ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation,...

CYBERATTACK ATTRIBUTION: A BLUEPRINT FOR PRIVATE SECTOR LEADERSHIP. RESEARCH FELLOWS: Justin Collins, Cameron Evans, Chris Kim, Kayley Knopf, Selma Sadzak, Nicholas Steele, Julia Summers, Alison Wendler. SENIOR RESEARCH FELLOWS: Allison Anderson, Stacia Lee. FACULTY LEAD: Jessica Beyer.


Cyberattack Attribution
A Blueprint for Private Sector Leadership

Research Fellows

Justin Collins

Cameron Evans

Chris Kim

Kayley Knopf

Selma Sadzak

Nicholas Steele

Julia Summers

Alison Wendler

Senior Research Fellows

Allison Anderson

Stacia Lee

Faculty Lead

Jessica Beyer


This report is a product of the Applied Research Program in the Henry M. Jackson School of International Studies at the University of Washington. The Applied Research Program matches teams of top-achieving Jackson School students with private and public sector organizations seeking dynamic, impactful, and internationally-minded analyses to support their strategic and operational objectives. For more information about the Applied Research Program please contact us at jsisarp@uw.edu.


Executive Summary

After three decades of development, adoption, and innovation, the Internet stands at the core of modern society. The same network that connects family and friends across the world similarly ties together all aspects of daily life, from the functioning of the global economy to the operation of governments. The digitization of daily life is the defining feature of the 21st century. While the pervasiveness of Internet-enabled technology brings significant benefits, it also brings serious threats—not only to our economy and safety, but also to our trust in computer systems.1

The Internet is central to modern life, yet major state-sponsored cyberattacks persist in disrupting Internet access and function. These attacks undermine faith in government and public trust in democratic institutions. Attribution attempts to date have been unable to deter states from building malicious code for even greater destructive capabilities. In response, we propose the formation of an attribution organization based on international private sector coordination. Drawing upon private sector expertise from multiple countries, the proposed organization will centralize analysis of major cyberattacks through formalized investigations and the production of a credible, timely attribution report following major attacks. The organization will streamline the attribution process, thereby playing a substantial role in deterring future major nation state cyberattacks and promoting greater global Internet security.

The Attribution Challenge

Attribution is critical to the resolution of many cybersecurity problems.2 Attribution is important for two key reasons. First, attribution imposes responsibility on the party or parties involved in the cyberattack. Second, attribution deters future cyberattacks by raising the cost of state-sponsored offensive activity.3 Despite the tendency for countries to employ cybersecurity policy that favors offensive action rather than defensive action, attribution is fundamental to deterrence because it raises the cost of attack. Currently, attackers are predominantly anonymous, able to hide behind complex computer networks. Lack of attribution is a principal cause for the deluge of state-sponsored cyberattacks because it makes offensive cyber activity relatively cost-free.4

1 For a general overview on the erosion of trust resulting from hacks and government surveillance see: Jack Goldsmith, “Toward Greater Transparency of National Security Legal Work.” Jack Goldsmith, May 6, 2015. http://jackgoldsmith.org/toward-greater-transparency-of-national-security-legal-work/ and Marc Goodman, Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It. New York: Anchor Books, 2016.
2 David A. Wheeler, and Gregory N. Larsen. “Techniques for Cyber Attack Attribution.” Institute for Defense Analyses, October 2003. http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859.
3 For more on this see: Jon R. Lindsay, “Tipping the Scales: The Attribution Problem and the Feasibility of Deterrence against Cyberattack.” Journal of Cybersecurity 1, no. 1 (September 1, 2015): 53–67. http://cybersecurity.oxfordjournals.org/content/1/1/53
4 John P. Carlin. “Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats.” Harvard National Security Journal Vol. 7. Harvard University, 2016. https://docs.google.com/viewer?docex=1&url=https://lawfare.s3-us-west-2.amazonaws.com/staging/2016/Carlin%20FINAL.pdf


While the need for attribution is clear, speed and integrity are key obstacles to the production of successful attribution judgements.5 Evidence is paramount to the production of a credible attribution judgement; after a cyberattack, experts must gather technical and socio-economic and political data. These data become the evidence required for an attribution judgement, resolving the basic question of cyberattack responsibility.6 However, since cyberattacks often transcend borders, divergent legal frameworks and different state strategic orientations towards information sharing make the collection of evidence particularly difficult and slow.7 Meanwhile, the integrity of digital forensics vanishes quickly. Additionally, expert investigators from the private sector lack the ability to collect necessary information from attacked governments and other companies. As a result, when attribution reports are made, they are often unconvincing to the public.8 There is clearly a need for the formal coordination of stakeholders to share, process, and publish a timely attribution judgment following major cyberattacks.

5 Bruce Schneier, “Attack Attribution and Cyber Conflict,” Schneier on Security, 2015. Accessed May 25, 2017. https://www.schneier.com/blog/archives/2015/03/attack_attribut_1.html.
6 Healey, Jason. “Beyond Attribution: Seeking National Responsibility in Cyberspace.” Atlantic Council, 2012. http://www.atlanticcouncil.org/publications/issue-briefs/beyond-attribution-seeking-national-responsibility-in-cyberspace.
7 Carlin, 2016.
8 Schneier, 2015.

Blueprint for an Attribution Organization

The mission of our proposed attribution organization is to enhance the credibility, speed, and accuracy of attribution following cyberattacks. The organization will accomplish its objectives through private sector cooperation and funding. To create an effective organizational blueprint, we studied 23 existing attribution organizations and investigative processes. Drawing upon the successful procedures of existing organizations and processes will enable our proposed organization to centralize analysis of major state-sponsored cyberattacks and safeguard trust in technology. The organizations we evaluated were: Amnesty International, Citizen Lab, Egmont Group of Financial Intelligence Units, European Financial Coalition Against Child Pornography, Financial Industry Regulatory Authority, Greenpeace, International Atomic Energy Agency, International Civil Aviation Organization, International Labor Organization, NATO Cooperative Cyber Defense Center of Excellence, Organization for the Prohibition of Chemical Weapons, United Nations Al-Qaida Sanctions Committee, United Nations Sanctions Committee on North Korea, and the World Trade Organization’s GATT Article XX. The processes we examined were: Cheonan Joint Investigation Group, Democratic National Committee Email Leak Investigation, Google’s Operation Aurora, the Intermediate-Range Nuclear Force Treaty investigative process, Malaysia Airlines Flight 17 (MH17) Crash Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation. Based on our research, we have identified six best practices to incorporate into our attribution organization:

• Equitable geographic representation
• Organizational transparency
• Stakeholder outreach
• Internal accountability
• Inclusion of technical and geopolitical experts
• Private sector membership

In addition, we articulated seven challenges that might accompany organizational operation:

• Earning public trust
• Cooperation among competitors
• Industry compliance with organizational norms
• Legal challenges of information sharing
• Collecting sensitive and confidential cyber incident information
• Methods of information sharing
• Sharing information with China and Russia

Our report details each of the listed best practices and outlines how each practice will be integrated into an organization tasked with cyberattack attribution. We also address each potential challenge and propose solutions that will promote international cooperation and enhance global Internet security.

Table 1 illustrates our organizational blueprint. As a non-governmental organization funded entirely by private sector members, the organization will derive its legitimacy and authority from its reputation for neutrality, transparency, and stringent evidentiary requirements. The organization will also incorporate transparent decision-making processes, including use of Executive Council supermajority voting procedures prior to publishing attribution judgements, expert-led investigation committees, and peer review of findings through expert review committees. The organization will disseminate attribution judgements to a variety of media outlets, rather than being announced by an individual government or given exclusively to one news organization.


Table 1: Organizational Blueprint

Actors: Private Sector - Company representatives, industry experts, independent academics

Actions: Leads neutral, private sector investigations of major state-sponsored cyberattacks to determine attribution.

Authority: Reputational

Structure:
- Decision making done through supermajority voting of member companies in the Executive Council
- Expert Investigation Committee leads nation-state cyberattack investigations
- Expert Review Committee reviews validity of attribution judgment upon request

Norms: Peer-review, high transparency, evidentiary framework

Attribution:
- Investigation report articulates attribution
- The Communications Committee disseminates attribution report, with full transparency, to mainstream news organizations

Budget and Funding Source(s):
- $40 million for year one and $30 million/year for subsequent years
- Funded by mandatory contributions from member companies

Figure 1, below, captures the direction of information flow. As the figure illustrates, information arrives at the organization through an information repository. As evidence is collected, an Expert Investigation Committee verifies the veracity and authenticity of the evidence. An Expert Review Committee also examines the evidence and the findings of both groups create the substance of the attribution report. The Expert Review Committee disseminates the attribution report to the Communication Committee. The Communication Committee works with the media to publicize the results of the review.

Figure 1 also illustrates the organization’s authority and accountability hierarchy. Member companies populate an Executive Council of Company Representatives and a Budget Committee. The Executive Council provides resources and oversight to the two experts groups. It also assists with the dissemination of the organization’s findings. The Executive Council members serve under four-year term limits. Term limits are incorporated into the Executive Council’s design as a governance mechanism to ensure diversity within the executive leadership.


Figure 1: Organizational Chart

[Figure not reproduced. Chart labels: Member Companies; Executive Council of Company Representatives; Budget Committee; Expert Investigation Committee; Expert Review Committee; Communications Committee; Information Repository; Sources of Information; Attribution Report; Mainstream News Organizations; Evidence collection; Evaluates the veracity and authenticity of evidence; Determines nation-state responsibility; Review process; Attribution Report Dissemination. Legend: Direction of information flow; Direction of authority and accountability.]

The proposed organization will have the ability to provide widely legitimate attribution judgements following major cyberattacks. Diversity of membership and procedural transparency will bolster the organization’s reputational authority, while the coordination of a global body of technical experts will lead a neutral investigation of attacks. A private-sector led attribution organization will centralize and optimize the attribution process, thereby holding parties responsible for cyberattacks while increasing the cost of perpetration. Such an organization will ultimately foster improved global cybersecurity.


Table of Contents

Executive Summary
  The Attribution Challenge
  Blueprint for an Attribution Organization
    Table 1: Organizational Blueprint
    Figure 1: Organizational Chart

Introduction
  Blueprint for an Attribution Organization
    Table 1: Organizational Blueprint
    Figure 1: Organizational Chart
    Figure 2: Incorporation of Best Practices

Creating A Cyberattack Attribution Organization
  Mission
  Methodology
    Actors
    Actions
    Authority
    Structure
    Norms
    Attribution
    Budgeting and Funding Sources
    Figure 3: Spectrum of State Authority

Incorporating Best Practices
  Equitable Geographic Representation
    Equitable Geographic Distribution: Greenpeace, OPCW, and the Cheonan Joint Investigation Group
    Adopting Equitable Geographical Representation
  Organizational Transparency
    Low Transparency Model: The Cheonan Joint Investigation Group
    High Transparency Model: Mandiant’s APT1 Report
    Adopting Transparency
  Stakeholder Outreach
    Stakeholder Outreach Models: OPCW and the Egmont Group
    Adopting Stakeholder Outreach
  Internal Accountability
    Internal Accountability Models: UN ISIL and al-Qaida Sanctions Committee and the INF Treaty
    Adopting of Internal Accountability
  Inclusion of Technical and Geopolitical Experts
    Expert Inclusion Models: The Cheonan Investigation and the IAEA
    Adopting Expert Inclusion in Investigations
  Private Sector Membership
    Private Sector Membership Models: The Sony Hack Investigation and the Egmont Group
    Adopting Private Sector Membership

The Design of the Proposed Organization
  Executive Council
  Expert Investigation Committee
  Expert Review Committee
  Communications Committee
  Budget Committee
  Information Flow
    Figure 1: Organizational Chart

Challenges for the Proposed Organization
  Earning Public Trust
    Maintaining Independent Funding
    Functioning as a Public Resource
  Cooperation among Competitors
    Incentivizing Cooperation through Access to Resources
    Encouraging Cooperation through Privacy Assurances
  Industry Compliance with Organizational Norms
    Rationalist Behavior Theory
    Constructivist Theory
    Using Theory to Understand Compliance
  Legal Challenges of Information Sharing
    Automating Data Analysis
  Collecting Sensitive and Confidential Cyber Incident Information
    SecureDrop: A Tool for Anonymity and Sensitive Data Collection from the Public
    Tearlines: A Mechanism for Receiving Government Information
  Methods of Information Sharing
    Adopting an Ad-Hoc Method of Exchange
    Toward a Formalized Method of Exchange
  Sharing Information with China and Russia
    Engaging the Private Sector

Conclusion

Appendix 1: International Organizations
  Amnesty International
  Citizen Lab
  Egmont Group of Financial Intelligence Units
  European Financial Coalition Against Child Pornography (EFCACP)
  The Financial Industry Regulatory Authority (FINRA)
  Greenpeace
  International Atomic Energy Agency (IAEA)
  International Civil Aviation Organization (ICAO)
  International Labor Organization (ILO)
  NATO Cooperative Cyber Defense Center of Excellence (CCDCOE)
  Organization for the Prohibition of Chemical Weapons (OPCW)
  United Nations Al-Qaida Sanctions Committee
  United Nations Sanctions Committee on North Korea
  World Trade Organization (WTO) GATT Article XX

Appendix 2: Investigative Processes
  Cheonan Joint Investigation Group (JIG)
  Democratic National Committee (DNC) Email Leak Investigation
  Google’s Operation Aurora
  Intermediate-Range Nuclear Force (INF) Treaty Investigative Process
  Malaysia Airlines Flight 17 (MH17) Crash Investigation
  Mandiant’s APT1
  Mumbai Terrorist Attack Investigation
  Sony Pictures Hack Investigation
  Stuxnet Investigation

Appendix 3: Proposed Budget
  Table 2: Proposed Budget for Year 1 and Subsequent Years

Bibliography


Introduction

In April 2007, Estonia was cut off from the Internet.9 For three weeks, a series of coordinated botnet attacks flooded the country’s Web, email, and domain name system servers. The distributed denial-of-service attack seemed like a concerted effort to protest Estonia’s removal of a Soviet era monument in Tallinn, its capital city. One observer likened the attack to “Web War One.”10 The surprise attack had a profound impact on Estonia’s critical infrastructure, disrupting government communications as well as financial institutions, universities, and media. Although the Estonian government accused Russia of the cyberattack, the extent to which the Russian government actively supported the attackers remains a mystery.11 Failure to conclusively identify the perpetrators of the Estonia attack marked a turning point in the nature of cyberwarfare, signaling to states that offensive cyber activity can be risk-free. Without definitive attribution, the outcome of the Estonian attack emboldened future attackers.

