On Tuesday, July 17th, the Center for Long-Term Cybersecurity partnered with Microsoft to host a one-day workshop focused on “Digital Accountability: Designing Futures for Cyberattack Attribution.” Held at The Faculty Club on the UC Berkeley campus, the workshop brought together participants from industry, academia, civil society, and government to explore the recent history and possible futures of cyberattack attribution, with an emphasis on the shifting roles of the private and public sectors.
The workshop was organized into three sessions: “Where have we been?” “Where are we going?” and “Designing for the future.” Each session included several provocations from designated participants who shared a diverse range of research questions and experiences related to cyberattack attribution; the provocations were followed by in-depth discussions. During a breakout exercise in the third session, participants worked through a series of questions centered around a future scenario and identified a number of approaches for improving tangible problems in the attribution landscape.
Leading up to the workshop, CLTC Research Fellow Jessica Cussins produced a research document to provide background and frameworks for discussion. She wrote that the “definition of success is to enrich our understanding of where we have been and where we are going; to clearly identify opportunities and threats; and to think creatively about how we could improve accountability and stability in the digital world.” We interviewed Cussins to learn more about the workshop (answers have been lightly edited for content).
Why is attribution an important topic in cybersecurity? What’s the underlying challenge—and why does it matter?
For this workshop, we wanted to reframe the question of cyberattack attribution beyond more traditional notions of deterrence to think about what is at stake for digital accountability if attribution continues to happen in a segmented, non-standardized, and non-transparent way. Part of the challenge is that there are different actors involved with attribution—the intelligence community, cybersecurity firms, technology companies, and civil society organizations—but they have different methods and objectives, and even different definitions of what counts as attribution. It is unlikely that we will see greater cyber stability if we just continue with the status quo, especially when we look out to some of the future challenges and shifts we can expect to see in the digital world. This matters because cyberattacks are on the rise, including by foreign state actors against civilians. People and organizations probably shouldn’t have to bear the costs of cybercrime on their own, but it isn’t clear today who they can count on and under what circumstances. Attribution is about so much more than simply identifying a ‘return address’ for a deterrence strategy.
How did this workshop come to be?
Microsoft has been exploring the idea of a Digital Geneva Convention since Brad Smith [Microsoft’s president and legal officer] first announced the idea at the RSA conference in 2017. One part of that idea is the possibility of instituting a global attribution organization, and several groups, including RAND and the Atlantic Council, have developed really interesting and thoughtful proposals for what different variations of a global attribution organization could look like. Microsoft was interested in working with the CLTC on this idea in order to take a step back and think more broadly about some of the context of these ideas. Does the world need a new organization to solve this problem? We wanted to go back to first principles and re-think how the problem is understood. So the first thing we did was research the recent history of cyberattack attribution to see what has occurred and changed over the last ten years.
What kinds of changes did you uncover through this initial research?
We identified four major shifts in cyberattack attribution to nation-states between 2007 and today. The first shift is scale: the number of attribution claims made against nation-states has increased, with the number of prominent examples we cited more than doubling in the second half of the time range. The second shift is origin: many prominent attribution claims in the last few years have come from governments, but prior to that it was more common for them to originate from the private sector. The other shifts we identified are increased transparency and coordination. These features are not always present, but there is increased pressure both to share greater evidence to substantiate an attribution claim, and to share information within and between sectors.
How would you summarize the “where we are going” part of the workshop? What are the key trends shaping attribution today and going forward?
Workshop participants disagreed about the degree to which emerging technologies will have an impact on attribution in the future. We discussed the ways in which technological innovations such as blockchain, AI, IoT, and quantum computing could enhance the sophistication of attacks, and potentially make it harder to know the origin of attacks, but we also discussed how the same technologies are also improving the ability to defend and in some cases attribute the source of attacks as well (though these two capabilities don’t always go together). There was seemingly more agreement that policy changes, particularly related to data and privacy policies such as the European General Data Protection Regulation (GDPR), will affect how attribution is carried out, largely because of the requirement to report such a wide array of security breaches so quickly. We also discussed how a greater number of actors are now involved in attribution, and how in 5-10 years’ time, we may see a different set of countries leading the debate at the global level.
Did any surprising or unexpected insights come out of the workshop?
This isn’t totally surprising since it was a goal of the workshop, but the conversation did go far beyond the idea of an attribution organization. Some key insights that emerged include the importance of developing a taxonomy of cyberattacks and attribution, and improving the availability of shared language to enable and encourage greater collaboration. For many people, attribution is not the end in itself, but one piece that can help contribute to accountability and security alongside things like preventative security measures. Another interesting insight related to the depth of cultural differences—even within the U.S.—when it comes to relationships between industry and government and how that continues to shape the attribution landscape.
How would you summarize the future scenario at the heart of the third part of the workshop?
The future scenario was set in 2025 and imagines a world not so different from today’s, but where we see much greater reliance on information and communication technology, along with significantly more divergent responses to this fact. The scenario includes three different models of states in this world, each of which has different formations of power and uses of technology to achieve different aims. The goal of the exercise was to think about how each of these states would experience vulnerability to systemic cyber risk in different ways, as well as what kinds of tools, institutions, or processes might be useful for them.
How would you summarize the frameworks included in your initial write-up?
The first framework we presented was a timeline of key cyberattack attributions to nation-states over the last ~10 years. We differentiated the attributions that originated in industry from those that originated in governments, and this helped us to identify a number of trends and shifts. The second model we presented was a decision tree that highlights the key “moves” made by different actors in relation to attribution: who made the first attribution, whether the attribution was confirmed by others, and whether it led to any action. This was an experiment to see if we could learn anything interesting by seeing the different paths that different attribution claims have taken. We were also interested to consider whether certain paths were potentially more problematic than others for different actors. In general, we found that attribution claims that had greater consensus and led to action are perceived to be more “successful” than others.
What’s next for this project? Are there any future events or follow-up activities planned?
A lot of good ideas emerged at the workshop, and we are continuing to work with our partners at Microsoft to explore ways to keep this momentum going and develop follow-up research initiatives and activities down the road. Attribution is going to be a continuing source of interest and controversy for governments, firms, and of course for the citizens that any Digital Geneva Convention initiative would seek to protect.