IGF 2019 Liveblog
Day 4: Independent Attribution of Cyber-attacks
Workshop co-organized by the The Internet Governance Project (IGP) and ICT4Peace and co-chaired by Milton Mueller and Serge Droz. See also our previous post.
“With cyber-attacks an almost permanent fixture in news headlines, and with discussions between nation states on whether a cyber-attack can justify escalation “from cyber to kinetic”, the question of attribution is clearly an important one.
A discussion moderated by Milton Mueller this morning looked at the idea, initially floated by Microsoft in 2016, of an independent “attribution organisation” for cyber-attacks. This would be a non-state actor modeled on the International Atomic Energy Agency (IAEA).
Milton started the session by saying that when they had looked at this a while back, the first thing they encountered were seemingly insurmountable issues of trust. The idea might sound great in theory, but many governments would object to participation from their adversaries, and the involvement of private companies like Microsoft would lead to questions about their relation to the US Government. So in many ways this appeared to be an Internet governance problem rather than a technical one.
Serge Droz, from ICT4Peace in Switzerland, said that attribution often required the kinds of intelligence that nation states gathered but did not like to share (for political considerations, or to avoid revealing capabilities). Nevertheless, many individual organisations would have pieces of the puzzle and there could be value in seeing how they fit together.
Last summer, they held a workshop (funded by the German Foreign Office) that looked at this issue. In attendance were people from the private sector, academia, civil society and governments. One of the conclusions (PDF) was that it might be better to focus on “fact finding” rather than making a final determination. There had been some debate on this point, but the view of government participants especially was that attribution was fundamentally a state activity.
But what are the value of facts in the post-truth era? Milton used the shooting down of MH17 as an example, noting that different actors used the facts surrounding the tragedy to support very different conclusions about what happened and who was to blame. He thought the value of such an organisation would be in producing a final determination.
And what do we mean by attribution anyway? Perhaps there two kinds: a “scientific” attribution that’s about reaching a conclusion, and a second kind that is more like the determination made by a judge in a court of law. In the latter case, the judge has the authority to make a ruling, and perhaps the objections of government at the ICT4Peace workshop have some relevance here. On the other hand, maybe the key feature of a judge isn’t so much their authority as the fact that they are independent from the parties involved. Of course, if we’re talking about the anarchic world in which nation states interact and compete with one another in the absence of a higher authority, it can be harder to find the authority or independence needed – so this could instead resemble an arbitration process, perhaps managed via the UN.
At several points, attendees were reminded that this was not only about the attribution of state-on-state attacks. Such a body could also look at cyber-crime and things like botnets, and perhaps here it would be easier for governments to find common purpose. For the most part, people seemed more interested in discussing the former context.
A government speaker said that solving the question of attribution was crucial in light of ongoing discussions about the relation of international law to cyberspace – notably Article 51 in the UN Charter and whether cyber-attacks could justify “kinetic” responses. He noted that false flag operations that have been used in the past to justify attacks and perhaps cyberspace provides greater opportunities for this. They wondered if a third-arty could perform a kind of “escrow” function, which could rule on the validity of classified evidence without requiring it to be disclosed more widely. The key part was developing a mechanism that could be trusted.
Someone from the technical community reiterated that attribution was very hard. Any evidence would be incidental at best and easily falsified. Given that NATO had said cyber-attacks could warrant retaliation, the idea that you could attribute a cyber-attack to a single actor with absolute certainty was a dangerous one that could put people’s lives in danger. A reply to this was that the level of certainty would probably scale according to the severity of the response. It was also noted that nation states had an interest in keeping this space nebulous, as it gave them opportunities to do things they would never do in physical space.
There was only one comment relating to IP addresses, when someone spoke briefly about the need to better map IP addresses against geographical locations. It was encouraging that Milton was able to point out that the relation of geography to technical identifiers was blurry at best, without the discussion becoming side-tracked. Perhaps this indicates that we are starting to move on from some of these more fundamental discussions.”
Report by Antony Gollan (labs.ripe.net)
(RIPE NCC has no position on this issue, the article is intended as neutral reporting on the event https://www.ripe.net).
******
Early 2018 ICT4Peace published a report: “Trust and Attribution in Cyberspace: A proposal for an independent network of organisations engaging in attribution peer review”. The report can be found here.
At the end of August 2019, ICT4Peace Foundation, with support from the German Federal Foreign Office, conducted a two-day workshop on trusted attribution in cyberspace at ETH. The workshop was organised with the intention of inciting debates among key stakeholders concerning different attribution practices and the idea of creating an independent network of organisations engaging in peer-review assessments and substantive analyses – an idea already floated by ICT4Peace Foundation in 2018. The report on the meeting at ETH can be found here.