countries that are members of the organization, but for the world. We therefore look forward to subsequent opportunities to work together and provide further input and guidance on issues related to cybersecurity. Should you have any questions that emerge based on our input, please do not hesitate to contact the Cybersecurity Tech Accord through our Secretariat.