Why companies should not sign the “Cybersecurity Tech Accord”

Last week Brad Smith, Microsoft’s President and Chief Legal officer, announced that 34 technology companies signed the “Cybersecurity Tech Accord.”   While attempting to address cybersecurity issues is laudable, this is not the way to do it.  Allow me to explain why companies should not sign the pledge.

Its promoters say the Tech Accord is supposed to be “a public commitment among more than 30 global companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.”  Nice idea, but the devil is – of course –  in the details.

Consider that the Tech Accord states that the companies will:

“[S]trive to protect all our users and customers from cyberattacks – whether an individual, organization or government – irrespective of their technical acumen, culture or location, or the motives of the attacker, whether criminal or geopolitical”. (Bolding added.)

“Protect all of [their] users”?  “Irrespective” of the “motives of the attacker”?  Really?

Think about it: should we now assume that if, for example, the Islamic State of Iraq and Syria (ISIS) is a “user,” the signatory companies will “protect” them from “cyberattacks” even if the “motives of the attacker” (the U.S. government for instance) are to degrade the operational capabilities of that loathsome organization?

Let’s make no mistake about it, ISIS (and other illicit organizations) are “users” of commercial tech.  Last summer, C4ISRNET’s  Mark Pomerleau explained “How ISIS harnesses commercial tech to run its global terrorist network,”  Specifically, Pomerleau reports:

“ISIS understands the broad range of commercial technological applicability, and social media allows the group to conduct global operations, [John] Mulligan said. The militant group can conduct financial transactions, facilitate logistical movements, and organize in a dispersed, remote way.”

Why on earth would tech companies want to “protect” those “users”?   Indeed, couldn’t defending terrorist networks amount to providing “material support to terrorism,” a serious felony under U.S. law?   What about civil liability?   Why doesn’t the “motive of the attacker” matter to the tech companies, particular if that “attacker” is a  legitimate law enforcement or security entity, “motivated” by an intent to defend the helpless?

Moreover, wouldn’t this undifferentiated pledge to “protect all…users” appear to extend even to enemy combatants in hostile countries during wartime?  Isn’t it foreseeable that aiding an enemy in that way could at some point amount to “levying war against the United States”?  Do the employees of the signatory companies fully appreciate how open-ended the pledge is, and how directly “protecting” enemy “users” during hostilities might put them in personal jeopardy?

This isn’t the only misguided part of the Accord.  Although the New York Times headline is a bit misleading (“Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar”), the actual text of the Tech Accord is still extremely troubling.  Here’s what it says in relevant part:

“We will not help governments launch cyberattacks against innocent citizens and enterprises from anywhere.”

What leaps out is the word “innocent.”  Minda Zetlin points out on Inc. that “the agreement doesn’t specify what constitutes a guilty vs. an innocent party.”  She goes on to ask:

“Would the creation of something like Stuxnet be forbidden by this Agreement? Since the initial victim–Iran’s nuclear program–wasn’t necessarily innocent, it seems unclear.”

“Unclear” is an understatement.  Moreover, who gets to decides who is – or is not – “innocent”?  The companies?  In a democracy, such determinations are made by elected governments, not outsourced to transnational, for-profit mega corporations.  Are we to suppose that the signatories believe they have a veto over government cyber operations if they somehow decide for whatever reason that a particular  “enterprise” is “innocent”?

This also seems to manifest a misapprehension about the law of war.  Keep in mind that the jus in bello law of war makes no judgments as to “innocence” or “guilt.”  Rather, the distinction is made between civilians/civilian objects on one side, and combatants and military objectives on the other.  It is quite possible, for example, that someone might be legally and/or morally “guilty,” but still retain the protected status of “civilian” for purposes of targeting and other law-of-war principles.

Furthermore, otherwise civilian objects can properly become military objectives under the law of war if “their nature, location, purpose or use make an effective contribution to military action and whose partial or total destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.”

In the cyber realm, it isn’t hard to conceive how a variety of civilian “enterprises” might become military objectives.  For example, the Tallinn Manual 2.0 makes it clear in Rule 101 that “[c]yber infrastructure used for both civilian and military purposes is a military objective,” and explains that it is “often the case that civilian and military users use share computers, computer networks, and other cyber infrastructure.”  Indeed, a military objective can lawfully be attacked even when it is known that losses of civilians and civilian objects will occur, so long as such losses are not “excessive in relation to the concrete and direct military advantage anticipated.”

Additionally, Tech Accord smacks of unilateral cyber disarmament.  As Ernie Smith points out, “no companies based in countries that have been blamed for cyberattacks—including Russia, North Korea, Iran, and China—are on the list of signatories.”  Can’t the signatory companies appreciate the disadvantage at which the Tech Accord puts the U.S. and other rule-of-law democracies?  The lack of clarity of the Tech Accord as to who the companies might consider “innocent” in a given situation erodes the ability of the U.S. and other democracies to deter cyber adversaries.

So what to do?  If these tech companies refuse to help the U.S. attack ISIS and other threats to our democracy, Congress may need to act so as to permit the government to require  U.S. companies to help in the “common defense.”

There is precedent that could be helpful should Congress decide to act.  Specifically, in the 1948 case of Lichter v. United States, 334 U.S. 742, the Supreme Court upheld the Constitutionality of the Renegotiation Act which permitted the government “to determine and recapture excessive profits by private contractors during war time.”

The Court explained its reasoning this way:

“Each was a part of a national policy adopted in time of crisis in the conduct of total global warfare by a nation dedicated to the preservation, practice, and development of the maximum measure of individual freedom consistent with the unity of effort essential to success.

With the advent of such warfare, mobilized property in the form of equipment and supplies became as essential as mobilized manpower. Mobilization of effort extended not only to the uniformed armed services, but to the entire population. Both Acts were a form of mobilization. The language of the Constitution authorizing such measures is broad, rather than restrictive. It says

“The Congress shall have Power . . . To raise and support Armies, but no Appropriation of Money to that Use shall be for a longer Term than two Years. . . .”Art. I, § 8, Cl. 12.

“This places emphasis upon the supporting, as well as upon the raising of armies. The power of Congress as to both is inescapably express, not merely implied. The conscription of manpower is a more vital interference with the life, liberty, and property of the individual than is the conscription of his property or his profits, or any substitute for such conscription of them. For his hazardous, full-time service in the armed forces, a soldier is paid whatever the Government deems to be a fair but modest compensation. Comparatively speaking, the manufacturer of war goods undergoes no such hazard to his personal safety as does a front-line soldier, and yet the Renegotiation Act gives him far better assurance of a reasonable return for his wartime services than the Selective Service Act and all its related legislation give to the men in the armed forces. The constitutionality of the conscription of manpower for military service is beyond question. The constitutional power of Congress to support the armed forces with equipment and supplies is no less clear and sweeping. It is valid a fortiori.”  (Bolding added; citations omitted).

Although the case is not “on all fours” with all the issues with the Tech Accord, it does stand for the proposition that the private companies can be “mobilized” to aid in the Nation’s security.  I am confident that a statute can be constructed that could, consistent with the Constitution, require wartime cooperation from the tech companies – and perhaps much more – regardless of the pledge.

But does it really need to come to that?   Wouldn’t it be better to rescind the Tech Accord and re-write it in a way that responsible companies in rule-of-law nations can legally and morally sign-on to help address the very serious problem of cybersecurity?

But as we like to say at Lawfire, check the facts, assess the law and the arguments, and then decide for yourself!