Last year Microsoft put forward six cybersecurity norms with the aim of reducing conflict in cyberspace and protecting global trust in technology. They offer considerations for limiting nation-state activity against commercial, mass-market ICT; responsible handling of ICT vulnerabilities and cyber weapons; appropriate conduct of offensive operations in cyberspace; and support for private sector management of cyber events. However, while we remain the only industry player to offer a proposal in this space, the dialogue on cybersecurity norms has evolved even since then.
Indeed, stakeholders from government, academia and civil society have put forward a number of proposals for cybersecurity norms, seeking to address a spectrum of challenges caused by the exploitation of ICT systems. While the proposals are not uniform, they overlap enough that the discussion has slowly begun to evolve from a conceptual debate about the rights and responsibilities of nation-states towards more clearly articulated norms. The key proposals driving the debate are:
- the Code of Conduct drafted by the Shanghai Cooperation Organization in January 2015;
- the U.S. Government proposal from May 2015;
- recommendations put forward by the UN Group of Governmental Experts in June 2015;
- agreement between the United States and China in September 2015 regarding cyber-enabled theft of intellectual property, law enforcement collaboration, and other cybersecurity measures; and
- the G20 Communiqué on cyber-enabled theft of intellectual property, privacy, and international collaboration for cybersecurity.
However, even as these proposals begin to take root among governments, many question the feasibility of their implementation. Governments have acknowledged the centrality of international law in cybersecurity norms, but international legal instruments often cannot address the complexity of cyberspace, particularly in non-conflict, short-of-war scenarios. Attribution of cyberattacks is arguably the most prominent example of this gap: it has been argued that without attribution, particularly a determination of whether an attack was perpetrated by a government or its proxies, the implementation of norms will lack accountability and therefore lack credibility as a policy tool.
Attribution is not impossible, but it can be difficult from both technical and international relations perspectives. The latter represents a typical challenge in diplomatic relations: nation-states might choose not to act on particular intelligence for reasons unrelated to cybersecurity, and this lack of action might in the long run undermine the framework itself. From a technical perspective, the private sector has been analyzing attacks and their origins for many years in defending the online environment, irrespective of whether the attacks may have been sponsored or conducted by a state. Indeed, several global ICT companies, including Microsoft, have adopted policies and practices designed to alert users of popular online services when it appears that nation-states have targeted them.
In our view, these policies and practices can lay the groundwork for future collaboration with other norms stakeholders to drive accountability in nation-state behavior and, ultimately, to protect ICT users from compromise of their data by nation-states. As indicated, we believe implementation is only possible as a two-part process involving both a technical assessment of the nature of the attack and a political determination about nation-state responsibility. These are topics that we will address here and in a forthcoming paper in the months to come.