On November 12, at the UNESCO Internet Governance Forum (IGF), President Emmanuel Macron launched the Paris Call for Trust and Security in Cyberspace. This high-level declaration on developing common principles for securing cyberspace is meeting with mixed reviews. Some are optimistic that it is a step in the right direction, and others, well, not so much.
Here’s what cybersecurity experts have to say.
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks:
“I appreciate the Paris initiative; however, it falls short of being the Digital Geneva Convention. It is symbolic, but it draws attention to the problem of the systemic harm to individuals and critical infrastructure as a result of malicious cyber activities in peacetime.
We need to go further. The only effective way to prevent significant widespread attacks will be to institute a formal agreement with a global mechanism of international penalties enforced by many countries. My hope is that the largest governments of the world will not wait for a catastrophic precipitating event to put this type of framework in place.”
Mounir Hahad, head of the Juniper Threat Labs:
“This initiative is DOA (Dead On Arrival). The non-signatories are the countries that are the most active in cyberspace in terms of intercepts, espionage and even offensive cyber warfare.
One can hope that the world comes to abide by such an agreement, but it is naive to believe that we are at a point where all countries are ready to sign it. For us to reach that point, the internet has to evolve to allow for irrefutable attribution of cyber attacks and I’m sad to say that it may also require a catastrophic attack for the world to come to its senses. There is a very strong parallel with nuclear weapons.
In my opinion, President Macron knew this agreement would be signed, it is an opportunity for him and others to openly point out to the whole world who the bad players are.”
Colin Bastable, CEO, Lucy Security:
“The conflict is between those who want an unregulated internet and those who want a regulated internet.
We see from the ‘Paris Call for Peace and Security in Cyberspace’ how nation-states and global entities (corporations, NGOs etc.) combine to impose control. That the pact was signed by 51 countries, hundreds of companies, and 92 non-profit organizations, universities, and advocacy groups indicates that there was a lot of background work being undertaken by national and global interests – you can’t assemble and align such a large group overnight.
It is a three-cornered fight – globalists who want global control, nationalists who want national control, and users who want personal control.
We should not seek reconciliation in this conflict – conflict drives innovation. Tension between interest groups creates new technologies.
The Web is 30 years old – Tim Berners-Lee’s new startup Inrupt (https://www.inrupt.com/) could reboot the Internet, change the rules, and it will also spawn new tools for control.”
Pravin Kothari, CEO, CipherCloud:
“The Paris Call for Trust and Security in Cyberspace is replete with good intentions but likely short on practical results. Statements of support to stop online mercenary activities and offensive activity are important and worthy of public praise and U.S. participation. That said, there is no operational legal framework within the Paris Call that can produce any new or meaningful results.
If you ask the Chinese government today, I expect they will tell you that they support all of these principles. Yet China continues to lead in boldfaced and brazen cyberattack activity around the world. Depending on the exact timing and sources quoted, roughly between 25% to over 40% of cyber attacks worldwide seem to involve China. Chinese nation-state attributed attacks such as Byzantine Hades, GhostNet, Aurora, Titan Rain, and the constant efforts of Unit 61398 of the People’s Liberation Army to hack, steal, and damage the interests of many other nations continue unabated.
In the absence of meaningful enforcement within such initiatives such as the Paris Call, we need to continue to call out bad actors, confront them on the world stage, and work with our allies to mitigate and contain their activity.”
Paul Bischoff, privacy advocate at Comparitech.com:
“To be clear, countries who signed the pact did not agree to any specific rules, goals, or penalties. Instead, they agreed to figure all that out together at a later date. So the pact is mostly symbolic.
Russia and China will obviously not sign. Many of the pact’s measures imply taking action against them. Russia and China are the sources of most of the world’s malware and cyber attacks, many of which are state-sponsored. Russia, in particular, is at the forefront of everyone’s mind when it comes to election hacking. The pact says it will try to “prevent malign interference by foreign actors.” Who does “foreign actors” refer to if not the Russians? “Prevent ICT-enabled theft of intellectual property,” is a finger-wag at China.
The US is also involved in a fair deal of cyber espionage, and it has its own interests to worry about. The US is home to most of the world’s largest and most profitable tech and internet giants, many of which served as a medium for previous election hacking campaigns. This pact could seek to regulate them. And after seeing Trump walk away from the Paris Climate Accord, I’m not sure why anyone would be surprised at this result.”