A cohort of major technology companies led by Microsoft committed Tuesday to a core set of principles for behavior in cyberspace, including not helping any government mount a cyberattack against “innocent civilians and enterprises.”
For the last several weeks, Microsoft has been seeking support from companies in order to define a common standard of behavior, or norms, for the broader software making community. The announcement was spearheaded by Brad Smith, president and chief legal officer of Microsoft. Smith spoke Tuesday morning at the RSA cybersecurity conference in San Francisco to an audience mostly comprised of cybersecurity industry insiders and marketers.
These norms spelled out in the agreement cover more than government relations. They contain the concept of “collective action” between technology companies to eliminate some of the more expansive cybersecurity threats facing the global economy.
Dubbed the “Cybersecurity Tech Accord,” the agreement showcases the signatures of more than 30 chief executives from some of the largest brand-name technology and cybersecurity firms in the world. Most of these companies are either headquartered in or own a large U.S.-based subsidiary.
The cohort includes representation from cybersecurity companies Symantec, Tenable and TrendMicro, among others. Non-cybersecurity companies also feature prominently, including Dell, Facebook, Oracle, RSA and VMware.
Google, Apple and Amazon have yet to sign the accord, which remains open for additional commitments. A separate agreement led by European companies Siemens and Airbus was announced in February.
Over the last two years, Smith has been arguing for the creation and acceptance of a so-called “digital Geneva Convention.” Such an agreement would be backed by the private sector, instead of engineered by any overarching governmental body, like the European Union.
Smith’s latest effort follows a year in which hackers from North Korea and Russia were able to successfully adopt leaked NSA hacking tools to conduct sweeping attacks against the private sector.
Smith previously wrote a scorching blog post about the U.S. government’s handling of the leak, which put various Microsoft products at risk.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
The accord is important because some prominent American tech companies carry a reputation for working closely with governments to identify targets of criminal investigations. Exactly how the accord defines “innocent” is unclear, however.
Prior reporting by Reuters found that “the NSA paid [cybersecurity company] RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs.”
Leaked documents from Edward Snowden also showed that historically, governments have occasionally worked closely with large technology vendors to spy on specific targets.