Microsoft has a clear view on cybersecurity norms: global information and communications technology (ICT) companies, like nation-states, must also adhere to some agreed-upon norms.
In a report headed up by Scott Charney, Microsoft’s corporate vice president for trustworthy computing, the company says that before international cybersecurity laws can be enacted, nation-states and global ICT companies must agree upon a set of norms. The report maintains that it’s very risky for the world to enact cybersecurity laws because it lacks scenario experience.
“This is really a new area,” says Bruce McConnell, global vice president of the EastWest Institute. “And as we move to the Internet of Things, it really doesn’t help to continue talking about doomsday scenarios. I understand why people might be skeptical about cybersecurity norms, but it’s certainly a good place to start.”
James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies, adds that the computer industry is still working through the Snowden effect. "We must find a way to build trust in the supply chain and norms are a good first step,” he says.
Microsoft issued a set of norms for nation-states about a year ago, and last month added norms for global ICT companies to the equation. Microsoft took its lead from the United Nations Group of Governmental Experts, which in a July 2015 report said that the private sector should contribute to the development of cybersecurity norms.
The UN report noted that this approach followed other developments in the financial sector and the aviation industry, which have collaborated for many years to develop regulatory frameworks.
Here's a rundown of Microsoft’s proposed norms for nation-states as well as for businesses, along with a quick analysis of the proposals based on interviews with Bruce McConnell, James Lewis, and additional reporting:
1. Maintain trust.
Nation-States: Governments should not target global ICT companies to insert vulnerabilities (back doors) or take actions that would otherwise undermine public trust in products and services.
Global ICT: Companies should not should not permit or enable nation-states to adversely impact the security of commercial, mass-market ICT products.
Analysis: Apple tested this principle after it refused to cooperate in the FBI’s investigation of the San Bernardino shootings. As a general principle, global companies can’t afford to be compromised by their home country government. While disputes will inevitably come up, and nation-states will continue to develop cyber weapons, setting this principle as an accepted norm stands as something global ICT companies can point to in a crisis.
2. Coordinated approach to vulnerability-handling.
Nation-States: Governments should have a clear, principle-based policy for handling product and service vulnerabilities that reflects a strong mandate to report them to vendors rather than to stockpile, buy, sell, or exploit them.
Global ICT: Companies should adhere to coordinate disclosure practices for handling of ICT products and service vulnerabilities.
Analysis: Microsoft has taken the lead with this since 2003 with Patch Tuesday, which takes place either the second or fourth Tuesday of every month. Google has also stepped up its practices by issuing monthly vulnerability reports and patches. And most other reputable global ICT companies have a formal patching schedule.
3. Stop proliferation of vulnerabilities.
Nation-States: Governments should exercise restraint in developing cyber weapons and should ensure that any that are developed are limited, precise and not reusable.
Global ICT: Companies should collaborate to proactively defend against nation-state attacks and to remediate the impact of such attacks.
Analysis: On the government front, the NSA and other intelligence agencies have found a reduction in the number of hacking incidents by the Chinese. Some of the reduction could be the result of an agreement between presidents Barack Obama and Xi Jinping last fall, but US officials are still not clear if some of the hacking has left government and simply been passed to Chinese companies. One point is clear: The Chinese have acknowledged a cyber threat of their own internally and are more disposed to cooperate than in the past. As far as ICT companies collaborating, Fortinet, Intel Security, Palo Alto Networks, and Symantec have formed the Cyber Threat Alliance, for example. The companies aim to share threat information to protect industry from advanced cyber adversaries.
4. Mitigate the impact of nation-state attacks.
Nation-States: Governments should commit to nonproliferation activities related to cyber weapons.
Global ICT: Global ICT companies should not traffic in cyber vulnerabilities for offensive purposes, nor should ICT companies embrace business models that involve proliferation of cyber vulnerabilities for offensive purposes.
Analysis: Although some of the government-sponsored hacking may ease over time, it’s naïve to think that it will ever stop altogether. The release of these norms attempts to put a set of ethical values that governments can follow. The same holds true for ICT companies. While some companies make zero-day attacks available to customers for defensive purposes, as a general principle, it makes sense that ICT companies should not traffic or aggressively deploy vulnerabilities to enact a ransom or in tandem with a government entity.
5. Prevent mass events.
Nation-States: Governments should limit their engagement in cyber-offensive operations to avoid creating a mass event.
Global ICT: There is no corresponding norm for the Global ICT industry.
Analysis: It remains to be seen to what extent governments will cooperate.
6. Support response efforts.
Nation-States: Governments should assist private sector efforts to detect, contain, and respond to, and recover from, events in cyberspace.
Global ICT: Global ICT companies should assist public sector efforts to identify, prevent, detect, respond to, and recover from events in cyberspace.
Analysis: At the federal level here in the US through the Cyber Information Sharing and Collaboration Program, the Department of Homeland Security has built a trusted environment for sharing cyber threat information with the private sector through formal Cooperative Research and Development Agreements. As of July 2015, there were 125 agreements in place and DHS has already shared more than 28,000 indicators with these partners since the program’s inception. More are under way.
7. Patch customers globally.
Nation-States: No corresponding norm for nation-states.
Global ICT: Companies should issue patches to protect ICT users, regardless of the attacker and their motives.
Analysis: Global ICT companies can’t afford to favor companies in one country over companies in another. Their allegiances are much broader than any one country or one government, so they can’t be seen as playing favorites. As a general principle, they have to support the concept of patching a vulnerability when it appears, especially if it’s a customer under attack.