International cyber ‘Kum Ba Yah’ lacks U.S. signature

Two stories have dragged on so long they’ve become boring. Amazon has finally picked two places for its multiplicity of headquarters, and baseball free agent Bryce Harper is going — somewhere. Nationals fans’ attention moves on to the rotation.

But I’m more interested in why the U.S. opted out of signing a new international cybersecurity agreement? The Paris Call for Trust and Security in Cyberspace looks like a feel-good manifesto. It came out this week to coincide with French events commemorating the 100th anniversary of Armistice Day. All of the European Union nations signed and all but two NATO allies signed. Other nonsigners included Russia, China, Iran and Israel.

None of the published reports of this episode could state a reason for the non-signature. The New York Times cited an unnamed source speculating the U.S. might yet sign.

Perhaps, and I’m only guessing, US and Israeli diplomats don’t like where the Paris Call originated? The United Nations Educational, Scientific and Cultural Organization (UNESCO) has often misaligned with the two countries’ policies in other domains.

As for Russia, China and Iran, aren’t we basically in cyberwar with them already?

The Paris Call comes as the Trump administration embarks on two initiatives.  First, the National Cyber Strategy came out a couple of months ago and emphasizes, among many things, international law enforcement to combat cyber crime. Second, the administration launched an indictment against a Chinese competitor of US semiconductor manufacturer Micron Technology. Micron had already sued Fujian Jinhua Integrated Circuit Co. for theft of Micron’s intellectual property. Now the Justice Department has joined in, following a Commerce Department ban on imports from Jinhua.

This is all tough stuff. By contrast, the Paris Call has more emphasis on product security, cyber defenses, “security of digital processes,” resilience and prevention of IP theft. It talks about “collaboration among governments, the private sector and civil society.” But not much is said about counterattacks, criminal pursuit, and specific law enforcement cooperation. That’s not surprising, given the hundreds of companies and nonprofits that have signed on.

Microsoft has backed the Paris Call in a big way. Its president, Brad Smith, apparently attended the rollout where French President Emmanuel Macron announced the accord. He called the Paris Call “an important step toward peace.” A couple of analysts pointed out that governments, including that of the U.S., are more and more enlisting companies in privacy and cybersecurity efforts. Twitter, Google, Microsoft, Facebook and others have all taken steps at the behest of the government to weed out spurious accounts or help identify criminals operating in cyberspace. In many ways they’re like itchy dogs helping the vet find the fleas. This Wired article provides a good background on activities of Microsoft in particular.

But privacy, good government and internet governance nonprofits don’t always approve of or trust state activities related to the internet.  The Paris Call has the flavor of that point of view. I don’t see the initiative and the Trump administration cyber strategy as canceling one another. In fact I think they’re complementary. If anything, the Paris Call is more platitudinous, calling for few specific laws or activities.

It’s more “Kum Ba Yah” than come-down-on-cybercriminals. It’s hard to see how signing it would limit U.S. actions.