Tech Accord reflections and comments on Geneva Dialogue background document

The Cybersecurity Tech Accord signatories appreciate the opportunity to provide feedback on the Geneva Dialogue’s background document and look forward to further engaging in this important effort as it continues to take shape, both as an organization and as individual companies. Our group promotes a safer online world by fostering collaboration among more than 140 global technology companies committed to protecting their customers and users and helping them defend against malicious threats in cyberspace.

Beyond a mere commitment, the Cybersecurity Tech Accord signatories regularly participate in and lead initiatives to improve the security of the digital ecosystem. You can find an overview of our most recent efforts in the Annual Report that we published in February. Indeed, given that the Cybersecurity Tech Accord was featured in the 2018 Geneva Dialogue on Responsible Behaviour in Cyberspace: Private Sector report, it feels a fitting privilege to be able to now contribute to the work of the Dialogue.

With that in mind, we would like to highlight the specific principles of the Cybersecurity Tech Accord, rather than the broader shorthand commitment that is included in the current draft document:

  • WE WILL PROTECT ALL OF OUR USERS AND CUSTOMERS EVERYWHERE.

We will strive to protect all our users and customers from cyberattacks – whether an individual, organization or government – irrespective of their technical acumen, culture or location, or the motives of the attacker, whether criminal or geopolitical.

We will design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability, and severity of vulnerabilities.

  • WE WILL OPPOSE CYBERATTACKS ON INNOCENT CITIZENS AND ENTERPRISES FROM ANYWHERE.

We will protect against tampering with and exploitation of technology products and services during their development, design, distribution and use.

We will not help governments launch cyberattacks against innocent citizens and enterprises from anywhere.

  • WE WILL HELP EMPOWER USERS, CUSTOMERS AND DEVELOPERS TO STRENGTHEN CYBERSECURITY PROTECTION.

We will provide our users, customers and the wider developer ecosystem with information and tools that enable them to understand current and future threats and protect themselves against them.

We will support civil society, governments and international organizations in their efforts to advance security in cyberspace and to build cybersecurity capacity in developed and emerging economies alike.

  • WE WILL PARTNER WITH EACH OTHER AND WITH LIKEMINDED GROUPS TO ENHANCE CYBERSECURITY.

We will work with each other and will establish formal and informal partnerships with industry, civil society, and security researchers, across proprietary and open source technologies to improve technical collaboration, coordinated vulnerability disclosure, and threat sharing, as well as to minimize the levels of malicious code being introduced into cyberspace.

We will encourage global information sharing and civilian efforts to identify, prevent, detect, respond to, and recover from cyberattacks and ensure flexible responses to security of the wider global technology ecosystem.

Our submission below touches on the “reflection points” highlighted in the background document, as well as on the content set out in each section. At a high level, however, we believe that the effort to map out existing principles and agreements, as well as industry roles and responsibilities, would benefit from greater clarity around its intended scope, or at least a more concrete categorization of the types of agreements and activities included and how they relate to one another. Such a mapping would not only represent a unique contribution to the global discussion of cybersecurity rules, norms and laws, but would also make the resulting report more accessible to a wider audience.

Moreover, we would recommend that the draft document, and the effort more broadly, acknowledge that securing the digital space is a collective effort, one that does not depend solely on the technology industry. An exclusive focus on the roles and responsibilities of industry, without noting the efforts of others – including states – to purposefully undermine and manipulate the security of digital products and services, would paint an inaccurate picture of the online environment we all operate in. In addition, while the draft document recognizes the need to drive demand among users for secure products, it does not address the fact that vulnerabilities in digital products are not the sole, or indeed the main, vector of attack. Our experience shows that successful attacks frequently rely on human error and methods such as phishing, or exploit vulnerabilities for which vendors released patches and urged customers to apply them well in advance.

We hope that our comments prove helpful in shaping a unique contribution to the stability of the digital environment. As mentioned above, the Cybersecurity Tech Accord signatories look forward to subsequent opportunities to work together in this effort. Should you have any questions that emerge based on our input, please do not hesitate to contact us.

Section 1: Principles and roles

Reflection points:

  • What other multilateral, multistakeholder, or industry-specific guidelines related to industry responsibilities and measures for securing digital products and services, may be added to the list and consulted?
  • What are the security guidelines for your products and services that you can share with the group as examples of good practices?

The Cybersecurity Tech Accord signatories are grateful for the start of the mapping that the draft document provides; however, we are not entirely clear what the objective of this exercise is. As highlighted in our introductory remarks, we are unsure about the intended scope in particular, and believe that the language used, which conflates norms and principles, does not help in this regard. For example, while our understanding is that the draft document aims to identify best practices for the industry to follow, its references to norms are taken from discussions around international legal frameworks.

