Ted S. Warren/Reuters/Pool
Chinese President Xi Jinping (R) talks with Microsoft CEO Satya Nadella during a tour of Microsoft's main campus in Redmond, Washington September 23, 2015.

Microsoft proposes international code of conduct for cyberspace

The tech giant has suggested a set of rules that include proactive security disclosures and establishing global regimes to stop the spread of digital weapons.

At a time when the web is emerging as the new front for global conflicts, increasingly raising issues about consumer privacy and security, Microsoft has proposed a set of standards for how corporations and countries should engage in these digital battles.

With a lack of consensus among governments about the red lines for digital espionage, Microsoft is attempting to leverage its position in the global tech marketplace and lead the conversation around standards for how countries should conduct cyberoperations. 

"In some ways, companies like Microsoft are major cyberpowers in the way that nations are in terms of their influence on what happens on the internet," says Bruce McConnell, global vice president of the EastWest Institute, an independent think tank. "It makes sense for companies to step up to those responsibilities."

In its recommendations released Thursday, Microsoft is pushing for states and technology firms to team up to halt the lucrative sale of nonpublic security flaws – or "zero-day" vulnerabilities – that are used in cyberattacks or espionage operations. 

The report also calls on governments to stop demanding that tech companies intentionally insert vulnerabilities, or so-called "backdoors," into products to create access for intelligence and law enforcement agencies, a sentiment also expressed by Facebook, Google, Yahoo, and other firms following the recent legal battle between Apple and the FBI over access to the iPhone used by the shooter in the San Bernardino, Calif., mass shooting.

"The development of cybersecurity norms will require new forms of cooperation and possibly even new mechanisms or organizations to effectively deal with the new challenges of today and tomorrow," says the Microsoft report, adding that the challenge will require tech companies to "strengthen their resolve and take active steps to prevent exploitation and adhere to a very clear set of cybersecurity norms that focus exclusively on protecting users."

The effort to develop more stringent standards for the digital world doesn’t mark the first time that Microsoft has gotten involved in efforts to influence tech policy. Led by Brad Smith, its president and chief legal officer, the company has long taken a leading role in international tech policy issues.

In April, the company sued the Justice Department to stop investigators from accessing customer emails, the latest development in a protracted legal fight over whether the US government can compel Microsoft to release data from servers based in Ireland with a search warrant in a drug case. 

But as global politics are increasingly intertwined with US tech interests, American tech companies are becoming more vocal about digital politics in Washington as well as in Brussels. Google, for instance, has also gotten increasingly entangled with EU data officials in recent months, as European officials have taken aim at the company’s claims that its Android mobile software is truly open source.

Microsoft's report also follows several efforts to enshrine cybersecurity rules on the international stage. In November, a United Nations committee focused on disarmament issues approved a report that applies portions of the UN charter to cyberspace, and calls on states to stop hacking critical infrastructure and interfering with computer incident response teams that respond to cyberattacks.

Microsoft first floated a range of potential cybersecurity rules two years ago – including clearer bug reporting procedures between states and the private sector and limits to offensive attacks in cyberspace. But Thursday's report indicates that tech companies have a bigger role to play in the promulgation and enforcement of those rules, by providing consistent patches to protect internet users and developing collective defenses to protect against cyberattacks.

There could be movement on that level already. Launched in 2014, the Cyber Threat Alliance, which includes cybersecurity companies such as Fortinet, McAfee, Palo Alto Networks, and Symantec, provides a formal mechanism for antivirus companies to share intelligence on malicious software that could threaten consumers and indicators of compromised machines – possibly providing a window into what a larger defensive network could look like.

Coming just a week after NATO Secretary General Jens Stoltenberg said that a cyberattack could trigger a collective military response from the alliance, Microsoft also calls for an international verification mechanism to help companies and governments attribute digital attacks, similar to the International Atomic Energy Agency, which creates and enforces safeguards for nuclear weapons.

"Our goal is to contribute to the development of frameworks and practices that protect people and companies from the effects of state-sponsored cyber operations," Scott Charney, vice president for Microsoft’s Trustworthy Computing Group, wrote in the white paper.

Some experts also think Microsoft's proposals – if widely adopted – could eventually lead to reduced conflict in cyberspace, making the web safer for regular users.

"Anything that makes cyberspace less risky for consumers is a step in the right direction," says James Lewis, a senior fellow at the Center for Strategic and International Studies. "These norms would do that."

