News

Microsoft Backs Industrywide Cybersecurity Pledge

• By Kurt Mackie
• April 18, 2018

Microsoft on Tuesday joined other tech industry giants in signing the new Cybersecurity Tech Accord.

The accord asks companies to commit to four security tenets within their organizations. The four commitments are general policy-and-procedure kinds of statements, which have broad scope in terms of commercial, public and governmental relations.

There were 34 signers in all, as listed in this announcement. They include software and chip makers (such as Microsoft and ARM Holdings), anti-malware solution providers (such as Bitdefender, CA Technologies, FireEye, F-Secure, Symantec and Trend Micro), a telecom company (Telefonica), and computer and networking equipment manufacturers (such as Cisco Systems, Dell, HP and Juniper Networks).

Even Facebook is a member of the Cybersecurity Tech Accord.

In general, the companies are pledging to protect all of their customers against cyberattacks. They promise not to help governments launch attacks on individuals or businesses, nor will they tamper with products or services to that end. They'll collaborate with businesses on improving security protections and practices. Lastly, they plan to establish "partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace."

The accord was marked on Tuesday in an announcement by Brad Smith, Microsoft's president. He noted that Microsoft had earlier called on the formation of a "Digital Geneva Convention" for governments to address cyberattacks, and that other tech companies agreed with the idea. Smith described the Cybersecurity Tech Accord as "an important step" in that context. It has "broad support" from industry leaders and "cybersecurity firms," and it promises to grow over time, he indicated.

Potentially, the Cybersecurity Tech Accord could be a big step for Microsoft, as well. Microsoft, as well as Facebook and other service providers, were portrayed in a leaked U.S. National Security Agency slide as being participants in the PRISM program, which siphoned off public Internet traffic. Smith later denied Microsoft's participation in that program. Participation in government spying or counter-terrorism efforts might be construed differently, though, from conducting cyberattacks, but Microsoft was also alleged back then to have altered its Skype, OneDrive and Outlook solutions to facilitate NSA access to traffic. If so, such product tampering possibly isn't permitted under the new Cybersecurity Tech Accord, at least if it were done for cyberattack purposes.

The Cybersecurity Tech Accord says nothing about government spying. It's not necessarily about protecting privacy.

Microsoft notably sparred with the U.S. government on handing over information from its servers located in Ireland in a purported drug trafficking investigation. It was an indication that Microsoft was willing to go to court to protect its paying cloud service customers from government snooping, at least when the data was located overseas. On Tuesday, Reuters reported that the Supreme Court had dropped hearing the case, which had pitted Microsoft against the U.S. Department of Justice.

The case was dropped, in part, because of the passage of the CLOUD Act, a mild measure that just states that cloud service providers can challenge search warrants in court when there's a conflict in laws between countries. However, the CLOUD Act also has a provision against service providers having to install backdoors or break encryption.

Since cyberattacks, and not privacy, is the subject of the Cybersecurity Tech Accord, there may not be conflict between industry and governments with the new industry accord, especially as governments continue the practice of tapping Internet and telecommunications traffic. The accord just seems to draw the line on helping to facilitate attacks.

The Cybersecurity Tech Accord is just an industry agreement. It's not a law. The New York Times reported that Microsoft had informed the Trump administration about the accord, and there were no objections raised.