Second Roundtable Looks at Role of Private Sector and Civil Society in Attribution

Sarah Lohmann

AICGS Senior Cyber Fellow

Dr. Sarah Lohmann is currently the Senior Cyber Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University. She manages projects which aim to increase agreement between Germany and the United States on improving cybersecurity and creating cybernorms. Since 2010, Dr. Lohmann has served as a university instructor at the Universität der Bundeswehr. She achieved her doctorate in political science there in 2013, when she became a senior researcher working for the political science department. Dr. Lohmann also serves as Communications Lead Faculty at the University of Washington, where she teaches classes on big data and preventing disinformation and misinformation and has helped develop a new Emerging Technology Certificate.

Prior to her tenure at the Universität der Bundeswehr, Dr. Lohmann was a press spokesman for the U.S. Department of State for human rights as well as for the Bureau of Near Eastern Affairs (MEPI). Before her government service, she was a journalist. She has been published in multiple books, including a handbook on digital transformation, Redesigning Organizations: Concepts for the Connected Society (Springer, 2020), and has written over a thousand articles in international press outlets. Her current areas of research include cybersecurity as it relates to election security, national security, transatlantic relations, energy, international law, and big data.

Defense and tech experts from the United States and Germany gathered in the conference room of the American Institute for Contemporary German Studies in Washington, DC, on May 23 to discuss the greatest cybersecurity hurdles facing the transatlantic community. The second German-American Cyber Roundtable, co-hosted by Microsoft, examined which actors should work together to identify those responsible for malicious cyber incidents.

Setting the tone for the meeting, Prof. John Davis, a senior information scientist at RAND and professor of the Pardee RAND Graduate School, discussed the challenges of attribution and the motivations and methods of actors who conduct illegal cyber intrusions. His study Stateless Attribution: Toward International Accountability in Cyberspace proposes an attribution organization independent from the state, similar to the International Atomic Energy Agency, which would be made up of companies from the private sector and civil society. This independent organization would not be concerned with punitive mechanisms, he said, but should focus on synergy of methodology and confidence from the participants to correctly identify actors conducting illegal intrusions.

Laura Rosenberger, who founded the Alliance for Securing Democracy, talked about the challenges for governments when making attribution public, and the role the private sector and civil society can play to galvanize government action and provide public transparency.

Michael Ngo, the new CSO of ORock Technologies, provided an operational perspective and described the value of connecting intelligence, sensor data, and operational reporting to mitigate cyber-attacks and illegal intrusions. There was a diversity of opinion among the participants about the degree to which governments, the military, and intelligence agencies should be left out of an attribution coalition altogether, and who should provide accountability for bad actors.

A second panel, which included Professor Tom Wingfield of the National Defense University, Steve Bucci of Heritage, Kaja Ciglic of Microsoft, and Todd Oja of U.S. Cyber Command, discussed the layers of authorities needed to identify malicious cybersecurity actors and the motivators that can be used for compelling lawful behavior. Here, access, authorities, and resources all play a role, especially in terms of coordinating with partners in Europe.

Ms. Ciglic discussed the Cybersecurity Tech Accord as a solution to increased malicious cybersecurity threats to users from both cybercriminals and nation states. The Accord, which was launched in April, has been signed by over forty companies. The signatories agree to share threat information, to protect users from cyber-attacks, to not help governments launch offensive attacks that are harmful to “innocent” citizens, and to report publicly on their progress.

While the role of the government in interacting with an attribution coalition or in responding to the private sector’s desire to protect their users’ privacy was hotly debated, all agreed that civil society had a greater role to play in identifying bad cyber actors, assisting in technical cooperation, and sharing threat information. The next Cyber Roundtable will take place in Brussels in the fall.

The views expressed are those of the author(s) alone. They do not necessarily reflect the views of the American Institute for Contemporary German Studies.