Corporate Involvement in International Cybersecurity Treaties

The Paris Call for Trust and Stability in Cyberspace is an initiative launched by French President Emmanuel Macron during UNESCO’s 2018 Internet Governance Forum. It’s an attempt by the world’s governments to come together and create a set of international norms and standards for a reliable, trustworthy, safe, and secure Internet. It’s not an international treaty, but it does impose obligations on the signatories. It’s a major milestone for global Internet security and safety.

Corporate interests are all over this initiative, sponsoring and managing different parts of the process. As part of the Call, the French company Cigref and the Russian company Kaspersky chaired a working group on cybersecurity processes, along with French research center GEODE. Another working group on international norms was chaired by US company Microsoft and Finnish company F-Secure, along with a University of Florence research center. A third working group’s participant list includes more corporations than any other group.

As a result, this process has become very different from previous international negotiations. Instead of governments coming together to create standards, it is being driven by the very corporations that the new international regulatory climate is supposed to govern. This is wrong.

The companies making the tools and equipment being regulated shouldn’t be the ones negotiating the international regulatory climate, and their executives shouldn’t be named to key negotiation roles without appointment and confirmation. It’s an abdication of responsibility by the US government for something that is too important to be treated this cavalierly.

On the one hand, this is no surprise. The notions of trust and stability in cyberspace are about much more than international safety and security. They’re about market share and corporate profits. And corporations have long led policymakers in the fast-moving and highly technological battleground that is cyberspace.

The international Internet has always relied on what is known as a multistakeholder model, where those who show up and do the work can be more influential than those in charge of governments. The Internet Engineering Task Force, the group that agrees on the technical protocols that make the Internet work, is largely run by volunteer individuals. This worked best during the Internet’s era of benign neglect, where no one but the technologists cared. Today, it’s different. Corporate and government interests dominate, even if the individuals involved use the polite fiction of their own names and personal identities.

However, we are a far cry from decades past, where the Internet was something that governments didn’t understand and largely ignored. Today, the Internet is an essential infrastructure that underpins much of society, and its governance structure is something that nations care about deeply. Having for-profit tech companies run the Paris Call process on regulating tech is analogous to putting the defense contractors Northrop Grumman or Boeing in charge of the 1970s SALT nuclear agreements between the US and the Soviet Union.

This also isn’t the first time that US corporations have led what should be an international relations process regarding the Internet. Since he first gave a speech on the topic in 2017, Microsoft President Brad Smith has become almost synonymous with the term “Digital Geneva Convention.” It’s not just that corporations in the US and elsewhere are taking a lead on international diplomacy, they’re framing the debate down to the words and the concepts.

Why is this happening? Different countries have their own problems, but we can point to three that currently plague the US.

First and foremost, “cyber” still isn’t taken seriously by much of the government, specifically the State Department. It’s not real to the older military veterans, or to the even older politicians who confuse Facebook with TikTok and use the same password for everything. It’s not even a topic area for negotiations for the US Trade Representative. Nuclear disarmament is “real geopolitics,” while the Internet is still, even now, seen as vaguely magical, and something that can be “fixed” by having the nerds yank plugs out of a wall.

Second, the State Department was gutted during the Trump years. It lost many of the up-and-coming public servants who understood the way the world was changing. The work of previous diplomats to increase the visibility of the State Department’s cyber efforts was abandoned. There are few left on staff to do this work, and even fewer to decide if they’re any good. It’s hard to hire senior information security professionals in the best of circumstances; it’s why charlatans so easily flourish in the cybersecurity field. The built-up skill set of the people who poured their effort and time into this work during the Obama years is gone.

Third, there’s a power struggle at the heart of the US government involving cyber issues, between the White House, the Department of Homeland Security (represented by CISA), and the military (represented by US Cyber Command). Trying to create another cyber center of power within the State Department threatens those existing powers. It’s easier to leave it in the hands of private industry, which does not affect those government organizations’ budgets or turf.

We don’t want to go back to the era when only governments set technological standards. The governance model from the days of the telephone is another lesson in how not to do things. The International Telecommunications Union is an agency run out of the United Nations. It is moribund and ponderous precisely because it is run by national governments, with civil society and corporations largely alienated from the decision-making processes.

Today, the Internet is fundamental to global society. It’s part of everything. It affects national security and will be a theater in any future war. How individuals, corporations, and governments act in cyberspace is critical to our future. The Internet is critical infrastructure. It provides and controls access to healthcare, space, the military, water, energy, education, and nuclear weaponry. How it is regulated isn’t just something that will affect the future. It is the future.

