Microsoft proposes international code of conduct for cyberspace

June 23, 2016

Jack Detsch

At a time when the web is emerging as the new front for global conflicts, increasingly raising issues about consumer privacy and security, Microsoft has proposed a set of standards for how corporations and countries should engage in these digital battles.

With a lack of consensus among governments about the red lines for digital espionage, Microsoft is attempting to leverage its position in the global tech marketplace and lead the conversation around standards for how countries should conduct cyberoperations. 

"In some ways, companies like Microsoft are major cyberpowers in the way that nations are in terms of their influence on what happens on the internet," says Bruce McConnell, global vice president of the EastWest Institute, an independent think tank. "It makes sense for companies to step up to those responsibilities."

Recommended: Are China's hackers shying away from US targets?
In its recommendations released Thursday, Microsoft is pushing for states and technology firms to team up to halt the lucrative sale of nonpublic security flaws – or "zero-day" vulnerabilities – that are used in cyberattacks or espionage operations. 

The report also calls on governments to stop demanding tech companies intentionally insert vulnerabilities, or so-called "backdoors," into products that would create access for intelligence and law enforcement agencies, a similar sentiment expressed by Facebook, Google, Yahoo, and other firms following the recent legal battle between Apple and the FBI over access to the iPhone used by the shooter in the San Bernardino, Calif., mass shooting.

"The development of cybersecurity norms will require new forms of cooperation and possibly even new mechanisms or organizations to effectively deal with the new challenges of today and tomorrow," says the Microsoft report, adding that the challenge will require tech companies to "strengthen their resolve and take active steps to prevent exploitation and adhere to a very clear set of cybersecurity norms that focus exclusively on protecting users."