Last week 34 tech companies signed the Cybersecurity Tech Accord saying they won’t help any government, including the U.S., carry out cyber-attacks. That came amid warnings from the U.S. and the U.K. about the Russian government’s global attempts to hack routers and other network equipment. Marketplace Tech host Molly Wood spoke with Bruce Schneier, a cybersecurity expert at Harvard, about how tech companies will play a role in combating international cyber threats. The following is an edited transcript of their conversation.
Bruce Schneier: Microsoft and a bunch of tech companies, primarily U.S. tech companies, have gotten together and agreed that they will not help governments attacking civilians. If one of them is attacked they’ll come to the aid of each other. It’s a nice statement by these companies that the internet infrastructure should be off limits by governments for cyberattack.
Molly Wood: The natural question that arises when they sign something like this is have they helped the government before?
Schneier: Probably not. I mean this is not you get a warrant and you turn over information about a criminal. These are things like the Russian attack on the Ukraine power grid. These are actual cyberattacks we’re talking about and absent from the signatories are companies in Russia, in China, in Iran and North Korea who probably have done this on the behest of their governments. So, it’s really just more making a statement.
Wood: But also absent from the signatories are Google, Apple, Amazon and Twitter. What should we take from that?
Schneier: That there’s a lot of backroom politics here and we don’t understand it. I don’t think Twitter, Google or Amazon have any different positions, but for whatever reason they didn’t want to participate in this press release in this initiative. I don’t think we can read anything sinister into that.
Wood: Do you think it’s fair to draw this connection between the Cybersecurity Tech Accord and what is happening with governments and these pressures around law enforcement? That it’s all part of this increasing tension?
Schneier: It’s hard to know what the Tech Accord covers. I read it and it’s really very squishy. It talks about cyberattack. It uses the word “attack.” Is espionage attack? In the United States, it is not. When China stole 20-something million personal records from the Office of Personnel Management, the United States, the director of national intelligence very carefully corrected a Senator at a hearing, “It was not an attack, sir. It was espionage.” So, we make this very clear distinction between espionage and attack. The Tech Accord talks about attack, but are they making the same distinction? So, I don’t think there’s a lot here, but I don’t want to diss it because let’s start somewhere.
Wood: What do you think could come next? You know if this is a baby step.
Schneier: I mean the two dimensions this gets better are more signatories from other countries and more statements, more things they will do. The question to really ask is how much control they will have. If the U.S. government goes to Microsoft and says, “we are launching a cyberattack on country X, we want your help. Here’s the presidential directive.” Is Microsoft going to say, “well you know Cybersecurity Tech Accord says we don’t do that?” There are rules in the U.S. about commandeering and we’ve never seen a network commandeered. But if there are actual hostilities, I guarantee you corporate networks will be commandeered. This is a statement, but that’s not going to hold in court. It’s not going to be something you’re going to fall back on if there are actual hostilities between nations.
Wood: Right. Like if we actually go to war, there’s not necessarily a promise that Microsoft or some other company can keep.
Schneier: Right, if we go to war, the government goes to Ford and says, “you’re now making tanks” and goes to Google and says, “you’re now part of U.S. Cyber Command.” We’re done.
|Russian cyberattacks “should wake us up,” former Air Force officer says|
|What the nightmare cybersecurity scenario looks like|
|What rules exist around our faces, and how are they tracked?|