IGF 2020 WS #350 Attributing attacks: political, technical & legal dimensions

Time
Tuesday, 17th November, 2020 (14:30 UTC) - Tuesday, 17th November, 2020 (16:00 UTC)
Room
Room 3
About this Session
This session will moderate a discussion among those from the technical, policy and legal communities that have a role to play in establishing and coordinating attribution claims following cyberattacks. It will focus on what essential elements should be included in all public attribution statements to lend them credibility and reinforce a rules-based international order online. The session will leverage the experiences of attendees to identify ways to further streamline and improve attribution.
Thematic Track

Organizer 1: John Hering, Microsoft
Organizer 2: Marietje Schaake, European Parliament

Speaker 1: Johanna Weaver, Government, Asia-Pacific Group
Speaker 2: John Scott-Railton, Civil Society, Western European and Others Group (WEOG)
Speaker 3: Camille François, Private Sector, Western European and Others Group (WEOG)
Speaker 4: Serge Droz, Technical Community, Western European and Others Group (WEOG)
Speaker 5: Jens Monrad, Private Sector, Western European and Others Group (WEOG)

Moderator

Marietje Schaake, Intergovernmental Organization, Intergovernmental Organization

Online Moderator

John Hering, Private Sector, Western European and Others Group (WEOG)

Rapporteur

John Hering, Private Sector, Western European and Others Group (WEOG)

Format

Panel - Auditorium - 90 Min

Policy Question(s)

Cybersecurity policy, standards and norms i) What should be included as essential elements in all public attributions of cyberattacks by governments, from a legal, technical and political perspective? ii)What relationships need to exist between stakeholder groups such that comprehensive and reliable attributions of cyberattacks can be made? iii) Do we need new international structures or institutions to play a role in attributing cyberattacks, or should such efforts be led by states on an ad-hoc basis?

As the frequency and sophistication of cyberattacks, particularly those led by nation-states, have escalated in recent years, there have been increasing efforts to promote accountability through public attributions. This can prove challenging, however, as attacks in cyberspace often do not have a physical impact and tracing back responsibility can require sophisticated technological capabilities and other sources of intelligence. These sources of information often must be kept secret and are generally spread across government agencies and even different sectors. Moreover, to avoid unilateral finger-pointing and a “my word against yours” dynamic, it is generally preferable to have attribution statements made in coordination with other nations, requiring new relationships and lines of dialogue be formed across governments. As a result of these challenges, government-led attributions of nation-state cyberattacks remain infrequent, and when they are issued it is generally well-after the attack itself has taken place – especially when the attribution needs to be coordinated with other governments. Nevertheless, attribution remains one of the most promising tools of statecraft in a limited toolbox of response options when it comes to cyber conflict. This session will hope to illustrate how these challenges are viewed by different stakeholders, and how they might be overcome through efforts like data-sharing, standardization, greater transparency and other diplomatic engagements across stakeholder groups.

SDGs

GOAL 9: Industry, Innovation and Infrastructure
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals

Description:

This session will moderate a discussion among those from the technical, policy and legal communities that have a role to play in establishing and coordinating attribution claims following sophisticated cyberattacks. It will focus, in particular, on what essential elements should be included in all public attribution statements to lend them credibility and reinforce a rules-based international order online. The session will provide opportunity to hear from expert speakers from each of these communities about the role they play in establishing responsibility for cyberattacks, and the relationships they need or rely on within other stakeholder groups to coordinate attributions. The session will then leverage the experiences of others in the room to identify ways to further streamline and improve attribution efforts in their accuracy, credibility, coordination and speed.

Format:

Given the virtual setting, the 90-minute panel will be split roughly evenly into two sections, with the first 45 minutes dedicated to a moderated panel discussion, and the second 45 minutes being open to questions from those in attendance. Those in attendance are encouraged to come prepared with questions

 

Expected Outcomes

The session will hope to build greater consensus among those in attendance on two topics:

(i) the essential elements that should be included at minimum in all public attribution statements, and

(ii) how different stakeholders should be included in the process of attributing cyberattacks. Such consensus will hopefully help advance discussions in international forums about how best to establish and interpret attribution claims – including within the United Nations Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security.

