Identifying the perpetrators of cyberattacks and other malicious online activities is tough. Aside from the purely technical difficulties, would-be attributors also must deal with a skeptical public that is suspicious of official pronouncements and wary about misinformation — even from democratic governments.
That being the case, concludes a new study, what’s needed is an international nongovernmental body consisting of technical, policy and legal experts that could conduct independent investigations into cyber-incidents and publish their results. The study was published Friday by the RAND Corp., a think tank with historic ties to the U.S. military.
“We see this as a first step,” the study’s lead author, RAND Senior Information Scientist John Davis, told CyberScoop. “Personally, I hope this work continues.”
The study was financed by Microsoft, whose President Brad Smith called in February for a “Digital Geneva Convention.” Last year, in a policy paper, the company called for an intergovernmental body — modeled on the International Atomic Energy Agency — to attribute cyberattacks.
But importantly, Davis said, the Global Cyber Attribution Consortium, as the study authors call the international body, would not have any government representatives on it. “We just concluded that the politics of it would be too difficult,” he said. “Perception is absolutely the key … It must be seen as transparent and unbiased.”
“It is crucial,” the report states, “that the consortium includes broad membership across geopolitical lines to foster a diversity of perspectives and to minimize the possibility that its findings are tainted by political influence.”
According to the report, the consortium “would work with victims or their advocates upon request and with their cooperation to investigate cyber incidents using a diverse set of methodologies and would publish its findings for public review.”
In addition to attributing major cyberattacks, the consortium would help to develop standard investigative methodologies, a shared lexicography of terms and transferable ways to measure and express confidence in particular findings. The consortium “would help standardize diffuse methodological approaches, naming conventions, and confidence metrics that would advance shared understanding in cyberspace and promote global cybersecurity,” the authors argue.
Right now, they state, “The practice of attribution has been diffuse and discordant.” Although there are private sector and government bodies that have impressive capability in the area, the varied approaches they take to attribution and its reporting “further darkens an already shadowy topic.”
The attribution claims that these companies or research organizations make “have sometimes been cast as politically motivated, perceived to be based on limited or opaque evidence, are denied by the accused, and met with skepticism by others.”
In a series of case studies, the report examines half a dozen high-profile efforts at attribution, ranging from the Russian intelligence hacking of DNC emails to North Korean links to the Bank of Bangladesh cyber heist.
Hence, Davis explained, the importance of excluding national governments and their intelligence agencies — despite the fact that those agencies are frequently the only people who can add the certainty of intercepted communications to the often merely circumstantial evidence of technical attribution.
“There will be times when, without access to intelligence, it just isn’t going to be possible to make a high-confidence attribution,” Davis said. But he added that such occasional drawbacks would be more than outweighed by the value of having a body that was seen as independent.
The international community could also use the consortium’s findings to identify weaknesses in network defense that will help thwart future attacks, and “pursue follow-on enforcement actions.” But, Davis said, the consortium itself should not have any enforcement role.
“The first step in any prosecutorial process is an investigation to find out who the guilty party is,” he said. “That’s our focus … We weren’t thinking about the sentencing aspect — about what consequences ought to be imposed … There’s no agreed-upon legal framework within which [such consequences] could be determined and imposed.”
But any kind of accountability — even just naming and shaming — relies on identifying the attacker first, and doing so convincingly.
“Persuasive attribution is a necessary prerequisite for publicly holding malicious actors accountable for their actions,” the authors conclude.