RSA President Rohit Ghai said the multi-vendor pledge to not assist any government in offensive cyber-attacks is "too broad" and needs to consider both risks and rewards.
Ghai said the 34 signatories of the Cybersecurity Tech Accord need to examine what's at stake on either side and what's being given up on each end as a compromise is pursued.
"I think it's too broad of a statement," Ghai said. "I think it needs to be qualified with some more granular descriptors of 'what do we mean by offensive capability?'"
The pledge was announced by Microsoft President Brad Smith during a keynote Tuesday at the RSA Conference 2018 in San Francisco, with participating companies agreeing to not assist any government in offensive cyber-attacks as well as protect all customers from attack regardless of geopolitical or criminal motive, according to Reuters.
Prominent firms that signed onto the agreement include Microsoft, Facebook, Cisco, Juniper Networks, Oracle, Nokia, SAP, Dell, Symantec and FireEye. And despite Ghai's critique, a website built for the Cybersecurity Tech Accord indicates that RSA is one of the 34 signatories. Microsoft didn't immediately respond to a request for comment.
Ghai said participating companies should look at the risk and reward equation and get down into the nitty gritty details.
"There's always this duality and need," Ghai said. "It's a balance, but it needs to be a granular discussion, not an abstract, theoretical, high-level discussion."
Although Ghai thinks a crisper definition is needed of what isn't allowed from an offensive perspective, he said he has no concerns with the defensive obligations, which he said are the right intent regardless of where the source of an attack is based.
Ghai likened the situation to the CLOUD Act, which was signed into law last month and allows federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
In that instance, Ghai said lawmakers needed to balance the burden of the technology sector caring for data privacy against the need of public sector organizations to fight cross-border terrorism. Similar deliberations need to take place around the Cybersecurity Tech Accord as well, according to Ghai.
"I think it's a very tricky situation," Ghai said. "I don't know if the right solutions can be arrived at, but with the collective thinking power of multiple companies, you have a better shot of getting to the right answer."
Malwarebytes CEO Marcin Kleczynski questioned whether a pledge that requires more than 30 companies to come to an agreement around a course of action can really be an effective source of change.
"I don't think much is going to happen," Kleczynski said. "I need to study it more, but on the face of it, it does seem like a PR push."
Kleczynski cited a similar collective pledge effort to halt the downloading of malware and unwanted software, in which Microsoft came out, defined it, and tried to pull various companies together. However, Kleczynski said the final product "had no teeth."
"They put a stamp of approval on tactics that we think are deceptive to our user base on the consumer side as well as on the enterprise," Kleczynski said.
Instead of signing a pledge, Kleczynski said organizations can effectively combat misuse of their technology through a bug bounty program, which compensates outsiders for uncovering and reporting flaws in their hardware or applications. Malwarebytes has such a program, and offers bounties of up to $1,000 depending on the bug's severity and exploitability.
"You would rather be aware of these issues, vulnerabilities and exploits and pay that bounty versus finding out about it in the news one day that your product, your solution was exploited," Kleczynski said.
Kleczynski pointed to the business model of Italian IT company the Hacking Team – whose sole source of revenue is selling exploits to nation-states – as an example of where bug bounties could be effective. Had vendors been willing to pay more for the information than nation-states, Kleczynski said actors like the Hacking Team would have likely just reported the vulnerabilities directly to the vendor.
"The incentives need to align," Kleczynski said. "Most people want to do the right thing, but they need incentive to do that."