A group of 34 tech companies, including Facebook and Microsoft, has formed a cybersecurity consortium, pledging to work together to “act responsibly, to protect and empower our users and customers, and thereby to improve the security, stability, and resilience of cyberspace.”
The group, which also includes Arm, Cisco, HP, Nielsen, Nokia, Oracle, Telefónica and Trend Micro, has published a Cybersecurity Tech Accord that promises to protect the group’s collective users and customers from cyberattacks by designing offerings that prioritize security and privacy and that are developed with an eye to reducing vulnerabilities. Part of that includes securing the supply chain to prevent tampering.
The accord also states that the member companies will not work with governments on offensive cyber capabilities.
“Protecting our online environment is in everyone’s interest,” said Microsoft president Brad Smith in a blog post. “The companies that are part of the Cybersecurity Tech Accord promise to defend and advance technology’s benefits for society. And we commit to act responsibly, to protect and empower our users and customers, and help create a safer and more secure online world.”
Crucially, the group said that members would work with each other, establishing partnerships with industry leaders and security researchers to improve technical collaboration, perform coordinated vulnerability disclosure, and share information on threats. Meanwhile, user education will be a priority, with more information and better tools to enable consumers and businesses to understand the threats and protect themselves against them.
“Separate from the fact that some of the major social networks and cloud operators are missing, the key to any meaningful outcome is better communication to users, of how to use the security capabilities within the various vendors’ tools,” David Ginsburg, vice president of marketing at Cavirin, told Infosecurity. “In several cases, the capabilities are there, but they are too difficult to deploy, or, in some cases, tools from multiple vendors will provide contradictory guidance. This practical aspect is tremendously important.”
Despite the good feels, Mike Banic, vice president of marketing at Vectra, added that the pledge doesn’t include any enforcement actions, and as a voluntary plan it is less likely to have an effect than regulation would.
“The impending EU General Data Protection Regulation (GDPR) will have more impact [on improving security], since it has real teeth in the form of fines that can be as much as 4% of annual revenue if the personal information of EU-based citizens is exposed or misused, and organizations must provide notification within 72 hours,” he said. “An example to consider is the timeline of the Equifax breach where personally identifiable information (PII) was exposed and notification was not within the notification period. With so many organizations operating in EU nations or processing EU-based citizens’ data, evaluating their security program to ensure GDPR compliance is such a high priority that this alliance may go unnoticed.”