Dark Reading is part of the Informa Tech Division of Informa PLC

A Closer Look At Microsoft's Proposed Norms For Cybersecurity

Microsoft last month outlined steps companies can take to collaborate on cybersecurity, following its proposed norms for nation-states.

Microsoft has a clear view on cybersecurity norms: global information and communications technology (ICT) companies, like nation-states, must also adhere to some agreed-upon norms.

In a report headed up by Scott Charney, Microsoft’s corporate vice president for trustworthy computing, the company says that before international cybersecurity laws can be enacted, nation-states and global ICT companies must agree upon a set of norms. The report maintains that it’s very risky for the world to enact cybersecurity laws because it lacks scenario experience.

“This is really a new area,” says Bruce McConnell, global vice president of the EastWest Institute. “And as we move to the Internet of Things, it really doesn’t help to continue talking about doomsday scenarios. I understand why people might be skeptical about cybersecurity norms, but it’s certainly a good place to start.”

James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies, adds that the computer industry is still working through the Snowden effect. “We must find a way to build trust in the supply chain and norms are a good first step,” he says.

Microsoft issued a set of norms for nation-states about a year ago, and last month added norms for global ICT companies to the equation. Microsoft took its lead from the United Nations Group of Governmental Experts, which in a July 2015 report said that the private sector should contribute to the development of cybersecurity norms.

The UN report noted that this approach followed other developments in the financial sector and the aviation industry, which have collaborated for many years to develop regulatory frameworks. 

Here's a rundown of Microsoft’s proposed norms for nation-states as well as for businesses, along with a quick analysis of the proposals based on interviews with Bruce McConnell, James Lewis, and additional reporting:

1. Maintain trust.

Nation-States: Governments should not target global ICT companies to insert vulnerabilities (back doors) or take actions that would otherwise undermine public trust in products and services.

Global ICT: Companies should not permit or enable nation-states to adversely impact the security of commercial, mass-market ICT products.

Analysis: Apple tested this principle after it refused to cooperate in the FBI’s investigation of the San Bernardino shootings. As a general principle, global companies can’t afford to be compromised by their home country government. While disputes will inevitably come up, and nation-states will continue to develop cyber weapons, setting this principle as an accepted norm stands as something global ICT companies can point to in a crisis.

2. Coordinated approach to vulnerability-handling.

Nation-States: Governments should have a clear, principle-based policy for handling product and service vulnerabilities that reflects a strong mandate to report them to vendors rather than to stockpile, buy, sell, or exploit them.

Global ICT: Companies should adhere to coordinated disclosure practices for handling of ICT products and service vulnerabilities.

Analysis: Microsoft has taken the lead with this since 2003 with Patch Tuesday, which takes place either the second or fourth Tuesday of every month. Google has also stepped up its practices by issuing monthly vulnerability reports and patches. And most other reputable global ICT companies have a formal patching schedule.   

3. Stop proliferation of vulnerabilities.

Nation-States: Governments should exercise restraint in developing cyber weapons and should ensure that any that are developed are limited, precise and not reusable.

Global ICT: Companies should collaborate to proactively defend against nation-state attacks and to remediate the impact of such attacks.

Analysis: On the government front, the NSA and other intelligence agencies have found a reduction in the number of hacking incidents by the Chinese. Some of the reduction could be the result of an agreement between presidents Barack Obama and Xi Jinping last fall, but US officials are still not clear if some of the hacking has left government and simply been passed to Chinese companies. One point is clear: The Chinese have acknowledged a cyber threat of their own internally and are more disposed to cooperate than in the past. As far as ICT companies collaborating, Fortinet, Intel Security, Palo Alto Networks, and Symantec have formed the Cyber Threat Alliance, for example. The companies aim to share threat information to protect industry from advanced cyber adversaries.

4. Mitigate the impact of nation-state attacks.

Nation-States: Governments should commit to nonproliferation activities related to cyber weapons.

Global ICT: Global ICT companies should not traffic in cyber vulnerabilities for offensive purposes, nor should ICT companies embrace business models that involve proliferation of cyber vulnerabilities for offensive purposes.

Analysis: Although some of the government-sponsored hacking may ease over time, it’s naïve to think that it will ever stop altogether. The release of these norms attempts to put forward a set of ethical values that governments can follow. The same holds true for ICT companies. While some companies make zero-day attacks available to customers for defensive purposes, as a general principle, it makes sense that ICT companies should not traffic in or aggressively deploy vulnerabilities to enact a ransom or in tandem with a government entity.

5. Prevent mass events.

Nation-States: Governments should limit their engagement in cyber-offensive operations to avoid creating a mass event.

Global ICT: There is no corresponding norm for the Global ICT industry.

Analysis: It remains to be seen to what extent governments will cooperate.

6. Support response efforts.

Nation-States: Governments should assist private sector efforts to detect, contain, respond to, and recover from events in cyberspace.

Global ICT: Global ICT companies should assist public sector efforts to identify, prevent, detect, respond to, and recover from events in cyberspace.

Analysis: At the federal level here in the US through the Cyber Information Sharing and Collaboration Program, the Department of Homeland Security has built a trusted environment for sharing cyber threat information with the private sector through formal Cooperative Research and Development Agreements. As of July 2015, there were 125 agreements in place and DHS has already shared more than 28,000 indicators with these partners since the program’s inception. More are under way.

7. Patch customers globally.

Nation-States: No corresponding norm for nation-states.

Global ICT: Companies should issue patches to protect ICT users, regardless of the attacker and their motives.

Analysis: Global ICT companies can’t afford to favor companies in one country over companies in another. Their allegiances are much broader than any one country or one government, so they can’t be seen as playing favorites. As a general principle, they have to support the concept of patching a vulnerability when it appears, especially if it’s a customer under attack.


Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.
