IGF 2018 WS #163
An International Attribution Organization

Organizer 1: Cristin Goodwin, Microsoft Corporation
Organizer 2: Milton Mueller, Georgia Tech Internet Governance Project
Organizer 3: Farzaneh Badii, Internet Governance Project

Speaker 1: Cristin Goodwin, Private Sector, Western European and Others Group (WEOG)
Speaker 2: Brenden Kuerbis, Civil Society, Western European and Others Group (WEOG)
Speaker 3: Deborah Brown, Civil Society, Western European and Others Group (WEOG)
Speaker 4: Arun Sukumar, Technical Community, Asia-Pacific Group


Milton Mueller

Online Moderator

Karl Grindal


Microsoft and IGP will agree on a rapporteur to synthesize the discussion and prepare a report using the standard report format.


Round Table - 90 Min


Interventions from major private sector platform provider (Microsoft) will document the scope of the problem of nation-state attacks and the relevance of the issue to every day operations in cyberspace. Another private sector law firm from Singapore will explain how the problem looks from an Asian perspective. We also have the perspective of academic researchers on Internet governance institutions and international relations (IGP and Observer Research Foundation), who can provide an independent analysis of the challenges of forming an international attribution organization. A civil society advocacy group (APC) will explain how such an organization might level the playing field for smaller nations and organizations, and also raise some of the human rights concerns. Technical experts from a government agency and academia will supplement the analysis by discussing the science of attribution. Although there will be 5 or 6 panelists, due to widespread interest in this topic we expect audience members to bring additional perspectives, and so have left 30 minutes for interaction. We expect the audience to contain additional governmental, technical, academic and civil society perspectives.


There is good gender balance on the panel. We have combined experts from WEOG, Asian and Middle East region, as well as a good mix of stakeholder groups (private sector, civil society, academia, government).

The session will begin with background information from the moderator and recognized experts. This will be followed by reactions from the different stakeholders and a discussion of proposed solutions and various issues related to a transnational attribution organization.
Interventions. A tentative plan for the roundtable discussion is as follows:
1. Overview of attribution of state-sponsored attacks (20 min)
a. What is it, why is it needed?
i. Attribution for criminal prosecution
ii. Attribution for nation state deterrence
iii. Attribution for customer protection and defense
iv. Attribution for technical understanding and research
b. How has attribution worked in practice? A study of actor incentives and strategies.
i. Malware based attribution for private sector
ii. Exercise of legal authorities to attribute by a nation state
1. Attribution to a state actor
2. Attribution to an individual for the purposes of indictment
c. Standardizing attribution – what consistent, repeatable elements must be present to make an attribution decision technically credible?

2. Proposed solution(s), issues, and stakeholder perspectives (20 mins)
a. Elements needed to get to an attribution organization?
b. Self-attestation versus a “review and approval” model
c. Organizational alternatives, a university-based attribution consortium?
d. Legal risks, information sharing, and other operational challenges
i. If the goal is deterrence, does creating this type of international AO change how international law addresses attribution?
1. Does this level of attribution change how international law looks at internationally wrongful acts and attribution of
those acts under the Doctrine of State Responsibility?

3. Audience interaction (30 mins)

We will facilitate discussion by having a clear agenda, keeping panelists comments concise, identifying the key controversial questions emerging from their discussion, and then soliciting audience interaction around those questions. We will take two or three questions at a time from the floor so that more people have a chance to get their comments and questions in, and the panelists don't use up all the available time with their responses.

This session deals with two policy issues: 1) would an international attribution organization, as proposed by several parties, improve accountability and trust in cyberspace? 2) if an international attribution organization or process would help, how should it be organized and funded?

Attribution is defined as identifying with an understood degree of confidence who is responsible for a cyberattack. This issue is highly relevant because cyber incidents with geopolitical implications have been attributed to state actors, and these attribution findings have received high-profile press coverage, such as US accusations regarding Russian hacking or attribution of the Stuxnet worm to the U.S. and Israel. But performing attribution is as much an art as a science. The reasons to attribute can be as varied as the parties doing the attribution. While nation states may have political motivations, private sector entities have commercial motivations that may drive attribution decisions. And while attribution can be public and specific, there is often significant concern over making the technical details of an attribution public. While governments can use legal authorities to potentially attribute a nation state attack down to a named individual, in order to bring that person or persons to justice, most attributions do not progress that far. Nonstate actors produce technical evidence and also make credible attributions, although more often private also sector entities will attribute behavior to a threat actor or activity group, rather than to a specific nation state. Adding to the complexity, attribution claims are often based on intelligence or privately collected data that parties are not willing to publicly share, which may engender persistent questions about how their findings were reached and whether they are credible. The impacts of the lack of standardization in the practice of attribution, the variety of authorities held by the parties making the attribution, the wide range of naming conventions used when attributing an attack, and the benefits of greater consistency in this space all need further investigation and thought.

Online Participation

Including online participants in the discussions have always been our top priority at IGF workshops. The moderator and all the participants will be informed about the importance of including remote participants and will be encouraged to log into the WebEX which is important for interactions and seeing the discussions that are happening on the online interface. Our remote moderator will also monitor Twitter and brings the viewpoints forward, the hashtag will be #Cyberattribution and will be publicized widely. We will also publicize the workshop at Georgia Tech and persuade the students to join remote hubs to watch IGF and this session.