17 November 2018

U.S. hasn't signed cyber principles — yet


The United States has not signed the Paris Call for Trust and Security in Cyberspace, a pact between 51 countries and hundreds of the important companies in tech, nonprofits and universities. At least, not yet.

The big picture: Signatories tell Axios that the U.S. hasn't shut the door on the agreement of general principles for internet security. The agreement, a first-of-its-kind document involving both the public and private sector, could be a significant step toward a global understanding of what countries are and aren't permitted to do online — but that's likely only if the U.S. lends its heft.

What they're saying: "It is a missed opportunity for the U.S., especially because the agreement is nonbinding," Peter Singer, a strategist and senior fellow at the New America Foundation, told Codebook via email.


The Paris Call is a handshake establishing principles, including:
Human rights should extend to online spaces.
Countries should work together to prevent the theft of intellectual property (as China is accused of doing), election tampering (as Russia is accused of orchestrating) and destabilizing the core of the internet (as China may have done through BGP hijacking).
Countries should never release malware causing indiscriminate harm to the public (as Russia and North Korea are accused of doing with NotPetya and WannaCry).
The private sector will not risk collateral damage by "hacking back" their hackers.

Other odds and ends: It also stipulates:
Disclosure programs and other basic cybersecurity measures are generally good.
The private sector must play a role in comprehensive security plans.

Who didn't sign: The U.S. is not the only nation that didn't sign the Paris Call. But many of the other nonsignatories skew in an unflattering direction: They include North Korea, Russia, Iran and China.
3 out of 5 of the nations in the powerful Five Eyes alliance signed the accord. (The U.K., Canada and New Zealand did. The U.S. and Australia did not.) Israel didn't sign, either.

The intrigue: The United States appears to have two motivations not to sign.

1. Trump hates these things. President Trump likes deals, not agreements. He likes bilateral, transactional things where he feels like the U.S. comes out ahead. This is more of a zero-sum affair, where everyone in the world benefits because everyone gives something up.
"The problem is that so many threats to U.S. security simply can't be solved in that way. Whether it is cybersecurity or environmental or nuclear nonproliferation issues, they are multilateral and multilayered," said Singer.

2. Big dogs don't like fences. And nearly all the major cyber powers (U.S., North Korea, China, Iran, Russia and Israel) stayed out of the agreement, likely hesitant to place even nonbinding restrictions on how they act. One exception is the United Kingdom, who signed the agreement.
"While the goal of the Call is laudable, and the list of industry signatories in particular is impressive, without the U.S. and other offensive-minded states as signatories, it feels a bit like the players on the sidelines telling the ones in the game to stop playing," said Betsy Cooper, a one-time attorney and adviser at the Department of Homeland Security who was just named director of the new Aspen Tech Policy Hub.

No comments: