An international body, operating via consensus and staffed by a globally diverse team of technical experts from governments and the private sector, should be set up to establish peer-reviewed technical attribution for major cyberattacks, Microsoft recommends in a policy paper out Thursday.
‘The IAEA is renowned for its technical expertise, its board of governors and other organizational elements are made up of representatives from around the world,’ and its inspectors carry out their work of verifying compliance with the global nuclear Non-Proliferation Treaty, or NPT, based upon well-established consensual criteria, the report notes.
‘At its core, this organization would consist of technical experts from across governments, the private sector, academia, and civil society with the capability to examine tactics, techniques, and procedures used by nation-state attackers, as well as indicators of compromise that suggest a given attack was by a nation-state,’ the report says.
‘Its essential output would be a technical analysis of the attack and evidence of attribution. In some cases, based on agreed-upon criteria, it might publish its findings,’ the authors state, noting that in some cases it might not only be perpetrators who are opposed to making public accusations.
Victims, especially private companies, ‘may be concerned that notifying the attacker will provoke a change in tactics, thus making detection and remediation more difficult. Additionally, an attacking nation-state may be a customer and any accusation … may have serious business repercussions.’
The paper notes that — as global norms for nation-state behavior in cyberspace have begun to take hold among the world’s governments — attribution has emerged as a key problem.
‘Cybersecurity norms are unlikely to be effective as a policy tool without further development of cyber attack attribution,’ writes Microsoft Vice President for Trustworthy Computing Scott Charney in a blog post unveiling the paper Thursday.
In addition to recommending the IAEA-type body, and reiterating the offensive and defensive norms it believes governments should follow, Microsoft also lays out, in this latest paper, six cybersecurity norms the global IT and telecommunications sectors should follow.
Companies should refrain from backdooring their products; engage in responsible and coordinated vulnerability disclosure; stay out of the black market for zero days; work together to improve cyber defenses; cooperate with authorities to respond to and mitigate attacks; and ensure that all vulnerabilities are patched, no matter which attackers might be exploiting them, Microsoft says.