Recently France has taken the initiative to produce what they call The Paris Call for Trust and Security. This call has garnered signatures of some 57 countries and several hundred companies and organizations (including that of my own employer).* What President Macron and others have recognized is that there is a risk of both state and non-state actors interfering in the lives of everyday people, possibly causing them great harm.
Every day provides a new example of why protection of our institutions is necessary. This video was made some time ago. We’d like to think that security of our infrastructure has improved, but Marriott proved us wrong last week, with over half a billion customer records having been stolen.
The Paris Call seems to address itself to these sorts of civilian attacks, which to me is appropriate. In particular, it focuses on the following areas (I’m condensing just a bit):
- Protection of critical infrastructure,
- Protection of electoral processes (Gee, I wonder who that is aimed at),
- IPR protection,
- Tools development to prevent the spread of malware,
- No hack-backs, where people attempt to take the offense as either a defense or a means of deterrence,
- Acceptance of international norms of behavior.
The Call does not create or call for the creation of any new mechanism to pursue these points, but rather the use of existing mechanisms. Instead, what we appear to be witnessing is the creation of a voting bloc inside existing multilateral and multi-stakeholder processes, as well as a non-binding commitment among the signatories themselves to pursue these principles. It’s all motherhood and apple pie until we understand what the actual instantiation of these principles means. Does it mean, for instance, an end of free software in order to protect content providers? Will it require content publishers to actively protect all rights of copyright holders, even if those holders are unknown?
Also, should these principles apply equally to civilians and the military? Let’s take for example the Stuxnet attack, where some state actor attacked Iran’s nuclear weapons facility. Should that attack have been prevented by these principles? To what end? Helping Iran gain an offensive nuclear capability? If the choice was a cyberattack against a military installation versus a physical attack, where people would surely die, I’ll take the cyberattack any time.
There is another big topic that isn’t covered. Right now governments are all struggling with how to handle cross-border law enforcement. That is, if someone in Jurisdiction A hacks into or uses a computer in Jurisdiction B to attack a person in a third Jurisdiction C, who can reasonably ask Jurisdiction B for the data? This is a massive topic that the Council of Europe has been attempting to address for years. These are knotty issues, because of the limitations on the powers of each country relating to search and seizure.
In short, while this is nice text, it doesn’t seem to me to accomplish much on its own.
It does seem to be a slap at Russia and China, two notably absent countries. Three other notably absent countries are the U.S., Israel, and Iran. Coincidence? I think not.
*The views of my employer surely vary from my own today.