The United States has joined an 80-country agreement that condemns reckless behavior in cyberspace and seeks to mobilize resources to secure the software supply chain that the Trump administration declined to sign, Vice President Kamala Harris announced Wednesday following a meeting with French President Emmanuel Macron.
The Paris Call for Trust and Security in Cyberspace, as the voluntary initiative is known, seeks to make the internet a greater force for stability at a time when election meddling and ransomware attacks are commonplace. It includes a series of principles like defending elections from cyberattacks, protecting intellectual property from theft, and condemning the use of hacking tools by non-state actors.
Harris said Wednesday that she looked forward to discussing areas of cooperation with France, including in scientific research, space, cyberspace and climate change, and she vowed to “continue to work together and renew the focus that we have always had on our partnership.”
The French government began the multilateral cyber initiative in 2018. Scores of governments and hundreds of corporations, including Microsoft and Google, have agreed to the document. Yet despite allies like the United Kingdom, and even local US governments, agreeing to the Paris Call, the US federal government had been conspicuously uninvolved. That was inconsistent with US efforts to promote norms of acceptable behavior in cyberspace at the United Nations and elsewhere, according to analysts.
“The US was glaring by its absence because China and Russia didn’t agree to it either,” Christopher Painter, a former top cybersecurity diplomat in the Obama and Trump administrations, told CNN.
Through the Paris Call, companies and governments hold a series of “working groups” on things like responsible behavior in cyberspace and developing more secure software products.
The US decision to join the Paris Call comes as the Biden administration has looked for international help in cracking down on Eastern European and Russian ransomware gangs that have hacked major US firms.
One such criminal group in May forced Colonial Pipeline, which provides fuel to the East Coast, to shut down for days, leading to long lines at the gas pump in multiple states. The State Department has offered a $10 million reward for key information on the hackers responsible for that incident.
President Joe Biden in June lobbied Russian President Vladimir Putin to take action against cybercriminals on Russian soil. US officials have said it is “too early to tell” whether any downturn in ransomware attacks conducted from Russian soil is due to action by the Kremlin.
“We’ve shared information with the Russians, and this will be a test of their follow-on activity to act,” Anne Neuberger, deputy national security adviser for cybersecurity and emerging technology, told reporters on Tuesday. “They’ve committed to act on the information that’s been shared.”
The multilateral fight against ransomware notched a win this week when the Justice Department announced the arrest and indictment of a Ukrainian man for allegedly carrying out a far-reaching ransomware attack on US software firm Kaseya in July.
Still, experts say, sustained progress in countering ransomware will require the elimination of safe havens for dangerous cybercriminal groups.
Microsoft President Brad Smith, a vocal advocate of the Paris Call, said Wednesday that ransomware is “flourishing in countries where governments are prepared to look the other way.”
International norms were necessary because cyberspace had blurred the lines between peace and conflict, Smith said in a speech in Paris.
“So much of the … hostilities between nations happen not as acts of overt war,” Smith said, “but acts that feel very different from what we should expect in times of peace. They happen in cyberspace.”
CNN’s Jennifer Hansler and Jeremy Diamond contributed reporting.