A US-led group of tech companies has vowed not to help governments mount cyber attacks against “innocent citizens and enterprises”, in the first attempt by a broad cross-section of the tech industry to stake out a position on cyber warfare.
The commitment includes a pledge to help governments and others that come under attack themselves — potentially putting the tech companies on the side of customers who are the targets of cyber attack from the US.
The initiative, dubbed the cyber security tech accord, was the brainchild of Brad Smith, president and general counsel of Microsoft. Backers of the agreement include Cisco, HP and Facebook, along with European concerns like Nokia, ABB and ARM.
The tech companies behind the accord described it as the first step in what they hoped would be a broader international consensus on the limits of cyber warfare.
“We need to keep pushing the countries of the world for a new digital Geneva convention,” Mr Smith said on Tuesday during a speech at the RSA security conference in San Francisco. A lack of agreement on the limits of cyber warfare had exposed individuals and private companies to attack, he added.
He also called on governments to promise “they will stop targeting tech companies, they will stop targeting the electrical grid, they will stop targeting hospitals” — an allusion to the way last year’s NotPetya attack, since blamed on Russia, hit hospitals in the UK.
The accord is “a very productive measure and long overdue”, said Sean Kanuck, cyber security director at the International Institute for Strategic Studies.
However, he said that the broad pledges made by the tech companies raised many questions about how they would work in practice. “You could write a 500-page treatise out of each of these principles,” he said.
A key late addition during the drafting of the industry pledge was the word “innocent” to describe the entities the tech companies would not help attack, Mr Kanuck said.
Until that point, the tech companies had wanted to make a blanket promise not to get involved in launching attacks. However, that could put them in a position of “refusing to prevent things the whole world wants to prevent”, such as attacking a genocidal regime, he added.
The new wording, however, “introduces uncertainty about what ‘innocent’ means, and who decides who is innocent”, Mr Kanuck said.
The push to get a broad group of tech companies to stake out a position on cyber war followed a narrower attempt by Microsoft to promote a “digital Geneva convention” among governments, said Jim Lewis, a senior vice-president at the Center for Strategic and International Studies.
“You can’t talk about what governments should do, without companies being willing to make a pledge,” he added.