The Internet has by and large been a cause for good, driving economic growth across developed and emerging economies, connecting individuals and communities to previously unattainable services, and propelling innovation online, as well as offline. Today, all over the world public utilities, banks, and governments use the Internet, cloud services, and mobile technology to enhance their productivity. Unfortunately, the benefits of greater connectivity have also brought about increased information security threats, some stemming from nation state activities in cyberspace.
Microsoft believes that there are certain acts in cyberspace that, whatever the national or strategic aim, nation states should not pursue. For that reason, we are today publishing a new white paper, “International Cybersecurity Norms, Reducing Conflict in an Internet-dependent World”, as part of the EastWest Institute’s 2014 Global Cyberspace Cooperation Summit in Berlin, Germany. In the paper we recommend six cybersecurity norms with the intention of reducing the possibility that Information Communication Technology (ICT) products and services are used, abused, or exploited by nation states as part of military operations. We believe such actions could bring about potentially unintended and likely unacceptable consequences.
Our team developed a unique framework that evaluates various actors in cyberspace, the objectives they are seeking to advance, the corresponding actions that could be taken, and finally the potential impacts of such actions. Using this risk-based approach, we believe that the norms we are putting forward today will be just as relevant tomorrow and for the years to come. This is not a new position for Microsoft, as we’ve been advocating for an international effort to develop cybersecurity norms for several years. Underscoring the difficulty, as well as the importance, of establishing cybersecurity norms, Microsoft Corporate Vice President Scott Charney noted in a blog post last year, “Creating these norms will be as difficult as it sounds, but it is still both necessary and, ultimately, unavoidable. Absent such an agreement, unilateral and potentially unprincipled actions will lead to consequences that will be unacceptable and regrettable.”
Our goal is not to advance a niche field in international relations. We realize that moving from politically binding norms to legally binding norms will take time and commitment, and that some policymakers might see our proposals as more aspirational than realistic. However, historically, international norms have only developed after an event with horrific consequences has already occurred and the international community has realized that a particular activity – whether it be the use of chemical weapons, carpet bombing, or landmines – can no longer be acceptable.
Our goal – albeit ambitious – is to prevent the emergence of a world where cyber conflict undermines trust. The alternative is to realize too late, among the wreckage, that something should have been done long ago. Cybersecurity norms that limit potential conflict in cyberspace are likely to bring greater predictability, stability and security to the international community. The cybersecurity norms we propose can also serve as a compass for governments, as they seek to codify their own laws and regulations for government action in cyberspace. Although making meaningful progress will be a challenge, especially as demographic, political, and economic shifts test traditional models for collaboration, we are nevertheless optimistic that, through dialogue, development, and general practice, certain cybersecurity norms can evolve into customary international law over time. We believe that the consequences of inaction are unacceptable.