The Estonian case illustrates the challenges of cyberattack attribution. Not only does the anonymity of the Internet mask attackers, gathering digital evidence to identify an attacker is difficult. Accumulating evidence also takes time, creating space between the attack and any attribution, which contributes to the ambiguity over who the attacker is and what their motives are. Governments’ and companies’ inability to consistently identify bad actors has meant that reliable attribution has remained intangible.

9 Joshua Davis, “Hackers Take Down the Most Wired Country in Europe,” Wired, August 21, 2007, accessed May 17, 2017, https://www.wired.com/2007/08/ff-estonia/.
10 "War in the fifth domain. Are the mouse and keyboard the new weapons of conflict?," The Economist, July 1, 2010, accessed May 17, 2017, http://www.economist.com/node/16478792
11 Arthur Bright, "Estonia accuses Russia of ‘cyberattack’," CSMonitor.com, May 7, 2017, accessed May 17, 2017, http://www.csmonitor.com/2007/0517/p99s01-duts.html; Ian Traynor, “Russia accused of unleashing cyberwar to disable Estonia,” The Guardian, May 16, 2007, accessed May 17, 2017, https://www.theguardian.com/world/2007/may/17/topstories3.russia; “The 2007 Estonian Cyberattacks: New Frontiers in International Conflict,” Cyber War Harvard Law Blog, December 21, 2012, accessed May 17, 2017, https://blogs.harvard.edu/cyberwar43z/2012/12/21/estonia-ddos-attackrussian-nationalism/; “Estonia Fines Man for ‘Cyber War,’” BBC.com, January 25, 2008. Accessed May 2017 at http://news.bbc.co.uk/2/hi/technology/7208511.stm

While ordinary Internet users may have a restricted understanding of cybersecurity, attackers are both indiscriminate in selecting victims and thoughtful in choosing targets that advance nation state goals. In both cases, they capitalize upon the Internet’s ever-expanding number of vulnerabilities. In the past few years alone, Russia has infiltrated the emails of the Democratic National Committee and China has supported so-called “Advanced Persistent Threats” in stealing billions of dollars of trade secrets and other sensitive data from corporations. These political and personal risks will only multiply in the future, as Internet of Things technology expands to connect an unprecedented number of devices across the world.12

Attribution, or the identification of an attacker, is a challenge at the core of many cybersecurity problems.13 Due to the complex nature of cyberattacks, where sophisticated attackers often use network computers to carry out malicious activity, attribution refers to a spectrum of identification. The spectrum can range from the proxy computer, to the individual culpable of “pressing the key,” to the nation state sponsoring the hackers.14 One goal of attribution is to answer who was really behind the attack. Another goal is to deter future attacks by raising the cost of the activity.15

Despite the current tendency for nation state cybersecurity to favor offensive action over defensive action, attribution is fundamental to deterrence because fear of retaliation could dissuade attacks.16 The attacker’s invisibility is a principal cause for the deluge of cyber threats because it makes his or her actions relatively cost-free.17

12 Bruce Schneier, “Click Here to Kill Everyone with the Internet of Things, we’re building a world-size robot. How are we going to control it?,” New York Magazine, January, 2017, http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html
13 David A. Wheeler, and Gregory N. Larsen. “Techniques for Cyber Attack Attribution.” Institute for Defense Analyses, October 2003, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859
14 Herbert Lin. "Attribution of Malicious Cyber Incidents: From Soup to Nuts," Journal of International Affairs 70(1) (2016): 75-137, 11.; David Clark and Susan Landau. “Untangling Attribution.” Massachusetts Institute of Technology, 2011. http://static.cs.brown.edu/courses/csci1950-p/sources/lec12/ClarkandLandau.pdf; Jason Healey. “Beyond Attribution: Seeking National Responsibility in Cyberspace.” Atlantic Council, 2012. http://www.atlanticcouncil.org/publications/issue-briefs/beyond-attribution-seeking-national-responsibility-in-cyberspace.
15 For more on this see: Jon R. Lindsay, “Tipping the Scales: The Attribution Problem and the Feasibility of Deterrence against Cyberattack.” Journal of Cybersecurity 1, no. 1 (September 1, 2015): 53–67. http://cybersecurity.oxfordjournals.org/content/1/1/53
16 Clark and Landau, 2011.
17 John P. Carlin. “Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats.” Harvard National Security Journal Vol. 7. Harvard University, 2016. https://docs.google.com/viewer?docex=1&url=https://lawfare.s3-us-west-2.amazonaws.com/staging/2016/Carlin%20FINAL.pdf.

Therefore, attribution raises the cost of hacking. Confidence in attribution is determined by the strength of evidence drawn on several dimensions—technical forensics, human intelligence, signals intelligence, and geopolitics.18 With this information, experts can produce an attribution judgment resolving the basic question of responsibility.19 Yet compounding the technical challenges of determining responsibility are nation state legal barriers preventing victims and the relevant security communities from investigating thoroughly. The Internet and multinational corporations alike bypass sovereign borders, problematizing the laws governing the collection of evidence and information sharing.20

Government and industry responsibility surrounding attribution is currently unclear. For instance: Who is responsible for investigating cyberattacks? What role should the government and industry play in collecting evidence? What is the acceptable threshold of evidence required to make an attribution judgement? Without answers, deterrence is undermined. Our report steps into this gap, addressing these key questions, and proposes a new organization based on the successes of existing attribution organizations and processes.

Blueprint for an Attribution Organization

The mission of our proposed attribution organization is to enhance the credibility, speed, and accuracy of attribution following cyberattacks. The organization will accomplish its objectives through private sector cooperation and funding.

To create an effective organizational blueprint, we studied 23 existing attribution organizations and investigative processes. Drawing upon the successful procedures of existing organizations and processes will enable our proposed organization to centralize analysis of major state-sponsored cyberattacks and safeguard trust in technology.

The organizations we evaluated were (Appendix 1): Amnesty International, Citizen Lab, Egmont Group of Financial Intelligence Units, European Financial Coalition Against Child Pornography, Financial Industry Regulatory Authority, Greenpeace, International Atomic Energy Agency, International Civil Aviation Organization, International Labor Organization, NATO Cooperative Cyber Defense Center of Excellence, Organization for the Prohibition of Chemical Weapons, United Nations Al-Qaida Sanctions Committee, United Nations Sanctions Committee on North Korea, and the World Trade Organization’s GATT Article XX.

18 Lin, 2016, 11.

19 Healey, 2012.

20 Carlin, 2016.

The processes we examined were (Appendix 2): Cheonan Joint Investigation Group, Democratic National Committee Email Leak Investigation, Google’s Operation Aurora, the Intermediate-Range Nuclear Force Treaty investigative process, Malaysia Airlines Flight 17 (MH17) Crash Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation.

Based on our research, we have identified six best practices to incorporate into our attribution organization:

• Equitable geographic representation
• Organizational transparency
• Stakeholder outreach
• Internal accountability
• Inclusion of technical and geopolitical experts
• Private sector membership

In addition, we have identified seven challenges that might accompany organizational operation:

• Earning public trust
• Cooperation among competitors
• Industry compliance with organizational norms
• Legal challenges of information sharing
• Collecting sensitive and confidential cyber incident information
• Methods of information sharing
• Sharing information with China and Russia

Our report details each of the listed best practices and outlines how each practice will be integrated into an organization tasked with cyberattack attribution. We also address each potential challenge and propose solutions that will promote international cooperation and enhance global Internet security.

Table 1 illustrates our organizational blueprint. As a non-governmental organization funded entirely by private sector members, the organization will derive its legitimacy and authority from its reputation for neutrality, transparency, and stringent evidentiary requirements. The organization will also incorporate transparent decision-making processes, including use of Executive Council supermajority voting procedures prior to publishing attribution judgements, expert-led investigation committees, and peer review of findings through expert review committees. The organization will disseminate attribution judgements to a variety of media outlets, rather than having them announced by an individual government or given exclusively to one news organization.

Table 1: Organizational Blueprint

Actors
  Private Sector - Company representatives, industry experts, independent academics

Actions
  - Leads neutral, private sector investigations of major state-sponsored cyberattacks to determine attribution.

Authority
  - Reputational

Structure
  - Decision making done through supermajority voting of member companies in the Executive Council
  - Expert Investigation Committee leads nation-state cyberattack investigations
  - Expert Review Committee reviews validity of attribution judgment upon request

Norms
  - Peer-review, high transparency, evidentiary framework

Attribution
  - Investigation report articulates attribution
  - The Communications Committee disseminates attribution report, with full transparency, to mainstream news organizations

Budget and Funding Source(s)
  - $40 million for year one and $30 million/year for subsequent years
  - Funded by mandatory contributions from member companies

Figure 1, below, captures the direction of information flow. As the figure illustrates, information arrives at the organization through an information repository. As evidence is collected, an Expert Investigation Committee verifies the veracity and authenticity of the evidence. An Expert Review Committee also examines the evidence, and the findings of both groups create the substance of the attribution report. The Expert Review Committee disseminates the attribution report to the Communication Committee. The Communication Committee works with the media to publicize the results of the review.

Figure 1 also illustrates the organization’s authority and accountability hierarchy. Member companies populate an Executive Council of Company Representatives and a Budget Committee (budget is outlined in Appendix 3). The Executive Council provides resources and oversight to the two expert groups. It also assists with the dissemination of the organization’s findings. The Executive Council members serve under four-year term limits. Term limits are incorporated into the Executive Council’s design as a governance mechanism to ensure diversity within the executive leadership.


Figure 1: Organizational Chart

[Organizational chart. Elements: Member Companies, Executive Council of Company Representatives, Budget Committee, Expert Investigation Committee, Expert Review Committee, Communications Committee, Information Repository, Sources of Information, Attribution Report, Mainstream News Organizations. Labels: Evidence collection; Evaluates the veracity and authenticity of evidence; Review process; Determines nation-state responsibility; Attribution Report Dissemination. Arrows: Direction of information flow; Direction of authority and accountability.]

Figure 2 outlines how the organization adopts the best practices we identified through the course of our research. While not every element of the organization includes every best practice, each element incorporates the practices most suited to its function.


Figure 2: Incorporation of Best Practices

Executive Council
• Equitable geographic representation
• Organizational transparency
• Internal accountability
• Private sector membership

Expert Investigation Committee
• Equitable geographic representation
• Organizational transparency
• Internal accountability
• Inclusion of technical and geopolitical experts
• Private sector membership

Budget Committee
• Equitable geographic representation
• Organizational transparency
• Internal accountability
• Private sector membership

Communications Committee
• Equitable geographic representation
• Organizational transparency
• Stakeholder outreach
• Internal accountability
• Private sector membership

Member Companies
• Organizational transparency
• Stakeholder outreach
• Equitable geographic representation
• Private sector membership

Expert Review Committee
• Equitable geographic representation
• Organizational transparency
• Internal accountability
• Inclusion of technical and geopolitical experts
• Private sector membership

The proposed organization will have the ability to provide widely legitimate attribution judgements following major cyberattacks. Diversity of membership and procedural transparency will bolster the organization’s reputational authority, while the coordination of a global body of technical experts will lead a neutral investigation of attacks. A private-sector led attribution organization will centralize and optimize the attribution process, thereby holding parties responsible for cyberattacks while increasing the cost of perpetration. Such an organization will ultimately foster improved global cybersecurity.


