Kaja opened discussion emphasizing the increasing role of the Internet in the world: “In 2005 Google Maps were just announced; Mark Zuckerberg has bought the facebook.com address and the number of people connected online reached 1 bln. Today over 3.4 bln people are online; Facebook alone has more users than the internet had in 2005, similarly, over a 1 bln people use Windows”. According to the data demonstrated by the expert over the next decade, the number of Internet users will grow to 5 bln, connecting more than 91% of people in developed countries and nearly 69% of those in emerging economics. These changes bring a lot of opportunities (cloud computing; IoT, etc.), but they also contain many threats (surveillance; disruption of connectivity; “impact of pressing a button”; control of online environment; rise of cities, etc.), when any escalation of hostilities could result in catastrophic consequences.

Kaja Ciglic

In these conditions governments might perform protective functions: create laws and policies in support of cybersecurity and critical infrastructure protection, but they also might exploit networks in a different way (including economic espionage, military espionage, and military operations). “This development of defensive and offensive cyberspace capabilities will promote cyber insecurity between nation states, especially without a normative framework around those capabilities”, — told Kaja. As a result, in order to bring predictability, stability, and security to the international environment cybersecurity norms are needed. 

According to the internal Microsoft research in the last 6 months, 95 countries have discussed legislative initiatives focused on cybersecurity. “Two categories of norms — offensive norms and defensive norms — have emerged. For instance, over 40 countries declared offensive capabilities (top 5 – the US, China, Russia, Iran, UK). There are also interesting cases, when, for example, despite lack of infrastructure Zimbabwe decided to invest in offensive capabilities”, — said the expert.

Youri Dranev and Kaja Ciglic

However, norms are not just for governments. Kaja highlighted that global ICT providers, who make global, mass-market products, in order to protect their customers and increase confidence in global ICT, must also drive this process. For instance, Microsoft has put forward 7 cybersecurity norms both for nation-states and global ICT industry actors. These norms are based on following principles: 

1. maintenance of trust;
2. coordinated approach to vulnerability handling;
3. non-proliferation of vulnerabilities;
4. mitigation of the impact of nation-state attacks;
5. prevention on creating mass-events;
6. support of response efforts;
7. patch customers globally.

Kaja also mentioned high importance of civil society and academia in the process of creating the norms. “Governments might avoid development of cybersecurity norms that limit conflict because they have concerns about the impact to their national security options. This view is short-sighted, since it erodes the confidence of enterprises, citizens, and other governments” — believes the expert. “In efforts to improve cybersecurity, the need for multiple stakeholders is an operational reality”, — concluded Kaja. 

During Q&A session participants of the meeting agreed that we can be more secure, but we will not be totally secure. Security takes time and lots of effort. But security is a great opportunity which drives innovation and promotes economic growth! 

Text: Elza Ganeeva

All photographs from the event