Cyber-accountability: Building attribution capability

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

The open work meeting on cyber-accountability informed attendees about the current process of building a global network of cybersecurity researchers to develop attribution capabilities for cybersecurity incidents and perform cyber attributions of state-sponsored cyber-attacks.

Cyber attribution is a critical issue in Internet governance, claimed Mr Milton Muller (Internet Governance Project (IGP)). The idea of creating an independent attribution organisation came after the emergence of the Digital Geneva Convention and the Tech Accord. However, an international treaty is hardly feasible, while an attribution organisation independent from nation states could be a good solution for international cybersecurity, Mueller said. He added that many people think attribution is a highly technical process, but ‘fundamentally, attribution is more like a court coming to a decision than it is a technical process. It is about putting together pieces of evidence and having what we might call a scientific process or creating intersubjective validity’. Currently, this is controlled entirely by nation states and they have their own vested interests in attributing incidents. The IGP and ICT4Peace Foundation tried to develop organisational capacity to start forming an independent attribution organisation, but faced severe trust problems because of geopolitical tensions between prospective participants. Another problem was the large asymmetry in the resources for investigation and forensic activities between states, IT companies, and intelligence agencies, noted Mr Serge Droz (ICT4Peace Foundation).

One of the arguments supporting an independent attribution organisation was that a lot of individual organisations have parts of the puzzle and can work to put them together. Participant discussion suggested that sharing of data results and findings would assist an independent organisation to use this data to make independent attributions.

A workshop with the support of the German Department of Foreign Affairs discussed a network of independent labs that would peer review each other and develop common standards of what makes a solid analysis, with all stakeholders. The new organisation should not focus solely on attribution, but also on discovering what really happened, and deciding what to do with this knowledge. This idea will be trialled by choosing an incident that is not too politically charged, and run a simulation to see how different stakeholders might co-operate, conduct analyses, and carry out peer reviews, and what the obstacles and challenges will arise. Two more workshops will follow up on the idea.

Muller also shared details on the fact-finding versus attribution debate, saying they were pushing for a focus on attribution, as opposed to fact-finding, because they fear governments and others will use those sets of facts to draw whatever conclusions they want. Others say that attribution is not necessarily integrated with incident response capability. So even while CERTs could help with a lot of evidence, they do not need to be involved in attribution since it could undermine their primary role.

Mr Hans Klein (Professor, Georgia Tech) said attribution is an act of public authority, comparing forensics with a judge’s verdict in the courtroom, where the judge is independent and has public authority. Then it makes sense that states claim attribution is their responsibility. Interventions from the audience also touched on the problem of war and peace, and debates in the context of art. 51 of the UN Charter, asking if this should be left to governments as a high-level discussion. On the other hand, how can independence on the interstate level be ensured? Muller pointed out the importance of removing from states the ability to manipulate or make political plays with attributions, saying it must be more scientific.

Dorz noted that most crime on the Internet does not involve states, but criminals. He said ‘I don’t want to go to an international court and accuse a certain country of fostering crime but I want to demonstrate to this country that it should take measures’. Fact-finding is better in this sense – if you just want to take down a botnet, maybe it does not really matter who was behind it, you just want to take it down. If you want to arrest someone you better know who it is.

Other issues raised during the discussion were the role of IP addresses; the trend for cybersecurity organisations to publicise vulnerabilities rather than silently patch them; cyber-attacks and insurance; the role of AI in threat intelligence; and the role of civil society in the proposed independent attribution and fact-finding organisation, especially in identifying and helping victims.

By Ilona Stadnik