Despite the differences that exist between governments, there is a growing recognition around the world that attacks on the security and stability of the Internet threaten all nations’ interests. The reality driving this alignment is that both emerging and developed economies are internet-dependent and, equally significantly, that malicious actors can use ubiquitous technologies to attack critical systems and infrastructure.
While cybercrime by non-state actors must be dealt with, it is also increasingly clear that governments need to carefully consider the impacts of their own military and intelligence actions in cyberspace, as well as those of their peers. Without some norms of state behavior in cyberspace the world could experience weakening of international security, national security, and even public safety. The potential erosion of trust citizens, consumers, and businesses have in globally interconnected information technology systems could significantly undermine our global economy.
Against this background, the United Nations Group of Governmental Experts (UN GGE) began its next round of discussions on cybersecurity norms and confidence building measures in New York at the end of August. This new session, due to report back to the UN General Assembly in September 2017, will have to tackle a wide range of thorny issues, one of which will be the question of applicability of international law to cyberspace. How can concepts such as “use of force” be applied? How should cyberweapons be classified – as conventional weapons, weapons of mass destruction, or something else? And, as if these questions weren’t complex enough, the UN GGE is going to have to consider valid ways to handle non-state actors or quasi-non-state actors when they threaten a nation’s critical systems.
The re-convening of the UN GGE also represents an opportunity to take stock of the norms debate so far, as well as to explore the different roles government and private sector could play in enhancing global online security. Microsoft has for some time argued that a decision-making framework is needed to help governments balance their roles as users, protectors, and exploiters of the internet. This is not an easy task for governments as they can be confronted with seemingly conflicting priorities, e.g. securing immediate economic advantages or ensuring longer-term growth of a digital economy.
Two years ago, Microsoft set out our own proposals around a cyber-norms framework. Our view, then and now, is that government decisions should be interrogated through the lens of the various actors in cyberspace. Each actors’ objectives, the actions they could take in pursuit of those objectives, and the potential impacts of a particular decision all need to be considered. Framed this way, the norms conversation can become more precise, focusing on discussing acceptable and unacceptable objectives, which actions may be taken in pursuit of those objectives, what the possible impacts of those actions are, and whether they are acceptable for a civilized, connected society.
Microsoft will, of course, make what contributions we can to the UN GGE and the other processes taking place to build a secure and lasting global approach to cyberspace. Our collective progress towards that goal can, I think, be judged against four key criteria. First, the approach must be practicable, rather than technically very challenging to achieve. Second, risks from complex cyber events and disruptions that could lead to conflict should be demonstrably reduced. Third, observable behavioural change needs to occur, change that clearly enhances the security of cyberspace for states, enterprises, civil society, and individual stakeholders and users. Fourth, and finally, existing risk-management concepts should be harnessed to help mitigate against escalation or to manage the potential actions of involved parties if escalation is unavoidable. Only when these criteria, or ones much like them, are met can the world feel confident in the future of the Internet, and in the economies and societies that are now dependent upon it.