French President Emmanuel Macron introduced the Paris Call for Trust and Security in Cyberspace and initially received support from 50 countries, 150 companies and about 170 other organizations — but not from the U.S., China or Russia.
The international cybercrime agreement was put forward as part of Paris Digital Week at the UNESCO Internet Governance Forum. It aims to have countries commit to cooperating on a wide range of cybersecurity efforts, including the following:
- preventing malicious online activity;
- protecting the accessibility and integrity of the internet;
- preventing election interference;
- reducing intellectual property violations;
- preventing the spread of malware and malicious techniques;
- improving cyberhygiene;
- stopping “mercenary activities and offensive action by nonstate actors”; and
- strengthening international standards.
The idea of a cybercrime agreement was first proposed by major tech firms, but failed to gain support during United Nations negotiations in 2017. Then, it was rewritten by French officials in cooperation with the U.N.
“Cyberspace, which is becoming increasingly central to our lives, is a place of opportunity, but also of new threats. The growth in cybercrime and malicious activity can also endanger both our private data and certain critical infrastructures,” officials wrote in the cybercrime agreement. “In order to respect people’s rights and protect them online as they do in the physical world, States must work together, but also collaborate with private-sector partners, the world of research and civil society.”
The Paris cybercrime agreement was initially signed by 50 countries, including many from the EU, Canada, Mexico, Japan and Africa, as well as 150 companies and organizations. The numbers continue to grow two days after the agreement was announced. The accord also had support from major tech companies, like Microsoft, Google and Facebook — the latter of which agreed to allow French officials to observe how the company monitors and deals with hate speech content found on its platform.
The agreement was also signed by many organizations in the infosec space, such as Avast, Bitdefender, Carbon Black, Cisco, Cloudflare, Dell Technologies, ESET, FireEye, GitHub, HP Inc., Hewlett Packard Enterprise, IBM, Imperva, Oracle, RSA and Trend Micro.
No Chinese companies signed the cybercrime agreement, but refusals to sign by Russia and the U.S. were made all the more awkward by the support from so many U.S.-based companies, as well as from Russia’s Kaspersky Lab.
Sen. Amy Klobuchar (D-Minn.) questioned the White House on Twitter.
Why isn’t the Administration pledging to fight cybercrime and election inference? We should be doing everything we can to secure our democracy. https://t.co/eeiYPPRp2z
— Amy Klobuchar (@amyklobuchar), November 13, 2018
Paul Bischoff, online privacy advocate at Comparitech, said it was important to note that the cybercrime agreement is “mostly symbolic” at this point. And he said he doesn’t expect Russia or China to ever sign, because “many of the pact’s measures imply taking action against them.”
“To be clear, countries who signed the pact did not agree to any specific rules, goals or penalties. Instead, they agreed to figure all that out together at a later date,” Bischoff said. “The U.S. is also involved in a fair deal of cyberespionage, and it has its own interests to worry about. The U.S. is home to most of the world’s largest and most profitable tech and internet giants, many of which served as a medium for previous election hacking campaigns. This pact could seek to regulate them. And after seeing [President Donald] Trump walk away from the Paris Climate Accord, I’m not sure why anyone would be surprised at this result.”
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, based in Sunnyvale, Calif., agreed the cybercrime agreement fell short.
“It is symbolic, but it draws attention to the problem of the systemic harm to individuals and critical infrastructure as a result of malicious cyber activities in peacetime,” Bilogorskiy said. “We need to go further. The only effective way to prevent significant widespread attacks will be to institute a formal agreement with a global mechanism of international penalties enforced by many countries. My hope is that the largest governments of the world will not wait for a catastrophic precipitating event to put this type of framework in place.”
Mounir Hahad, head of Juniper Threat Labs, went as far as to call the agreement “dead on arrival.”
“The non-signatories are the countries that are the most active in cyberspace in terms of intercepts, espionage and even offensive cyberwarfare,” Hahad said. “One can hope that the world comes to abide by such an agreement, but it is naive to believe that we are at a point where all countries are ready to sign it. For us to reach that point, the internet has to evolve to allow for irrefutable attribution of cyberattacks, and I’m sad to say that it may also require a catastrophic attack for the world to come to its senses. There is a very strong parallel with nuclear weapons.”
Pravin Kothari, CEO of CipherCloud, based in San Jose, Calif., said the Paris cybercrime agreement was “replete with good intentions, but likely short on practical results.”
“Statements of support to stop online mercenary activities and offensive activity are important and worthy of public praise and U.S. participation. That said, there is no operational legal framework within the Paris Call that can produce any new or meaningful results,” Kothari said. “In the absence of meaningful enforcement within such initiatives such as the Paris Call, we need to continue to call out bad actors, confront them on the world stage, and work with our allies to mitigate and contain their activity.”