Promoting Accountability in Cyberspace

The attribution of a malicious cyber incident consists of identifying the responsible party behind the activity. A cyber attribution finding is a necessary prerequisite for holding actors accountable for malicious activity. Recently, several cyber incidents with geopolitical implications and the attribution findings associated with those incidents have received high-profile press coverage. Several of these attribution findings were disputed and many segments of the general public questioned the credibility of the declared attributions. In an effort to address these concerns, RAND researchers recommend creating an independent, international cyber attribution consortium —a "stateless" organization—tasked with investigating and publicly attributing major cyber attacks.

In this video hosted by mechanical engineer and science correspondent Shini Somara, RAND researchers John Davis, Jonathan Welburn, Benjamin Boudreaux, and Jair Aguirre review how cyber attribution is handled, presented, and received today, and consider the value of an independent, global organization whose mission consists of investigating and publicly attributing major cyber attacks. That organization would be the Global Cyber Attribution Consortium.

Isn't Cyber Attribution a Government Role?

Not necessarily. Researchers believe that the credibility and transparency of the Global Cyber Attribution Consortium (GCAC) requires that it operate without standing state participation. Three reasons underscore why states should not be officially represented:

  1. States' attribution claims are often based on evidence and intelligence that they are not willing to publicly share, which engender persistent questions about how their findings were reached and whether they are credible.
  2. States make public attribution claims for political purposes, and, as members, they would have reason to shape GCAC's findings to serve their national interests.
  3. States would have incentives to influence what cyber incidents the Consortium would investigate, and they would seek to steer GCAC away from accepting cases that might shed light on or otherwise threaten their own cyber operations.

Researchers acknowledge that there will be certain cyber attacks for which government intelligence is necessary to make an attribution decision. In cases where GCAC determines that it is not equipped to confidently arrive at an attribution decision, it can make a declaration that government intelligence is needed.