As cyber threats mount, ‘coalition of the willing’ needed

Cybersecurity experts at last week’s World Economic Forum Annual Meeting called for a “coalition of the willing” to embrace the Paris Call of 12 November 2018 for Trust and Security in Cyberspace (the Paris Call), a multistakeholder declaration that favours the development of common principles for securing cyberspace.

The Paris Call, which has been signed by 64 states, more than 300 private-sector companies and over 150 NGOs and other civil society organisations, offers a framework for multilateral action on addressing the critical issue of cybersecurity in a time of increasingly prolific and sophisticated attacks by criminal organisations as well as nation states.

“It’s really about keeping the world safe,” says Bradford Smith, president and chief legal officer of Microsoft. “The world depends on digital infrastructure, it depends on our devices, and they’re under attack every single day.”

While noting that the Paris Call has been signed by all 28 members of the European Union and by all but one member of NATO, as well as other democratic states, including Australia, Japan, New Zealand, Singapore and South Korea, Smith singles out two holdouts: India and the US.

“The world’s biggest democracy needs to stand with the world’s other great democratic nations,” he says. “The world needs India.”

Smith attributes US reluctance to sign to the current American administration’s aversion to multilateralism, but warns: “Some of the most serious attacks are those against democracy itself. The most significant threat is to voting systems.”

Although he acknowledges the difficulty of assessing the actual impact of interference operations on the outcome of the 2016 US election, Smith says: “Let’s focus on what we do know. We do know that 30-million Americans have read intentional disinformation by governments, and they shared it, they liked it, and they believed it. It was done with the goal of disrupting democracy. It was not limited to the US alone … every single candidate running for the French presidency was attacked in some way.

“It is a problem, a threat to democracy, and needs to be addressed.”

Smith and other cybersecurity experts emphasise the importance of attribution but said that attribution itself is not enough. “I don’t think one can expect governments to change what they’re doing if there aren’t consequences,” he says.

Smith points out that the responsibility for security begins with the tech companies themselves.

“People can’t trust tech unless they have confidence in the companies that create the technology,” he says, noting that the Cambridge Analytica incident, in which Facebook user data was acquired illicitly by a now-defunct political data analytics company, was a turning point in public distrust of tech companies.

“Tech companies and the sector as a whole need to address this, and they must start with acknowledging the skepticism.” Action needs to be taken, he said. “The public has developed a keen ability to differentiate between words and deeds.”

He adds, however, that “we shouldn’t look to the private sector alone to respond to what are essentially military grade cyberattacks. The private sector has not saved the nation from military attacks before.”