Tech Companies as Cybersecurity Norm Entrepreneurs: A Critical Analysis of Microsoft’s Cybersecurity Tech Accord

Abstract

At its annual meeting in June 2017, the UN Group of Governmental Experts (UN GGE) failed to build upon its previous work regarding rules for state behavior in cyberspace, leading to what has widely been seen as the breakdown of the state-led cyber norm process in general. In the lead up to this meeting, the technology firm Microsoft launched a well-publicized campaign to convince states to broadly renounce certain cyber operations, advocating for what Microsoft President Brad Smith called a “Digital Geneva Convention.” Microsoft further pursued the cause in April 2018 with a “Cybersecurity Tech Accord” (CTA) calling on tech firms – for the sake of their customers – to not be complicit in state cyber operations. To date, 60 companies, spanning a number of different industries, have signed on. This paper asks two primary questions. (1) Why did Microsoft take this step, devoting resources and political capital to an apparent cyber norm-building campaign? (2) Why are others joining the accord? First, we ground our empirical analysis with IR scholarship on corporate norm entrepreneurship. Microsoft is a likely candidate for corporate norm entrepreneurship due to its social and material vulnerability, and due to the unregulated nature of the internet, which gives private actors a claim to set cyber policy and standards. We argue that Microsoft’s driving of the accord can be partially explained by accounting for the company’s participation in the NSA’s PRISM program from 2007–2013, and the subsequent PR and consumer trust fallout. We find rationalist elements of “levelling the playing field” in Microsoft’s efforts of soft standard-setting. Second, we argue that as a non-binding code of conduct, CTA membership is flexible and performative and further appropriates the language of international humanitarian law without adopting any of its commitments. Finally, we present the first analysis of CTA signatory firms and their stated reasons for joining, showing that they primarily attempt to cast themselves as champi- ons of security, and as innovative and impactful technology companies alongside tech giant Microsoft.

Publication
Hague Conference on Responsible Behaviour in Cyberspace, (The Hague, November 5-7)
Date