Technology companies are increasingly joining together to develop and promote the adoption of international “norms” and other rules for cyberspace, hoping to fill a void left by governments and international institutions that have failed to act.
The latest example of the dynamic came last week when a prominent group of corporations, including Siemens, Airbus and microchip maker NXP, announced a new nine-member cybersecurity charter. The document — essentially a nonbinding agreement to work to improve global cybersecurity — is currently open for other companies to join, one member said.
“Cybersecurity is and has to be more than a seatbelt or an airbag here; it’s a factor that’s crucial to the success of the digital economy,” reads a statement on the charter’s website. “People and organizations need to trust that their digital technologies are safe and secure; otherwise they won’t embrace the digital transformation. That’s why we are signing together a Charter of Trust bearing the principles that are fundamental to a secure digital world.”
The charter advocates for certain basic standards and other security-centric initiatives without necessarily needing to consult with any government or other outside entity. Though the United Nations has pioneered the development of several key norms, they too have struggled to help countries find common ground.
Among other commitments, the charter sets up an “industrial cybersecurity network” to share active data about cyberthreats rather than keep this information private for individual advantage. The agreement was announced in mid-February during the Munich Security Conference, a well-recognized event that brings together world leaders to speak about national security priorities.
Governments and private companies alike tend to be interested in the concept of cyber norms because there’s a belief that they can lead to collective action to set policies, solve problems or address weaknesses.
In other words, clearly defining what is and isn’t acceptable in cyberspace may help industries decide the most appropriate and effective ways to respond to attacks, accidents and other events. In many cases, it’s still an open question, especially when government-backed hacking is involved. Unlike, say, the international rules of war, there is no consensus for how large, powerful entities should behave in cyberspace.
Looking for ‘a big impact’
The move comes during a time of questionable leadership by the U.S. government. The State Department, which previously led the country’s cybersecurity-focused international relations mission, has been stifled through budget cuts and a mass exodus of talent. Under the Trump administration, Secretary of State Rex Tillerson also disbanded the primary office — named the Office of the Cybersecurity Coordinator — that had been responsible for these efforts in the past.
For now, the Charter of Trust offers a series of vague public commitments, including improved transparency, increased threat-intelligence sharing and better processes for companies and governments to disclose software vulnerabilities. Members plan to work with one another to exemplify these principles.
“The alliance I think can be very influential,” Sami Nassar, vice president of cybersecurity solutions with NXP, told CyberScoop in a phone interview. “Even without legislation, whenever a major industry player like Siemens states that they are going to prioritize something, and act on it, that can have a big impact on the market.”
Customers are definitely paying attention, Nassar said.
“People are becoming more aware and private sector leadership is important … this isn’t so different from any other new technology development,” Nassar said. “Businesses will always be faster to react than governments when it comes to anything with technology.”
Although most corporations would typically shy away from creating additional rules for their respective industries, cybersecurity expands well beyond the confines of their core businesses. Leading tech vendors not only recognize that their core products and services are vulnerable to hackers, but also that they are dependent on complex supply chains that involve many different companies.
In such an environment, the weakest link is often the first targeted by hackers looking to gain a foothold into more valuable organizations. The powerful companies at the top have a lot to gain by working together.
Not the DGC
Perhaps the most famous attempt by a private company to develop a guiding global set of voluntary rules for cybersecurity came from Microsoft last year, through the creation of the “Digital Geneva Convention,” or DGC. The DGC differs somewhat from the recently released charter, however, because it more overtly references the need to discourage government-backed hacking operations.
“The private sector has been interested for some time in the cyber norms issue, but it was not until Microsoft came up with the idea for a Digital Geneva Convention, that the issue took on a more serious form,” said Paul Triolo, head of the geo-
A spokesperson for Microsoft told CyberScoop that the company welcomes “actions that help build greater consensus with regard to cybersecurity, particularly around the need for binding, international norms of nation-state behavior in cyberspace.” Microsoft’s efforts are partly shaped by the fact that the tech giant and its products are continuously targeted by advanced hacking groups.
“The core principals of Microsoft’s initiative is complementary to the Charter of Trust, and therefore are supported by Siemens,” said Stefan Jost-Drummer, head of Siemens’ protection management office for cybersecurity. “Cybersecurity remains a journey, and there is no single approach to solving the threat of cyberattack. We believe our 10 principles are a starting point for a best practice approach across both the private and public sector, and through partnerships, this approach can better society as a whole.”
Although governments have historically controlled these types of global policy discussions — such as what constituted a war crime, for example — there have been cases where the private sector has taken the lead. Parts of the global financial system, for instance, have evolved outside of government influence.
Exactly what government should be leading the conversation about cyber norms, however, remains an open-ended question. Should it be the U.S.? Should it be China? Should it be the European Union? What does it mean for the future of the internet if companies end up defining what’s inappropriate and appropriate when it comes to digital security? Is there room for everyone to be involved?
“The [cyber] norms issue very quickly becomes political because of things like attribution, and the fact that actors such as Russia, Iran, and North Korea are either not going to agree to norms or will not abide by them,” Triolo said. “But many governments are reluctant to cede these issues to the private sector entirely and will continue to improve public private cooperation, through things like information sharing and analysis centers.”
The push by Siemens for a cybersecurity charter is significant because it shows how corporations are finding it advantageous to set clearly visible international expectations beyond the usual governmental avenues.
“l think this and other efforts are a positive step and illustrates that the private sector, beyond just the traditional tech sector, is taking these issues seriously and raising the level of awareness and action,” said Christopher Painter, a former cybersecurity coordinator at the U.S. State Department.
Other experts, however, remain skeptical.
Sasha Romanosky, a former cyber policy adviser at the Pentagon in the Office of the Under Secretary of Defense for Policy, said it’s important to consider the larger picture.
“These are noble goals, but we must be clear to understand where the incentives lie,” Romanosky said.
Cybersecurity may not be the biggest concern for every company, and prioritizing it over other things may not be pragmatic.
“We’re all faced with multiple interests and motivations. For many, environmental concerns are important, for others it’s health concerns, or child labor, or crime prevention,” he continued. “If we’re going to take a stand on making cybersecurity ‘everyone’s task’ we need to convince them why this is more important relative to these other concerns. If we can’t do that, then how can we expect anyone else to follow the lead?”
Update: A previous version of this story referred to NXP as “DXP.” The error has been corrected.