Good morning! I’m Cat Zakrzewski, a tech policy reporter at The Washington Post. I’ll be at the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.
The United States was notably absent from the list of more than 50 countries who signed an international agreement on cybersecurity principles revealed in Paris on Monday.
But American technology titans such as Microsoft, Google and Facebook signed the pact, a clear sign that companies are seeking to expand their role in shaping global cybersecurity policy.
The Paris Call for Trust and Security in Cyberspace unveiled by French President Emmanuel Macron outlines a commitment to end “malicious cyber activities in peacetime.” But the non-binding agreement did not include buy-in from the most active cyber actors, including Australia, Russia, China, Iran, North Korea and Israel.
Yet this move to develop norms for the way countries should act in cyberspace was different from previous efforts because of the broad support from the private sector. More than 200 companies and business associations signed the agreement, which says major private-sector actors also have a responsibility to improve cybersecurity.
The agreement highlights how governments are now understanding -- and embracing -- the significant role companies can play in combating threats in cyberspace. And by signing agreements with governments worldwide, it's clear that American companies are becoming a global political force of their own.
Peter Singer, a strategist and senior fellow at the think tank New America, said companies are increasingly banding together to address policy issues, especially because efforts in developing an international framework at the government level have floundered. “These agreements were in part a reaction to lack of government activity,” Singer said.
Klara Jordan, the director of the Cyber Statecraft Initiative at the Atlantic Council think tank, said this is the first agreement of its kind to include principles that address steps the government and private sector should take on cybersecurity. The Atlantic Council was one of almost 100 nongovernmental organizations that also signed the agreement. To address cybersecurity issues, “you need this multistakeholder kind of commitment,” she said.
Companies are recognizing they have responsibilities beyond their business goals to protect people online, Jordan said. “Industry is taking a lead on it.”
As one example, Microsoft has long been taking collective action with other companies to improve cybersecurity. Earlier this year, the company announced the Cybersecurity Tech Accord, a commitment of more than 60 technology and cybersecurity companies to improve the security of cyberspace. Last year, Microsoft President Brad Smith called for a “digital Geneva Convention” to unite companies and governments in tackling cybersecurity issues.
Microsoft is escalating these efforts by signing the pact with other governments. “While the tech sector has the first and highest responsibility to protect this technology and the people who rely upon it, this is an issue that requires that governments, companies and civil society come together,” Smith said in a blog post. “That is the only effective way to protect people from what at times have become military-grade cybersecurity threats.”
Other technology leaders — such as Amazon and Apple — were not among the signatories. The companies did not immediately respond to requests for comment. (Amazon founder and chief executive Jeffrey P. Bezos owns The Washington Post.)
The Paris Call says that the rights people have offline must be upheld online, and that international human rights laws apply in cyberspace. All members of the European Union, as well as Japan, South Korea and other nations, signed on. “We condemn malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals and critical infrastructure and welcome calls for their improved protection,” the pact says.
But ultimately, the effort to set international norms on cybersecurity issues may fall short without buy-in from the major actors in cyberspace. Many of the states absent on the list have been more “aggressive” and have pushed forward on offensive cyber operations, Singer said, adding that the absence of the United States creates bad optics. “It’s not a good look for us to be on the outs and be aligned with China, Russia and North Korea on cyberspace issues."
Jordan also said the lack of U.S. participation was disappointing. “It is in my view a break with what happened in the past administrations, where norms were so important,” she said.
This could make way for other players on the global stage. France and the United Kingdom, Jordan said, are now emerging as leaders in the push to develop international cybersecurity norms. But the absence of the United States also reflects the Trump administration’s aversion to signing on to global pacts, instead favoring a transactional approach to issues, Singer said. He compared the U.S. absence on the cybersecurity pact to the Trump administration's withdrawal from the Paris agreement on climate change.
This approach was one reason the U.N.'s Group of Governmental Experts did not reach a consensus on international cyber laws, Singer said. Singer said the group fell apart in 2017, as the administration took a different approach to global norms and after Russia made an “in-your-face violation” with its hacking attempts on the U.S. presidential election and on Ukraine, highlighted by a 2015 attack on the country's electric grid.
