The Swiss-based advocacy organization ICT4Peace held a workshop late last month to discuss ongoing efforts to build an independent network of organizations engaged in attribution activities. There were approximately two dozen attendees from US and European universities (including Georgia Tech’s IGP), industry, and a handful of European government agencies, as well as one Chinese and one Russian attendee.
According to a draft report from ICT4Peace, discussion centered on two issues: the role of governments and the development of a “fact-finding” network of organizations. We address the two issues below separately.
The role of governments
One European government announced that it is interested in setting up an attribution organization as a “tool for diplomatic pressure.” Without further detail, it’s impossible to know whether this is a good or bad development. A governmentally-sponsored attribution organization sounds almost like competition with the non-state-actor-based approaches to attribution that have been proposed elsewhere. On the other hand, if this organization were to rely on attributions made independently following some defined and agreed-upon process and/or standards, it could serve as an effective communications vehicle and be an appropriate use of government power. More clarification is needed. In other contexts, IGP has heard that some governments are reluctant to relinquish their power to attribute because they think attribution is “political.” Some prominent researchers in the field have explicitly called it such. IGP has pushed back strongly against this line of thinking: while we agree that making an attribution public may have political implications, the actual attribution itself is a factual issue, not a political one – and the politicization of cyber-attribution is precisely what an independent attribution organization is attempting to defuse.
Another European government suggested a more traditional role for governments, saying that they should be involved through developing a treaty concerning attribution, otherwise they (governments) won’t accept the outcome(s). Here we’re far less optimistic. Cooperation of this sort is possible but unlikely, and if it happened it would take a long time. And why would a treaty be necessary if there are more lightweight means of developing widespread consensus among private and public actors about an attribution? Once that consensus exists, states could “enforce” an attribution through a variety of actions, e.g., coordinated sanctions or other diplomatic means.
A “fact-finding” network?
In discussions between academic and industry participants, one potential path forward was identified where various university-based groups and cybersecurity firms pick an incident and agree to do “fact-finding” and peer review of its attribution. Participating organizations would meet to determine which incident to investigate, and then initiate a process expected to take up to 12 months. Each group would bring their own methodological expertise (computer science, political science, etc.) to an investigation. The rationale of this approach is two-fold. It would contribute to building a field of attribution research (e.g., establishing conceptual clarity) and possibly create broader agreement on a set of facts concerning the incident. Importantly, governments would not be involved and any decision(s) to pursue public attribution would be distinct, left up to individual organizations participating in the fact-finding network or others outside of it. By sticking to fact-finding and not explicitly making public attributions, network participants could avoid making governments uncomfortable. Additionally, while the proposed fact-finding network is a form of networked governance, where participants collaborate voluntarily to achieve some collective good, it doesn’t create some new supra-entity that could theoretically take credit for achievements of the individual network participants.
IGP takes a supportive but critical stance towards this proposal. It’s true that any facts generated by the above process could help to establish, validate or disprove attribution(s). As a result, particular attribution(s) might be viewed as more legitimate and perceived as more credible. But limiting these efforts to fact-finding seems too clever by half. We know industry and governments can use attributions strategically. Just because there is a set of publicly available, agreed “facts” around an incident doesn’t mean that such behavior will stop. Facts can be cherry-picked or partially ignored to support a narrative. What is additionally needed is a mechanism for the participating organizations to develop and issue consensus statements. With an authoritative “voice” the network can publicly challenge distorted or selective use of facts in attributions by other actors. Furthermore, “fact-finding” is analogous to data collection in the scientific method, and some participants in the network could obviously apply it, for instance by developing valid and reliable measurements (e.g., does this telemetry data accurately identify a host machine or user?). But this leaves out other important steps like hypothesis formation and testing, interpreting results, and communication of findings. Consistent application of the scientific method is needed throughout the entire attribution process. The aforementioned practice of peer review will certainly enable discrediting of non-scientific attributions, but it is the application of the scientific method which will improve attributions.
Going forward, IGP will continue its work with attendees from the Zurich workshop, as well as other efforts like the nascent Cyber Peace Institute and ongoing Cyberspace Solarium Commission to develop independent, transnational attribution capability.