Cybersecurity experts at the World Economic Forum Annual Meeting have called for a “coalition of the willing” to embrace the Paris Call of 12 November 2018 for Trust and Security in Cyberspace (the Paris Call), a multistakeholder declaration that favours the development of common principles for securing cyberspace. The Paris Call, which has been signed by 64 states, more than 300 private-sector companies and over 150 NGOs and other civil society organizations, offers a framework for multilateral action on addressing the critical issue of cybersecurity in a time of increasingly prolific and sophisticated attacks by criminal organizations as well as nation states.
“It’s really about keeping the world safe,” said Bradford L. Smith, President and Chief Legal Officer of Microsoft. “The world depends on digital infrastructure, it depends on our devices, and they’re under attack every single day,” he said.
While noting that the Paris Call has been signed by all 28 members of the European Union and by all but one member of NATO, as well as other democratic states, including Australia, Japan, New Zealand, Singapore and South Korea, Smith singled out two holdouts: India and the United States. “The world’s biggest democracy needs to stand with the world’s other great democratic nations,” he said. “The world needs India.”
Smith attributed US reluctance to sign to the current American administration’s aversion to multilateralism, but warned, “Some of the most serious attacks are those against democracy itself. The most significant threat is to voting systems.”
Although he acknowledged the difficulty of assessing the actual impact of interference operations on the outcome of the 2016 US election, Smith said, “Let’s focus on what we do know. We do know that 30 million Americans have read intentional disinformation by governments, and they shared it, they liked it, and they believed it. It was done with the goal of disrupting democracy. It was not limited to the United States alone … Every single candidate running for the French presidency was attacked in some way. It is a problem, a threat to democracy, and needs to be addressed.”
Smith and other cybersecurity experts emphasized the importance of attribution but said that attribution itself is not enough. “I don’t think one can expect governments to change what they’re doing if there aren’t consequences,” he said.
Smith said that the responsibility for security begins with the tech companies themselves. “People can’t trust tech unless they have confidence in the companies that create the technology,” he said, noting that the Cambridge Analytica incident, in which Facebook user data was acquired illicitly by a now-defunct political data analytics company, was a turning point in public distrust of tech companies. “Tech companies and the sector as a whole need to address this, and they must start with acknowledging the scepticism,” he said. Action needs to be taken, he said. “The public has developed a keen ability to differentiate between words and deeds.”
He added, however, that “we shouldn’t look to the private sector alone to respond to what are essentially military grade cyberattacks. The private sector has not saved the nation from military attacks before.”