Microsoft's National Cybersecurity Policy Framework: Practical Strategy or Non-Starter?
15.8.18 securityweek Safety
Microsoft's Cybersecurity Policy Framework Has Good Intentions, But It's Difficult to See What It Actually Brings to the Table
Microsoft has never been backward in making global recommendations for improved cybersecurity. Its latest recommendations come in a paper titled, Cybersecurity Policy Framework -- A practical guide to the development of national cybersecurity policy (PDF). Its purpose is nothing short of providing a framework that all nations can follow in the formulation of their own national cybersecurity policies.
There is nothing new in this document. Rather it is the collection of existing best practices into one source document at a critical moment in history -- the nascence of the fourth industrial revolution. This revolution promises enormous benefits to mankind; but at the same time, its increasing connectivity brings an increasing opportunity for cybercriminals to deliver dire consequences.
Microsoft believes that the solution to transnational cyber threats will be found in the generation of mutually compatible national cybersecurity policies across the globe. The intent of this document is good; but whether it is feasible is questionable. For every individual country, national policies will always be shaped by national culture and local politics; and international policies will always be subject to current geopolitical tensions. The idea that a single framework can work for everyone is ambitious.
Microsoft Cybersecurity Policy FrameworkThe document is divided into four sections, each of which offers advice. These are 'establishing and empowering a national cybersecurity agency'; 'developing and updating cybercrime laws'; 'developing and updating critical infrastructure protection laws'; and an 'international strategy for cybersecurity'.
The problems become apparent in the first section. One of the key principles that should underscore a national cybersecurity agency is that it should be "respectful of privacy, civil liberties, and rule of law." Privacy and civil liberties are subjective and relative concepts that are ultimately defined by law and often contrary to public opinion. Laws differ by country-by-country and state-by-state; and the United States came into being as a rejection of the rule of law.
The European Union has defined privacy within the General Data Protection Regulation (GDPR) and the European Constitution. This legal definition, however, has no (or very limited) standing in the U.S., which has different federal and state regulations concerning privacy -- and, indeed, a different concept of privacy tempered by the long-standing constitutional right to freedom of speech.
But perhaps the best example of the difficulties of the relative nature of 'privacy and civil liberties' can be seen in the UK. The UK traditionally and apparently places its responsibility for protecting national security above its responsibility to protect personal privacy. It has consequently introduced intrusive cybersecurity legislation designed to track actual and potential terrorists, but inevitably intruding on the privacy of innocent civilians. (The same is sometimes said of the United States.)
Since the UK is still within the European Union, it is technically subject to the European Constitution -- and there is a very strong likelihood that some UK practices would be deemed unconstitutional. Brexit will solve this problem, leaving two allied states (UK and EU) with very different views of cyber privacy separated by less than 21 miles of water at the Dover Strait (Pas de Calais).
This isn't necessarily a problem since this section of the framework is designed to provide a base level for national agencies -- and their priorities can obviously differ from country to country. The final key principal for national agencies, however, is that they should be 'globally-relevant'. When different nations cannot agree on fundamental principles of law, and simultaneously assert that their jurisdiction extends beyond their national boundaries, this is a very difficult ask.
The next two sections of the document have similar difficulties. Microsoft suggests that national cybercrime laws need to be updated, and much of this makes sense. It again falls down with the final recommendation: "build global cooperation". National laws will always reflect national politics and global tensions. Russia for example, is prohibited by its constitution from extraditing a Russian citizen to a foreign country. Regardless of U.S. law, it is unlikely that Russia will ever extradite Russian nationals indicted for cybercrimes by U.S. law enforcement.
The potential to build global cooperation into national cyberlaw becomes a one-sided option that is not likely to extend beyond national interests. Nevertheless, Microsoft describes the Budapest Convention as an example of cross-border harmonization of legal definitions.
The difficulties with the section on 'developing and updating the critical infrastructure protection laws' are more nuanced. Using NIST as the basis, Microsoft defines the critical infrastructure (CI) as, "systems and assets, whether physical or virtual, so vital to the country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
It is immediately clear that CI requires additional security and protection. But the implication of this is that the average commercial organization, whose destruction would not have a debilitating impact on the national economic security, does not require the same level of security -- and that individual citizens require even less. While this is pure risk management -- apply your greatest resources to your greatest assets -- it is not a comfortable, nor perhaps a politically acceptable, idea.
Since each nation defines its own critical infrastructure, the relationship between definition and level of required security can also become an issue. For example, following Russian interference in the 2016 U.S. presidential election, there were calls for reclassifying both the voting system and social networks as part of CI. Should either receive greater or lesser protection simply based on whether they are or are not classified as CI?
A second example of difficulties in this section comes with the difference between owners and operators of CI. "Owners of critical infrastructure may own the infrastructure but they are not always able or best placed to comply with the statutory [requirements] because they usually do not operate the computer systems that process the data on a day-to-day basis."
In other legislative areas this is not really an issue. GDPR separates personal data users into controllers and processors. Loosely speaking, the controllers are the primary owners, while the processors are the data users. Controllers cannot pass responsibility to processors, while processors cannot avoid responsibility. The same principle could be applied to CI -- the infrastructure owners cannot pass responsibility for security to the infrastructure users, while the infrastructure users cannot avoid liability. It simply means that both sides must communicate and operate under strict contractual terms.
It is, however, in the fourth section of the document that the Microsoft framework really begins to unravel: an international strategy for cybersecurity. For this section, Microsoft simply returns to two interrelated earlier recommendations: the need for international norms of behavior; and the proposed Digital Geneva Convention.
"Norms," explains Microsoft, "are intended to deter actions by defining what behaviors are acceptable and unacceptable, and imposing consequences when states actions don't adhere to the defined behaviors."
The Gordian Knot of international norms is the problem of attribution before the application of consequences. Attribution is always likely to follow geo-political schisms, and no nation is likely to admit to cyber transgressions. The fear -- almost certainty -- that transgressors will not accept arbitration over responsibility means that it is a proposal not likely to receive international acceptance during any period of geo-political tension.
The second proposal, the Digital Geneva Convention, also breaks down over geo-politics. Microsoft's document provides six key principles. The third requires the agreement to "Report vulnerabilities to vendors rather than to stockpile, sell or exploit them." However well-intentioned, this is unlikely to ever happen. Western governments are unlikely to abandon their cyber stockpiles for fear that Russia, China, North Korea and Iran will not abandon theirs -- and vice versa.
The final section of Microsoft's cybersecurity policy framework is a non-starter, certainly within the foreseeable future. With an almost certain guarantee of non-reciprocation in the 'global' elements of the first three sections, users of the framework will resort to purely nationalistic cybersecurity policy frameworks. These will be based on local politics and national cultural expectations, flavored by geo-political concerns -- not on the rigors of a Microsoft document. It is, frankly, difficult to see what this document actually brings to the table.