A consortium of 34 technology companies has agreed to a "Digital Geneva Convention" aimed at thwarting all kinds of hackers, even those backed by the United States.
"We will not help governments launch cyberattacks against innocent citizens and enterprises from anywhere," the companies said in a four-point "Tech Accord" first proposed by Microsoft Corp. last year.
The signatories include technology giants like HP Inc., Facebook Inc. and Oracle Corp., as well as global cybersecurity firms such as FireEye Inc., Symantec Corp., the Finnish company F-Secure Corp. and Japan-based Trend Micro Inc.
"The real-world consequences of cyberthreats have been repeatedly proven," said Kevin Simzer, chief operating officer at Trend Micro. "As an industry, we must band together to fight cyber criminals and stop future attacks from causing even more damage."
The accord amounts to a nonbinding commitment for the companies to steer clear of malicious activity in cyberspace. The 500-word document lays out four core principles for its backers: protecting all users from cyberattacks, opposing attacks "on innocent citizens and enterprises," helping customers strengthen their cyber postures, and partnering with other groups to bolster the internet’s defenses.
Microsoft President Brad Smith said in a blog post that the success of the alliance would depend on its execution.
He cited two devastating worldwide malware outbreaks last year — dubbed WannaCry and NotPetya — to point out that cybersecurity responsibilities "must be shared across the entire tech sector and with governments."
Recent cyberthreats to U.S. energy systems have highlighted a thorny problem in today’s interconnected world: How can private companies, which own and operate the vast majority of U.S. critical infrastructure, fend off hackers backed by national military or intelligence services?
Though diplomats have tried, hacking powerhouses like China, the U.S. and Russia have not settled on a global standard for acceptable behavior in cyberspace (Energywire, Dec. 22, 2014).
Against that murky backdrop, state-sponsored hackers have zeroed in on increasingly alarming targets. Earlier this year, the U.S. blamed a series of cyber intrusions targeting the nuclear, electricity, aviation and critical manufacturing sectors on Russia (Energywire, March 16).
The U.S. isn’t above the fray. Top-secret documents brought to light by former National Security Agency contractor Edward Snowden showed U.S. spy agencies’ willingness to set sights on American citizens and companies. The U.S. and Israeli governments are widely believed to have crafted Stuxnet, a first-of-its-kind digital weapon that damaged Iranian nuclear centrifuges in the late 2000s.
Iran has amassed its own hacking arsenal in response and in recent years has been accused of carrying out cyberattacks everywhere from U.S. financial markets to the control system of a small dam near Rye, N.Y.
"Malicious actors, with motives ranging from criminal to geopolitical, have inflicted economic harm, put human lives at risk, and undermined the trust that is essential to an open, free, and secure internet," the accord notes.
Norma Krayem, senior policy adviser at Holland & Knight LLP and co-chair of the firm’s cybersecurity and privacy team, said interest in the accord shows the need for a "cohesive approach to managing global risks" and finding norms in cyberspace.
"At this point, it’s a useful discussion to have," she said. "Whether or not [the accord] is the solution to the problem is unclear."
Lifeline systems
The accord calls for joining forces with future "like-minded" groups to further its mission of protecting everyone online.
"No single company or technology can secure cyberspace alone," said Switzerland-based industrial automation and technology firm ABB Ltd., one of the accord’s signatories. "We believe it is important to collaborate with other companies to protect customers and improve cybersecurity."
Late last year, ABB took the unusual step of offering guidance and comment on a cyberattack that hit one of its competitors.
In mid-2017, hackers targeted a type of critical safety support system produced by ABB rival Schneider Electric SE. The attackers managed to breach the defenses of an unidentified petrochemical facility in the Middle East and could have killed someone had they not inadvertently tripped Schneider’s safety system with malware, causing the plant to shut down.
"While currently we have no indication that a similar malware exists which is targeting other safety products, conceptually the attack scheme can also be used against any sufficiently similar safety system, incl. ABB systems," ABB said in a Dec. 22 notice to customers (Energywire, Jan. 30).
For their part, Schneider Electric officials say they have been laying the groundwork to build a coalition of grid and control system vendors dedicated to improving cybersecurity across their industry. Schneider has not yet signed on to the Microsoft-led tech accord but has recently advocated for a sector-specific approach.
Gary Williams, senior director for cybersecurity and communications at Schneider, said in a recent interview that his company would push for some trusted, third-party organization to bring control system vendors around the table to develop a cybersecurity charter.
A group of suppliers would be better positioned to respond to cyber incidents and defend against them, the thinking goes. Products from several competing companies can be found next to each other in critical facilities like power plants and oil refineries, meaning a sophisticated hack could quickly spill outside the expertise of any one company or response team.
"If we defenders can come together and start addressing security holistically, looking at ways of ensuring that we’re all following the best practices … then that’s the way to go," Williams said. "Is it the answer? No, there’s no silver bullet in any of this."
Still, Williams said a shared "charter of trust" could help control system vendors unite around a clear set of security objectives. "We need to address what’s going on in the real world now," he said.
The "Triton" malware, designed to override Schneider’s Triconex line of safety systems, presented an especially alarming case study, analysts say (Energywire, Dec. 15, 2017). The attack tool’s sophisticated design and unprecedented target — a safety system burrowed deep within an industrial network — suggest it’s the work of nation-state hackers, according to cybersecurity experts.
Williams said the company decided to publicly discuss the results of its own investigation into the Triton case, given what’s at stake.
"The security world tends to bury their heads in the sand, or at least close ranks and not talk" about attacks, he said. "When Schneider Electric got [news] of this one, we thought, ‘This is huge.’ And if it’s happening to us, chances are it’s happening to someone else."