The US, China and Russia are some of the big names that are missing from the list of signees of the Paris Call for Trust and Security in Cyberspace: an initiative designed to establish international etiquette with regard to the internet, including coordinating disclosure of technical vulnerabilities.
French President Emmanuel Macron announced the agreement on Monday at the annual UNESCO Internet Governance Forum in Paris.
The document proposes rules of engagement for a slew of internet-related challenges, including cooperating to fend off interference in elections, online censorship and hate speech, intellectual property theft, malware proliferation and cyberattacks, and the use of cyberweapons to hack back… or, in the parlance of the US military, “offensive hacking,” as in, what the Department of Defense gave itself the power to do in the new military strategy it set forth in September.
The document has been endorsed by more than 50 nations, 90 nonprofits and universities, and 130 private corporations and groups.
You can see why the accord’s attitude about cyberwarfare wouldn’t fly with a lot of countries. Besides the US, some of the nations that abstained from signing on, including China and Iran, have active cyberwar programs. As we reported last week, Iran unravelled the CIA’s secret online network years ago with simple online searches, leading to informants being left vulnerable to exposure and execution worldwide.
Wired characterized the Paris Call as “lacking teeth,” with no legal requirements for governments or corporations to adhere to its principles.
It’s mostly a symbol of the need for diplomacy and cooperation in cyberspace, where it’s hard to enforce any single country’s laws.
Even some of the groups that support the Paris agreement say it’s not perfect. Access Now, an international non-profit dedicated to a free and open internet, pointed out that the accord, in promoting cooperation between industry and law enforcement when it comes to fighting cybercrime, could mean a few things, not all of them good.
Would such cooperation entail weakening encryption to enable backdoors, for example, a crippling of security for which law enforcement has been strenuously campaigning? Access Now certainly thinks so:
“Judicial orders should be the basis for any assistance between providers and law enforcement. Cooperation, on the other hand, can be interpreted to mean informal exchange of data or the intentional weakening of platforms to enable law enforcement access. As such, ‘cooperation’ is not the proper framework for the relationship between law enforcement and companies.”
The Paris Call also refers to the Budapest Convention: a cybercrime treaty that has been criticized for its broad definition of what constitutes “crime.” We can look to the US for a recent example of how that can play out: in February, the US state of Georgia drew up what critics called a “misguided” bill that could have criminalized security research.
Then too, Access Now said, the Council of Europe is developing an additional protocol that would extend law enforcement’s ability to reach data stored across borders. But will it be crafted with an eye toward protecting human rights? Or will repressive regimes be given greater latitude to unmask activists, journalists, and/or persecuted groups, such as LGBTQ people or dissidents?
In spite of these reservations, plus concern about the potential limiting of the free flow of information online in the case of zealous intellectual property protections, Access Now signed on. Others that signed on to the Paris Call include technology companies such as Microsoft, Oracle, Facebook, IBM, and HP.
Wired quoted Microsoft President Brad Smith, who also gave a speech on Monday in Paris. Smith:
“It’s an opportunity for people to come together around a few of the key principles: around protecting innocent civilians, around protecting elections, around protecting the availability of the internet itself. It’s an opportunity to advance that through a multi-stakeholder process.”
This is characteristic of the new responsibilities that corporations such as Microsoft are shouldering when it comes to keeping the internet secure. Wired quoted Megan Stifel, the cybersecurity policy director at Public Knowledge, a nonprofit that also signed on to the Paris Call:
“If you look over the past three or four years, we’ve really seen a groundswell of private leadership. The private sector is now willing to say that we can and we will do more.”
One of many examples of nation-like behavior coming from corporations is the war room that Facebook set up last week in an effort to fight misinformation on a global level and to protect election integrity. Microsoft, for its part, disrupted alleged Russian Fancy Bear election meddlers in August.
Of course, it’s in corporations’ best interests to have a safer, more predictable internet, and to avoid getting dragged in front of Congress to answer for it when it’s less than safe. Drew Mitnick, policy counsel at Access Now, said that the Paris Call might not be perfect, but it’s a step in the right direction, and for the time being, we can look forward to Paris Call 2.0:
“The document is imperfect but it arrives as other governments, that did not endorse the Paris Call, have shown a competing vision for cybersecurity grounded instead in state sovereignty and control.”
Look for Paris Call 2.0 to come next year, when it reconvenes in Germany.