More than 70 nations have signed up to the global cybersecurity initiative, although China, Russia, and the US remain notable omissions
One year on from the launch of the Paris Call for Trust and Security in Cyberspace, the number of signatories has nearly tripled – but the declaration still has notable omissions, including the US government.
Unveiled by French President Emmanuel Macron last November, the Paris Call sets out a series of common principles for securing cyberspace, such as making digital products more secure, strengthening collective defenses against cybercrime, and encouraging international cybersecurity cooperation.
Signatories also pledge to work to prevent electoral interference, intellectual property violations, and other offensive action.
Number of signatories grows
One year in, there are now 74 nations signed up to the Paris Call, including all EU member states. They join over 350 international, civil society and public sector organizations, and more than 600 private sector entities.
However, there are some notable omissions, from China and Russia to Brazil, India, and the US – and at the Paris Peace Forum this week, speakers pledged to continue to try and drum up more support.
John Frank, vice president for EU government affairs at Microsoft, says he is encouraged by the way that local and state governments in the US have signed up to the Paris Call for themselves, following a series of ransomware attacks.
“New joiners include the cities of San Jose and Louisville and the states of Colorado, Virginia and Washington, bringing the number of US signatories to more than 130,” he says.
“We believe this strengthens the case for the US government to sign onto the Paris Call. The Paris Call builds on international norms that the US has endorsed previously, with the addition of one new commitment that the US should find easy to support: the protection of elections.’
Over the last few months, participants have held roundtable discussions in cities around the world on how to proactively advance the principles of the Paris Call internationally.
And as a result of this, a number of new initiatives have been announced at the Paris Peace Forum. These include the creation of a Paris Call Community, centered around the nine principles of the declaration.
Microsoft and the Alliance for Securing Democracy, for example, have created the Paris Call Community on Countering Election Interference.
Focused on implementing principle three, it is aimed at working to identify best practices and build capacity to defend against foreign interference in democratic processes.
Meanwhile, groups including Cybersecurity Tech Accord, the Internet Society, Global Cyber Alliance, and CyberGreen are working to strengthen solutions that improve cyber hygiene, or basic security practices, among signatories in line with principle seven.
Speaking at the event, Frank said he hoped to see the Paris Call continue to expand, but said there was still much work to do.
“We need to go beyond the one-sentence descriptions so they can be elaborated and we can understand what norms could be, and we need more detailed discussions. I think that's what's happening this year,” he said.
“We’ve had a great first year, but the challenge is going to be to take that multi-stakeholder model that President Macron made the centerpiece for this Peace Forum and bring the community to making real progress across a range of issues.”
Engaging with the industry
One thorny issue highlighted during the discussion was that of ‘hacking back’ – prohibited by the Paris Call, but vitally important for pen testers.
“Principle eight of the Paris Call is essentially that private sector companies shouldn’t be hacking back. Now, that’s a fine principle to articulate, but, to engineers, that needs a lot of elaboration,” said Frank.
“I think that one of the opportunities now, this next year, is to engage with engineers and policy-makers to actually talk through the particular steps that people are concerned about, so at an operational level you can build more consensus.”
While the Paris Call is still a voluntary code of practice, Eugene Kaspersky, CEO of Kaspersky Lab, called for greater government oversight of security issues.
“I think that now is the right time to introduce regulation, for example for the Internet of Things. Simple regulation – for example, when you have connected devices they must have different passwords by default,” he said.
“I am convinced that it is the right time to introduce regulation for critical infrastructure… so the software and hardware for critical infrastructure must be under strict control.”
Organizations wishing to sign up for the Paris Call for Trust and Security in Cyberspace can do so here.