Initiatives to globalize cybersecurity governance took a step forward this weekend with the release of a RAND Corporation study of an international attribution organization. The Microsoft Corporation’s idea for a global attribution agency modeled on the International Atomic Energy Agency was the catalyst for this report; the research was funded by Microsoft. But RAND did a relatively independent assessment of the Microsoft initiative, noting that a report by the Atlantic Council was a precursor and proposing an approach that differs from Microsoft’s in certain respects.
For those interested in institutional change to meet the challenges of cybersecurity, the report is worth reading. It proposes a Global Cyber Attribution Consortium based on non-state actors. The Consortium would be a standing body to “select cases for investigation through a normalized and transparent process.” The report wants the Consortium to develop a formalized model to facilitate an ongoing, “campaign” approach to attribution investigations. Membership should include representatives from two sectors: technical experts from academia and information technology companies; and cyberspace policy experts, legal scholars, and international policy experts from diverse academic and research organizations.
Unlike Microsoft and the Atlantic Council, the RAND study suggests that the attribution organization should be managed and operated independently from states. The report adduces three powerful reasons why states should not be involved:
- States’ attribution claims are often based on evidence and intelligence that they are not willing to share publicly, which engenders persistent questions about how their findings were reached and whether they are credible.
- States make public attribution claims for political purposes, and, as members, they would have reason to shape the Consortium’s findings to serve their national interests.
- States would have incentives to influence what cyber incidents the Consortium would investigate, and they would seek to steer the Consortium away from accepting cases that might shed light on or otherwise threaten their own cyber operations.
Further, the proposal in the Atlantic Council paper contemplates an enforcement role for the organization. RAND does not support including an enforcement function.
In general, the report reinforces IGP’s focus on the close, interdependent relationship between cybersecurity and Internet governance, as do many other developments in the field. It acknowledges that the task of building an independent attribution consortium reproduces many of the problems of multistakeholder governance. The decision to make the proposed Consortium independent of state actors mirrors many of the same reasons for keeping Internet governance independent of state actors: it requires a transnational, rather than an international, organization. It is “crucial that the Consortium includes broad membership across geopolitical lines to foster a diversity of perspectives and to minimize the possibility that its findings are tainted by political influence.” The report briefly examines similarities and differences with a few other international organizations, such as the International Atomic Energy Agency, ICANN, SWIFT, and the UN 1267 Terrorist Sanctions Committee.
The report, Stateless Attribution: Toward International Accountability in Cyberspace, by John S. Davis II, Benjamin Adam Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael Chase, is available for free download here.