Most nations share the view that existing international legal rules and ordinances hold in cyberspace. Enforcement of these standards, however, is difficult. Malicious cyber activities are usually shrouded in secrecy and anonymity, making definite attribution difficult and even impossible at times.
ICT4Peace has prepared the following thought piece, which takes into account the technical and political challenges related to effective attribution and presents a simple proposal for improvement: the setting up of an independent network of organisations engaging in attribution peer-review.
Attribution
For laws and norms to be effective in regulating conduct in cyberspace, violations of them must be detected and the acts attributed beyond reasonable doubt. The process of assigning blame for cyber attacks requires intricate political and technical forensics and skills, “weaving together […] clues concerning past attack methods, current operational techniques, and knowledge of adversaries’ geopolitical objectives to identify a likely [culprit]”.
With a view to achieving higher levels of confidence vis-a-vis ascribing blame for nefarious behaviour in cyberspace and introducing accountability, some experts have suggested the creation of an international attribution body similar to established enforcement mechanisms such as the International Atomic Energy Authority. There are, however, profound differences between nuclear and information technologies, and the nature of nuclear arms and cyber weapons, respectively.
Plea for a Global Cyber Attribution Network
In order to curb adverse effects stemming from the misuse of offensive cyber capabilities, effective, technically mature and above all trustworthy attribution is indispensable. “There are an increasing number of government entities, private firms, and research organisations that have the capability to undertake investigations to attribute the source of cyber attacks. However, these entities do not follow a standardised research methodology and employ different naming conventions for cyber threat actors and confidence metrics for their findings”.
With a view to addressing these inconsistencies and contributing to a more secure and stable digital environment, ICT4Peace proposes the setting up of an independent network of organisations engaging in attribution peer-review.
For international legal provisions to be effective and accountability for malicious cyber activities to take hold, high levels of confidence and publicly persuasive attribution of responsibility are required. In cyberspace, where establishing proof beyond reasonable doubt is still challenging, secrecy and mistrust prevail, and multiple factors (economic, political, technical) need to be taken into account, collaborative attribution practices seem most promising.
The full paper can be found here.