What Microsoft needs to get right about cyber norms

In my recent essay for the Centre for Internet & Society, I surmised that the current initiatives to derive cyber norms within the ambit of international law could be incongruous with the technical dynamics of cyber operations. I shed light on the critical fissures in global attempts to establish normative frameworks for cyberspace.

I built my argument upon the two fundamental parameters of power in cyberspace – disanalogy and disintermediation – which remain under-researched and largely ignored by the policy community.

Disanalogy challenges the teleological approach of applying international law to cyber operations, hinged on the highly questionable legal assumptions of “reasoning by analogy.” Disintermediation refers to the dissolution of statist power within the architectural abstractions of cyberspace – mostly controlled by the private sector.

Nonetheless, I also stressed that the mantle of cyber norms – the faint sliver of hope of deriving responsible state behaviour in cyberspace – may actually lie with corporations, not countries.

Microsoft and its multi-stakeholder initiatives like the Cybersecurity Tech Accord and CyberPeace Institute – and its departments like Digital Diplomacy, Defending Democracy and Microsoft Threat Intelligence Centre – could end up carving a robust geopolitical alliance in cyberspace; more powerful than any multilateral effort.

While Microsoft’s vision is splendid, it is plagued with the same old contradictions that made previous such efforts toothless.

The proverbial proof of the pudding lies in the applicability of normative frameworks to the extant geopolitical climate of cyberspace. In that respect, not even a single policy or doctrinal project passes muster.

An excuse that it is too soon to expect anything concrete may have been valid a decade ago, but not when the fourth generation of cyber warriors is goose-stepping into the battlefield.

In fact, I reasoned in my essay that, while militaries may be assiduously divorcing their doctrines from the impracticality of international law, the policy community chooses to stick to dogma.

Microsoft cannot afford to squander this opportunity away. Assuming that the company’s missionary zeal stems from its unwavering commitment to cyber stability – and not some shrewd calculation around business risks – its approach should undergo course-correction.

Firstly, an overemphasis on cyber norms could, in reality, be stymying the policy effort. More than norms, we need to derive the essential parameters of cyber operations, thus organically laying the foundation of customary law for cyberspace.

To paraphrase Selmer Bringsjord from my essay, “Augustine and Aquinas had a stunningly long run…Today’s world, based as it is on digital information…points the way to a beast so big and so radically different, that the core of this duo’s insights needs to be radically extended.”

In an almost confessional account of the United Nations’ Governmental Group of Experts (GGE), right after it came crashing down in 2016, Michele Markoff, the then US envoy to the GGE, recommended “interleaving strategies” – defence, declaratory policies, alliance activities, and norms of behaviour.

Microsoft could tick all the boxes.

The private sector has enviable access to telemetry and intelligence, mirroring capabilities like planet-scale counterintelligence and deterrence that were earlier limited to state actors (I expect the readers to be patient as I refer to my essay again and again). However, it has shied away from explicit declaratory signalling. Such signalling probably hampers the private sector’s business priorities, but a global forum led by the likes of Microsoft could neutralise that risk. At best, leading threat intelligence companies have occasionally behaved like Track 1.5/2 interlocutors.

Microsoft’s recent emphasis on Russia-enabled phishing or disinformation under its Defending Democracy program is one such miscalculation. It is also a kind of declaratory signal, but one which only fosters the inequity of power.

Rather, Microsoft could have made a more public effort in detailing the profile of, say, prolific threat actors like PLATINUM. The unadvertised discretion of the industry in naming and shaming only intensifies suspicion among cyber adversaries – which is a major detriment to confidence-building.

The “Digital Geneva Convention” first needs to sport the blindfold of Lady Justice.

The problem with the array of resolutions and goals adopted by cyber norms initiatives is that they are founded on inequity. Issuing “black-letter rules” like do not attack electoral infrastructure or do not hack computer emergency response teams may end up creating the wrong kind of customary law – only aggravating abuse and impunity. We saw that in the case of targeted assassination programs.

Requiring cyber actors to avert or ignore a “barred” attack surface is an extremely flawed idea, if not a tragicomic one. It betrays the policy community’s ignorance of even the basic constraints of cyber operations, like cost-benefit calculations, concepts of operations, geopolitical imperatives, and doctrinal lineages.

What would happen if you impose the same set of blanket restrictions on resource-stricken North Korean operators coding their offensive toolchains in the Microsoft Foundation Class library and the National Security Agency which has had a 100-year hegemony on encryption?

You will have massively funded A-teams enjoying compliance with black-letter rules – but not necessarily with international law – while D-teams get painted as global villains. Borderline rogue actors may get castigated and left out from the norm-setting process, only encouraging the weaponisation of cyberspace. As is happening now, norm-violation would become the sole avenue of norm-setting.

However, Microsoft has stuck to the hackneyed narrative of the applicability of international law in its current form, endorsing blanket restrictions. The Global Commission for the Stability of Cyberspace (GCSC) recently released a dossier amid much fanfare, furthering the same arcane philosophy. GCSC’s only contribution was to the carbon footprint, as it flew participants to exotic locales.

While I am not a lawyer, a question often comes to my mind: could the International Court of Justice revisit its ambiguous stance on information operations? That is the first reform that I want in international law.

The real threat of cyber operations lies in the cognitive dimension, not “deceive, degrade, deny, disrupt and destroy.” In fact, all cyber operations are information operations in disguise (again, my essay). The exposition of the policy community on it has been paltry.

The world needs a platform that brings cyber adversaries to the negotiating table with some coercion and a lot of incentivisation. Microsoft is sitting on data required to map cyber operations to a new international relations taxonomy.

Private sector alliances – by being more open and neutral about attack attribution, adversarial intent and capabilities, and targeting criteria – may lower the incentives while increasing the costs of cyber actions. That may force various actors to the negotiating table.