Export Compliance Daily is a Warren News publication.

Microsoft Proposes Cybersecurity Norms, Attribution Process Work

Microsoft proposed three sets of cybersecurity norms Thursday in a white paper aimed at government and industry. The three sets of proposed standards include offensive rules aimed at nation-states, industry-focused tenets and defensive customs aimed at both governments and the private sector. The proposed principles include ones addressing nonproliferation of cyber vulnerabilities, coordination on vulnerability disclosure practices and mitigation of government-initiated cyberattacks. “Norms should advance common objectives where possible, regardless of whether the norms are focused on offense, defense or industry,” said Microsoft Vice President-Trustworthy Computing Scott Charney in a blog post. “While there is a strong complementary structure for nation-state norms and industry norms, they vary in two important instances: nation-states possess the ability to create mass effects through offensive cyber activities; and the global ICT industry has the ability to patch all customers, even during conflicts between and among governments.”

Microsoft’s white paper also proposes a public-private forum for addressing the need for attribution of severe cyberattacks, saying further development of attribution processes is needed to make the company’s proposed cybersecurity "rules of the road" effective. “As governments commit increasing resources into offensive cyber capabilities, the global ICT industry must strengthen its resolve, and take active steps to prevent user exploitation through adherence to industry norms,” Charney said. “We must continue to raise the bar in our defensive capabilities to deter nation-states from targeting technology users.”