The role of cybernorms in preventing digital warfare

Today, leaders from NATO countries and partners are meeting in Warsaw for a landmark Summit. Cybersecurity will figure prominently on the agenda. Today’s security landscape has evolved since the first NATO summit held almost 60 decades ago. With threats becoming more hybrid in nature, the role of “cyber” has increased significantly; a state of affairs which the Summit is likely to recognize in designating cyber as the “fifth domain of warfare”.

In an increasingly hostile cyber-environment, where anonymous actors can often pursue aggressive offensive action with impunity, it’s clear that we need rules about how to behave in cyberspace. This means developing and implementing international norms for cybersecurity.

We’ve spoken previously before about the importance of cybersecurity norms for nation-states. While important progress has been made around near universal recognition that existing international humanitarian law applies to cyberspace, the normative framework ultimately rests on nation states’ willingness and ability to uphold, abide by and enforce such laws.

But this isn’t just a matter for governments – industry must play a role, too.

ICT services and infrastructure have become the battlefield for cyber warfare, whether directly targeted or simply used as the tools from which to launch offensive activities. Even when ICT services are not deliberately implicated, the intertwined nature of the Internet makes it challenging for those carrying out cyber-attacks to maintain precision or proportionality, which can result in unavoidable collateral damage. In the meantime, governments are looking to the ICT industry to help deal with the impact of cyber-attacks, since ICT service providers are often the first line of defense and response in any cyber-conflict.

In order to articulate our vision of how both industry and nation-states can help promote responsible behavior in cyberspace, Microsoft has published a new whitepaper; “From Articulation to Implementation: Enabling progress on cybersecurity norms”, building on our previous recommendations. But we’re not alone in recognizing the need for an industry role in cybersecurity norms. In its most recent report, the United Nations Group of Governmental Experts expressly highlighted that the private sector and civil society should both help develop cybersecurity norms.

Industry involvement is necessary to ensure norms are tangible, practical and accurate. However, in order for this to remain a constructive process, it is essential that rules for behavior in cyberspace take account of the fact that ICT providers cannot be expected to take sides in such conflicts – this risks undermining trust in their services.

In our new whitepaper we outline six proposed norms for the global ICT industry, which include a commitment by companies not to permit back doors into their products nor enable nation-states to adversely impact the security of commercial, mass market ICT products and services. Global ICT companies should issue patches to protect ICT users, regardless of the attacker and their motives. And global ICT companies should adhere to coordinated disclosure practices for the handling of ICT products and services.

Other recommended norms for the global ICT industry include proactive cooperation between different ICT companies to defend against nation-state attacks, and a commitment to helping the public sector identify, prevent, detect and respond to cyberthreats. You can view the recommendations in full here.

Finally, it’s worth noting that one of the biggest enablers of cyber conflict is the difficulty around proving who is responsible – namely the challenges to attribution. However, in an era when nation-states and their proxies can leverage offensive cyber tools to significant effect, leading to potentially large-scale unintended consequences, it is essential to establish mechanisms for improving attribution of attacks.

Verifying whether or not actors have stuck to the norms is not impossible, but it requires greater cooperation across geographic and organizational boundaries. One possible model is the International Atomic Energy Agency (IAEA), which is made up representatives from around the world, works on a peer review basis, and uses established criteria to conducts its verification work. Creating a similar organization for the verification of activities in cyberspace could help us make significant progress in exposing violators of agreed-upon norms of behavior. Many – in particular governments – may find this approach unworkable. But the reality is there is no existing, practicable framework or organization which can bring together the broad expertise necessary for this kind of work in a meaningful way.

Ultimately, the public and private sectors need to work together to establish, implement and defend acceptable behavior in cyberspace. This is not an abstract, otherworldly dimension; offensive cyber actions can have devastating consequences in the “real world”. The NATO Summit provides a prime opportunity for leaders to demonstrate their commitment to tackling this challenge. If the modern battlefield has moved online, then we must all meet this challenge with equal digital innovation and more effective collaboration.