Initiatives to globalize cybersecurity governance took a step forward this weekend with the release of a RAND Corporation study of an international attribution organization. The Microsoft Corporation’s idea for a global attribution agency modeled on the International Atomic Energy Agency was the catalyst for this report; the research was funded by Microsoft. But RAND did a relatively independent assessment of the Microsoft initiative, noting that a report by the Atlantic Council was a precursor and proposing an approach that differs from Microsoft’s in certain respects.
For those interested in institutional change to meet the challenges of cybersecurity, the report is worth reading. It proposes a Global Cyber Attribution Consortium based on non-state actors. The Consortium would be a standing body to “select cases for investigation through a normalized and transparent process.” It wants the Consortium to develop a formalized model to facilitate an ongoing, “campaign” approach to attribution investigations. Membership should include representatives from two sectors: technical experts from academia and information technology companies; and cyberspace policy experts, legal scholars, and international policy experts from a diverse set of academic and research organizations.
Unlike Microsoft and the Atlantic Council, the RAND study suggests that the attribution organization should be managed and operated independently from states. The report adduces three powerful reasons why states should not be involved:
- States’ attribution claims are often based on evidence and intelligence that they are not willing to share publicly, which engenders persistent questions about how their findings were reached and whether they are credible.
- States make public attribution claims for political purposes, and, as members, they would have reason to shape the Consortium’s findings to serve their national interests.
- States would have incentives to influence what cyber incidents the Consortium would investigate, and they would seek to steer the Consortium away from accepting cases that might shed light on or otherwise threaten their own cyber operations.
Further, the proposal in the Atlantic Council paper contemplates an enforcement role for the organization. RAND does not support including an enforcement function.
In general, the report reinforces IGP’s focus on the close, interdependent relationship between cybersecurity and Internet governance, as do many other developments in the field. It acknowledges that the task of building an independent attribution consortium reproduces many of the problems of multistakeholder governance. The decision to make the proposed Consortium independent of state actors mirrors many of the same reasons for keeping Internet governance independent of state actors: it requires a transnational, rather than an international, organization. It is “crucial that the Consortium includes broad membership across geopolitical lines to foster a diversity of perspectives and to minimize the possibility that its findings are tainted by political influence.” The report briefly examines similarities and differences with a few other international organizations, such as the International Atomic Energy Agency, ICANN, SWIFT, and the UN 1267 Terrorist Sanctions Committee.
The report, Stateless Attribution: Toward International Accountability in Cyberspace by John S. Davis II, Benjamin Adam Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, Michael Chase is available for free download here.
I agree that an attribution agency should not be an inter-governmental body, for the reasons stated above. You cite Microsoft’s initial proposal, but it subsequently modified its proposal and called for the attribution organization to be non-governmental, see for example:
https://www.wired.com/2017/05/microsoft-right-need-digital-geneva-convention/
I would add that the attribution organization must have immunity, in order to be truly free of state influence. We have a well-known model for that: the Red Cross organizations. They are non-governmental, based in Switzerland, but immune from Swiss law.
By analogy to the Red Cross, the attribution agency could be a Swiss non-profit association whose members would include CERTs. It could be granted immunity by the Swiss government.
The focus on attribution is correct — that’s the root cause of our cyber “insecurity” today — but the proposal to separate nation-state governments from the work required to gather attributional information is naive. Attribution requires government compulsion (subpoena power to compel unwilling disclosures and the penalty of perjury to deter false disclosures). Moreover, attribution only matters if it leads to consequences, and those consequences will necessarily be administered by nation-state actors (directly through military or covert power, or indirectly through courts deciding breach of contract and tort claims). Rather than try to reject the value that nation-states can offer in the governance of the Internet, we would be better served by acknowledging that nation-state borders matter and focusing on: (1) how nation-states can technically control Internet traffic at those borders (the question being an objective, not normative, one), and (2) how laws can create a favorable economic environment that: (a) uses the Coase Theorem to reduce the cost of shifting loss from victims to perpetrators through the cheapest cost avoiders, (b) attracts people and money by offering security/confidentiality and (c) deters illegal conduct by penalizing insecurity and breaches of confidentiality.