IGF 2019 WS #60
Cyber-Accountability: Building Attribution Capability

Organizer 1: Farzaneh Badii, Internet Governance Project
Organizer 2: Brenden Kuerbis, Georgia Institute of Technology
Organizer 3: Serge Droz, ICT4Peace, FIRST

Speaker 1: Brenden Kuerbis, Civil Society, Western European and Others Group (WEOG)
Speaker 2: Farzaneh Badii, Civil Society, Asia-Pacific Group
Speaker 3: Serge Droz, Private Sector, Western European and Others Group (WEOG)
Speaker 4: Jacqueline Eggenschwiler, Technical Community, Eastern European Group

Moderator

Farzaneh Badii, Civil Society, Asia-Pacific Group

Online Moderator

Brenden Kuerbis, Civil Society, Western European and Others Group (WEOG)

Rapporteur

Serge Droz, Private Sector, Western European and Others Group (WEOG)

Format

Break-out Group Discussions - Round Tables - 60 Min

Policy Question(s)

Attribution is defined as identifying with an understood degree of confidence who is responsible for a cyber-attack. It is important, particularly in view of emerging norms for responsible state behavior in cyberspace, because it contributes to the accountability of actors in cyberspace. Our proposal addresses the following policy questions:
1. What is wrong with how cyber-attributions are conducted today?
2. How can we make the cyber-attribution process more objective, scientific, transparent and widely accepted?
3. Will making neutral, accurate and authoritative cyber-attributions improve accountability and help reduce cyber-attacks?

SDGs

GOAL 9: Industry, Innovation and Infrastructure
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals

Description: The session will inform participants about an ongoing effort to form a global network of cybersecurity researchers who want to cooperate to develop attribution capabilities, and perform cyber-attributions of state-sponsored cyber attacks. The goal is to perform attributions that are considered scientific and credible by the community. Attribution is defined as identifying with an understood degree of confidence who is responsible for a cyberattack. It is important because it contributes to the accountability of actors in cyberspace. Accountability for cyber attacks has increasing geopolitical significance. Attribution made by one nation-state is unlikely to be accepted as neutral and authoritative by other nation-states, especially if those states are rivals or hostile. Various commentators on this issue have proposed that a transnational attribution organization exclude governments and be led by experts in academia and business. The Internet Governance Project (IGP), ICT4Peace, and several other organizations are forming the nucleus of an informal network of universities and civil society organizations who want to become involved in cyber-attribution and attribution research.

As a breakout group discussion, this session does not really have "speakers;" it is organized as an informational and discussion session amongst any researchers and businesses who are engaged in or interested in cyber-attribution. However, discussion will be led and moderated by 4 people who attended the Toronto workshop forming the network. They will update the group on the formation of the network and facilitate engagement of new people and organizations.

Expected Outcomes: The main expected outcome is to identify additional participants who want to contribute to a research network on attribution.
Another outcome is to improve understanding of the challenges of conducting globally credible cyber-attributions.

This is an interactive session. Attendees in the room and remote participants will have the chance to interrupt and make comments at any time during the discussion.

Relevance to Theme: In the last decade, state actors have become one of the most important sources of cyber-attacks because such attacks serve their foreign policy, military or espionage goals. These attacks tend to generate retaliation and a cyber “arms race” among other state actors and may create large collateral damage beyond the intended target. This kind of escalation and conflict threatens the security, stability, safety, trust and resilience of the Internet.
Although states claim to be working on cyber norms that would reduce these activities, we cannot enforce international cyber-norms unless we can hold actors who violate them responsible. Holding cyber-attackers responsible for their attacks requires "attribution" - that is, accurate identification of the perpetrator. But governments and their cyber-armies are usually unwilling to conduct or accept neutral and scientific attributions. Their decision to publicly attribute depends on the political stakes, and behavior can be strategic and even deceitful. Successful attribution involves credibly explaining a finding and the evidence basis to the public in a reproducible manner. But states’ attribution claims are often based on intelligence that they are not willing to publicly share, which raises persistent questions about how their findings were reached and whether they are true.
This workshop will explore ways that civil society and business can work together to institutionalize the cyber attribution process, and put it in the hands of credible non-state actors who are not parties to inter-state conflicts.

Relevance to Internet Governance: Cybersecurity is one of the most important domains of Internet governance. The security, stability, safety and resilience of the Internet will be improved if we can develop new institutions and processes to conduct credible cyber-attributions. Attribution contributes to governance by fostering accountability.

Online Participation

The official online tool will allow remote IGF participants to send in questions. For more robust discussion we will use the BlueJeans video link described below.

Proposed Additional Tools: We will also set up a BlueJeans room at Georgia Tech. BlueJeans is a remote participation tool with improved video and audio capabilities that will allow students and youth to attend the sessions remotely.