Second Roundtable Looks at Role of Private Sector and Civil Society in Attribution
Defense and tech experts from the United States and Germany gathered in the conference room of the American Institute for Contemporary German Studies in Washington, DC, on May 23 to discuss the greatest hurdles for cybersecurity for the transatlantic community. The second German-American Cyber Roundtable, co-hosted by Microsoft, examined which actors should work together to identify those responsible for malicious cyber incidents.
Setting the tone for the meeting, Prof. John Davis, a senior information scientist at RAND and professor of the Pardee RAND Graduate School, discussed the challenges of attribution and the motivations and methods of actors who conduct illegal cyber intrusions. His study, Stateless Attribution: Toward International Accountability in Cyberspace, proposes an attribution organization independent from the state, similar to the International Atomic Energy Agency, which would be made up of companies from the private sector and civil society. This independent organization would not be concerned with punitive mechanisms, he said, but should focus on synergy of methodology and confidence from the participants to correctly identify actors conducting illegal intrusions.
Laura Rosenberger, who founded the Alliance for Securing Democracy, talked about the challenges for governments when making attribution public, and the role the private sector and civil society can play to galvanize government action and provide public transparency.
Michael Ngo, the new CSO of ORock Technologies, provided an operational perspective and discussed the value of connecting intelligence, sensor data, and operational reporting to mitigate cyber-attacks and illegal intrusions. There was a diversity of opinion among the participants about the degree to which governments, the military, and intelligence agencies should be left out of an attribution coalition altogether, and who should provide accountability for bad actors.
A second panel, which included Professor Tom Wingfield of the National Defense University, Steve Bucci of Heritage, Kaja Ciglic of Microsoft, and Todd Oja of U.S. Cyber Command, discussed the layers of authorities needed to identify malicious cybersecurity actors and the motivators that can be used for compelling lawful behavior. Here, access, authorities, and resources all play a role, especially in terms of coordinating with partners in Europe.
Ms. Ciglic discussed the Cybersecurity Tech Accord as a solution to increased malicious cybersecurity threats to users from both cybercriminals and nation states. The Accord, which was launched in April, has been signed by over forty companies. The signatories agree to share threat information, to protect users from cyber-attacks, to not help governments launch offensive attacks which are harmful to “innocent” citizens, and to report publicly on their progress.
While the role of the government in interacting with an attribution coalition or in responding to the private sector’s desire to protect its users’ privacy was hotly debated, all agreed that civil society had a greater role to play in identifying bad cyber actors, assisting in technical cooperation, and sharing threat information. The next Cyber Roundtable will take place in Brussels in the fall.