Creating A Cyberattack Attribution Organization

The cyberattack attribution organization’s purpose is to make prompt and accurate attribution judgments by coordinating private sector information sharing. Today, state-sponsored cyberattack attribution suffers from two chief problems: speed and integrity.21 The process of collecting and analyzing evidence is slow, and the reliability of digital forensics vanishes quickly. Public acceptance of governments’ attribution reports is undermined because their use of confidential evidence hinders transparency, while the private sector often lacks the ability to collect necessary information. As a result, even when attribution reports are created, they are unconvincing to the public.22 There is a need for the formal coordination of stakeholders to share and process data and publish an attribution judgment. An organization tasked with sharing cyber evidence and centralizing the analysis of digital forensics and information will enhance the process of attribution.

Credible attribution judgements require international, private sector coordination. Although complete neutrality is impossible to achieve, private sector membership contributes substantially to this goal. By formalizing the investigation and creation of a credible, unbiased attribution report following major cyberattacks, the organization will play a substantial role in deterring future major nation state cyberattacks.

Mission

The mission of the proposed organization is simple; it aims to enhance the neutrality, speed, and accuracy of attribution through private sector cooperation. Doing so will diminish the number of cyberattacks as the likelihood increases that nation states are held accountable for their actions.

The design of the proposed organization addresses the problem of neutrality in an attribution investigation. The proposed organization aims to leverage the private sector’s access to critical information with a neutral and transparent investigation process. Because private companies share a mission to protect customers online and deter future state-sponsored attacks that may threaten their bottom-line, they offer a neutral investigative party. The market incentivizes company neutrality in a way that does not exist for state actors.

21 Bruce Schneier, “Attack Attribution and Cyber Conflict,” Schneier On Security, March 9, 2015, accessed May 23, 2017, https://www.schneier.com/blog/archives/2015/03/attack_attribut_1.html

22 Ibid.

Safeguarding trust in technology underpins the work of this organization. The Internet stands central to modern life, and yet major state-sponsored cyberattacks persist in disrupting its access and function. Previous attribution reports were unable to deter states from building malicious code for even greater destructive capabilities. Thus, the public’s skepticism of attribution reports erodes their perception of safety online. The lack of trust emanates from the time delay between when the attack occurs and when the attribution report is published, the confidential nature of government attribution reports, and the shortage of conclusive evidence used.23

The potential for speed and accuracy stems from the centralized collection of cyberattack information, such as threat signatures for malware, Internet protocol addresses and domain names involved in cyberattacks, and descriptions of specific cyberattacks.24 The upshot is that the proposed organization will have the evidence and expertise to investigate a major cyberattack. When the proposed organization publishes a report, the diversity of its membership and procedural transparency will bolster its authority. The coordination of a global body of technical experts from the private sector will lead a neutral investigation of major state-sponsored cyberattacks.

Therefore, the mission of the proposed organization is to fulfil the need for an unbiased and transparent process for the attribution of state-sponsored cyberattacks. At the same time as providing accurate attribution will protect customers and improve their confidence in industry, it will increase the public's trust in the Internet. Taken together, our argument is that with enough data points, attribution is possible, but getting members to share information requires a trustworthy organization.

23 Jeffrey Hunker, Bob Hutchinson and Jonathan Margulies, “Role and Challenges for Sufficient Cyber-Attack Attribution,” Institute for Information Infrastructure Protection (2008), accessed May 17, 2017, http://www.scis.nova.edu/%7Ecannady/ARES/hunker.pdf

24 “Cyber-Security Task Force: Public-Private Information Sharing,” Bipartisan Policy Review (2012), http://bipartisanpolicy.org/wp-content/uploads/sites/default/files/Public-Private%20Information%20Sharing.pdf.

Methodology

In preparing a blueprint for the proposed attribution organization, we engaged in a landscape analysis of the basic structures, processes, and best practices of existing attribution organizations and processes. We analyzed the successes and failures of 23 different organizations and processes whose missions range from nuclear nonproliferation to environmental activism and the prevention of money laundering. Tables examining each of the organizations in detail are available in Appendix 1 and Appendix 2.

The organizations we evaluated were: Amnesty International, Egmont Group of Financial Intelligence Units, European Financial Coalition Against Child Pornography, Financial Industry Regulatory Authority, Greenpeace, International Atomic Energy Agency, International Civil Aviation Organization, International Labor Organization, NATO Cooperative Cyber Defense Center of Excellence, Organization for the Prohibition of Chemical Weapons, United Nations Al-Qaida Sanctions Committee, United Nations Sanctions Committee on North Korea, and the World Trade Organization’s GATT Article XX.

The processes we examined were: Cheonan Joint Investigation Group, Democratic National Committee Email Leak Investigation, Google’s Operation Aurora, the Intermediate-Range Nuclear Force Treaty investigative process, Malaysia Airlines Flight 17 (MH17) Crash Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation.

We focused our review on seven key elements that are central to the operation of attribution bodies. These elements are: actors, actions, authority, structure, norms, attribution, and budgeting and funding source(s). We operationalize these terms as follows:

Actors. Actors are the party or parties that compose the main bodies of an organization or investigative process. Actors carry out the organization or investigative process’s main functions. Actors come from a range of fields and backgrounds, from government officials to government agencies, academics, researchers, and private companies.

Actions. Actions are the steps that actors take to further an organization or investigation process’s mission. The actions of an organization are the chief duties and goals the organization or investigation works to accomplish.

Authority. Authority denotes the legitimacy of judgment and power. In the organization or investigative process, authority refers to the right to exercise judgment. Authority stems from an individual’s technical or geopolitical knowledge, or an organization’s reputation.

Structure. Structure refers to the arrangement of actors within the organization.

Norms. Norms refer to expected behavioral practices of actors within an organization or investigative process.

Attribution. Attribution refers to how an organization or investigative process publishes its findings and articulates responsibility.

Budgeting and Funding Sources. The budget refers to the operational costs of organizations or investigative processes. Funding refers to the source of the budget.

Our landscape analysis proved useful in identifying successful core functions of attribution organizations and considering the application of these best practices to cybersecurity. While each organization or process has its own table of data in the Appendices, Figure 3 provides an overview of the spectrum of state authority in the international organizations and investigations we surveyed. Here, state authority refers to the influence and control wielded by a government within a given organization or investigation. An increase in size and bureaucracy is a corollary of an organization or investigation’s legal authority. Thus, the number of formal treaties increases with the presence of government actors.


Figure 3: Spectrum of State Authority

[Spectrum running from "Bureaucratic" to "Ad-hoc". Axis labels: "Greater number of participants, less specific" and "Fewer number of participants, more specific".]

International Organizations
• Formal authority
• Nonprofit
• Member state and private funding
• Ratified treaties

Tools
• Bilateral, multilateral treaties
• Agreements between governments
• Partnerships among governmental agencies and NGO institutions

International Investigations
• Private Enterprises
• Informal authority
• For-profit mission driven strategies
• Ad-hoc information-sharing

Example groups:
• IAEA, UN Sanctions, WTO Article XX, Amnesty International, NATO CCDCOE
• ILO, Egmont Group, EFCACP
• Mumbai Investigation, OPCW, ICAO
• Google’s ‘Operation Aurora’, Cheonan JIG
• DNC Hack
• Stuxnet, Mandiant APT1


Incorporating Best Practices

The purpose of the proposed organization is to enhance the neutrality, speed, and accuracy of state-sponsored cyberattack attribution. To achieve this mission, the design of the proposed organization will build upon the best practices of the organizations and investigations in our landscape analysis. In this report, we define a best practice as a technique or process superior to alternatives. Best practices form the organizations’ and investigations’ standard method of procedure—from collecting evidence to complying with local laws. In the following, we will detail the best practices of the reviewed organizations and investigations and explain how the proposed organization incorporates the best practices into its design. These best practices include:

• Equitable geographic representation

• Organizational transparency

• Stakeholder outreach

• Internal accountability

• Inclusion of technical and geopolitical experts

• Private sector membership

Equitable Geographic Representation

Equitable global distribution of an organization’s decision-making bodies is key for an organization’s reputation and authority. Geographically diverse membership bolsters the credibility of the organization’s mission and actions because it balances different regional perspectives. The transnational nature of cyberattacks makes this practice even more critical. Any organization tasked with global attribution faces pressure to uphold political neutrality and independence from any one country. This is particularly important when considering interactions with major powers with global agendas, such as China, Russia, and the United States.


Equitable Geographic Distribution: Greenpeace, OPCW, and the Cheonan Joint Investigation Group

Several of the organizations we examined exemplify the benefit of equitable geographic distribution. In the case of Greenpeace, physical brick and mortar regional branches foster greater global cooperation because they increase the organization’s ability to connect with local sources for research and information gathering purposes.25 Having a physical global presence creates an image of Greenpeace as a global actor, rather than an organization associated with any one country, and allows for the organization to draw upon ideas from all parts of the globe.

The Organization for the Prohibition of Chemical Weapons (OPCW) uses the practice of equitable geographic distribution to foster greater representation and cooperation in its governing bodies. The OPCW has strict quotas for geographic representation in each of its governing bodies. For example, the Executive Council of the OPCW always has nine representatives from Africa, nine from Asia, five from Eastern Europe, seven from Latin America, and ten from Western Europe and North America.26 Their structure ensures that, in rotation, each state party has the right and opportunity to serve on the Executive Council and actively participate in the organization’s decision-making process, thereby promoting an image of an organization that is truly international and independent. Geographic diversity is also represented in the OPCW’s Scientific Advisory Board, which conducts research and inspection of chemical weapons material. Diverse geographic representation among the body’s scientists and inspectors is important for increasing the political neutrality of the organization’s investigations into chemical weapons.27

The investigation into the sinking of the South Korean naval vessel Cheonan is another example of geographic inclusion. The Cheonan investigation was conducted by individuals and experts from diverse geographical backgrounds, signaling greater commitment to neutrality and its ability to produce credible findings to the international community.28 The investigative team was formed by the South Korean government but contained experts from Australia, Canada, South Korea, Sweden, the United Kingdom, and the United States.29 South Korea’s deliberate internationalization of the investigation made it harder for North Korea to dismiss the investigation’s accusations as politically motivated.30 In this case, geographic diversity enhanced the credibility of the investigation as being politically neutral.

25 "Greenpeace structure and organization." Greenpeace International 2017, accessed April 30, 2017. http://www.greenpeace.org/international/en/about/how-is-greenpeace-structured/

26 “Membership and Functions,” Organization for the Prohibition of Chemical Weapons, Accessed April 30, 2017, https://www.opcw.org/about-opcw/executive-council/membership-and-functions/

27 “Rules and Procedure for the Scientific Advisory Board and Temporary Working Groups of Scientific Experts,” Organization for the Prohibition of Chemical Weapons. Accessed May 10, 2017.

Adopting Equitable Geographical Representation

Geographic representation can be ensured by allocating the number of companies sharing information within the proposed organization in proportion to the number of major cybersecurity attacks happening within each region or country over a certain period. The proportionate number of regional firms within the organization will contribute to an efficient and pertinent amount of information sharing and will ensure all regions and countries are equitably represented. Additionally, the proposed organization will have six global offices encompassing the following regions: Africa, Asia, Russia and the Commonwealth of Independent States, Europe and Middle East, Latin America, and North America.

Organizational Transparency

The proposed organization should adopt transparency as a best practice because transparency enhances an organization’s credibility. We define transparency as a behavioral norm guiding the organization’s decision to disclose information. A high degree of transparency describes the extent to which an organization discloses information to the public.

Transparency plays a key role in fostering an organization’s reputational authority. Here, reputational authority refers to the perception of an organization’s credibility. Ensuring the organizational credibility is important for the organization’s attribution reports to be considered valid and for ensuring that private sector companies will join the organization.31 In the following, we will analyze two investigations where transparency played a substantial role in the public’s confidence in the attribution report. Two of the cases we examined offer examples of attribution judgements with varying levels of transparency. First, the Cheonan Joint Investigation Group had a low degree of transparency, and therefore, limited credibility. In contrast, the Mandiant APT1 report is a model of high-degree transparency and a high level of credibility.

28 “Security Council Condemns Attack on Republic of Korea Naval Ship ‘Cheonan’, Stresses Need to Prevent Further Attacks, Other Hostilities in Region,” United Nations. July 9, 2010.

29 “Letter Dated 4 June 2010 from the Permanent Representative of the Republic of Korea to the United Nations Address to the President of the Security Council.” (United Nations Security Council, June 4, 2010).

