At IGF 2019 in Berlin, on Friday, November 29, 12:00 – 13:00, ICT4Peace, in cooperation with The Internet Governance Project (IGP) is organising an “Open Work Meeting on Cyber-Accountability: Building Attribution Capability.”
Early 2018 ICT4Peace published a report: “Trust and Attribution in Cyberspace: A proposal for an independent network of organisations engaging in attribution peer review”. The report can be found here.
At the end of August, ICT4Peace Foundation, with support from the German Federal Foreign Office, conducted a two-day workshop on trusted attribution in cyberspace at ETH. The workshop was organised with the intention of inciting debates among key stakeholders concerning different attribution practices and the idea of creating an independent network of organisations engaging in peer-review assessments and substantive analyses – an idea already floated by ICT4Peace Foundation in 2018. The report on the meeting at ETH can be found here.
Attribution is defined as identifying with an understood degree of confidence who is responsible for a cyber-attack. It is important, particularly in view of emerging norms for responsible state-behaviour in cyberspace, because it contributes to the accountability of actors in cyberspace. This meeting will address the following policy questions:
- What is wrong with how cyber-attributions are conducted today?
- How can we make the cyber-attribution process more objective, scientific, transparent and widely accepted?
- Will making neutral, accurate and authoritative cyber-attributions improve accountability and help reduce cyber-attacks?
Description
This meeting will aim to inform participants about an ongoing effort to form a global network of cybersecurity researchers who want to cooperate to develop attribution capabilities and perform cyber-attributions of state-sponsored cyber-attacks. It will describe the results of an initial meeting at the University of Toronto as well as a multi-stakeholder attribution workshop conducted in Zurich at ETH this summer, and describe our plans for the next steps. The goal is to perform attributions that are considered scientific and credible by the community. Accountability for cyber-attacks has increasing geopolitical significance. Attribution made by one nation-state is unlikely to be accepted as neutral and authoritative by other nation-states, especially if those states are rivals or hostile. Various commentators on this issue have proposed that a transnational attribution organization exclude governments and be led by experts in academia and business. The Internet Governance Project (IGP), ICT4Peace, and several other organizations are forming the nucleus of an informal network of universities and civil society organizations who want to become involved in cyber-attribution and attribution research. This meeting is organized as an informational and discussion session amongst any researchers and businesses who are engaged in or interested in cyber-attribution. However, discussion will be led and moderated by people who attended the two workshops and will have input from the Cyber Peace Institute. They will update the group on the formation of the network and facilitate the engagement of new people and organizations.
Discussants
Mlton Mueller, IGP, USA, academia
Serge Droz, ICT4Peace, Switzerland, private sector
Lennart Maschmeyer, Senior Researcher, ETH Zurich, Center for Security Studies, academia
Jacqueline Eggenschwiler, Oxford, UK, academia
Stéphane Duguin, Europol, government
Moderators
Milton Mueller, IGP, USA, academia
Serge Droz, ICT4Peace