Microsoft, Facebook, Cisco, Dell and 30 other companies have announced a new Cybersecurity Tech Accord, committing themselves to protecting internet users from threats ranging from cybercriminals to state-backed hackers.
The accord is a collective response by tech giants, security firms and industrial firms to major cyberattacks over the last year. Participants have vowed not to help governments launch cyberattacks against citizens and enterprises, and to protect their own products against tampering and vulnerability exploitation.
Signatories include ABB, Arm, Avast, Bitdefender, BT, CA, Cisco, Cloudflare, DataStax, Dell, DocuSign, Facebook, Fastly, FireEye, F-Secure, GitHub, Guardtime, HP Inc, HPE, Intuit, Juniper Networks, LinkedIn, Microsoft, Nielsen, Nokia, Oracle, RSA, SAP, Stripe, Symantec, Telefonica, Tenable, Trend Micro, and VMware.
Notably, Cisco and Microsoft are among the tech giants that have been caught in the cross-hairs of national security programs that exploit either software vulnerabilities or supply chain weaknesses to carry out attacks on targets.
"The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution," the accord reads.
Edward Snowden’s leaks revealed an NSA factory for planting backdoors in Cisco gear, while the Shadow Brokers leak of NSA cyber weapons included a Windows exploit that came to be used in last year’s devastating WannaCry and NotPetya attacks. The former affected 300,000 Windows computers, and the latter cost businesses around $1.2 billion.
In the wake of May's WannaCry, Microsoft president and general counsel Brad Smith called for a Digital Geneva Convention, criticizing the NSA for stockpiling vulnerabilities and arguing that governments should instead report them to vendors.
Smith today said he sees the industry-driven cybersecurity accord as a precursor to such a convention.
A number of large technology companies haven’t signed up to the accord, most notably Google and Apple, though the pledge remains open to new private sector signatories. Smith also said he expects more tech and cybersecurity firms to join in the coming months.
The announcement of the accord came as the Supreme Court dismissed Microsoft’s legal battle with the US Justice Department over access to email hosted in its Irish data centre, which was sought in connection with a drug investigation.
Microsoft has since 2013 argued that the Stored Communications Act (SCA) didn’t cover information stored outside the US. The Supreme Court dismissed the case as a result of President Trump signing the Cloud Act in March, which amended the SCA with a provision that requires service providers to comply with a warrant regardless of whether data is stored in the US or overseas.
“A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States,” the provision reads.
As noted in the decision, the Cloud Act rendered the case moot, and following its passage the government obtained a new warrant under the act, with which Microsoft complied. The Justice Department earlier this month filed a motion with the Supreme Court to dismiss the case as moot due to the Cloud Act.