During spring quarter, one of the Jackson School’s Applied Research Program student teams was given a daunting task – help Microsoft think about President Brad Smith’s call for a Digital Geneva Convention. In addition to weighing in on current Microsoft strategy, the students found out that they were working on the exact same research task that Microsoft had asked RAND to tackle.
The team spent eight weeks surveying 23 existing international attribution organizations and processes and using these models to understand best practices for international cyberattack attribution as well as potential pitfalls. They presented their findings to Microsoft leadership, including the Corporate Vice President for Trustworthy Computing, Scott Charney, and the Senior Director of the Global Security Strategy & Diplomacy Team, Paul Nicholas. Comments during and following the presentation indicated the students had not only succeeded in producing excellent research – but had exceeded expectations.
The team was made up of eight undergraduates, two senior researchers, and a faculty member with expertise in cybersecurity. Justin Collins, Cameron Evans, Chris Kim, Kayley Knopf, Selma Sadzak, Nick Steele, Julia Summers, and Alison Wendler made up the undergraduate team. The two senior researchers, Allison Anderson and Stacia Lee, also contributed research, writing, and editing. Dr. Jessica Beyer directed the project.
The project was the fifth product of a Jackson School Applied Research collaboration with Microsoft’s Global Security Strategy & Diplomacy Team. The Applied Research Program, founded by Professor Sara Curran, matches teams of top-achieving Jackson School students with private and public sector organizations seeking dynamic, impactful, and internationally-minded analyses to support their strategic and operational objectives.
Snapshot of the Report
The report outlines findings from a survey of 23 attribution organizations and processes and, drawing on those findings, proposes the formation of a cyberattack attribution organization based on international private sector coordination. Drawing upon private sector expertise from multiple countries, the proposed organization would centralize analysis of major cyberattacks through formalized investigations and the production of credible, timely attribution reports following major attacks. The organization would streamline the attribution process, thereby playing a substantial role in deterring future major nation state cyberattacks and promoting greater global Internet security.
The organizations surveyed were: Amnesty International, Citizen Lab, Egmont Group of Financial Intelligence Units, European Financial Coalition Against Child Pornography, Financial Industry Regulatory Authority, Greenpeace, International Atomic Energy Agency, International Civil Aviation Organization, International Labor Organization, NATO Cooperative Cyber Defense Center of Excellence, Organization for the Prohibition of Chemical Weapons, United Nations Al-Qaida Sanctions Committee, United Nations Sanctions Committee on North Korea, and the World Trade Organization’s GATT Article XX.
The processes examined were: Cheonan Joint Investigation Group, Democratic National Committee Email Leak Investigation, Google’s Operation Aurora, the Intermediate-Range Nuclear Force Treaty investigative process, Malaysia Airlines Flight 17 (MH17) Crash Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation.
The research identified six best practices from these organizations that should be incorporated into any organization tasked with cyberattack attribution:
- Equitable geographic representation
- Organizational transparency
- Stakeholder outreach
- Internal accountability
- Inclusion of technical and geopolitical experts
- Private sector membership
In addition, the team identified seven challenges that such an organization would face — including proposals for solutions drawn from existing examples of international attribution organizations. The challenges include:
- Earning public trust
- Cooperation among competitors
- Industry compliance with organizational norms
- Legal challenges of information sharing
- Collecting sensitive and confidential cyber incident information
- Methods of information sharing
- Sharing information between China, Russia, and the U.S.
Based on their research, the students proposed the following organizational blueprint.
Table 1: Organizational Blueprint
- Company representatives, industry experts, independent academics.
- Leads neutral, private sector investigations of major state-sponsored cyberattacks to determine attribution.
- Decision making done through supermajority voting of member companies in the Executive Council.
- Expert Investigation Committee leads nation-state cyberattack investigations.
- Expert Review Committee reviews validity of attribution judgment upon request.
- Peer-review, high transparency, evidentiary framework.
- Investigation report articulates attribution.
- The Communications Committee disseminates attribution reports, with full transparency, to mainstream news organizations.
- $40 million for year one and $30 million/year for subsequent years.
- Funded by mandatory contributions from member companies.