In a similar vein, the second question asks about security guidelines, which we take to mean specific guidelines for developing, delivering and maintaining technology products and services, rather than higher-level principles. These have so far not been included in the mapping exercise, yet they are the ones that today largely guide the operation and development of technology. They could include standards developed by national and international standards bodies, such as the National Institute of Standards and Technology (NIST) in the United States or the International Organization for Standardization (ISO), as well as independent guidance and best practices established by individual companies and industry organizations. While an exhaustive list of such efforts may not be necessary here, the Cybersecurity Tech Accord will be releasing an organized list of security guidance resources specifically for Internet of Things (IoT) manufacturers on our website in the coming weeks, and we will be happy to share it as soon as it is available.

Furthermore, the guidelines highlighted in this first section of the background document range from agreements between different stakeholders to calls to action and proposals – including things like the IoT Trust Framework, as well as our own Cybersecurity Tech Accord. While each of these resources may be a valuable contribution worthy of discussion, conflating them makes a productive and focused dialogue difficult. Indeed, some of them are not focused on industry at all (for example, Microsoft’s Digital Peace Now effort). The background document would therefore benefit from establishing some basic categories to differentiate these resources up front, such as “multilateral agreements” (the Framework for Responsible State Behavior), “agreements between other stakeholders” (the Paris Call, the Cybersecurity Tech Accord, etc.), and “proposals” or “calls to action” (Digital Peace Now, A New Digital Deal, etc.), as well as individual commitments and agreed-upon standards.

Once a clearer taxonomy has been established, the Cybersecurity Tech Accord signatories would be delighted to work with the group to identify further individual initiatives to incorporate in the draft document. At this stage, we would be remiss if we did not call out the report of the Global Commission on the Stability of Cyberspace, to which we provided input, as well as the recommendations of the United Nations Secretary-General’s High-level Panel on Digital Cooperation, which we also encouraged to focus on cybersecurity.

Section 2: Resilience and security of digital products and services

Reflection points:

  • What other principles have you identified?
  • Are there any listed principles which are not or should not be of concern?
  • Are there any principles or practices you would particularly like to highlight?
  • Which of those principles have you embraced already and how? Please share good practices.
  • What are the obstacles to implementing certain principles (related to technological, market, geopolitical, or other challenges)?

As a group of over 140 technology companies from around the world, including everything from chip manufacturers to social media platforms, the Cybersecurity Tech Accord has remained focused on high-level principles that can apply broadly to all facets of the technology industry. This is how we arrived at the four foundational principles of the Cybersecurity Tech Accord – strong defense, no offense, capacity building and collective action – which strive to reflect the security responsibilities of the entire technology industry. We are glad to see these called out specifically, and feel they are largely reflected in the specific roles and responsibilities included in the background document as well.

Nowhere is this more evident than in the references to responsible vulnerability handling and vulnerability disclosure policies in the background document. Support for responsible vulnerability handling is one of the first things the Cybersecurity Tech Accord emphasized following its launch in 2018, and last year we committed to having all signatories adopt their own vulnerability disclosure policies. While these policies look different from company to company, depending on how each is structured and what it produces, they are a universal best practice, and we now catalogue and share signatories’ policies on our website. This effort not only reflects our signatories implementing best practices for their customers; it also leads by example, helping other companies consider what such a policy might look like in their context.

In addition to our work on vulnerability disclosure, the Cybersecurity Tech Accord pursues initiatives independently and in collaboration with other stakeholders in support of the four principles. We outline much of this work in our recently-released Annual Report, highlighted above, and a few examples are listed below aligned with respective principles:

  • Strong Defense:
    • MANRS expansion – working in collaboration with the Internet Society and other industry partners, a Cybersecurity Tech Accord working group developed actions and modifications such that the Mutual Agreed Norms for Routing Security (MANRS) could be implemented by cloud providers and content delivery networks, improving security for large parts of the digital ecosystem.
    • Apps4DigitalPeace – Together with multiple UN offices, the Cybersecurity Tech Accord is hosting a youth contest to drive innovative technology solutions to peace and security challenges online, aligned directly with the objectives of the OEWG and GGE dialogues.
  • No Offense:
    • UN Dialogues – The Cybersecurity Tech Accord has been a vocal proponent of multistakeholder inclusion in the dialogues at the United Nations focused on peace and security online, and participated at the intersessional meeting of the OEWG last December to highlight how the industry can support capacity building and confidence building measures to address escalating conflict online.
    • Calls on government – One of the core tenets of the Cybersecurity Tech Accord is that, as an industry, we are not interested in playing a role in escalating conflict between states and other actors online, or in engaging in activities that would harm the security of users and customers anywhere. This is why we have been quick to call on governments to protect essential security features like strong encryption, and to adopt vulnerabilities equities processes to help keep technology products secure. It is also why we published industry guidance on establishing confidence building measures to reduce tensions and conflict in cyberspace.
  • Capacity Building:
    • Cybersecurity awareness – In collaboration with the United Kingdom’s Foreign & Commonwealth Office, the Cybersecurity Tech Accord produced a comprehensive report on the state of cybersecurity awareness and associated campaigns across the 53-state Commonwealth of Nations, providing industry guidance on how to make such programs successful.
    • Webinar series – Together with the Global Forum on Cyber Expertise, the Cybersecurity Tech Accord hosts a regular webinar series on different cybersecurity topics to support capacity building efforts across the globe. The webinars are free to access, and a growing library of previous webinars can be viewed anytime through our website.
  • Collective response:
    • Paris Call implementation – As the above examples make clear, the Cybersecurity Tech Accord frequently collaborates with partners across industries and stakeholder groups to amplify and improve its efforts. This is especially true for our work supporting implementation of the principles of the Paris Call for Trust and Security in Cyberspace. As the largest ever multistakeholder agreement on cybersecurity principles, the Paris Call creates a unique opportunity to work with others to implement the values and commitments of the agreement. To this end, the Cybersecurity Tech Accord has been working closely with other organizations – including CyberGreen, Internet Society, and the Global Cyber Alliance – to advance cybersecurity hygiene best practices in accordance with the Paris Call.

