Private Companies Take the Lead on Cyber Security

bsmith

Last month, 34 technology and security companies signed what they call the Cybersecurity Tech Accord, “agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states.” The agreement is a remarkable initiative by a group of industry heavyweights, ranging from Cisco to Facebook, Microsoft to Nokia and Oracle, that usually tend to fight over customers or patents rather than form political alliances. It raises the question, what motivated these companies and why did they sign this agreement now? More broadly, it is only the latest sign that what norms govern cyber space and the global governance of cyber security – or, rather, the lack thereof – have captured the attention of corporate boardrooms around the world.

A driving force behind the initiative is Brad Smith, Microsoft’s president and chief legal officer. In 2017, Smith made headlines by calling for a Digital Geneva Convention, a new international legal treaty for cyber warfare. Yet even before the head of the company became personally and actively involved, Microsoft had been part of the international discussions about cyber security for years. I remember the company participating in diplomatic cyber security conferences as early as December 2011, when the German Foreign Office hosted a major international conference on the topic, long before it became a front-page, CEO, or head-of-state issue. Not only does Microsoft have an entire team dedicated to these issues through what was once called the Office of Global Security Strategy and Diplomacy, it has also actively recruited staff who previously worked as diplomats at the United Nations or the Organization for Security and Cooperation in Europe.

Over the last several years, Microsoft was the lone industry representative at many public and private convenings on international cyber norms that I have attended, advocating for international agreements and limitations on malicious cyber activity. These arguments are more commonly advanced by civil society organizations in other areas of global governance, which is why some consider Microsoft a “norm entrepreneur.” For example, in 2015 and 2016, Microsoft published two papers that made specific recommendations outlining norms for states’ and companies’ behavior and use of cyber space. These efforts were criticized by some. After the 2015 report, for example, some government officials asked why Microsoft was focused only on norms for state behavior and not for industry. In response to the expanded 2016 report, which also covered industry, some critics asked why it was only Microsoft that made the case and not a broader group of companies.

The new Cybersecurity Tech Accord is partly a response to both of these criticisms. First, it is no longer Microsoft alone but a group of over 30 companies. Second, the initiative focuses on what industry can do.

So why did so many more companies join at this particular moment? Certainly, Smith’s personal engagement took the initiative to a new level; he raised the issue at high-profile forums from the RSA Conference to the World Economic Forum to the Munich Security Conference. At the same time, there has clearly been a significant change in the broader threat and political environment. Only a few months prior to the signing of the Tech Accord, two of the costliest cyber attacks hit targets around the world. The WannaCry and NotPetya malware caused widespread disruption and several billion dollars in cost. FedEx and global shipping company Maersk alone each reportedly suffered USD 300 million in cost. North Korean hackers stand accused of being behind WannaCry and Russian hackers of being behind the NotPetya attacks.

In short, cyber security has become a recurring item on the agendas of board meetings around the world, and CEOs can no longer afford to ignore it. Perhaps the best sign of this heightened awareness is that the Tech Accord is not the only recent high-profile industry effort. In February, at the Munich Security Conference, an annual gathering of heads of state, defense and foreign ministers, and other representatives from government and industry, several CEOs and officials from industry giants such as Siemens, IBM, and Daimler signed a Charter of Trust focusing on security standards and supply chain integrity.

Other geopolitical trends are also pushing industry leaders to become increasingly active. Relations between states are clearly becoming more contentious rather than more harmonious. Protectionism and isolationism are on the rise. This resurgence of national borders and national thinking is at odds with the multinational nature, business model, and outlook of many of these companies. Clashes have already occurred in the wake of the Snowden disclosures, clashes are currently occurring over encryption, and clashes are likely to continue to occur in the future as calls for data localization and more ‘cyber’ or ‘tech sovereignty’ ring louder. One way to counter these trends is for industry to exercise thought leadership and present alternative visions. The Tech Accord, for example, focuses on protecting users worldwide regardless of their location or citizenship. It also highlights the need for collective action, a commitment not to support cyber attacks, and new security practices.

Ultimately, the effectiveness and true nature of these initiatives will be measured by companies’ actions, not only their words. How will the commitments of the Tech Accord and the Charter of Trust be implemented? Will companies make changes to their Terms of Service and their contractual relationships to reflect their commitments? How will they behave if governments take actions that violate the commitments? How will they respond if Chinese or Russian companies seek to join the groups? Will the initiatives proceed in parallel or will they merge? And will they be driven by individual companies or become recognized industry efforts reflected in talking points and broader government affairs agendas across companies and industries?

Just like governments, companies will be measured not only by their speeches and statements but by their actions and policies. And just like governments, it would not be surprising if they are not always consistent and are occasionally accused of hypocrisy. But issuing clear norms is nevertheless valuable because it provides a baseline against which to measure these firms’ behavior. For example, while the prohibition on the use of chemical weapons has clearly been violated recently, the very fact that the norm exists highlights what the rest of the world considers crossing a line and provides the basis to take action against those who violate it. As cyber space grows riskier and more complex, private companies’ moves toward agreed-upon rules of the road are a welcome development.


Tim Maurer is Co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. In January 2018, Cambridge University Press published his Cyber Mercenaries: The State, Hackers, and Power.

Image: Microsoft, CC BY-SA 3.0, via Wikimedia Commons