There’s a dangerously misguided provision in the otherwise laudable accord signed recently by 30 leading tech companies.
As cyber enemies proliferate, the United States needs every tool at its disposal to protect itself from attack. But a recent cybersecurity accord between leading technology companies snubs cooperation with the U.S. government, effectively undercutting U.S. cyber deterrence and emboldening cyber adversaries.
Last month, more than 30 technology companies signed the Cybersecurity Tech Accord, aimed at protecting customers from malicious cyberattacks. Facebook, Microsoft, Dell, and Oracle pledged to join forces to mitigate state-sponsored attacks, develop stronger cyber defense capabilities, and prevent bad actors from tampering with their products. However, the companies also vowed not to aid any governments in “offensive” cyber activities.
Everyone should applaud the technology sector for taking a stand to protect its customers and their data. However, we should be wary of the potential consequences of the companies’ refusal to cooperate on offensive cyber operations and the message that it sends to U.S. foreign adversaries.
Although the Accord is narrowly defined to oppose operations against “innocent” enterprises, the line between innocent and dangerous is one that our government – not private-sector business – is best equipped to draw.
The Accord comes roughly a year after two of the most destabilizing state-sponsored cyberattacks on record: WannaCry and NotPetya. WannaCry, a ransomware attack attributed to North Korea, struck almost 200,000 organizations in over 150 countries and inflicted billions of dollars in damages. NotPetya, another ransomware attack, was deemed “the most destructive and costly cyber attack in history” by the Trump Administration. The attack was launched by the Russian military against Ukrainian entities, but quickly spread around the globe. Both attacks resulted in costly financial and reputational damages across the public and private sectors worldwide.
The Accord signatories’ refusal to work with any government on offensive cyber attacks may ultimately undercut their noble effort to protect customers. To best protect people from attacks like WannaCry and NotPetya, you must deter the actors behind the attacks: Russia, China, North Korea, and Iran. And although the Accord showcases a united tech sector, it undermines U.S. deterrence and highlights a vulnerability: private-sector distrust of democratic governments.
Rather than incorporating government entities into the cybersecurity alliance, the Accord undermines them by effectively condemning offensive cyber capabilities most critical to deterring Russia, China, North Korea, and Iran from conducting future cyberattacks. Furthermore, the Accord appears to pit Silicon Valley against Washington, a dangerous move at a time when relations between the two are already strained. Our adversaries want to see a continued breakdown in relations between tech and government; the less coordination between the two, the more vulnerable the United States.
The Accord’s signatories should also remember that the relationship between tech and the U.S. government is a two-way street. Of course, our government badly needs the tech sector’s help in information sharing initiatives, innovative ventures, and strong public-private partnerships. But the tech sector also needs the U.S. government’s help in establishing strong regulations, information exchanges, and best practices throughout the private sector to ensure there are no weak links in the system.
WannaCry and NotPetya are just the start of this new wave of state-sponsored cyberattacks. Whether hackers target private companies or government organizations, citizens will always be the primary victims of these malicious attacks. Technology companies need to actively find ways to work with the U.S. government to protect their customers and data. More importantly, they need to stand side-by-side with the government to deter bad actors and preserve the health and well-being of this democracy – and others that share our values and interests. A capable, credible, and united front is key to any deterrence strategy, especially when dealing with cyber aggressors targeting critical infrastructure, personally identifiable information, and intellectual property.
So to Big Tech: don’t leave Uncle Sam to the cyber fight with one hand tied behind his back. If you do, everyone loses.