
Microsoft’s radical idea for dishing out cyberblame

Microsoft’s strategy for containing global cyberattacks is so crazy it just might work. Or is it just plain crazy?

Microsoft’s free thinkers have come up with a radical idea for containing global cyberattacks: set up a non-governmental organisation (NGO) whose job it would be to name perpetrators.

It sounds simple enough and, as the A-Team’s Hannibal used to say, “it’s so crazy it just might work.” Or is it just plain crazy?

Undoubtedly, Microsoft has been doing a lot of thinking on the matter, sponsoring a lengthy Rand Corporation report, Stateless Attribution – Toward international accountability in Cyberspace, that explores the issues that bedevil cyber-attribution.

This was quietly announced last week at the NATO Cycon conference in Tallinn by Paul Nicholas, head of Microsoft’s Global Security Strategy and Diplomacy Team.

The NGO would be called the Global Cyber Attribution Consortium, he explained in remarks reported by AFP:

“This is something that we don’t have today: a trusted international organisation for cyber-attribution.”

Attribution had become a game whose rules are understood only by those in the know:

“The main actors look at each other and they sort of know who they think it was, but nobody wants to make an affirmation.”

Military incidents are quickly attributed to aggressors, which neutrals accept on the balance of probability. With cyberattacks, it’s almost exactly the opposite.

Country A accuses Country B of hacking its computers, something Country B denies. A security vendor then backs up Country A’s assertion with a forensic analysis that ends up being disputed by experts from rival vendors who draw different conclusions from the same evidence. In many cases, incidents go unreported anyway.

Appointing an NGO could impose a universal methodology for assessing evidence, the report argues, as well as tame the confusing identification system in which each vendor (including, ironically, Microsoft) uses a different name for the same threat actor.

An immediate question is where the proposed NGO would get its data from. The report’s answer is that it would need to be collaborative across vendors, countries and sources, including independent researchers:

“It is crucial that the Consortium includes broad membership across geopolitical lines to foster a diversity of perspectives and to minimize the possibility that its findings are tainted by political influence.”

The venue for Nicholas’s remarks, Tallinn, is no coincidence: it was here in 2012 that NATO’s Cooperative Cyber Defense Center of Excellence (CCDCOE) launched Tallinn 1.0, the first attempt to define how conflicts in cyberspace might relate to international law. Recently, Tallinn 2.0 updated this.

A workable idea? Microsoft has form in thinking through the larger implications of cybersecurity, setting up its Digital Crimes Unit (DCU) years before governments and rival vendors had woken up to the complexity of the problem. Earlier this year, chief legal officer Brad Smith floated the idea of a cyber Geneva Convention to establish norms of behaviour.

As the report acknowledges, there are numerous hurdles, mostly political. The chances of getting a meaningful range of countries to take part seem slim.

Another, more subtle problem was glimpsed last week when President Putin denied Russian involvement in cyberattacks on other countries while appearing to praise the “patriotically-minded” individuals who might be responsible.

It’s as if Putin’s Russia quite likes being blamed. Cyberattacks go down well with a domestic audience, and make Russia feel important. The same might also apply to North Korea. Perhaps carrying out cyber-campaigns with a sly smile is, shockingly, acquiring currency. No fancy NGO can battle this.

10 Comments

Sounds like fun, but also sounds like vigilantism, which might be a legal issue.

Reply

They didn’t say that this NGO would attack anybody, just analyze and announce who is responsible for others’ attacks.

Reply

All I can see is someone who will tell me (and the rest of the world) what they should be doing. It will leave the cybersecurity arena and move into private citizens’ lives and homes, much like we have today with our current laws. Will they be able to get worldwide warrants to confirm their results?
Any international group has a direction, much like the control the UN has over us. The UN stated you didn’t have a right to protect yourself; this is not for most of us. Many of these countries produce laws that are just moral-based, like our prohibition laws. When they are wrong in their selection of who did what, who pays the people that were screwed?
Anyone who uses the phrase “establish norms of behaviour” tells me they are making moral decisions. We each have our own morality and it can’t be legislated.

Reply

Not sure what you mean by “UN stated you didn’t have a right to protect yourself”. Article 51 of the UN charter reads:

“Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.”

Reply

He’s probably referring to the UN Small Arms Treaty, which initiates a gun registry.

The U.S. Constitution says that a treaty cannot override the Second Amendment nor any of the other principles encased within the Bill of Rights of the United States Constitution. The following excerpt from Article VI of the United States Constitution, is very clear in stating: “This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, anything in the Constitution or Laws of any State to the Contrary notwithstanding.”

Therefore, I would agree wholeheartedly with jkwilborn that such a treaty is inadmissible in the U.S.

Reply

Good trick, to blame the end user for the security weaknesses in the systems you produce and sell. I await with interest Joe Soap’s reaction to being asked to shoulder the blame for being hijacked into a Windows botnet.

Reply

I honestly can’t see this making the slightest difference. The idea came from one of the most famous US brands in the world and was announced at a NATO conference. Those things alone will surely give any country that isn’t closely allied with the USA or a member of NATO a reason or excuse to question its impartiality.

Imagine how the USA or the UK would react if Russia, China and North Korea got together and announced the creation of an impartial NGO for investigating cybercrime at a joint summit.

Reply

In fairness to Microsoft, the idea was to involve as many countries as possible, including ones beyond NATO (which it would have no connections with). It would also operate within the bounds of international co-operation and would be solely for attribution, not direct action.

Through today’s lens, it might look and sound US-centric. Perhaps in years to come when countries such as China and Russia have been on the receiving end of cyberattacks (which inevitably, they will) its appeal will grow.

Reply

My guess is that Russia and China are under constant attack already (not least from each other) but the various political systems in each major territory make the consequences of making noise about state-sponsored cybercrime quite different. Thanks to ShadowBrokers we know that the USA has some serious cyberkit in its inventory and I assume the NSA makes use of it.

To me it makes sense that the USA is most vocal about the attacks rather than most commonly the victim (though, as I say, I’m guessing). It needs to drum up public support for putting money into cyber defence, it has to justify its unpopular dragnet surveillance and it has a vast private sector technology industry that needs to be told why investing in security is worthwhile. All those things are served by talking about the problem. It also has a vibrant free press that would make not talking about that problem quite difficult. I see the incentives for Russia and China being quite the opposite so I’d expect them to suppress news of cyberattacks.

Reply

It seems such an NGO would only be providing useful feedback to the bad guys enabling them to improve their product. If they were constantly identified as the originators of cyber attacks wouldn’t they make changes? Especially if the identification gave details of the detection. If I were the US for instance I’d be inclined to publicly report a false source for attacks to bias any corrective action by the perpetrators in a wrong direction.

Reply