However, CyberScoop reported last month that the State Department was seeking to restart talks in the United Nations on global cyber norms.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “President Trump has told advisers he has decided to remove Homeland Security Secretary Kirstjen Nielsen, and her departure from the administration is likely to occur in the coming weeks, if not sooner, according to five current and former White House officials,” The Washington Post's Nick Miroff, Josh Dawsey and Philip Rucker reported. “Trump canceled a planned trip with Nielsen this week to visit U.S. troops at the border in South Texas and told aides over the weekend that he wants her out as soon as possible, these officials said.” My colleagues reported that Trump is unhappy with the way she has implemented his immigration policy. But Nielsen's ouster would also affect the federal government's cybersecurity policies since DHS oversees election security initiatives, critical infrastructure protection and other cybersecurity efforts.
White House Chief of Staff John F. Kelly opposes a Nielsen departure and is trying to delay it, according to my colleagues. “Nielsen worked on disaster-management response in the Bush White House, then in the private sector and academia as a cybersecurity expert before returning to DHS to work as chief of staff under Kelly when he was homeland security secretary during Trump’s first six months in office,” Nick, Josh and Philip wrote.
PATCHED: Experts and officials have suggested several possible reasons that Russian operatives apparently decided to sit out the midterms, the Wall Street Journal's Dustin Volz and Robert McMillan reported. For instance, it would be complicated to interfere in so many individual races throughout the country. Another possible explanation is that the Trump administration's cyber deterrence efforts may be working. “Still a third possibility, experts say: Russian President Vladimir Putin, figuring he had successfully inflamed political divides and undermined confidence in American democracy, may have been content to kick back and watch others do the work for him,” Volz and McMillan wrote.
But the midterm elections were held just last week, and as the Journal reported, “current and former officials cautioned that it may be too early to declare victory. The intelligence community didn’t fully grasp the Russian influence operation to denigrate Democrat Hillary Clinton and boost Mr. Trump until months after the 2016 election. Russia’s online disinformation efforts weren’t well understood until nearly a year later.” Still, Clint Watts, a distinguished research fellow at the Foreign Policy Research Institute and former FBI special agent, told the Journal that he thinks Russia would have trouble replicating its 2016 efforts to spread disinformation. “I don’t think they’ll be able to do it in the same way they did in 2016 ever again,” Watts said, as quoted by Volz and McMillan. “The public is so much more aware of this stuff.”
PWNED: “Facebook will open its doors for French regulators to study its approach to combating hate speech online, marking the latest attempt by governments around the world to figure out new ways to thwart toxic, derogatory content from spreading on social media,” The Washington Post's Tony Romm and James McAuley reported. “Under a six-month arrangement announced on Monday, French investigators will monitor Facebook’s policies and tools for stopping posts and photos that attack people on the basis of race, ethnicity, religion, sexuality or gender. From there, aides to [Macron] hope to determine ‘the necessary regulatory and legislative developments’ to fight online hate speech, a government official said.”
The announcement follows other initiatives in Europe that aim to regulate online platforms. “In the United States, hate speech generally is protected under the First Amendment, so members of Congress have been hesitant to write a new law even amid broad, bipartisan disgust with the spread of hate-tinged content online,” Tony and James wrote. “In Europe, though, there’s been a greater appetite to regulate. Germany, for example, began enforcing new rules in January that fine tech giants for failing to take down hate speech within a day. The European Union, meanwhile, recently has proposed levying steep penalties on sites that fail to spot and take down terrorist content within an hour.”
— Security experts have warned online voting is a bad idea. But one Florida county allowed some voters to cast ballots by email. "As counties recount ballots in three statewide races and lawyers battle over the complex vote tallying in court, the top elections official in Bay County said he allowed some displaced voters to cast ballots by email or fax after Hurricane Michael hit the Panhandle, even though there is no provision for it in state law,” Elizabeth Koh of the Miami Herald and Tampa Bay Times reported. “Bay County Supervisor of Elections Mark Andersen said Monday that 11 ballots were accepted by email and 147 ballots were domestically faxed in, though state statute does not allow emailed ballots and faxing in ballots is only permitted for military and voters overseas.”
