Could an independent NGO solve the problem of cyber attack attribution?

Cyber attack attribution is a necessary prerequisite for holding actors accountable for malicious cyber activity, but is notoriously difficult to achieve. Perhaps it’s time to create an independent, global organization that will investigate and publicly attribute major cyber attacks?

The idea has been put forward by Paul Nicholas, director of Microsoft’s Global Security Strategy, at the NATO Cycon cybersecurity conference held in Tallinn last week.

How would this organization work?

According to the US nonprofit global policy think tank RAND Corporation, this “Global Cyber Attribution Consortium” would have to include technical experts from cybersecurity and information technology companies and academia, as well as cyberspace policy experts, legal scholars, and international policy experts from various academia and research organizations – but definitely not representatives of nation-states, “to avoid an appearance of bias and to protect transparency.”

“The Consortium would work with victims or their advocates upon their request and with their cooperation to investigate cyber incidents using a diverse set of methodologies and would publish its findings for public review,” the researchers noted.

“In addition to providing a credible and transparent judgment of attribution, the Consortium’s investigations would help standardize diffuse methodological approaches, naming conventions, and confidence metrics that would advance shared understanding in cyberspace and promote global cybersecurity.”

Finally, the Consortium’s findings could be used by law enforcement to bring perpetrators in, but also to improve defenses and prevent future attacks.

The issue of credibility

Given the enormous amount of cyber attacks carried out each year, the Consortium should be able to pick and choose which of them to look into. It, naturally, has to have the technical competency to collect and asses the evidence and come up with results. And, above all, it has to be able to persuasively communicate their findings and offer a good assessment on how confident they are in their assessment.

“Credibility hinges on several factors: strong evidence, demonstration of the requisite knowledge and skills for reaching a correct conclusion, a track record of accuracy and precision, a reputation for objective and unbiased analysis, and a transparent methodology that includes an independent review process,” the report explains.

Cyber attackers often try to muddy the waters. Sometimes the attackers have an interest in making the investigators believe that a specific other entity is responsible for the attack (nation-state sponsored attackers in particular), other times they are content with just pointing the finger away from themselves. Unfortunately, it’s very easy to plant evidence that will take investigators in the wrong direction – either temporarily or permanently.

The researchers acknowledge that, in some cases, decisively and explicitly tying specific individuals to attacks or attributing an attack to a state entity will be impossible – but it all depends on the nature and strength of the evidence.