Since the Paris Call was finalized in 2018, it has been signed by 81 countries — including the US in 2021 — 36 local governments and public authorities, 706 companies and private organizations, and 390 civil society groups. The Paris Call isn’t the first international agreement that puts companies on an equal signatory footing as governments. The Global Internet Forum to Combat Terrorism and the Christchurch Call to eliminate extremist content online do the same thing. But the Paris Call is different. It’s bigger. It’s more important. It’s something that should be the purview of governments and not a vehicle for corporate power and profit.

When something as important as the Paris Call comes along again, perhaps in UN negotiations for a cybercrime treaty, we call for actual State Department officials with technical expertise to be sitting at the table with the interests of the entire US in their pocket…not people with equity shares to protect.

This essay was written with Tarah Wheeler, and previously published on The Cipher Brief.

Posted on May 6, 2022 at 6:01 AM • 12 Comments

Comments

Ted May 6, 2022 9:18 AM

we call for actual State Department officials with technical expertise to be sitting at the table with the interests of the entire US in their pocket

Awesome article. I’m really interested in how the Bureau of Cyberspace and Digital Policy (CDP) – launched April 4, 2022 and nested in the State Dept – will play in this space.

I hope the Senate confirmation of the Bureau’s “Ambassador-at-Large” is publicly broadcast.

nobody May 6, 2022 10:22 AM

The US has a very long history of essentially delegating commercially-relevant international treaty negotiations to the corporations that will be impacted by the resulting treaties. US positions during WTO rounds and in the (defunct) TPP were written by US corporations, to the complete exclusion of all other input.

Putting US businesses first is situation normal.

Gordon Gekko May 6, 2022 11:33 AM

Corporations already make policy. Many of our lawmakers are just well paid proxies.

It’s like everyone has forgotten 2008, when Banks (who were left responsible for policing themselves) cratered the economy. Do you really trust a bunch of Bay Area oligarchs to do the right thing? Really? REALLY?

But we all know boot licking has its rewards, eh? All the small perks afforded to celebrities

Clive Robinson May 6, 2022 1:18 PM

@ Bruce,

Back in 2014 there was a meeting of the ITU in Doha, in which Google was strongly involved.

Back then I said that people should take serious interest in what was going on.

I also mentioned that during that ITU meetup it was very clear that Russia and other states were very unhappy about “the all roads lead to Rome” or rather Washington of the Internet, and that balkanisation was going to follow sooner rather than later.

Here we are at that magic “eight year point” where it’s now of such urgent concern to people…

Well we really should have been concerned back in 2014 when we had a chance to keep the Internet on track.

We failed, so now we are reaping the crop of weeds that grew because of what we failed to sow…

Now really is “too little too late”…

JohnJay May 6, 2022 2:40 PM

“a reliable, trustworthy, safe, and secure Internet” means an internet where every participant can be identified, and therefore free speech can be suppressed. Microsoft, Google, and Apple have called for an end to passwords, and in their place is your phone, their app, and a biometric ID of you personally. If you spread the “misinformation” that is any opinion contrary to the view of those in power, you can be silenced.

Clive Robinson May 6, 2022 5:51 PM

@ JohnJay,

With regards,

“a reliable, trustworthy, safe, and secure Internet”

Even the Chinese know you can only ever have two of the four of “reliable”, “trustworthy”, “safe” and “secure”.

If you want “reliable and trustworthy” you can not have “safe and secure”.

To be reliable it can not also be safe, likewise to be trustworthy it can not be secure. It can take a while for people to fully get their heads around this…

That is “to be safe” the Internet has to be unreliable by blocking access in various ways. The only way for the Internet “to be trustworthy” is by it being insecure and having no privacy for anyone.

Georg May 8, 2022 7:05 AM

Bruce wrote that

Different countries have their own problems, but we can point to three that currently plague the US.

First and foremost, “cyber” still isn’t taken seriously by much of the government,

Could be that to the prevailing mindset “cyber” is just not as cool or “hands on” as, say, the opportunity to militarize the police departments thanks to 1033.

Sumadelet May 11, 2022 5:05 AM

Commingling corporate interests and state interests is regarded by many as a bad idea. I agree that putting the development of technological standards in solely state hands should be avoided. I feel that independent standards-setting institutions are needed, that take input from several parties. Those parties should include corporations, but also government and (independent) academia. I’m not sure who would be tasked with preserving the rights of individuals – possibly one or several ombudsmen or similar functional groups. All this requires the political will, which is a different topic.

