Microsoft proposes international code of conduct for cyberspace

The tech giant has suggested a set of rules that include proactive security disclosures and establishing global regimes to stop the spread of digital weapons.

Chinese President Xi Jinping (R) talks with Microsoft CEO Satya Nadella during a tour of Microsoft's main campus in Redmond, Washington September 23, 2015.

Ted S. Warren/Reuters/Pool

June 23, 2016

At a time when the web is emerging as the new front for global conflicts, increasingly raising issues about consumer privacy and security, Microsoft has proposed a set of standards for how corporations and countries should engage in these digital battles.

With a lack of consensus among governments about the red lines for digital espionage, Microsoft is attempting to leverage its position in the global tech marketplace and lead the conversation around standards for how countries should conduct cyberoperations. 

"In some ways, companies like Microsoft are major cyberpowers in the way that nations are in terms of their influence on what happens on the internet," says Bruce McConnell, global vice president of the EastWest Institute, an independent think tank. "It makes sense for companies to step up to those responsibilities."


In its recommendations released Thursday, Microsoft is pushing for states and technology firms to team up to halt the lucrative sale of nonpublic security flaws – or "zero-day" vulnerabilities – that are used in cyberattacks or espionage operations. 

The report also calls on governments to stop demanding that tech companies intentionally insert vulnerabilities, or so-called "backdoors," into products in order to create access for intelligence and law enforcement agencies. Facebook, Google, Yahoo, and other firms expressed a similar sentiment following the recent legal battle between Apple and the FBI over access to the iPhone used by the shooter in the San Bernardino, Calif., mass shooting.

"The development of cybersecurity norms will require new forms of cooperation and possibly even new mechanisms or organizations to effectively deal with the new challenges of today and tomorrow," says the Microsoft report, adding that the challenge will require tech companies to "strengthen their resolve and take active steps to prevent exploitation and adhere to a very clear set of cybersecurity norms that focus exclusively on protecting users."

The effort to develop more stringent standards for the digital world doesn’t mark the first time that Microsoft has gotten involved in efforts to influence tech policy. Led by Brad Smith, its president and chief legal officer, the company has long taken a leading role in international tech policy issues.

In April, the company sued the Justice Department to stop investigators from accessing customer emails, the latest development in a protracted legal fight over whether the US government can compel Microsoft to release data from servers based in Ireland with a search warrant in a drug case. 


But as global politics are increasingly intertwined with US tech interests, American tech companies are becoming more vocal about digital politics in Washington as well as in Brussels. Google, for instance, has also gotten increasingly entangled with EU data officials in recent months, as European officials have taken aim at the company’s claims that its Android mobile software is truly open source.

Microsoft's report also follows several efforts to enshrine cybersecurity rules on the international stage. In November, a United Nations committee focused on disarmament issues approved a report that applies portions of the UN charter to cyberspace, and calls on states to stop hacking critical infrastructure and interfering with computer incident response teams that respond to cyberattacks.

Microsoft first floated a range of potential cybersecurity rules two years ago – including clearer bug reporting procedures between states and the private sector and limits to offensive attacks in cyberspace. But Thursday's report indicates that tech companies have a bigger role to play in the promulgation and enforcement of those rules, by providing consistent patches to protect internet users and developing collective defenses to protect against cyberattacks.

There could be movement on that level already. Launched in 2014, the Cyber Threat Alliance, which includes cybersecurity companies such as Fortinet, McAfee, Palo Alto Networks, and Symantec, provides a formal mechanism for antivirus companies to share intelligence on malicious software that could threaten consumers, as well as indicators of compromised machines – possibly providing a window into what a larger defensive network could look like.

Coming just a week after NATO Secretary General Jens Stoltenberg said that a cyberattack could trigger a collective military response from the alliance, Microsoft also calls for an international verification mechanism to help companies and governments attribute digital attacks, similar to the International Atomic Energy Agency, which creates and enforces safeguards for nuclear weapons.

"Our goal is to contribute to the development of frameworks and practices that protect people and companies from the effects of state-sponsored cyber operations," Scott Charney, vice president for Microsoft’s Trustworthy Computing Group, wrote in the white paper.

Some experts also think Microsoft's proposals – if widely adopted – could eventually lead to reduced conflict in cyberspace, making the web safer for regular users.

"Anything that makes cyberspace less risky for consumers is a step in the right direction," says James Lewis, a senior fellow at the Center for Strategic and International Studies. "These norms would do that."