Can Cybersecurity Tech Accord Really Curb State Actions?

By Mark Raymond and Josie Smith

On 17 April 2018, 34 leading global technology firms announced a new private-sector agreement intended to curb the worst excesses of state behavior in the cyber domain, and to improve the general state of global computer network security.

This agreement is a worthwhile effort. It indicates that the private-sector is prepared to take some responsibility for actual and potential harms enabled by their business operations. However, it places firms in clear opposition to states, and commits these companies to taking steps that governments may interpret as inhibiting their legitimate prerogatives in the conduct of foreign policy. The willingness of these firms to take such a public position is notable in itself, but the Cybersecurity Tech Accord also poses at least two kinds of more pragmatic concerns. It raises questions about implementation, as well as crucial long-term uncertainties about how states will respond.

The private-sector is prepared to take some responsibility for actual and potential harms enabled by their business operations.

The Cybersecurity Tech Accord has four main pillars. The first and third commit parties to general product design principles that emphasize security, privacy, integrity, and reliability, as well as to facilitating the adoption of these principles by other players in the technology industry and by civil society.

The second and fourth pillars are more controversial. The second entails commitments to protect against exploitation of technology products, and a promise that participants “will not help governments launch cyberattacks against innocent citizens and enterprises from anywhere.” The fourth pillar provides for partnerships among firms, as well as with civil society and security researchers, to reduce and respond to vulnerabilities; notably, governments are omitted from this list, which specifically encourages civilian efforts.

These second and fourth pillars in particular raise questions about implementation, the root of which concern definitional ambiguities. What exactly would constitute a “cyberattack”? Does there need to be evidence of certain kinds of damage, or do surveillance activities such as signal intelligence (SIGiNT) also count? What about anticipatory military work, such as preparing the battlefield for potential future attacks? The degree to which this commitment against cyberattack is defined vastly changes both the strength of the Accord and the potential opposition against it.

Furthermore, what constitutes “help”? Does assistance need to be willful, or does any use of a firm’s software or services constitute a violation of their commitments? What happens if governments use off-the-shelf products to assist in targeted surveillance or cyberattacks? A strong adherence to these principles might demand that firms refuse to allow these governments to purchase from them in the future, severely restricting their own potential profits.

Even assuming that firms are able to agree upon a unified implementation structure, there remains uncertainty about how governments would respond.

These answers are not immediately clear, and likely vary among firms within the Cybersecurity Tech Accord as well. Are there mechanisms in place to facilitate decision-making in order to accomplish these objectives? Pillar Four outlines both formal and informal partnerships between firms and “likeminded groups” in civil society. However, lacking a detailed process through which such partnerships will make decisions, the ability to concretely define the scope of these commitments is questionable.

Even assuming that firms are able to agree upon a unified implementation structure, there remains uncertainty about how governments would respond. States would likely welcome an opportunity to limit the ability of foreign actors to interfere in domestic affairs, but attempts to restrict their own intelligence gathering activities would not be well-received.

One possibility is that governments would simply turn to less scrupulous firms to provide these services and software. As major customers of tech firms, the loss of government contracts would damage existing market share as well as the aims of the Accord. Whether or not firms will be willing to accept this loss of business is unclear, and to the extent that less scrupulous competitors are willing to fill the void it is also unclear whether the agreement can attain its major objective of reducing the ability of governments to conduct certain kinds of cyber operations

Beyond the threat of losing market share and government contracts, are there legal or regulatory means through which states could respond? Are these limited to domestic actions, or will states (or groups of states) attempt to coordinate a collective international response?

By focusing on capacity building and collective actions, these firms might be able to demonstrate a commitment to these principles without damaging their business model or provoking retaliation from states. However, the resulting lack of a strong position on what such commitments to “no offense” would entail in practice would prevent them from fully realizing the objectives of the Accord. Most important, advocates of such approaches should not underestimate the willingness of states to employ the vast range of policy tools and jurisdictional authorities at their disposal to blunt an extraordinary coordinated attempt by a group of large technology firms to constrain what governments are likely to see as their core prerogatives in the conduct of foreign policy.

About the authors:

Mark Raymond is the Director of the Cyber Governance and Policy Center and the Wick Cary Assistant Professor of International Security at the University of Oklahoma. He is also a CDT Fellow.

Josie Smith is a graduate student at the University of Oklahoma’s College of International Studies and is researching Internet governance and cybersecurity.

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of CDT.