Sophos News

Microsoft’s radical idea for dishing out cyberblame

Microsoft’s free thinkers have come up with a radical idea for containing global cyberattacks: set up a non-governmental organisation (NGO) whose job it would be to name perpetrators.

It sounds simple enough and, as the A-Team’s Hannibal used to say, “it’s so crazy it just might work.” Or is it just plain crazy?

Undoubtedly, Microsoft has been doing a lot of thinking on the matter, sponsoring a lengthy Rand Corporation report, Stateless Attribution – Toward international accountability in Cyberspace, that explores the issues that bedevil cyber-attribution.

This was quietly announced last week at the NATO CyCon conference in Tallinn by Paul Nicholas, head of Microsoft’s Global Security Strategy and Diplomacy Team.

The NGO would be called the Global Cyber Attribution Consortium, he explained in remarks reported by AFP:

“This is something that we don’t have today: a trusted international organisation for cyber-attribution.”

Attribution had become a game whose rules are understood only by those in the know:

“The main actors look at each other and they sort of know who they think it was, but nobody wants to make an affirmation.”

Military incidents are quickly attributed to aggressors, which neutrals accept on the balance of probability. With cyberattacks, it’s almost exactly the opposite.

Country A accuses Country B of hacking its computers, something Country B denies. A security vendor then backs up Country A’s assertion with a forensic analysis that ends up being disputed by experts from rival vendors who draw different conclusions from the same evidence. In many cases, incidents go unreported anyway.

Appointing an NGO could impose a universal methodology for assessing evidence, the report argues, as well as tame the confusing identification system in which each vendor (including, ironically, Microsoft) uses a different name for the same threat actor.

An immediate question is where the proposed NGO would get its data from. The report’s answer is that it would need to be collaborative across vendors, countries and sources, including independent researchers:

“It is crucial that the Consortium includes broad membership across geopolitical lines to foster a diversity of perspectives and to minimize the possibility that its findings are tainted by political influence.”

The venue for Nicholas’s remarks, Tallinn, is no coincidence: it was here in 2012 that NATO’s Cooperative Cyber Defense Center of Excellence (CCDCOE) launched Tallinn 1.0, the first attempt to define how conflicts in cyberspace might relate to international law. Recently, Tallinn 2.0 updated this.

A workable idea? Microsoft has form in thinking through the larger implications of cybersecurity, setting up its Digital Crimes Unit (DCU) years before governments and rival vendors had woken up to the complexity of the problem. Earlier this year, chief legal officer Brad Smith floated the idea of a cyber Geneva Convention to establish norms of behaviour.

As the report acknowledges, there are numerous hurdles, mostly political. The chances of getting a meaningful range of countries to take part seem slim.

Another, more subtle problem was glimpsed last week when President Putin denied Russian involvement in cyberattacks on other countries while appearing to praise the “patriotically-minded” individuals who might be responsible.

It’s as if Putin’s Russia quite likes being blamed. Cyberattacks go down well with a domestic audience, and make Russia feel important. The same might also apply to North Korea. Perhaps carrying out cyber-campaigns with a sly smile is, shockingly, acquiring currency. No fancy NGO can battle this.