ResearcherZero May 11, 2022 3:30 PM

Designs and software from corporate contractors are exfiltrated from their premises by foreign actors, and occasionally completed overseas before the contractor has a working product of their own. Some designs are not the contractor’s own designs, they are just another part of an often weak and vulnerable supply chain.

Systems that once started development for gathering raw signals data are now corporate money making ventures. When some of these platforms were pitched, signals intelligence officers were horrified, they were seen as very dangerous. The bureaucrats’ eyes, however, were like that of the Greedy Greedy Fox. Big, fat, black dilated pupils, sockets wide-open.

This pitch was especially worrying when it was first made, and it was at the time just a concept…

“I like making fun of our own people,” Clark began. Pulling up a Google Maps-like satellite view, the sales rep showed the NSA’s headquarters in Fort Meade, Maryland, and the CIA’s headquarters in Langley, Virginia. With virtual boundary boxes drawn around both, a technique known as geofencing, A6’s software revealed an incredible intelligence bounty: 183 dots representing phones that had visited both agencies potentially belonging to American intelligence personnel, with hundreds of lines streaking outward revealing their movements, ready to track throughout the world. “So, if I’m a foreign intel officer, that’s 183 start points for me now,” Clark noted.

Anomaly Six claims that it can track roughly 3 billion devices in real time, equivalent to a fifth of the world’s population.
https://theintercept.com/2022/04/22/anomaly-six-phone-tracking-zignal-surveillance-cia-nsa/

Other systems are weapons systems, with some of the contractors completely unaware of long existing foreign operations dedicated to obtaining the information that they possess on-site at their small premises. Foreign actors are often better aware of who possesses what than our own bungling and sprawling bureaucracies.

Explaining these facts to politicians is akin to explaining electrical engineering to a kindergarten. Though I do not doubt it is at the kindergarten where one would have the most success.

Clive Robinson May 11, 2022 5:22 PM

@ ResearcherZero, ALL,

Re : Though I do not doubt it is at the kindergarten where one would have the most success.

I’ve tended to find that most children are curious about the world and not so very badly handicapped by cognitive bias or self entitlement.

To say too many politicians are thicker than a stack of a dozen toilet seats is perhaps unkind…

But let’s be honest, politicians are mainly the self entitled suffering from at least two of the four dark mental aberrations (narcissism, sadism, Machiavellianism and psychopathic failings). In fact in some cases their cognitive bias is such a handicap they appear worse than stupid, and in fact worse than moronic (F12 Key Governor[1]).

But their long-term plan is to deny the citizens and tax payers real knowledge and attacking “The press” in all ways possible the name of the game (Remember the journalists machine gunned by US troops even though they were clearly not targets for the military[2]). Even US journalists have come under increasing pressure not just from US Politicians, but US Police and other US agencies.

Unfortunately they are so far getting away with it.

I know that the US is not as bad as some other nations, but honestly people in the US should start asking, “In reality, just how far behind them is the US?”.

The same question should be asked in,

Australia, Britain, Canada, France, Israel, and a number more in “the G20 and guests” at the very least.

We are losing two battles simultaneously,

1, Privacy in all electronic communications.
2, The ability to communicate other than electronically.

I’m sure it does not take much imagination to see what the combined result will be.

[1] Missouri Governor Mike Parson appears to be a prime example of “brain not present” thinking,

https://www.nytimes.com/2021/10/15/us/missouri-st-louis-post-teachers-hack.html

However the fact he has doubled down and is trying to get new legislation so broad that even seeing a computer in use in a public library could be called a crime, tells you there is something else behind it. Mr Parson basically wants a law that can be used to stop his failings and the failings of those under his responsibility from being made public. He is not alone in this, every US President from Obama onwards has gone after the press in every which way they can. To politicians of a certain kind press freedom is an anathema or aberration that has to be bludgeoned into the ground so that only the “chosen” politicians voice will be heard.

[2] There have been quite a few reported cases of US troops opening up on journalists, especially foreign journalists. But two that have sufficient supporting evidence to start murder investigations and trials are the death of a Reuters news photographer and their driver, and an ITN Journalist. The US military has just “arm waved them away”…

Chris Drake May 15, 2022 8:15 PM

INCREDIBLY short-sighted commentary.

This is what happens when Government gets involved: https://www.theguardian.com/australia-news/2021/aug/25/australian-powers-to-spy-on-cybercrime-suspects-given-green-light

Which over-night destroyed the entire Australian Cyber industry, and all software worked on by anyone of Aussie nationality.

Gag-ordered backdoor additions on threat of jailed-for-life ? It is LONG OVERDUE that manufacturers got involved and tried to clean up the wreck that Government self-interest has made of everything.