— “South Carolina election officials said Friday they’re pushing ahead with plans to replace the state’s nearly 13,000 electronic voting machines in time for the next presidential election in 2020, following complaints by some voters last week that the aging equipment changed their ballots or simply broke down, causing extreme wait times at polling places,” StateScoop's Benjamin Freed reported. “The State Election Commission said it is requesting $60 million from South Carolina lawmakers to swap out the existing equipment, which was purchased in 2004, for a balloting system that can produce a paper ballot.”
— More cybersecurity news from the public sector:
— “Facebook failed to closely monitor device makers after granting them access to the personal data of hundreds of millions of people, according to a previously unreported disclosure to Congress last month,” the New York Times's Nicholas Confessore, Michael LaForgia and Gabriel J.X. Dance reported. “Facebook’s loose oversight of the partnerships was detected by the company’s government-approved privacy monitor in 2013. But it was never revealed to Facebook users, most of whom had not explicitly given the company permission to share their information. Details of those oversight practices were revealed in a letter Facebook sent last month to Senator Ron Wyden, the Oregon Democrat, a privacy advocate and frequent critic of the social media giant.”
— “Cyber security, energy price shocks and failure of national governance are among the biggest threats to business in 2018, according to research published Monday,” CNBC's Chloe Taylor reported. “The World Economic Forum (WEF) spoke to more than 12,000 executives around the world about what they considered to be the biggest risks to doing business, ranging across political, societal and technological concerns.” The report said that cyberattacks are considered to be the top risk for business in three regions — North America, East Asia and the Pacific, and Europe — out of eight.
— More cybersecurity news from the private sector:
— “The personal information of American charity donors, political party supporters, and online shoppers, has continued to quietly leak onto the internet as a result of poor website security practices, new research shows,” Bloomberg News's Nate Lanxon reported. “As many as one in five e-commerce sites in the U.S. are still leaving their customers exposed, Philadelphia-based search marketing company Seer Interactive said Monday.” Moreover, Bloomberg News was also able to access personal user information from several organizations just via Google searches.
“The vulnerability can be caused by a number of basic errors, one of which is that if a website lets a user share a transaction on social media — such as to promote a charitable donation — a search engine can see their post, and from there index the original web page, whether the user knows this or not,” Lanxon wrote. “With no security protection in place, these pages are available to anyone.” Additionally, according to Bloomberg News, another “explanation is that when a website operator creates an index of pages on their server to give to Google — known as a ‘site map’ — pages that should be only visible by a customer can be accidentally included.” Such vulnerabilities could allow criminals to gather and use personal data for a variety of scams, Lanxon reported.
— “A rising tide of nationalism in India is driving ordinary citizens to spread fake news, according to BBC research,” the BBC reported. “The research found that facts were less important to some than the emotional desire to bolster national identity. Social media analysis suggested that right-wing networks are much more organised than on the left, pushing nationalistic fake stories further. There was also an overlap of fake news sources on Twitter and support networks of Prime Minister Narendra Modi.”
— More cybersecurity news from abroad:
- Pen Test HackFest Summit in Bethesda, Md.
- Infosecurity North America conference tomorrow through Thursday in New York.
- House Armed Services subcommittee hearing on “interagency cyber cooperation” tomorrow.
- Senate Armed Services subcommittee hearing on the “Department of Defense’s cybersecurity acquisition and practices from the private sector” tomorrow.
- The Center for American Progress organizes an event on election security in Washington on Thursday.
- The U.S. Chamber of Commerce hosts a conference, titled “Critical Infrastructure Risk Management: A Path Forward,” in Washington on Friday.
Some of the Trump administration investigations Democrats plan to pursue:
Newly revealed North Korean ballistic missile bases operational:
Remembering Stan Lee, godfather to all Marvel superheroes: