Over the past two months, I have travelled around Europe and Africa far more than I have been at home. So have many of my colleagues. And while I wish wanderlust were the primary driver for our travels, the travel has been driven by a growing regional interest in developing effective long-term cybersecurity policy strategies and frameworks. Policy makers are increasingly aware of how connected, and conversely how vulnerable, their critical systems are to attack. They are taking steps to address cybersecurity risk for critical systems and to raise the levels of understanding and awareness of the dangers online across all users of cyberspace.
It is particularly encouraging to see that governments are open to new ideas and committed to not “reinventing the wheel”. It is great to see policy makers actively seeking out examples of what has been done elsewhere and worked well. While it is clear that a “copy and paste” approach does not work, there are many policy principles and approaches that can be harmonized. We outline many of those in our paper on National Cybersecurity Strategies.
Initiatives such as the European Union legislative push, seeking to increase and unify security baselines across its 28 member states, and the African Union Convention on Confidence and Security in Cyberspace, which attempts to provide a template for basic legislation across the continent, are to be welcomed despite some of the inherent challenges. Improving cybersecurity in a way that harmonizes rules and regulations for service providers will lead to economies of scale and ensure the limited resources we have available are targeted at tackling critical challenges, rather than being diffused across countless jurisdictions.
What is also heartening is the fact that governments are not only looking to learn from each other, but from other players in this field, including from private sector participants. Microsoft has a history of working with not only governments, such as supporting the UK capacity building efforts, but universities and international organizations to develop trainings and share our understanding of how the online ecosystem is developing. Our knowledge is based on a determined effort to protect our own network and our customers, a practice developed and honed over the past 15 years. Moreover, our global footprint allows us to see where new threats and vulnerabilities are emerging, information we make available in our Security Intelligence Report. It also gives us the ability to understand connections between criminal enterprises, which may not be apparent to authorities focusing on a single jurisdiction, through the work done by our Cybercrime Center.
We have tried to combine this unique broad understanding of the global cybersecurity policy environment in recent workshops we conducted in Poland and South Africa, two countries with very different histories and therefore very different approaches to regulation overall. However, it quickly became clear that the thirst for knowledge and tried and tested approaches was common to both. Moreover, the broad principles we outlined for developing national cybersecurity strategies, as well as initiatives for protecting the critical infrastructures, held true. Focusing on the desired end state rather than prescribing the means to achieve it, understanding what the greatest risks are and prioritizing those, respecting privacy and ensuring that international standards are integrated in any framework that is developed were seen as essential to any policy consideration.
However, as with other events we participated in over the past few months, whether they were in Slovakia, Denmark, the Netherlands, Ethiopia, Brussels or London, a key question that remained was whether states can not only begin to learn from one another, but play with each other. Specifically, can we build an effective framework for cybersecurity norms? Last year, my team released a document outlining 5 principles for cybersecurity norms and in the coming months we are looking forward to continuing this debate.