The moderators will work to ensure that the discussion at the outset of the session highlights the current state of play in the issue space and then prompt speakers to actively engage with and respond to one another. Moderators will also keep the timing of the discussion on track to allow for a half hour of audience questions at the end of the session, which they will make attendees aware of at the outset to promote thoughtful questions and comments in response to speakers. The onsite and online moderators will work together to make sure audience questions are taken from a diverse collection of session attendees, both on site and online.

Relevance to Internet Governance: Credible attribution of cyberattacks is a cornerstone of establishing a rules-based international order online, as the enforcement of expectations for responsible behavior by States and other actors requires first that violations can be readily and reliably identified. The process of attributing such attacks creates roles and responsibilities for government, industry and civil society alike, and requires collaboration between these groups.

Relevance to Theme: The escalation of conflict in cyberspace, resulting in increasing numbers of sophisticated cyberattacks, threatens to undermine trust and confidence in the public Internet that people and societies around the world rely on. A driving factor in these trends is a perceived impunity on the part of attackers, due to the challenges in making timely and credible attributions following such attacks. Improving the coordination between governments, as well as other stakeholders, to make attribution claims more regular, transparent and authoritative will be an important step in promoting more responsible behavior and engendering greater trust in the online world.

Online Participation

 

Usage of IGF Official Tool.

 

Agenda

Given the virtual setting, the 90-minute panel will be split roughly evenly into two sections, with the first 45 minutes dedicated to a moderated panel discussion, and the second 45 minutes being open to questions from those in attendance.

1. Key Policy Questions and related issues
What are the different objectives and approaches to political, legal and technical attributions of cyber attacks?
How can different stakeholder groups work together more effectively to improve the attribution of cyber incidents?
2. Summary of Issues Discussed

There was broad consensus around the multi-dimensional nature of attribution, which can have a different meaning and different objective across different communities. Communities focused on a technical attribution may be more focused on how an attack has been carried out, and from where. Meanwhile, from a legal standpoint there is obviously much more interest in knowing who the individuals were behind an attack, and political attributions would be focused on understanding whether there was an organization or state-sponsor for a particular action. All of these different types of attribution require different and overlapping types of data from various sources. What is increasingly clear is that there needs to be greater cooperation across stakeholder groups, who have access to these different forms of data, to support more robust and reliable attributions to support a rules-based order in cyberspace.

Given that attribution efforts can be resource-intensive, there is concern that the scope of cyber incidents that wind up being attributed is too narrow, and often does not capture the growing numbers of attacks which target civil society groups, journalists, political dissidents, or other vulnerable populations, resulting in limited awareness or accountability. However, with limited resources, all actors need to be judicious and intentional about where it elects to focus its attribution efforts. While there was general agreement that it would help if attributions were made with greater transparency and clarity around how an attack occurred and which laws were violated, several factors – including protecting sensitive information and the rights of the accused – are frequently limiting factors. One area needing further discussion is whether there would be value in having an independent international body, or a consortium of organizations from around the world, responsible for conducting or verifying attribution to increase confidence in the claims.

3. Key Takeaways
  • Trust and confidence in attribution claims is essential for them to be impactful, which may require greater transparency from those making the claims.
  • While governments tend to attribute high-profile attacks and those which threaten essential values and principles, and industry does so on behalf of their customers, vulnerable groups – including political dissidents, journalists and others in civil society – rarely receive this kind of attention despite escalating numbers of attacks against them.
  • Attribution relies on the existence of clear rules and expectations for responsible behavior online.
  • The success of an attribution efforts, especially in calling out bad actors, is often largely based on a balance between speed and robustness. A quick attribution is helpful in responding promptly to a recent incident that is still in the public consciousness, but is undermined if it is not properly substantiated or supported by other actors.
  • Escalating political divides, both within and between nations, as well as increasing amounts of disinformation, have the potential to undermine confidence and trust of attribution claims.  
6. Final Speakers

Speaker 1: Johanna Weaver, Government, Asia-Pacific Group
Speaker 2: John Scott-Railton, Civil Society, Western European and Others Group (WEOG)
Speaker 3: Camille François, Private Sector, Western European and Others Group (WEOG)
Speaker 4: Serge Droz, Technical Community, Western European and Others Group (WEOG)
Speaker 5: Jens Monrad, Private Sector, Western European and Others Group (WEOG)

7. Reflection to Gender Issues

Gender was not featured prominently in the discussion

9. Group Photo
IGF 2020 WS #350 Attributing attacks: political, technical & legal dimensions