In addition to the work that the Cybersecurity Tech Accord pursues collectively, we also help shine a light on what our signatory companies are doing on their own to abide by and implement the four principles. This includes an ongoing series of case studies, where companies showcase how they are working to address cybersecurity challenges aligned with our principles, and a blog series from company executives explaining the most pressing cybersecurity challenges they are currently focused on.

Finally, we would also like to underline that not all principles or good practices are applicable to all technology companies – this is evident from our own commitment. This is an industry that encompasses app developers, cloud providers, chip manufacturers and telecommunications companies alike. It is therefore difficult to highlight practices or principles beyond those we have focused on as a group for this document.

In fact, before looking at the implementation of particular principles and analysing them more thoroughly, we would recommend a discussion of the different principles listed, as we currently perceive substantial overlap between the proposed categories: for example, one principle discusses supply chain and lifecycle, a second focuses on legacy products, and a third on the development of software. There are similar examples related to data security. A shorter, consolidated list would enable us to provide a more in-depth and comprehensive response.

Moreover, some of these principles should in fact be applied to industry more broadly. Today, financial services companies, car manufacturers and many others develop their own software solutions, and it is critical that these are also secure. We would therefore recommend that the draft document take that diversity into account as it creates a structure for the different principles, and that it provide definitions for some of the terms used, such as “industry.”

(3a) Reflection point

  • What are other potentially critical types of services and products? Share experiences from your work and work conducted with your partners from other industries.

As digital technologies become increasingly intertwined with the operations of every business and every sector, and with virtually all aspects of our daily lives, effective cybersecurity and cyber resilience have become indispensable. This is at the core of the Cybersecurity Tech Accord’s mission – to enhance cybersecurity of the entire ecosystem via collaborative action to identify and implement best practices, empower users and customers, and discourage malicious actors.

With this in mind, it may be less helpful to try to enumerate specific “critical digital products and services,” as the draft document currently does, and more helpful to focus instead on the best practices that vendors can follow to ensure they are meeting high security expectations. The Cybersecurity Tech Accord has worked to help define and amplify such standards and practices, and to raise awareness and lower barriers to adoption so that vendors of all sizes can implement them. This includes work we have done in support of MANRS, Domain-based Message Authentication, Reporting & Conformance (DMARC), DNS security, and ETSI’s international specifications for IoT security.

Moreover, no one can consider every possible deployment scenario for every technology, and the implications of security failures in products and services will always depend on context. This is why regulators around the world have focused on identifying where particular products might be used and under what circumstances, and on adjusting their risk management posture accordingly. We recommend using established legal definitions, frameworks and methods rather than creating a list, which is bound to be controversial as well as inherently time-constrained, since the technologies themselves are subject to innovation, evolution and eventual obsolescence.

(3b) Reflection point

  • As we prepare for a crisis-resilient society, including ‘black swan’ scenarios, what elements could help us forecast possible criticality in different sectors and various circumstances?
  • How can we ensure to bring on board these potentially critical sectors which are not thinking about cybersecurity at the moment?

Determinations of what should be considered “critical infrastructure” must be made by respective countries and their governments, delineating what are the essential institutions for the functioning of their society. There are different planning processes for making these determinations, but they all should incorporate contingency planning around crises – such as pandemics – and leverage the input from a multistakeholder community to gain necessary perspective to identify which sectors should be included.

However, it is important to remember that risk management, including cyber risk management, is about prioritization and mitigation. Many sectors may become increasingly significant in a crisis, but this does not mean that all sectors can be designated as “critical infrastructure.” This designation has been reserved for the most essential industries, which must prioritize security at all costs. Truly, if everything can be deemed “critical,” then nothing is. This is not to say that there are no valuable lessons about security to be drawn from the current health crisis – including the importance of particular elements of the healthcare system, or even the integrity and resilience of the Internet itself. This is why careful planning, review and multistakeholder inclusion in determining and designating critical infrastructure is essential.