30 Mark Landler, “Diplomatic Storm Brewing Over Korean Peninsula,” The New York Times, May 19, 2010, accessed May 17, 2017, http://www.nytimes.com/2010/05/20/world/asia/20diplo.html

Low Transparency Model: The Cheonan Joint Investigation Group

The Cheonan Joint Investigation Group’s attribution report is an example of an instance in which a low level of transparency created findings that were viewed as not credible. The report was met with widespread skepticism because of the investigation’s lack of transparency. On March 26, 2010, the South Korean warship Cheonan sank near the Northern Limit Line, a de facto jurisdictional border with North Korea, killing 46 servicemen.32 The South Korean government withheld formal indictments immediately after the sinking, although the incident heightened tensions between the two Koreas.33 To determine the perpetrator of the attack, the South Korean government launched an independent investigation tasked with the analysis of forensic evidence from the attack.34 However, the investigation’s secretive process was highly controversial, particularly among other forensic scientists and the public.35 When the final report concluded that North Korea was responsible for the attack, controversy over the validity of the experts’ forensic analysis undermined its authority. Indeed, the United Nations Security Council condemned the attack, but did not name North Korea as the aggressor, citing “deep concern” over the report’s attribution.36

31 Neil Patel, “Why a Transparent Culture Is Good for Business,” Fast Company, October 9, 2014, https://www.fastcompany.com/3036794/why-a-transparent-culture-is-good-for-business

32 Landler, 2010.

33 Landler, 2010.

34 “Investigation Result on the Sinking of ROKS "Cheonan",” The Joint Military-Civilian Investigation Group (2010), accessed May 17, 2017, http://news.bbc.co.uk/nol/shared/bsp/hi/pdfs/20_05_10jigreport.pdf

35 David Cyranoski, “Controversy over South Korea's sunken ship,” Nature Journal, July 14, 2010, accessed May 22, 2017, http://www.nature.com/news/2010/100708/full/news.2010.343.html

36 Harvey Morris, “N Korea escapes blame over ship sinking,” Financial Times, July 9, 2017, accessed May 22, 2017, https://www.ft.com/content/4208c344-8b6e-11df-ab4d-00144feab49a.

The controversy over the Joint Investigation Group’s findings centers on the investigation’s failure to explain its analysis of evidence. The strongest critics of the investigation’s report claim the evidence of the torpedo attack was misinterpreted or fabricated, contradicting testimony from witnesses of the ship’s sinking.37 Forensic scientists criticized the investigation for not publishing the data used in the analysis of forensic evidence. Disclosing such information would have allowed peer-reviewers to corroborate the investigation’s conclusion and discredit other speculations.38

Subsequent research from scientists further raised the possibility that the sinking was caused by other factors.39 An oversight board for the South Korean military accused the investigation of analyzing information distorted by the South Korean naval leaders.40 Critics speculated that the reason for not disclosing information was to protect the South Korean army from liability.41 A South Korean government watchdog organization sent an open letter to the United Nations Security Council questioning the findings of the Joint Investigation Group’s report, highlighting the problem with the investigation’s lack of transparency. The leader of the organization was subsequently charged with a libel suit, worsening the public trust in the political autonomy of the investigation.42

The Cheonan example illustrates why attribution investigations of state-sponsored attacks should prioritize transparency and provide an open peer-review process.43 In this case, the skepticism from the South Korean public and criticism from the scientific community suggest that the failure to share information with the public can fuel distrust and legitimate alternative interpretations of the attack. Providing access to forensic evidence and technical methodology would allow the public and external experts to review potential flaws in the attribution process. Such transparency can serve as part of a system of checks and balances within an investigation.

37 Barbara Demick and John M. Glionna, "Doubts surface on North Korea's role in ship sinking," Los Angeles Times, July 23, 2010, accessed May 22, 2017, http://articles.latimes.com/2010/jul/23/world/la-fg-korea-torpedo-20100724.

38 David Cyranoski, “Controversy over South Korea's sunken ship,” Nature Journal, July 14, 2010, accessed May 22, 2017, http://www.nature.com/news/2010/100708/full/news.2010.343.html and Seunghun Lee and J.J. Suh, "Policy Forum 10-039: Rush to Judgment: Inconsistencies in South Korea’s Cheonan Report", NAPSNet Policy Forum, July 15, 2010, http://nautilus.org/napsnet/napsnet-policy-forum/rush-to-judgment-inconsistencies-in-south-koreas-cheonan-report/

39 Hwang Su Kim and Mauro Caresta, "What Really Caused the ROKS Cheonan Warship Sinking?" Advances in Acoustics and Vibration (2014), accessed May 22, 2017, https://www.hindawi.com/journals/aav/2014/514346/.

40 Demick and Glionna, 2010.

41 Ibid.

42 "Ex-Pres. Secretary Sued for Spreading Cheonan Rumors," The Dong-A Ilbo (English Edition), May 8, 2010, accessed May 22, 2017, http://english.donga.com/List/3/all/26/264989/1

43 “Most S. Koreans Skeptical About Cheonan Findings, Survey Shows,” The Chosun Ilbo (English Edition), September 8, 2010, accessed May 17, 2017, http://english.chosun.com/site/data/html_dir/2010/09/08/2010090800979.html

High Transparency Model: Mandiant’s APT1 Report

Because openness mitigates distrust, Mandiant’s APT1 report offers a valuable model for gathering and sharing a transparent attribution report.44 The importance of Mandiant’s report comes from the breadth of evidence disclosed to the public and engagement with the press.45 Mandiant, an American private security firm, spent six years collecting evidence on a series of network attacks in organizations across the world. The final report accused China’s People's Liberation Army of being the perpetrator responsible.46 The 60-page report details the unprecedented volume, sophistication, and persistence of these attacks, calling them “APT1” or “advanced persistent threat 1.”

Mandiant’sAPT1attributionreportillustratesthelegitimacyderivedfromprovidingpublic

accesstodataandfull-disclosureevidence.Forinstance,thereportmapstheInternetprotocol

addressesandotherdigitalevidence,includingdrawingalinefromtheirevidencetoaspecific

buildinglocationinShanghai.Using3,000addressesandindicators,thereportalsoidentifies

specificindividualsresponsibleforlaunchingtheattacks.Thereportincludesananalysisofthe

Chinesehackers,inadditiontopicturesoftheattackers’socialmediaprofiles.47

In addition, Mandiant shared the technical tools and procedures used to gather evidence and explained in nontechnical language the method of analysis.48 In doing so, Mandiant bolstered the credibility of its attribution judgment by allowing extensive peer-review and public discussion.49 Mandiant’s transparency served to bolster the report's credibility and provide actionable information to the security industry. The report’s extensive analysis of the Chinese organization responsible for the attack will likely deter similar ones in the future.

44 Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units,” accessed April 29, 2017, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pd
45 David E. Sanger, David Barboza and Nicole Perlroth, "Chinese Army Unit Is Seen as Tied to Hacking Against U.S.," New York Times, February 29, 2013, accessed April 29, 2017, https://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html
46 Benjamin Wittes, “Mandiant Report on ‘APT1’,” Lawfare.org, February 20, 2013, accessed April 29, 2017, https://lawfareblog.com/mandiant-report-apt1; William Wan and Ellen Nakashima, "Report ties cyberattacks on U.S. computers to Chinese military," Washington Post, January 19, 2013, accessed April 29, 2017, https://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700twenty-two8e-7a6a-11e2-9a75-dab0201670da_story.html
47 Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units,” accessed April 29, 2017, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pd
48 Wade Williamson, “Lessons from Mandiant’s APT1 Report,” SECURITYWEEK, February 29, 2013, accessed April 29, 2017, http://www.securityweek.com/lessons-mandiant%E2%80%99s-apt1-report

Adopting Transparency

Our case studies offer evidence that public access to information is important to the credibility of attribution organizations and that transparency measures can be built into the design of the proposed organization. Therefore, the proposed organization should adopt behavioral norms for transparency, such as the public disclosure of information and engagement with the public during the investigatory process. Doing so will lend further credibility to any investigation. Additionally, full disclosure will provide the public access to all sources used in an attribution judgement and address the lack of trust in state-sponsored cyberattack attribution judgments. Sharing the rationale behind decision making within the technical and geopolitics expert panel will similarly act as an instrument of accountability.

In line with this, the proposed organization should produce reports that are unclassified and can undergo extensive peer-review from independent security analysts. Not only will the organization’s openness and public engagement help to deter state-sponsored cyberattacks, disclosure of evidence and forensic analysis will buttress the organization's credibility in the public eye.

Stakeholder Outreach

Employing stakeholder industry training and outreach is another best practice the proposed organization will adopt. Industry engagement in the form of training and outreach campaigns can facilitate stronger cooperation and cohesion between multiple stakeholders and across different sectors and regions of the world. Not only can stakeholder outreach campaigns bolster an organization’s public reputation, these practices also work to inform and improve industry knowledge and increase channels for the engagement of a wide variety of industry stakeholders.50 The proposed organization will adopt practices of stakeholder outreach, incorporating the models for such processes used by the Organization for the Prohibition of Chemical Weapons and the Egmont Group of Financial Intelligence Units.

49 Sanger, Barboza, and Perlroth, 2013.

Stakeholder Outreach Models: OPCW and the Egmont Group

The Organization for the Prohibition of Chemical Weapons (OPCW) successfully utilizes practices of stakeholder outreach to promote the transnational awareness of OPCW chemical industry objectives. The OPCW holds official courses at chemical industry meetings every month for relevant industry and government stakeholders. For example, in May 2017, the OPCW held courses on analytical chemistry, on how to respond to incidents of chemical warfare, as well as assistance and protection training programs.51 Included in the OPCW’s organization structure is an Advisory Board on Education and Outreach to promote the implementation of the Chemical Weapons Convention and aid national governments and chemical industry in its disarmament objectives.

The Egmont Group of Financial Intelligence Units also employs outreach and industry training measures. Like the cybersecurity industry, the Egmont Group works in an industry with diverse stakeholders, including governmental financial intelligence units, non-governmental organizations, academia, media, and the public.52 The Egmont Group’s outreach communication strategy aims to increase their organization’s effectiveness by raising understanding and support of increased information sharing and topic awareness. The Egmont Group conducts stakeholder regional meetings and technical workshops and seminars in the promotion of the Group’s mission.

50 “Suggested Best Practices for Industry Outreach Programs to Stakeholders” (Federal Energy Regulatory Commission, July 2015), https://www.ferc.gov/industries/gas/enviro/guidelines/stakeholder-brochure.pdf; “Create a Strategic Outreach Campaign to Add Value to Your Organization,” Prowl, May 23, 2011, http://prowlpublicrelations.blogspot.com/2011/06/create-strategic-outreach-campaign-to.html?m=0.
51 “OPCW Calendar of Events,” Organization for the Prohibition of Chemical Weapons, n.d., https://www.opcw.org/events-calendar/.
52 “Egmont Group Communication Strategy,” Egmont Group of Financial Intelligence Units, (2015).


Adopting Stakeholder Outreach

Our case studies offer evidence that stakeholder outreach can be central to facilitating stronger cooperation amongst multiple stakeholders who are geographically dispersed. Therefore, the proposed organization for cyber attribution should adopt practices similar to those of both the Organization for the Prohibition of Chemical Weapons and the Egmont Group in the establishment of its own outreach campaigns.

The proposed organization’s Executive Council should be tasked with arranging biannual industry meetings of member and non-member companies to review and analyze the proposed organization’s practices, address potential improvements for the organization moving forward, and discuss practices of private-sector information sharing. Biannual meetings across all regional industry actors could increase awareness for the organization and help incorporate data gathering and technical knowledge from non-member regional private firms. The long-term goal of the Committee’s outreach campaigns would be to foster greater global industry engagement with the proposed organization. Global industry representatives’ participation in biannual meetings would help to bolster both transnational awareness and engagement of the proposed organization’s mission.

Internal Accountability

Internal accountability is an important practice that serves to increase credibility and trust in an attribution organization’s reports and investigative processes. Accountability is fostered when an organization provides mechanisms for internal checks and balances, such as frameworks for self-assessment, dispute resolution, and peer-review. Examples of successful internal accountability creating credibility in findings can be seen in the United Nations ISIL (Da’esh) and al-Qaida Sanctions Committee and the Intermediate-Range Nuclear Forces Treaty investigative process.


Internal Accountability Models: UN ISIL and al-Qaida Sanctions Committee and the INF Treaty

The United Nations ISIL (Da’esh) and al-Qaida Sanctions Committee offers an example of a successful internal accountability framework, particularly its Office of the Ombudsperson. The Office of the Ombudsperson is an independent body tasked with overseeing the appeals processes of individuals or groups believed to be unlawfully sanctioned.53 The Ombudsperson provides detailed analysis and observations on all information relevant to a sanctions appeal before providing the Committee with a recommendation on delisting.54 The Office of the Ombudsperson helps to strengthen the Committee’s position against complaints of violating the legal rights of sanctioned individuals and is an important step in enhancing fairness and transparency within the sanctions regime.55

Disarmament bodies such as the Intermediate-Range Nuclear Forces Treaty (INF) investigative process also provide key examples of internal accountability frameworks. The INF Special Verification Commission serves as a forum through which state parties can resolve concerns and questions regarding compliance and treaty implementation.56 Member states can call meetings of the Special Verification Commission to voice complaints about state party compliance and to try and reach agreement on inspection procedures. The United States and Soviet Union agreed that either country could call a Special Verification Commission meeting to resolve issues of compliance and discuss new measures needed to improve the treaty’s effectiveness.57

Adopting Internal Accountability

Our research illustrates the importance that internal accountability has in creating a credible organization. Thus, it is important that the proposed organization develop its own internal framework for both independent review and peer-reviewed compliance. Doing so will help to strengthen the attribution organization’s external credibility and build trust in the private sector.

