Microsoft on Cybersecurity Norms

Contributed by Caitríona H. Heinl


26 July 2016

This blog is based on the Microsoft paper released last month, “From Articulation to Implementation: Enabling progress on cybersecurity norms” [1]. In sum, the key policy discussions fall under four headings: 1) The importance of a role for global ICT industry in cybersecurity norms development and implementation; 2) A description of three categories of norms identified as offensive, defensive, and industry norms (plus recommendations for each); 3) Norms that have been proposed for nation states, but also six norms specific to industry; and 4) Analysis of the future challenges associated with verification of norms compliance.


The paper is a must read for those interested in the future of cyber norms development and implementation, but also for those who want to know how members of the global ICT industry are protecting their business and individual interests. At this juncture, stakeholders are not only developing norms and confidence building measures but also trying to operationalise those already agreed. The next UN Group of Governmental Experts is, for instance, due to meet this coming August with a view to reporting to the General Assembly in 2017 [2]. This Microsoft paper therefore aims to provide a framework based on its experience in this field in order to guide such future discussions on developing further cybersecurity norms. It also examines problems associated with their implementation, especially for verification where both technical and strategic attribution challenges may arise.


1) Role of the Global ICT Industry in Cybersecurity Norms

It is argued that industry must have a role in this space for reasons that include the impact on customers, products, and services; the reality that commercial mass-market ICT and the underlying infrastructure are often the “battlefield” for cyber conflicts or the conduits for other attacks; and the fact that collateral damage to the ICT ecosystem from attacks against government targets can be hard to predict. In particular, global ICT industry input is argued to be essential to ensure practical guidance and to ensure that the language of cybersecurity norms is in fact accurate, reflecting “the realities of defending technology users at global scale”. The hoped-for result is a higher success rate in norms implementation.


Microsoft further supports these conclusions by arguing that industry has engaged in norms development in other fields where private sector engagement has been perceived as vital for the success of norms (examples include the Financial Action Task Force (FATF) and International Civil Aviation Organization). In fact, the latest UN GGE report in 2015 specifically notes that international cooperation would benefit from appropriate participation of the private sector, academia and civil society [3]. Whatever the most suitable model might be, it is clear that the global ICT industry wants, and needs, a space to contribute constructively to developments related to both the development and implementation of cyber norms [4].


2) Three Categories: Offensive, Defensive, and Industry Norms

The paper then provides a framework for norms, within three categories (offensive, defensive, and industry norms), that clearly outlines the actors involved, the main objectives, the actions required, the primary impacts, and the forums considered most relevant for achieving these goals. For the first category, norms to guide offensive operations in cyberspace, it finds that there is growing convergence on these norms, which generally aim to ensure that governments exercise some self-restraint. Notably, while the paper asserts that intergovernmental forums should lead further development of this category of norms, it specifically highlights several such forums, including the G20, the London (or GCCS) process, the OSCE, the SCO, the UN GGE, and UNIDIR.


Defensive norms are described as those norms that enable cybersecurity risk management through enhanced defences and incident response. An example might be protecting the ICT supply chain or responsibly handling vulnerabilities. Again, the paper finds that there is convergence around these norms too. These norms reflect that cyber defence is a collaborative exercise requiring cross-border partnerships and joint action. Some of these defensive norms are even said to complement offensive norms. However, the paper asserts that most norms proposals relating to defensive norms fail to acknowledge that they need engagement from “cyber defenders across the public and private sectors”. It recommends that dialogue on these types of norms should be through collaborative processes, like “cyber defence organisations” such as FIRST, engagements with like-minded countries via MLATs, and UNODC.


The third category, norms for the global ICT industry, is viewed as necessary since technology users, both in enterprises and at the consumer level, also have expectations of the ICT industry. A distinction is drawn, however, between global ICT providers, in other words global mass-market suppliers aiming to protect their customers and operating in a global marketplace (who, it is felt, should be bound by certain expectations), and those who may participate in offensive activities, may help one customer attack another, or may work for a specific government. In short, it is argued that global ICT providers must agree to certain norms that enhance trust in ICT systems. The end goal is to increase confidence in the global ICT supply chain, as well as to signal to governments that these global providers will help to protect ICT users (in other words, will not help to exploit them).


