VP Kamala Harris: US Will Join 80-Nation Cybersecurity PactThe Paris Call, Formed in 2018, Seeks to Advance Global Norms in Cyberspace
The U.S. has joined an 80-nation agreement that sets collective goals for cyberspace, with a particular focus on internet integrity, electoral security, intellectual property theft, use of malign hacking tools and more. Vice President Kamala Harris confirmed U.S. entry into the multistate pact following a meeting with French President Emmanuel Macron on Wednesday.
A voluntarily initiative, the Paris Call for Trust and Security in Cyberspace was established in November 2018 by Macron during the annual Paris Peace Forum, to unite nations against cyberthreats endangering citizens and infrastructure. According to the Paris Call website, the effort "encourages states to cooperate with private sector partners, the world of research and civil society."
"[President Macron and I] had a comprehensive conversation on … this new era," Harris told reporters on Wednesday about a bilateral meeting the two hosted, noting that they discussed a dedication to research and the collective ability to "work together to address the issues facing our partners around the world."
In a fact sheet on Harris' visit to France, the White House says, "The U.S. is committed to working alongside our allies and partners to advance cybersecurity and uphold established global norms in cyberspace."
U.S. officials say that they aim to work with "like-minded countries to attribute and hold accountable states that engage in destructive, disruptive, and destabilizing cyber activity. … The U.S. interprets the Paris Call consistent with our existing domestic and international obligations and commitments, including the importance we place on respecting human rights, freedom of expression and privacy."
Calling the current global cybersecurity landscape "fragmented," National Cyber Security Alliance interim Executive Director Lisa Plaggemier tells Information Security Media Group, "While there may be skeptics that say these types of initiatives may just be eyewash, to see this kind of widespread public acknowledgement of the need for collaboration between countries as well as the public and private sector is actually a huge step forward."
Not all security experts are convinced. Ross Rustici, a former technical lead for the U.S. Department of Defense, tells ISMG, "This is purely a PR play. It is a nonbinding agreement that largely covers the same areas as the Budapest Convention on Cybercrime that was crafted in 2001 … [which] actually has enforcement requirements, which the Paris Call does not."
The Call: 9 Principles
The French government launched this cyber initiative with support from dozens of governments and hundreds of corporations, including Big Tech firms like Microsoft and Google, plus local U.S. governments. The federal government under then-President Donald Trump did not join the agreement.
Member states participate in ongoing working groups that address nine principles, including:
- Protecting individuals and infrastructure;
- Protecting the internet;
- Defending electoral processes;
- Defending intellectual property;
- Preventing the proliferation of malicious software and practices;
- Strengthening the security of digital processes, products and services;
- Strengthening security hygiene - along with the IT supply chain;
- Preventing the proliferation of malicious hacking tools and nonstate actors' efforts to "hack back";
- Promoting international cyberspace norms;
Security Community Reactions
Taking to Twitter following Harris' announcement, Christopher Painter, a former top cybersecurity diplomat in the Obama and Trump administrations, said, "The U.S. joining is a great and welcome thing, both because the Paris Call principles reflect the kinds of things the U.S. has fought for and because it makes them part of, and gives them access to, a vibrant multistakeholder community that endorses cyber stability.
"Moreover, the announcement coming from the VP demonstrates the continued high-level political attention this administration is giving to cyber issues as a key national security, economic, human rights and diplomatic priority."
The effectiveness of the agreement, however, will depend on the follow-up, according to John Bambenek, principal threat hunter at the security firm Netenrich. He tells ISMG, "Eighty nations is a significant block to provide sustained diplomatic pressure to get geopolitical bad actors to behave responsibly. However, it will take sustained focus and effort for some time to get there."
"This is one step in a longer journey to realize cyber peace, which includes necessary verification and enforcement mechanisms for nations that break these rules of the road," Scott Shackelford, the director of Indiana University's cybersecurity and internet governance program, tells ISMG.
And Plaggemier says, "The 'Paris Call' will not solve everything overnight. There are still numerous pressing issues that need to be addressed - from ransomware to election security - and therefore, while commitments are great, we need to see how it will translate into action."
Rustici, who is managing director of the advisory firm StoneTurn, calls it a partial fence-mending effort to strengthen U.S. ties with France following a September rift over a nuclear submarine deal between Australia, the U.S. and the U.K., with France being replaced and reportedly losing billions of dollars, according to NPR.
Top Cyber Adviser Speaks With the EU
U.S. National Security Council spokesperson Emily Horne said Wednesday that Anne Neuberger, one of President Biden's top aides on cyber policy, visited Brussels, Belgium, this week "to advance cybersecurity on both sides of the Atlantic [and] promote responsible state behavior in cyberspace."
Neuberger, who serves as the deputy national security adviser for cyber and emerging technology, met with European Union officials and members of the European Parliament to discuss cybersecurity policies. Neuberger also consulted with the North Atlantic Council at NATO on ways to enhance cyber resilience, following NATO's adoption of a new Cyber Defense Policy on shared deterrence and defense efforts.
Federal Cyber Efforts
Nevertheless, cybercrime continues to increase, as was made apparent throughout 2021 via high-profile ransomware attacks. These include a May attack on Colonial Pipeline Co. that temporarily cut off the fuel supply for much of the U.S. East Coast. Other targets have included the world's leading meat supplier, JBS, and remote IT management software vendor Kaseya, in an incident that affected 1,500 downstream organizations.
In response, Biden facilitated a bilateral summit with Russian President Vladimir Putin in June, urging him to act against cybercriminals operating within his borders. The U.S. State Department later offered $10 million rewards for high-ranking ransomware operators from both the DarkSide and REvil gangs.
U.S. Attorney General Merrick Garland this week also announced that one suspected REvil member was arrested in Ukraine and faces extradition to the U.S.; another, a Russian national still at large, was indicted for alleged ransomware crimes.