Cybersecurity Norms for a Secure Cyber-Future

I’m pleased today to introduce a guest blog post by Jan Neutze, a senior global security strategist on my team who focuses on cybersecurity norms and Internet governance. Jan is speaking today at the Atlantic Council of the United States and shares insights on ways to build a more secure cyber future by advancing international collaboration on cybersecurity.

This week Microsoft’s Global Security Strategy and Diplomacy (GSSD) team is partnering with the Atlantic Council of the United States, a notable Washington, DC-based think tank, on a project called Building a Secure Cyber Future. The project focuses on improving cybersecurity at the nation state level by focusing on shared interests, building communities of like-minded actors, and leveraging the cybersecurity experience of the private sector.

The partnership was launched today at an event held in Washington, DC which – on the fifth anniversary of the cyberattacks directed against Estonia in 2007 – aims to highlight the importance of planning and preparedness while examining what role international cybersecurity norms can play in building a safer ecosystem.  “Building a Secure Cyber Future” is part of the “Cyber Statecraft Initiative” and the Council’s much-noted paper on Five
Futures on Cyber Conflict and Cooperation
, which outlines possible scenarios for cooperation over the next decade.

This effort comes at an important time as governments around the world continue to express concerns about “cyber-insecurity”.  In part, these concerns are fueled by a proliferation of cybercrime, increasingly sophisticated malware and exploit methods, as well as possible conflicts in cyberspace.  To mitigate these concerns of cyber insecurity, some governments have proposed an international treaty or codes of conduct. Other governments, concerned about unintended consequences such a treaty may have on innovation and freedom of speech, support voluntary principles for cybersecurity “norms”. These discussions have mainly been held among nation-state
governments, for instance at the United Nations, and often without meaningful industry participation.

This August, more than a dozen countries are coming together under the auspices of the United Nations for another round of negotiations of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (referred to as the “GGE”).  The GGE will likely evaluate the pros and cons of an international code of conduct for behavior in cyberspace and potential confidence-building measures as possible first steps. 

To note, private sector is often not represented or marginally involved in these meetings.  At the same time, it is the private sector which owns and operates the majority of the global networks and services that make up cyberspace. And during actual cyber-incidents such as the attacks against Estonia in 2007, it is the private sector that is critical to effective incident response, often relying on trusted communities of engineers, network operators, and many other experts from outside of government. Meaningful discussions on cybersecurity would therefore benefit from industry participation. Governments together with private sector and other relevant stakeholders can collaboratively examine and develop effective cybersecurity
norms – both at the national and international level – improving risk management and resiliency. Cyber insecurity is best addressed by a transparent process with relevant stakeholders from government and the private sector – and the
Microsoft-Atlantic Council project aims to contribute to exactly that.

About the Author
Paul Nicholas

Senior Director, Trustworthy Computing

Paul Nicholas leads Microsoft’s Global Security Strategy and Diplomacy Team, which focuses on driving strategic change, both within Microsoft and externally, to advance infrastructure security and resiliency. His team addresses global challenges related to risk management, incident response, emergency communications, Read more »