3) Norms Proposed for Both Nation States and Industry

The paper argues that while there is complementarity between norms for states and industry, there are two distinct differences: 1) States have the ability to cause mass effects with offensive cyber activities; and 2) the global ICT industry has the ability to patch all customers, including during conflicts between governments. The table below is from the paper and it clearly outlines Microsoft’s set of six norms for states and industry respectively [5]. The six industry norms are either current practice or proposed goals for the global ICT industry.



Desired impacts of Microsoft’s proposed norms, with the cybersecurity norms proposed by Microsoft for nation-states and for the global ICT industry:

Desired impact: Maintain trust
  Nation-states: States should not target global ICT companies to insert vulnerabilities (backdoors) or take actions that would otherwise undermine public trust in products and services.
  Global ICT industry: Global ICT companies should not permit or enable nation-states to adversely impact the security of commercial, mass-market ICT products and services.

Desired impact: Coordinated approach to vulnerability handling
  Nation-states: States should have a clear, principle-based policy for handling product and service vulnerabilities that reflects a strong mandate to report them to vendors rather than to stockpile, buy, sell, or exploit them.
  Global ICT industry: Global ICT companies should adhere to coordinated disclosure practices for handling of ICT product and service vulnerabilities.

Desired impact: Stop proliferation of vulnerabilities
  Nation-states: States should exercise restraint in developing cyber weapons and should ensure that any which are developed are limited, precise, and not reusable.
  Global ICT industry: Global ICT companies should collaborate to proactively defend against nation-state attacks and to remediate the impact of such attacks.

Desired impact: Mitigate the impact of nation-state attacks
  Nation-states: States should commit to nonproliferation activities related to cyber weapons.
  Global ICT industry: Global ICT companies should not traffic in cyber vulnerabilities for offensive purposes, nor should ICT companies embrace business models that involve proliferation of cyber vulnerabilities for offensive purposes.

Desired impact: Prevent mass events
  Nation-states: States should limit their engagement in cyber offensive operations to avoid creating a mass event.
  Global ICT industry: No corresponding norm for the global ICT industry.

Desired impact: Support response efforts
  Nation-states: States should assist private sector efforts to detect, contain, respond to, and recover from events in cyberspace.
  Global ICT industry: Global ICT companies should assist public sector efforts to identify, prevent, detect, respond to, and recover from events in cyberspace.

Desired impact: Patch customers globally
  Nation-states: No corresponding norm for nation states.
  Global ICT industry: ICT companies should issue patches to protect ICT users, regardless of the attacker and their motives.




4) Looking Forward

Finally, the challenge of verifying norms compliance receives much attention in the paper, since norms implementation and holding perpetrators to account are seen as the measures by which the impact of norms is weighed. A key takeaway is that, while there are challenges, norms verification is not in fact impossible in this field. The paper then provides a short analysis of verification, explaining that both the public and private sectors have the technical capabilities to attribute attacks (including through methods such as tradecraft, target selection, artifacts, and specialised knowledge). However, even where such attribution is possible and intent is clear, the next step that is in the best interests of a state is not always certain. It therefore argues that, in the absence of a routine process for identifying inappropriate activity, verifying adherence to cybersecurity norms is difficult and the norms themselves may then be undermined.


To resolve this issue, the paper recommends considering a model similar to the International Atomic Energy Agency (IAEA), whereby governments and the private sector can provide evidence to support technical attribution and validation is achieved through peer review. Such a “public/private international body” would comprise technical experts from government, the private sector, academia and civil society, providing technical analysis of an attack and evidence of attribution. For governments to accept such an independent organisation, though, the paper recommends that it be structured to promote global acceptance. This may mean factors such as: 1) Very strong technical expertise; 2) Diverse geographic representation; 3) Only undertaking analyses of significant cyber attacks that concern a small set of norms; and 4) Placing its attribution reports under peer review to ensure better results.

By Caitríona Heinl


[1] The full report is available at:, June 2016.




[3] Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security,, July 2015.


[4] For another discussion on the role of the global ICT industry, see the chapter “Technological Integrity and the Role of Industry in Emerging Cyber Norms”, Ilias Chantzos (Symantec) and Shireen Alam, in “International Cyber Norms Legal, Policy & Industry Perspectives”, NATO CCD COE, 2016.


[5] See also “International Cybersecurity Norms: Reducing conflict in an Internet-dependent world”, Microsoft white paper, 2014.