53 “Approach and Standard,” Office of the Ombudsperson of the Security Council’s 1267 Committee, n.d., https://www.un.org/sc/suborg/en/ombudsperson/approach-and-standard
54 Ibid.
55 “Speakers in Security Council Call for Unified, Global Counter-Terrorism Effort, Following Briefings by Chairs of Committees Set Up to Spearhead Fight,” United Nations, May 11, 2010.
56 Amy F. Woolf, “Russian Compliance with the Intermediate Range Nuclear Forces (INF) Treaty: Background and Issues for Congress” Congressional Research Service, (2017).
57 Ibid.

As such, the proposed organization should have an independent review body like that of the United Nations Office of the Ombudsperson. Parties who feel they have been wrongfully attributed for a nation state cyberattack could then submit a formal complaint to the organization’s independent review body. The review body will then analyze the investigation process of the disputed attribution to ensure neutrality and evidentiary standards were upheld. They will then publicly submit their report on the investigation with their conclusion on the attribution’s legitimacy. This body will provide an important check on the main investigative team.

Inclusion of Technical and Geopolitical Experts

Private sector and academic expertise is essential to the proposed organization because the credibility of these experts stems from their professional background and reputation—and neutrality. Expertise in both technical forensic analysis and geopolitics allows organizations to ensure that findings will be perceived as legitimate. Two examples from our research stand out in this respect—the Cheonan investigation and the IAEA.

Expert Inclusion Models: The Cheonan Investigation and the IAEA

Despite its lack of transparency, the Cheonan investigation is a good example of incorporating technical experts into the attribution process. The Cheonan sinking investigation is a key case study for combining professional expertise and government authority for reaching attribution judgments. As outlined above, in 2010, the South Korean warship Cheonan sank near North Korea, killing 46 servicemen. The incident heightened tensions between the Koreas even though the North Korean government denied culpability. The United Nations Security Council publicly condemned the attack without identifying the perpetrator. With Chinese, Russian, and US engagement growing in the region, this incident had ramifications beyond the peninsula.


To maintain regional stability and mitigate against further escalation, South Korea launched a multinational team comprised of experts to determine the cause of Cheonan’s sinking. The group was composed of experts organized into four teams: scientific investigation, explosive analysis, ship structure management and intelligence analysis. Their final report, released to the public in May 2010, determined with a “high possibility” that North Korea was responsible for the attack.58 The Joint Investigation Group utilized an international body of experts to attribute the attack. The measures the Joint Investigation Organization took to include individuals with relevant expertise and diverse geographical backgrounds bolstered its efficiency in determining the responsible adversary in the Cheonan attack.

Another example of a way to incorporate peer review into investigations is the International Atomic Energy Agency’s (IAEA) model. The IAEA clearly outlines the components of a nuclear facility inspection so the public can have confidence that all variables are accounted for in the process.59 By outlining these steps, the experts establish transparent procedural norms. Creating these procedural norms is critical in legitimizing the IAEA’s findings.

Adopting Expert Inclusion in Investigations

Ultimately, credibility is the goal of the proposed organization’s attribution investigations. Like the Cheonan investigation, the proposed organization could adopt the use of independent experts from diverse geographical backgrounds into its structure, while avoiding the Cheonan investigation’s transparency missteps. In addition, the IAEA’s transparency and inclusion of experts offers a pathway to legitimacy.

Put into practice, the proposed organization would draw upon a panel of independent cyber experts to conduct the investigation and attribution of cyberattacks. The experts responsible for forensic analysis would reflect diverse geographic representation among global private sector information security firms.

58 “Security Council Condemns Attack on Republic of Korea Naval Ship ‘Cheonan’, Stresses Need to Prevent Further Attacks, Other Hostilities in Region | Meetings Coverage and Press Releases” United Nations Security Council (2010), accessed May 16, 2017, https://www.un.org/press/en/2010/sc9975.doc.htm
59 "Inspection and Enforcement by the Regulatory Body." 4.1.3.2. Methods of inspection. Accessed May 11, 2017. https://www.iaea.org/ns/tutorials/regcontrol/inspect/insp4132.htm

The details of the methodologies and findings from the experts’ attribution process would be released to hold them accountable for their actions. Releasing such procedural information will create transparency because the international community will be able to review potential flaws in the attribution process. Additionally, publicly disclosing the attribution processes encourages the experts to transparently conduct their investigations. Clearly communicating the experts’ operations can leave the public more confident in findings.

Private Sector Membership

In addition to the above best practices, any attribution organization meant to tackle state-sponsored cyberattacks will be under a high level of scrutiny, making the appearance of neutrality particularly important. While many of the attribution organizations and processes we examined involve governments in attributing responsibility, in the case of this organization it will be imperative to remain independent from perceived nation state influence. Therefore, the proposed organization must be made up of private sector actors—but could include experts drawn from other sectors. The Sony Hack Investigation and the Egmont Group offer support for the need to separate the organization from governments.

Private Sector Membership Models: The Sony Hack Investigation and the Egmont Group

The proposed organization will not include any public sector or governmental bodies. Incorporation of governments into the proposed organization would undermine the organization because government involvement brings lack of transparency and issues of credibility.

Because governments’ primary responsibility is to protect individual nation state security, they are often unwilling to share information and frequently operate without transparency—particularly security agencies. The Sony Hack Investigation highlights the independent and exclusive nature of the government. The FBI investigated the attack for reasons of national security, while at the same time Sony hired FireEye, an American private cybersecurity firm, to investigate. Although it would have facilitated a more robust investigation, there is no evidence of collaboration between the two entities. In addition, the FBI did not release any detailed information of its investigation or its attribution report. The only release of information was a vague one-page statement indicating North Korea as the culprit.60 As a result, the expert community viewed the FBI’s findings with skepticism, something that continues to this day.

Because governments do not operate in a transparent manner, they lack the credibility that third parties have and that is needed to run an attribution organization. In many of our case studies, it is apparent that a third party is brought in to either attribute attacks or to provide the tools to attribute those attacks. An example of this is the Egmont Group of Financial Intelligence Units. Its mission is to combat money laundering and terrorism financing operations around the globe. To facilitate effective attribution, the Egmont Group follows a set of procedural norms set out by the Financial Action Task Force, a non-governmental body specializing in creating and updating standards for the fight against money laundering and terrorism financing.61 The Egmont Group uses procedural norms to train their intelligence units and has accountability groups that track whether these procedural norms are followed. Furthermore, the standards that the Egmont Group follows are based on multiple United Nations conventions outlining the specific methods in countering monetary criminal activity.

Thus, creating distance between those that set up norms and the attributors who use those norms (the Egmont Group) portrays legitimacy and neutrality. In the same way, having an independent group of private sector organizations attributing another level of actors (nation states) provides a level of distance between those who attribute fault and those who are potentially committing the crime itself.

60 “Update on Sony Investigation,” Press Release, Federal Bureau of Investigation, accessed May 23, 2017, https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
61 Financial Action Task Force. “INTERNATIONAL STANDARDS ON COMBATING MONEY LAUNDERING AND THE FINANCING OF TERRORISM & PROLIFERATION.” FAFTA/OECD, 2013. http://www.fatfgafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf


Adopting Private Sector Membership

Our research, combined with the distinct challenges inherent in a cybersecurity attribution organization, indicates the need for the proposed organization to be a private sector run organization. Private sector leadership is needed because market pressures will ensure company neutrality and hard work. Private sector entities also have access to valuable information for attributing cyberattacks. Finally, they have the advantage of speed and flexibility.

Market pressure will ensure that companies work hard to attribute cyberattacks—and market pressures will also help to make sure companies remain neutral in attribution. Companies have a growing stake in their own security as the frequency and cost of cyberattacks increase.62 An expected $3 trillion in costs by 2020 will be attributed to cybercrime.63 Therefore, private corporations are increasingly concerned about their own security and protecting shareholder value. Joining the proposed organization provides an avenue to bolster protection.

Additionally, private sector members have a wide swath of cyberattack information and technical forensics within their network systems. Sharing this information is essential to make convincing attribution judgements. Drawing on the example of the Egmont Group, we see that private sector information is instrumental in making attribution judgements for money laundering and terrorism financing. The Financial Action Task Force Recommendations mentioned earlier specifically outline the list of bodies from which Financial Intelligence Units should receive transactional information. The Unit utilizes both cash-transaction reports and suspicious-transaction reports to help make criminal attribution judgements. The bodies that must submit these reports to Financial Intelligence Units include banks, securities dealers, insurers, casinos, and even lawyers and accountants.64 This diverse array of reporting entities provides Financial Intelligence Units with a comprehensive database of pertinent information that can be analyzed and then transmitted to law-enforcement or prosecutorial entities as needed. The proposed organization, likewise, should have private sector firms from a wide array of industries contribute to a singular source of nation state cyberattack information that can be analyzed thoroughly by industry experts and disseminated in the most appropriate fashion.

62 Riley Walters, “Cyber Attacks on U.S. Companies Since November 2014,” The Heritage Foundation, accessed May 23, 2017, http://www.heritage.org/cybersecurity/report/cyber-attacks-us-companies-november-2014
63 “Protecting and Defending against Cyberthreats in Uncertain Times | USA 2017 | RSA Conference,” accessed May 23, 2017, http://www.rsaconference.com/events/us17/agenda/sessions/7577-keynote-speaker-brad-smith-president-and-chief.
64 International Monetary Fund and World Bank, “Financial Intelligence Units: An Overview,” 2004, https://www.imf.org/external/pubs/ft/FIU/fiu.pdf

Finally, as opposed to government bodies, private sector companies have the advantage of speed and flexibility in sharing information and supporting attribution judgements because they are not impeded by dissimilar jurisdictions present in multinational governments.65 They would be able to provide information relatively easily through the umbrella organization’s use of SecureDrop, an open source software platform for anonymous communication channels.

Potential Membership

Private sector firms that would be interested in joining the proposed organization would include large multinationals from around the world and from a myriad of industries. The proposed organization might include companies from the banking, manufacturing, technology, and retail sectors, such as Goldman Sachs, Samsung, Sberbank, Sinopec, ThyssenKrupp, or Zara. Many of the member firms will be companies that have already suffered a major cyberattack, while others will have only experienced minor information security breaches. Still others will want to join to better understand and prevent future cyber threats. Whatever the motives of these firms for joining the proposed organization, the trace evidence held by these companies is invaluable to hold in repositories for further attribution in the future.

Membership would also extend to companies in the IT or cybersecurity industry. Companies in these respective industries will have data from clients they have served. However, only raw data, not analyses, will be shared from these security firms. We discuss the potential challenge of cybersecurity firms sharing data in the Private Sector Cooperation section of our report. The key here is to develop a strong base of needed information sharing from both companies that have experienced cybersecurity breaches, as well as the companies that help patch those cybersecurity breaches.

65 J.E. Messerschmidt, “Hackback: Permitting Retaliatory Hacking by Non-State Actors as Proportionate Countermeasures to Transboundary Cyberharm,” Columbia Journal of Transnational Law, Vol. 52, No. 1, p. 293 and Neal Katyal, “Community Self-Help,” Journal of Law, Economics and Policy, Vol. 1, (2005), accessed May 17, 2017, http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1532&context=facpub

In focusing membership on private sector firms, we do not propose a complete denial of government involvement. In fact, it will be important to have governments’ support and input. The proposed organization includes a plan to gain governments’ own attribution judgements in a confidential manner that retains their anonymity; this will be further elaborated in the Sensitive and Confidential Cyber Incident Information section. By having top-notch experts analyze both private sector cyberattack information and public sector information, the proposed organization will make a great leap in bolstering cyber defense around the globe while reducing costs to private sector firms and public sector governments.


The Design of the Proposed Organization

The proposed organization is divided into five main bodies and made up of private sector member companies: (1) the Executive Council of Company Representatives, (2) the Expert Investigation Committee, (3) the Expert Review Committee, (4) the Communications Committee, and (5) the Budget Committee.

Executive Council

The highest-level decision-making body is the Executive Council, composed of representatives from member companies. The Executive Council votes on which cyberattacks undergo investigation by the organization. The process of selecting cases will also undergo a two-thirds majority vote for approval. Member companies appoint representatives to the Executive Council for four-year terms. Term limits are a formal organizational practice to ensure a rotating cast of industry stakeholders in the Executive Council. Council members unanimously vote to suspend firm membership in the organization. The representatives are also responsible for appointing experts to the Expert Investigation Committee composed of geopolitical and technical experts. Each company representative appoints experts, and the final decision to approve an appointment requires a two-thirds majority vote of the Executive Council. The Review Committee, by contrast, is composed of independent academics and technical experts.

The Executive Council adopts the best practices of equitable geographic representation, organizational transparency, internal accountability, and private sector participation.

Expert Investigation Committee

The Expert Investigation Committee is responsible for investigating major state-sponsored cyberattacks passed through the Executive Council. With direct access to the Information Repository, the Expert Investigation Committee operates on an evidentiary framework that evaluates the veracity and validity of information from the repository. Experts can also submit formal requests for information from member firms for gathering technical forensics during their investigation.


The Expert Investigation Committee’s attribution report will develop an evidentiary framework similar to the legal burden of proof. The evidentiary framework will ensure that the Expert Investigation Committee builds an attribution judgment based on inculpatory evidence. Since the proposed organization does not prosecute a defendant for a cyberattack, the Expert Investigation Committee’s legal burden is lower than that of conventional criminal law. Rather, the onus is on the Expert Investigation Committee to construct a coherent depiction of a nation state’s involvement with a combination of technical and geopolitical evidence. The core responsibility for the Expert Investigation Committee is to determine the nation state’s responsibility and motivation for an attack.

The Expert Investigation Committee adopts the best practices of equitable geographic representation, organizational transparency, internal accountability, inclusion of technical and geopolitical experts, and private sector participation.

Expert Review Committee

The Expert Review Committee holds the Expert Investigation Committee accountable for the quality of evidence used in the attribution. The Expert Review Committee is the peer-review process for the proposed organization. The Committee, composed of independent academics and private sector researchers, reviews the Expert Investigation Committee’s attribution report prior to the official release. The Committee is based on opt-in participation and is voluntary; the Executive Council of Country Councils can veto specific Expert Review Committee members with a two-thirds majority vote. It provides the imprimatur for the proposed organization, indicating broad consensus on the attribution judgment. Above all, the Review Committee is the mechanism that upholds the proposed organization’s commitment to neutrality and evidentiary standards.


The Expert Review Committee adopts the best practices of equitable geographic representation, organizational transparency, internal accountability, inclusion of technical and geopolitical experts, and private sector participation.

Communications Committee

The Communications Committee is responsible for receiving the final attribution reports from the Expert Review Committee as well as the dissemination of the report to the public. The Communications Committee follows a well-defined framework that maintains accountability to the public and openness. All evidence used in the attribution report will be disclosed to the public. The member companies appoint the Committee’s members, upholding the practice of geographically diverse representation in the organization’s staff. Members of the Communications Committee will work closely with the media and ensure the media publishes the findings accurately. Like media organizations who retain a general counsel, the Communications Committee will work with lawyers in the event of legal challenges.

The Communications Committee adopts the best practices of equitable geographic representation, organizational transparency, internal accountability, stakeholder outreach and private sector membership.

Budget Committee

Member companies also appoint representatives of the Budget Committee. The Budget Committee’s responsibilities include managing and collecting the budget of the proposed organization. The Budget Committee will disclose any cases where member companies fail to uphold their monetary contributions. The Budget Committee will present these cases of non-compliance to the Executive Council who will then determine an appropriate response. The Budget Committee determines individual member companies’ contributions.

Appendix 3 summarizes the projected costs of the proposed organization. We break down the costs into six different categories: the Expert Investigation Committee, the Expert Review Committee, the Communications Committee, the Budget Committee, Outreach and Member Relations, and Infrastructure and Operations costs. The Executive Council will not be paid as their work is minimal, although the reputational benefits are high. The projected total cost of the proposed organization will be nearly $40 million in the first year and an estimated $30 million a year in subsequent years.

The Budget Committee adopts the best practices of equitable geographic representation, organizational transparency, internal accountability, and private sector membership.

Information Flow

Figure 1, included again below, captures the direction of information flow. As the figure illustrates, information arrives at the organization through an information repository. As evidence is collected, an Expert Investigation Committee verifies the veracity and authenticity of the evidence. An Expert Review Committee also examines the evidence and the findings of both groups create the substance of the attribution report. The Expert Review Committee disseminates the attribution report to the Communication Committee. The Communication Committee works with the media to publicize the results of the review.


Figure 1: Organizational Chart

[Figure: organizational chart. Boxes: Member Companies; Executive Council of Company Representatives; Expert Investigation Committee; Expert Review Committee; Communications Committee; Budget Committee; Information Repository; Sources of Information; Attribution Report; Mainstream News Organizations. Annotations: evidence collection; evaluates the veracity and authenticity of evidence; review process; determines nation-state responsibility; attribution report dissemination. Legend: direction of information flow; direction of authority and accountability.]


Challenges for the Proposed Organization

As a new international organization, the proposed attribution organization will face serious challenges as it gathers evidence and produces attribution judgements following major cyberattacks. In the following section, we identify seven challenges and draw upon examples from our research to craft solutions to each potential challenge. These major challenges include:

• Earning public trust
• Cooperation among competitors
• Industry compliance with organizational norms
• Legal challenges of information sharing
• Collecting sensitive and confidential cyber incident information
• Methods of information sharing
• Sharing information with China and Russia

Earning Public Trust

One of the central goals of the proposed organization is to publish and widely disseminate attribution judgements in a timely manner. To effectively accomplish its mission of holding cyberattack perpetrators accountable and dissuading them from future attacks, the organization must be credible to the public. Without credibility, the proposed organization’s judgements are easily dismissed and cyberattackers are free to continue undermining global Internet security.

The proposed attribution organization will operate independently from national governments and be composed entirely of members from the private sector. While its non-governmental status and transparent organizational structure signal a degree of political neutrality, the organization must actively work to promote its independence if it is to hold a reputation as a credible attribution body. While earning public trust is a potential challenge to any international organization, let alone a nascent attribution body, we can borrow from the policies of Greenpeace and the International Atomic Energy Agency (IAEA) to best foster the attribution organization’s political neutrality and earn public confidence.

Maintaining Independent Funding

Greenpeace provides an example of exclusively apolitical, independent funding. Greenpeace does not accept donations from governments, corporations, or political parties, and rejects donations from private entities that its governing body believes could compromise its independence, objectives, and integrity.[66] The independence of Greenpeace funding suggests that Greenpeace is an organization that cannot be bought or quieted; Greenpeace is only interested in furthering its mission of public environmental awareness and engagement.

Greenpeace’s funding model has proven successful and serves as a model that the attribution organization should adopt to encourage public trust in its functions. Although its methods are often controversial, the public largely views Greenpeace as an authority on environmental issues. Subsequently, in its forty years of existence, Greenpeace has grown from ten activists operating in Alaska to an organization with 2.9 million members conducting operations in 55 countries.[67] Additionally, Greenpeace is responsible for impactful environmental campaigns, ranging from initiatives to stop drilling in the Arctic to stopping the flow of toxic waste into the ocean.[68] The attribution organization can overcome challenges to public credibility by making a similar promise to reject political funding, allowing it to focus solely on its neutral cyberattack investigations.

Functioning as a Public Resource

The attribution organization can position itself as a public resource that not only attributes cyberattacks, but provides information about its mission in an easily comprehensible manner.

The IAEA is an example of an organization that has gained public trust through its clear, informative communication strategy. In recent years, use of nuclear energy has grown increasingly controversial, and nuclear energy is also highly technical, often too complex for the public to understand, further exacerbating mistrust in its use.[69] To combat public misconceptions, the IAEA shares complex information surrounding nuclear energy in a coherent manner that is easily understood by the public, in the form of fact sheets, podcasts, regular bulletins, and informational booklets.[70] When the public sees the IAEA as an informational resource whose mission is clear and understandable, the IAEA is fundamentally more credible and able to more effectively govern nuclear technology and safety.

[66] “Who We Are.” Greenpeace International. Accessed May 17, 2017. http://www.greenpeace.org/international/en/about/our-mission/
[67] "Greenpeace structure and organization." Greenpeace International. 2017. Accessed May 9, 2017. http://www.greenpeace.org/international/en/about/how-is-greenpeace-structured/
[68] “Who We Are,” 2017.

The attribution organization can earn public trust in a similar manner. Like nuclear technology, the mechanics of a major cyberattack are highly complex and abstract to everyday citizens. By engaging the global public in the cybersecurity issues it investigates, the organization can build public trust that will in turn yield credence to its attribution judgements, thus, hopefully contributing to the decline of major state-sponsored cyberattacks over time.

Cooperation among Competitors

One of the greatest challenges in developing a private sector blueprint for cyberattack attribution is exploring how the proposed organization could advocate and incentivize private sector companies to commit to a process of information sharing and coordinating common resources with firms that are often their competitors. Most companies aim to prevent cyberattacks through focusing on strengthening their internal networks rather than coordinating with competitors.

Additionally, some companies prefer to absorb losses incurred by security breaches rather than reveal weaknesses in cybersecurity systems—all in the name of protecting reputations and shareholder values. However, focus on internal cybersecurity at the expense of industry information sharing and cooperation is highly impractical, as it is nearly impossible for a company to identify and patch every cybersecurity vulnerability arising in a single network.[71] Information sharing between companies allows for greater understanding of cybersecurity threats and can make every company stronger. Yet despite general acknowledgement of the importance of information sharing and the presence of sector-specific information sharing bodies such as Information Sharing and Analysis Centers, considerable room for improvement and greater industry cooperation remains.[72]

[69] Black, Richard. “Nuclear Power ‘Gets Little Public Support Worldwide.’” BBC News, November 25, 2011, sec. Science & Environment. http://www.bbc.com/news/science-environment-15864806
[70] IAEA. “Building Public Trust in Nuclear Power.” International Atomic Energy Agency, March 2013. https://www.iaea.org/sites/default/files/publications/magazines/bulletin/bull54-1/54104711212.pdf

To overcome the challenge of private sector cooperation, we propose adopting information sharing practices that incentivize greater industry cooperation. The global collaboration exhibited by the Stuxnet Investigation and the Egmont Group of Financial Intelligence Units offer a model that can be adapted to bolster cyber defense and effectively decrease the costs of defense to all organization members.

Incentivizing Cooperation through Access to Resources

As a group of 152 governmental bodies, the Egmont Group is a successful model of how to incentivize cooperation in a way that leads to international cooperation. The Egmont Group is responsible for analyzing financial information shared by banks and financial institutions with the goal of stopping money laundering and terrorist financing.[73] Governments and financial institutions willingly share this sensitive information with the Egmont Group, and by extension, other countries. Governments must apply to be admitted to the Egmont Group, suggesting that governments want to be part of a system of norms and collaboration.[74]

The Egmont Group incentivizes collaboration and information sharing in three key ways. First, governments applying to the Egmont Group gain access to the Group’s wide variety of training resources and to financial data from other countries, resources that ultimately strengthen a government’s own financial security.[75] Examples of the Egmont Group’s resources include yearly plenaries and communiques where members discuss the most pertinent case studies in fighting money laundering across the globe, training sessions on implementing Financial Action Task Force Recommendations, and systems set out for anti-money laundering and thwarting terrorism financing organizations.[76] Egmont Group membership also provides access to the resources of the International Monetary Fund and World Bank, who provide technical assistance to the financial intelligence units of member countries.[77] Governments use this information and assistance to more effectively attribute criminal activity within their own borders. Gaining insight from a network of international bodies is particularly useful due to the transnational nature of many financial crimes.

[71] Gagnon, Gary. “Why Businesses Should Share Intelligence About Cyber Attacks.” Harvard Business Review, June 13, 2013.
[72] Gagnon, 2013.
[73] “Financial Intelligence Units (FIUs) - The Egmont Group.”
[74] International Monetary Fund, and World Bank. “Financial Intelligence Units: An Overview,” 2004. https://www.imf.org/external/pubs/ft/FIU/fiu.pdf
[75] International Monetary Fund and World Bank, 2004.

Second, the Egmont Group incentivizes membership through its clear, centralized communication, fostering efficient exchange of information pertinent to timely attribution judgements. The Egmont Group has four working bodies specifically designated to enhance the quality and quantity of information being shared among Financial Intelligence Units, as well as to enhance the methodologies and standards of communications between governments. The benefits reaped from effective, immediate information exchange allow individual governments to reduce the economic and opportunity cost of conducting their own international investigation.

Lastly, Egmont encourages international cooperation through the reputational benefits it affords its members. Members are incentivized to cooperate due to the operational benefits of joining a large organization that allows member governments to more effectively combat activity condemned by not only international law and conventions, but many domestic laws as well. In the eyes of domestic and international audiences, Egmont membership signals a commitment to financial accountability, bolstering a government’s legitimacy and international standing.

[76] “Public Statements and Communiques - The Egmont Group.” Accessed April 3, 2017. https://www.egmontgroup.org/en/document-library/9.
[77] International Monetary Fund and World Bank, 2004.


Encouraging Cooperation through Privacy Assurances

The Stuxnet Investigation is another useful model of private sector cooperation, especially among companies that are traditionally competitors. In the wake of the Stuxnet attack, Russian security firm and anti-virus provider Kaspersky Lab and the American company Symantec led an ad-hoc investigation to attribute the source of the attack. Their work was not only to attribute responsibility, but to rebuild consumer confidence in the security of Internet data.[78] In addition to working with Symantec, Kaspersky Lab also worked with other competing security firms such as McAfee, and collaborated with a range of industry and geopolitical experts to approach the investigation.[79] These competitors worked together to share evidence pertaining to Stuxnet and made mutual assurances to keep each other’s data private, fostering more direct cooperation and disclosure.

In the Stuxnet Investigation, the challenge of convincing competitors to cooperate was solved through instituting a system of information sharing with guaranteed privacy assurances. The proposed attribution organization should similarly institutionalize privacy assurances in a way that fosters investigation and evidence collection while preserving each member company’s competitive edge. As long as each company agrees upon the type of attack data they will share and makes assurances to keep sensitive data private, each company should be able to reap the benefits that accompany cooperation.[80] By following the Stuxnet example, competitors can cooperate while increasing their ability to attribute major cyberattacks in a timely and efficient manner.

Industry Compliance with Organizational Norms

Another challenge in creating an international private sector attribution organization is obtaining industry compliance. For the attribution organization to complete its objectives, its members must adhere to the proposed organization’s processes and established behavioral norms. The problem of compliance stems from the unwillingness of private firms to voluntarily disclose sensitive information and vulnerabilities, including their own susceptibility to cyberattack. Companies risk exposing themselves to liability suits, a write-down of share price, and the disclosure of information to competitors.

[78] Kim Zetter, “How digital detectives deciphered Stuxnet, the most menacing malware in history,” WIRED, July 11, 2011, accessed May 1, 2017, https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/.
[79] David Kushner, “The Real Story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program,” IEEE Spectrum, February 26, 2013, accessed May 1, 2017, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.
[80] Gagnon, 2013.

The issue of compliance, however, is not a new dilemma for international organizations. In the following section, we apply rationalist and constructivist theory to address the compliance question for the proposed organization. In assessing behavioral theory, we attempt to delineate several credible reasons companies engage in compliance, principally, to gain security reward and to avoid reputational punishment.[81] This can only be accomplished, however, if companies trust and validate the behavioral norms and standards they must adhere to.

Rationalist Behavior Theory

Rationalist theory argues that private and state actors will undergo a cost-benefit analysis and then only observe international law if compliance outweighs the disadvantages of non-compliance.[82] However, laws alone do not cause companies, or states, to behave in certain ways. Reputational concern and mutual benefits also influence compliance behavior. For example, following the Operation Aurora attacks, executives at Google believed that it was more important to uphold a positive public image than to adhere to China’s strict Internet regulations.[83] Thus, Google lost billions of dollars of potential revenue after exiting the Chinese markets in exchange for maintaining its reputation. Based on this example, and tied to the same incentives that compel cooperation among competitors, it is likely that companies will see participation in such an attribution organization as being to their benefit.

Constructivist Theory

One of the many foci of constructivist theory examines the issue of reputation in relation to compliance with an international order. Constructivist theory places a greater weight on identity formation and international society to explain compliance motivations than do rationalist approaches.[84] The constructivist strand of thinking braids together rationalists’ emphasis on self-interest with socially constructed interests. These constructed interests include recognized norms and values that can compel companies to act a certain way to maintain their reputation.

[81] See e.g. Harold Hongju Koh, “Why Do Nations Obey International Law?,” Yale Faculty Scholarship Press (1997), accessed May 23, 2017, http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=2897&context=fss_papers.
[82] Abram Chayes and Antonia Handler Chayes, “The New Sovereignty: Compliance with International Regulatory Agreements,” Harvard University Press (1998).
[83] Doug Gross, “Google vs. China: Free speech, finances or both?,” CNN, January 13, 2010, accessed May 11, 2017, http://www.cnn.com/2010/TECH/01/13/google.china.analysis/index.html

Constructivists ascribe successful compliance with behavioral norms to three factors. The three factors that foster stronger willingness to comply with an organization’s rules are efficiency, self-interest, and trust.[85] Therefore, an organizational model based on discourse, persuasion, and cooperation, rather than coercion, will lead to accordance with an international organization’s rules.[86]

Using Theory to Understand Compliance

We can use these theories to understand the process by which companies’ pursuit of their best interest will shape behavior. Companies obey powerless rules because they are pulled toward compliance by considerations of legitimacy and if members feel that the organization’s rules are equally applied and fair. Designing the proposed organization so that benefits of membership exceed cost of membership is essential; the benefits of enhanced company security, the promotion of general Internet security, and enhanced company reputation must outweigh the risks of information sharing. Trust is essential in motivating companies to comply with an organization’s behavioral norms and processes. Generating trust lies in an organization’s process and design. Certain procedural instruments such as transparency, streamlined data collection, independent verification and expert supervision, and a default to disclosure help to promote and maintain trust, and, thus, compliance with the proposed organization’s norms for member behavior.

[84] Harold Hongju Koh, “Why Do Nations Obey International Law?,” Yale Faculty Scholarship Press (1997), accessed May 23, 2017, http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=2897&context=fss_papers.
[85] Koh, 1997.
[86] Abram Chayes and Antonia Handler Chayes, “The New Sovereignty: Compliance with International Regulatory Agreements,” Harvard University Press (1998).


Legal Challenges of Information Sharing

A coordinated effort among private sector actors will require sharing access to sensitive cyber incident information, raising questions about the legality of cross-border information flows. In order to produce accurate attribution judgements, the proposed organization’s information repository is likely to include sensitive information such as controlled unclassified information and personally identifiable information. Practically speaking, a forensic analyst is certain to confront personally identifiable information when investigating a company’s computer, or reviewing emails suspected of phishing attacks,[87] giving rise to potential risks of violation of privacy and confidentiality. Disclosure of such sensitive data may violate fiat laws, regulation, and privacy contracts. In addition, it may run up against international agreements—for example, the UN International Covenant on Civil and Political Rights (ICCPR) outlines privacy as an international human right,[88] while Article 8 of the European Convention on Human Rights cites privacy rights as a reason to restrict data sharing.[89]

Although privacy laws may complicate the process of sharing information with the proposed attribution organization, we believe that reconciling this obstacle is not only possible, but the lynchpin for ensuring that organizational membership is diverse and sustainable. We draw upon the example provided by the Financial Industry Regulatory Authority (FINRA) as a solution to legal obstacles to information sharing.

Automating Data Analysis

FINRA is an excellent example of an organization that automates the collection and processing of data in adherence with major privacy laws. FINRA is a private, self-regulatory organization monitoring the United States equity market.[90] In this position, it collects information on market prices, equity trading, and other key variables in a centralized database.[91] While this data is sensitive and ripe for a security breach, FINRA’s database uses an automated program to process daily transactions and detect financial fraud, such as market manipulation, insider trading, and compliance breaches.[92] FINRA’s automatized data analysis provides clear parameters to data collection while developing norms that maintain a company’s legal obligations towards information sharing. By delineating a procedure for communication and evidence gathering, FINRA is a model that handles information sharing in a manner consistent with the privacy and security of personal data.[93]

[87] Chris Johnson et al, “Guide to Cyber Threat Information Sharing,” National Institute of Standards and Technology (NIST) (2016), available at: http://dx.doi.org/10.6028/NIST.SP,800-150.
[88] “International Covenant on Civil and Political Rights,” United Nations General Assembly (1966), accessed May 17, 2017, http://www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx.
[89] “Convention for the Protection of Human Rights and Fundamental Freedoms Rome,” (1950), accessed May 17, 2017, https://rm.coe.int/1680063765.
[90] “About FINRA,” finra.org, accessed May 1, 2017. https://www.finra.org/about; Carrie Johnson, "SEC Approves One Watchdog For Brokers Big and Small," The Washington Post, July 27, 2007, Page D02., accessed May 2, 2017, http://www.washingtonpost.com/wp-dyn/content/article/2007/07/27/AR2007072700108_pf.html.

The proposed attribution organization can integrate FINRA’s automated information sharing processes into its function, helping to ensure compliance with different privacy laws. First, the automation of data analysis, sorting, and extraction will remove the liability of having humans sort through sensitive information.[94] Privacy will be further protected by establishing formal norms and procedures for the organization’s gathering, sharing, and preserving evidence.[95] Defining how, when, and what information companies can share will be the principal measure to formalize secure information sharing capabilities. For example, following a major cyberattack, digital evidence such as file cases, network port numbers, and registry key values are free of personally identifiable information.[96] As long as member organizations agree to restrict the collection of evidence to only pertinent data surrounding an attack and similarly agree to the automatization of data analysis, privacy laws can be effectively respected without hindering the attribution process.

Collecting Sensitive and Confidential Cyber Incident Information

Collecting and publishing sensitive information from confidential sources is a major challenge for the proposed organization. While the organization will foster regular communication channels between members and set clear parameters for information sharing, sometimes evidence pertaining to a cyberattack cannot be obtained by organization members alone. At times, the organization will rely on information from the public to complete its attribution judgements. At other times, the organization may need information that only government agencies can provide.

[91] “Technology | FINRA.org,” accessed May 16, 2017, https://www.finra.org/about/technology.
[92] “Technology | FINRA.org”
[93] Denise Zheng and James Lewis, “Cyber Threat Information Sharing,” Center for Strategic and International Studies (2015), accessed May 17, 2017, https://www.csis.org/analysis/cyber-threat-information-sharing.
[94] Chris Johnson et al, 2016.
[95] Chris Johnson et al, 2016.
[96] Chris Johnson et al, 2016.

SecureDrop: A Tool for Anonymity and Sensitive Data Collection from the Public

The proposed organization can guarantee anonymity of sources by using a software application called SecureDrop. As illustrated by the Stuxnet Investigation, information surrounding many major cyberattacks often comes from anonymous sources whose privacy must be protected. Anonymous sources function as whistleblowers who risk losing their jobs and may face prosecution. Thus, the proposed attribution organization must find a way to protect sources of confidential, sensitive information while simultaneously maintaining a commitment to a transparent investigative process. Solely relying on classified information could undermine the proposed organization’s legitimacy and commitment to openness, while omitting information from whistleblowers to protect their information would result in incomplete evidence collection and a less-credible attribution judgement. In contrast, when an attribution judgement uses both openly available evidence as well as evidence provided from sensitive sources, a judgement is far more credible and authoritative.

Journalists have long depended on anonymous sources in their work. The Stuxnet Investigation is a case in point. The Washington Post relied upon an anonymous government whistleblower to validate the private sector’s attribution report. With the input of this anonymous whistleblower, the Washington Post helped bolster the credibility of the Stuxnet Investigation’s attribution of the attack to the United States and Israel.[97]

SecureDrop is a software platform, widely used by newspaper organizations, that allows whistleblowers to confidentially share information and communicate with journalists.[98] SecureDrop is integrated into TOR, fully encrypts communications, cannot be accessed by anyone outside the news organization that owns it, minimizes the metadata trail between journalists and sources, and does not track IP addresses.[99] The code for SecureDrop is open source and available to independent oversight. Additionally, SecureDrop is audited by the Freedom of the Press Foundation, a non-profit free speech advocacy group, to guarantee its security.[100] SecureDrop is free and internationally accessible, making it a realistic tool for our proposed attribution organization, which will likely be gathering evidence from many countries at one time.

[97] WashPostPR, “Q&A about SecureDrop on The Washington Post," The Washington Post, June 5, 2014, accessed May 23, 2017, https://www.washingtonpost.com/pr/wp/2014/06/05/qa-about-securedrop-on-the-washington-post/?utm_term=.75a18f73a812.

Tearlines: A Mechanism for Receiving Government Information

It is likely that the proposed organization will need to receive classified government information, making a mechanism to ensure the information is secure necessary. A potentially useful mechanism is “tearlines.” Government intelligence agencies use tearlines to share classified information with parties without disclosing the most sensitive information.

For example, the Intelligence Community Directive 209 states that tearlines are, “written for the broadest possible readership in accordance with established information sharing policies, and requirements in law and policy to protect intelligence sources and methods.”[101] Essentially, tearlines help US intelligence agencies disclose, when possible, limited classified information to parties for an investigation, “including by providing [information] to non-Federal entities.”[102]

The use of tearlines is not limited to the US. Tearlines were used by the Pakistan Inter-Services Intelligence (ISI) to share classified intelligence with India for the 2008 Mumbai terror attack investigation.[103] In regard to a cyberattack attribution case, if the proposed organization requires classified government intelligence, tearlines may be the answer. While there is a possibility the information desired to piece together a cyberattack attribution is the sensitive information above the tearline, tearlines provide a mechanism from which to begin secure information sharing between governments and the proposed organization. Having a mechanism in place to keep a channel open for the government to share classified information can serve as a useful starting point.

[98] James Ball, “Guardian launches SecureDrop system for whistleblowers to share files,” June 5, 2014, accessed May 23, 2017, https://www.theguardian.com/technology/2014/jun/05/guardian-launches-securedrop-whistleblowers-documents.
[99] Ball, 2014.
[100] Trevor Timm, “SecureDrop Undergoes Second Security Audit,” Freedom of the Press Foundation, January 20, 2014, accessed May 23, 2017, https://freedom.press/news-advocacy/securedrop-undergoes-second-security-audit/.
[101] “Intelligence Community Directive 209 - Tearline Production and Dissemination” (Office of the Director of National Intelligence, September 12, 2012): 2.
[102] “Intelligence Community Directive 209 - Tearline Production and Dissemination,” 2012.

Methods of Information Sharing

Once evidence is collected, the organization must find a way to securely exchange information relating to its attribution judgement. There are four common methods of disseminating findings. First, information sharing can be regulated with a formalized agreement, where parties agree what information will be exchanged, how it will be used, and how it will be kept confidential.[104] Second, security clearance-based information sharing practices involve protected channels of communication between intelligence sources—but are fundamentally narrower in scope than a formalized information sharing agreement.[105] Third, organizations can use a trust-based model of communication that lacks formal agreement and is used by a closed group of individuals—usually cybersecurity professionals from different companies—who share information with one another when they see security issues of common concern.[106] Finally, an ad-hoc model of exchange occurs in response to a cyberattack and establishes temporary channels of communication pertaining specifically to a particular attack.[107] It is not uncommon for an ad-hoc model to lay the groundwork for a more formalized method of information sharing in the future.[108]

[103] Amit Baruah, “Pakistan ‘Shared Mumbai Attacks Research with India’ - BBC News,” December 4, 2010, http://www.bbc.com/news/world-south-asia-11917514.
[104] Cristin Goodwin and J. Paul Nicholas, “A Framework for Cybersecurity Information Sharing and Risk Reduction” (Microsoft, January 26, 2015), https://www.microsoft.com/en-us/download/details.aspx?id=45516.
[105] Ibid.
[106] Ibid.
[107] Ibid.
[108] Ibid.


In our research, we found that international organizations tended to use a formalized model of information sharing, while investigative processes tended to use an ad-hoc model. In this section, we propose that the attribution organization adopt an ad-hoc model since it is most inclusive and effective at reducing barriers to information sharing among private actors. In this recommendation, we draw upon the example of the Mumbai Terrorist Attack Investigation’s ad-hoc information sharing structure as an example to follow in the immediate future. However, further down the road, when the attribution organization is more established, a more formalized model of communication, such as the one embodied by the NATO CCDCOE, may be of use.

Adopting an Ad-Hoc Method of Exchange

The Mumbai Terrorist Attack investigation is a strong example of ad-hoc information sharing that can be easily adopted by the attribution organization. The 2008 Mumbai attacks have many parallels with the type of state-sponsored cyberattacks the organization will investigate. The Mumbai attacks were geopolitically motivated[109] and originated in Pakistan with the perpetrators having close ties to Pakistani intelligence.[110] Because of the close ties to Pakistani Intelligence, the attack is similar to the way a nation state might perpetrate a major cyberattack for geopolitical reasons.

The Mumbai investigation was led by the Indian government and aided by intelligence from the US and UK, culminating in the presentation of an attribution judgement to the Pakistani government. Once the attack took place, an ad-hoc model of information sharing was immediately employed: intelligence units from the US, UK, and India began rapidly sharing evidence with one another. Timely and open information sharing helped India produce an effective attribution judgement, identifying individuals responsible for the attack.

[109] FireEye, “APT28: A Window Into Russia’s Cyber Espionage Operations?,” Intelligence Report, (October 2014).
[110] Sebastian Rotella, James Glanz, and David E. Sanger, “In 2008 Mumbai Attacks, Piles of Spy Data, but an Uncompleted Puzzle - ProPublica,” ProPublica, December 21, 2014, https://www.propublica.org/article/mumbai-attack-data-an-uncompleted-puzzle.


The Mumbai communication model is an example that would be the most immediately applicable to a nascent attribution organization. Following this model, when a cyberattack occurs, all the relevant stakeholders could easily convene to share information pertaining to the specific attack and produce an attribution judgement. Since each major cyberattack is unique in some form or another and involves different victims and perpetrators, not all the members of the attribution organization would necessarily be involved in each investigation. An ad-hoc model is flexible, allowing for the exclusion and inclusion of relevant parties depending on the nature of the attack.

Toward a Formalized Method of Exchange

While ad-hoc methods of information exchange are flexible and useful as the proposed attribution organization begins its operations, establishing a formalized method of exchange would be advisable once trust is fully established between organization members and the public and a diverse set of companies become organization members. A more formalized channel of information sharing will foster greater efficiency, since the centralization of resources will enable faster investigation.

The NATO CCDCOE serves as an example of formalized information sharing that can be readily applied to the proposed attribution organization. The CCDCOE’s method of information sharing is said to be formalized because inclusion requires membership involving financial contributions to the CCDCOE.[111] Because of an established system of trust and confidence, CCDCOE members can discuss more than can be covered in an ad-hoc method of exchange. CCDCOE members share all information pertaining to cybersecurity with one another, not just information pertaining to one cyberattack. In this sense, CCDCOE members have a fuller shared understanding of the global cybersecurity landscape and can plan more effectively and efficiently for investigations. For example, the CCDCOE has produced the Tallinn Manual, holds the annual CyCon conference, and conducts cyberattack and cyber defense exercises.[112] These activities strengthen the cybersecurity of CCDCOE members. If the attribution organization can formalize its method of information sharing, it has the potential to expand its investigative capacities and fundamentally enhance global Internet security.

[111] NATO, “About Cyber Defence Centre | CCDCOE,” NATO Cooperative Cyber Defence Centre of Excellence, accessed April 30, 2017, https://ccdcoe.org/about-us.html.
[112] “Tallinn Manual Process | CCDCOE,” accessed May 4, 2017, https://ccdcoe.org/tallinn-manual.html.

Sharing Information with China and Russia

Not only is there no universal approach to information sharing, but further complicating prospects of global cooperation within the attribution organization are existing geopolitical rivalries and differing approaches to Internet governance. While many major technology companies are located within the US, China and Russia are the other two major actors in international cyberspace. Each has barriers to sharing information and, along with the US, each is a potential source of state-sponsored cyberattacks.

The Chinese government tends to maintain stricter control over private sector information sharing than countries such as the United States. China’s 2016 Cybersecurity Law constrains the ability of the private sector to share information deemed “state secret,” while leaving the definition of “state secret” ambiguous. The ambiguity then makes companies hesitant to share data with each other, let alone their international counterparts.[113] Furthermore, Chinese technology companies tend to adhere to the government’s policies because they are financially rewarded for compliance with the state.[114] This dynamic serves as a disincentive for Chinese companies to cooperate with entities outside the country.

Similar obstacles to international private sector cooperation exist in Russia. Russian companies have demonstrated their desire to share information with their global counterparts on several occasions, but tumultuous domestic and international politics sometimes scare companies into silence. For example, the Russian-based security company Kaspersky Lab demonstrated its willingness to cooperate and share information during the Stuxnet Investigation. However, Russian authorities arrested Kaspersky’s leading investigator on treason charges in late 2016, allegedly for aiding the FBI’s investigation of Russian involvement in the 2016 United States presidential elections.[115] Around the same time, the United States government restricted Kaspersky Lab’s access to the American market due to its suspected collaboration with Russia’s security services.[116] Thus, Kaspersky Lab has scaled back significantly on its cooperation with non-Russian partners.[117]

[113] Zach Warren, “Are you ready for the new China Cybersecurity Law?,” Inside Counsel, February 28, 2017, accessed May 17, 2017, http://www.insidecounsel.com/2017/02/28/are-you-ready-for-the-new-china-cybersecurity-law?ref=footer-news.
[114] Hauke Johannes Gierow, “Cyber Security in China: Internet Security, Protectionism and Competitiveness: New Challenges to Western Businesses,” MERICS, April 22, 2015, accessed May 17, 2017, http://www.merics.org/fileadmin/templates/download/china-monitor/150407_MERICS_China_Monitor_twenty-two_en.pdf.

Companies in both China and Russia operate in a delicate political environment. On one hand, these companies recognize the importance of international information sharing. On the other hand, they must balance obedience to domestic law or face heavy political and financial penalties. Additionally, when Chinese and Russian companies collaborate on an international level, they are often met with suspicion from the other countries.

However, different approaches to information sharing need not be a barrier to greater international cooperation and the production of timely, effective attribution judgements. We can encourage greater information sharing and global cooperation with Russia and China through joint security ventures in other parts of the world and through the creation of technology outreach programs.

Engaging the Private Sector

The key to gaining Russian and Chinese private sector cooperation is to build on the common ground shared by all technology companies. For example, while Kaspersky Lab may be viewed controversially in the United States, Kaspersky Lab also completes projects that many American companies would also view as important and non-controversial. For example, Kaspersky Lab shares intelligence with Interpol as they investigate cyberattacks in Southeast Asia.[118] Chinese security companies also cooperate with other countries.[119] It appears that if information technology security companies in Russia and China stay out of their national governments’ business and comply with government policies on information sharing, these companies can still participate in international cyberattack investigations elsewhere in the world. Thus, information technology companies in Russia and China can still become important members of the proposed attribution organization while adhering to their national policies.

[115] Dan Goodin, “Kaspersky Lab’s top investigator reportedly arrested in treason probe,” Ars Technica, January 25, 2017, accessed May 17, 2017, https://arstechnica.com/security/2017/01/kaspersky-labs-top-investigator-reportedly-arrested-in-treason-probe/.
[116] Corey Flintoff, “Kaspersky Lab: Based in Russia, Doing Cybersecurity in the West,” NPR, August 10, 2015, accessed May 17, 2017, http://www.npr.org/sections/alltechconsidered/2015/08/10/431247980/kaspersky-lab-a-cybersecurity-leader-with-ties-to-russian-govt.
[117] Flintoff, 2015.
[118] Ians, “Kaspersky Lab joins Interpol-led cybercrime operation across Asian nations,” The Economic Times, April 25, 2017, accessed May 17, 2017, http://economictimes.indiatimes.com/tech/internet/kaspersky-lab-joins-interpol-led-cybercrime-operation-across-asean-nations/articleshow/58360723.cms.

In addition, the attribution organization can engage with the private sector in China and Russia through a series of outreach and training programs. Such training programs can include cross-border programs on combating state-sponsored cyberattacks and creating joint technology ventures to build trust between companies operating with different political perspectives.[120] Programs like these create ground for greater international cooperation and information sharing in the future.

[119] Ians, 2017.
[120] David Shukman, “Open Sesame: Science Center Unveiled in Jordan,” BBC News: Science & Environment, May 16, 2017, accessed May 17, 2017, http://www.bbc.com/news/science-environment-39927836.


Conclusion

The advantages of formalizing the investigation of cyberattack attribution into an international organization are apparent. Through centralized information sharing practices and private sector cooperation, key processes of attributing a major cyberattack, such as evidence collection and analysis, can be done better and faster. A network of coordinated private sector actors can quickly collect a multitude of technical forensics, witness statements, and critical geopolitical information; on its own, a single piece of evidence is insubstantial, but an array of evidence creates a clearer picture, often answering the question of attribution following a major cyberattack.

The proposed organization can build public confidence in its attribution judgments through inclusion and transparency. Ensuring that the processes of collecting evidence and its analysis are disclosed to the public reinforces the credibility of the attribution report. Similar procedural norms that encourage peer-review will further enhance organizational accountability, while transparent, non-governmental membership fosters autonomy from geopolitical influence. Additionally, the proposed organization will benefit from a diversity of perspectives by including private sector companies from across the globe.

The need for greater private sector collaboration in cyberspace is clear. As the likelihood of attribution increases, future cyberattacks will be deterred and perpetrators will be identified. An international organization tasked with attribution is clearly the next step in fostering greater global Internet security, and the private sector has the expertise and resources to see it through.


Appendix 1: International Organizations

Each of the following intergovernmental or nonprofit organizations has an established system of authority and standards for compliance. We have identified both private and public stakeholders involved with each organization and analyzed each organization’s objectives, governance, attributive powers, and budget before compiling a set of best practices from each party.

We examined the following 14 organizations:

• Amnesty International
• Citizen Lab
• Egmont Group of Financial Intelligence Units
• European Financial Coalition Against Child Pornography
• Financial Industry Regulatory Authority
• Greenpeace
• International Atomic Energy Agency
• International Civil Aviation Organization
• International Labor Organization
• NATO Cooperative Cyber Defense Center of Excellence
• Organization for the Prohibition of Chemical Weapons
• United Nations Al-Qaida Sanctions Committee
• United Nations Sanctions Committee on North Korea
• World Trade Organization’s GATT Article XX.


Amnesty International

Actors
- Private: Researchers, journalists, non-governmental organizations (NGOs)
- Public: (none listed)

Actions
- Investigates human rights abuses, lobbies governments, and promotes outreach campaigns[121]

Authority
- Reputational

Structure
- An international secretariat body and international board provide general leadership
- Regional sections exist in 70 countries around the world[122]

Norms
- Statute of Amnesty International (2005)
- International Non-Governmental Organization (INGO) Accountability Charter (2006)

Attribution
- Publicly publishes research on human rights violations
- Organization abides by an open information policy

Budget and Funding Source(s)
- $250 million (2016)
- Funded by independent donations[123]

Best Practices
- Prominent regional divisions foster greater international cooperation
- High level of transparency

[121] “Who We Are,” Amnesty International, accessed April 29, 2017, https://www.amnesty.org/en/who-we-are/.
[122] “Structure and People,” Amnesty International, accessed May 1, 2017, https://www.amnesty.org/en/about-us/how-were-run/structure-and-people/.
[123] “2016 Global Financial Report,” accessed April 29, 2017, https://www.amnesty.org/en/2016-global-financial-report/.


Citizen Lab

Actors
- Private: University of Toronto-based interdisciplinary research lab
- Public: (none listed)

Actions
- