Cisco, Microsoft and 32 big vendor pals join ‘Accord’ to improve security by doing … security stuff
No roadmap. No timeframe. No success metrics. Not much grip on reality, either
Analysis: Thirty-four technology companies inked a "Cybersecurity Tech Accord" on Tuesday which they said represents "a public commitment … to protect and empower civilians online and to improve the security, stability and resilience of cyberspace".
The 34 vendors include Cisco, SAP, both HPs (HP Inc and Hewlett Packard Enterprise), Microsoft, Oracle, Juniper, Dell, BT, VMware, Arm, GitHub and plenty of other key enterprise IT suppliers. But there is no sign of Apple, Lenovo, the major SaaS players, AWS, Google or IBM.
The Register has read the group's foundational document and can report that it does not detail how, or when, it will act. Nor does it offer any detail or metric that participants will use to measure progress or success. It offers no hint that the 34 have considered the risks they face, the appropriate responses to them, or what resources are available to mount those responses, which are the foundations of any security plan.
And while the Accord has said it "will continue to define collaborative activities we will undertake to further this Accord", there is no timeframe for that or its plans to "report publicly on our progress in achieving these goals".
Let’s dive in nonetheless.
The group’s first principle is to "protect all of our users and customers everywhere" with efforts to "design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability, and severity of vulnerabilities".
Nice words. But when were any of the 34 companies not trying to deliver secure, reliable products? And how seriously can we take a pledge to do good works on privacy when the signatories include LinkedIn and Facebook, two businesses that exist to exploit personal data and have demonstrably failed to safeguard user privacy? LinkedIn has a data breach under its belt; Facebook allowed years of unlimited profile scraping.
There's also some shifting language here. The principle says signatories "will protect" us all but by the time we get to the bullet points explaining the intent it changes to "will strive".
Pardon us for bastardising Master Yoda to analyse this one: "Do or do not. There is no strive."
The group's second principle is to "oppose cyberattacks on innocent citizens and enterprises from anywhere" accompanied by a declaration that "We will not help governments launch cyberattacks against innocent citizens and enterprises from anywhere".
The Register can imagine that a producer somewhere is already imagining a CEO singalong of "Cyberwar: what is it good for?" to hammer home the Accord’s opposition to it.
The signatories say they will stop governments doing naughty cybers with efforts to "protect against tampering with and exploitation of technology products and services during their development, design, distribution and use".
But there is no explanation of what the signatories will do to protect against tampering, nor a definition of "use". The language also leaves open the prospect of support for cyberattacks on targets deemed not to be innocent, without any mention of how signatories would judge guilt.
And what on Earth is "exploitation"? As Cisco's ongoing troubles with Smart Install show, one developer's remote deployment tool is another developer's attack vector: the feature exists to make switch provisioning easier, listens on TCP port 4786, and is being abused on boxes where nobody thought to turn it off (Cisco's own advice is to disable it with "no vstack" wherever it is not actually in use). Is shipping such a feature "exploitation", or is only the abuse of it?
Good luck with that anti-tampering plan, too, given the NSA is known to intercept kit in transit so it can implant backdoors before the hardware reaches the customer, and given known government hoarding of zero-days.
Hooray for empowerment!
The Accord's third principle is to "help empower users, customers and developers to strengthen cybersecurity protection".
To do so, signatories will "provide our users, customers and the wider developer ecosystem with information and tools that enable them to understand current and future threats and protect themselves against them". The 34 will also "support civil society, governments and international organizations in their efforts to advance security in cyberspace and to build cybersecurity capacity in developed and emerging economies alike".
These are noble intentions that are hard to oppose. But the group has failed to explain what its members will actually do, or whether those efforts would be new activity or existing programmes re-badged as Accord actions.
The Register has scanned the "we joined!" blog posts of Accord signatories and can’t find mention of new actions, new commitments, new spending or new anything really. Plenty of the posts describe today's announcement as the first step on a road to … somewhere.
The Accord’s fourth principle is to "partner with each other and with likeminded groups to enhance cybersecurity".
Collaboration across a complex ecosystem as a means to improvement? We're glad someone finally thought of that!
To chase the fourth principle the group "will establish formal and informal partnerships with industry, civil society, and security researchers, across proprietary and open source technologies to improve technical collaboration, coordinated vulnerability disclosure, and threat sharing, as well as to minimize the levels of malicious code being introduced into cyberspace".
Nothing in the paragraph above sounds new, though it could hint at interesting efforts like the Microsoft-supported Global Commission on the Stability of Cyberspace, which is attempting a diplomatic end-run around the US, Russia and China. Absent any specifics on the type of collaborations and partnerships, this appears to be the tech industry saying it will carry on as usual.
There's also a pledge to "encourage global information sharing and civilian efforts to identify, prevent, detect, respond to, and recover from cyberattacks and ensure flexible responses to security of the wider global technology ecosystem".
Oh thanks for that, vendor-land. It's just grand that you will encourage this stuff. I'm sure the likes of Maersk feel so much better now (after having spent $331m cleaning up NotPetya).
Omissions from the Accord also deserve mention. Microsoft fought the US government long and hard over a warrant demanding emails stored in its Irish data centre. But the company has seemingly rolled over now that the Cloud Act has legislated away its grounds for resistance. Surely an organisation dedicated to security and privacy would also oppose such measures and lobby on users' behalf?
We could go on, but you get the idea: absent any information on what the Accord will actually do, this reads like well-intentioned stuff that seems likely to lead to some lovely meetings and a few nice white-papers to download. Unless it requires the signatories to spend new money on new activities, it's hard to see it making much difference to anyone other than the graphic designers who get to put the Accord's logo on those white-papers, or who have to work out how to fit all 34 signatories' logos onto a slide.
As an exercise in demonstrating the Accord's members have a sincere desire to improve security, and the skills to enact that desire, it falls well short. ®