Governments have placed cybersecurity and cyberconflict at the top of their agendas. Bilateral cyber agreements among lead economies - including the EU, China, India, Japan, Russia, Germany, Canada, and the USA - are on the rise. The number of multilateral initiatives is also increasing: G20 countries have agreed that no country should conduct or support ICT-enabled theft of intellectual property; leaders of the Shanghai Cooperation Organization (SCO) are opting for an international code of conduct for information security; the Organization for Security and Co-Operation in Europe (OSCE) has agreed on two sets of confidence-building measures for preventing cyber-conflicts; the Association of Southeast Asian Nations (ASEAN) Regional Forum (ARF) and the Organization of American States (OAS) have also undertaken initiatives. Deliberations on norms of state behaviour in cyberspace are under way within the UN Group of Governmental Experts (GGE) Other stakeholders are also discussing aspects of cyberconflicts within global multistakeholder forums such as the UN Internet Governance Forum (IGF), or the Global Conference on Cyber Space. The private sector has stepped forward, too. Microsoft has joined the dialogue on cyber-norms with its proposal on International Cybersecurity Norms: Reducing conflict in an Internet-dependent world.
Angela McKay, Director of Cybersecurity Policy and Strategy, Global Security Strategy and Diplomacy Team at Microsoft, was the guest speaker at Diplo's webinar on cyber-norms.
One of the opening questions concerned Microsoft's motivation - and that of the private sector in general - to join the debate on norms of state behaviour that has traditionally been dominated by states. According to McKay, governments play multiple roles in cyber-space: they are the protectors of national security and the largest users of ICT, but they are also exploiters of cyberspace vulnerabilities. Not only are they increasing their defence cyber-capabilities, but a growing number of states - 37 recorded at the moment - have developed offensive cyber-capabilities, which leads to the growing insecurity of the online environment and puts pressure on the private sector. At the same time, governments are also strengthening their legal environments which, according to McKay, could stifle innovations.
Threat models for enterprises are, therefore, distorted. The private sector now takes multiple positions during cyber-attacks: a possible target of cyber-attacks; the attack vector, thanks to its products being misused; and a responsible entity to clean up the consequences. This raises the costs for the industry, but also dangerously diminishes trust in ICT products and services.
There has already been considerable activity related to discussing existing international legal frameworks and the case of cyber-war. According to McKay, however, there was also a need to codify norms related to cyber-activities that fall under the threshold of armed conflict - such as in case of incidents and disruptions - which could set the state behaviour and global expectations on such occasions. Reflecting the position of the industry, Microsoft proposed a set of norms that could be broken into three categories: norms of state behaviour related to cyber-offences, those related to cyber-defence, and norms for the global ICT industry that should complement the first two categories.
It is important to look at the specific roles of various stakeholders in each of the three categories, as McKay emphasised. While the norms related to offences dominantly require the participation of states with possess such capacities, cyber-defence also demands the participation of the CERT (computer emergency response team) communities.
The ICT industry has a particularly responsible role in the third category; for instance, while states should be required to report discovered or purchased vulnerabilities to vendors, in order to facilitate securing the products by promptly issuing patches, the ICT industry should develop procedures about how to respond to such disclosures, how to triage the reported vulnerabilities, and how to process them.
Microsoft didn't envisage its norms being codified by states through any of the existing processes, like the UN GGE, the OSCE or the ARF, McKay clarified. Instead, the intent is to offer them as a contribution to the discussions by states, and emphasise the important role other stakeholders should play in these processes.
Discussions that followed the presentation raised a number of important questions on which McKay commented, including the vulnerability of the Internet of Things and the responsibility of the ICT industry; the outlook of the current processes on cyber-norms and the ways stakeholders could be involved - including what McKay called G20+ICT20; the feasibility of cyber-disarmament, including the challenges related to dual-use of ICT and verification of the disarmament process; and the importance of comprehensive and sustainable capacity building, especially in developing countries.
The webinar recording is available here. McKay's presentation can be downloaded here, while the two discussed Microsoft documents are International Cybersecurity Norms: Reducing conflict in an Internet-dependent world and From Articulation to Implementation: Enabling progress on cybersecurity norms.
For future webinars, follow Diplo's calendar of events.