Security experts (and security writers) spend a lot of time talking about cybercriminals and hackers—the so-called bad actors who are after data to use or sell on the dark web. But the time has come to expand our thinking of who or what constitutes a bad actor. Many of the cyberthreats in the past few years weren’t the work of traditional cybercriminals, but were instead actions taken by or on behalf of a government. The WannaCry ransomware attack, for instance, was attributed to North Korea. Representatives of the Chinese government infiltrated American government networks and were responsible for the Office of Personnel Management breach. Investigations continue to determine Russian involvement in hacking our election system. The American government isn’t innocent, either, as it launched the Stuxnet virus against Iran’s critical infrastructure.
Cyberwarfare is real, and we can expect governments to use cyberthreats more frequently as they prove to be effective. Just don’t expect some of the world’s largest tech companies to be involved.
At this year’s RSA Conference in San Francisco, 34 tech companies announced a Cybersecurity Tech Accord, a collective agreement against involvement in developing cyberattacks conducted by any government entity, including the United States. Microsoft’s Brad Smith calls the accord a “digital Geneva Convention.” In his keynote speech at RSA, Smith said, “In May and June of last year, we saw governments attacking civilians in a time of peace. We have a message to the governments of the world: That’s an attack that endangers people’s lives.”
Protecting the Online Environment
The Cybersecurity Tech Accord recognizes that the world is undergoing a major shift. We live online as much as we live offline. We are dependent on the internet and interconnected networks to sustain daily routines. One strategically placed piece of malware could take down the power grid for millions on the East Coast or halt the water supply to the West Coast. What North Korea could do with a cyberattack is scarier than what it could do with its missile program.
That’s why the accord says it is in everyone’s interest to protect the online environment. The steps tech companies vow to take are cybersecurity efforts to prevent attacks, as well as not being a party to helping the government launch attacks. They also want to empower businesses and users to be better cybersecurity stewards and think about their own actions to enhance security efforts.
Tech Companies, Not Security Companies, Taking the Lead
The Cybersecurity Tech Accord isn’t the security industry trying to convince everyone of the need to pay more for security tools. As Nathan Wenzler, chief security strategist at AsTech, points out, most of the companies involved in this group have had data breaches themselves or have been the root cause of some major security flaw in an operating system or database that resulted in a data breach. But they also need to put action to their words.
“So, on one hand, it is important that they’re making a public statement committing to doing what they do better,” said Wenzler. “But on the other hand, unless they’re going to upend their business models and spend the time, money and human effort to write applications that are secure from the start and not rush to market as soon as it’s functionally ready, then this may end up being nothing more than yet another bit of marketing and an attempt to show that they’re doing something.”
It isn’t a perfect solution by any means. David Ginsburg, vice president of Marketing at Cavirin, noted that some of the major social media networks and cloud operators are not part of the original 34. Ginsburg also thinks there needs to be improved communications between the tech companies and their users on how to use the security capabilities in each application.
“In several cases, the capabilities are there, but they are too difficult to deploy, or, in some cases, tools from multiple vendors will provide contradictory guidance,” he said. “This practical aspect is tremendously important.”
A vow not to be part of state-sponsored cyberattacks is a very important step in mitigating today’s threat landscape. Tech and security have to work in tandem to ensure applications developed by tech companies aren’t weaponized. At the same time, tech and security companies must make security functions more user friendly so the average user isn’t conned into the mistake that leads to a serious cyber crisis.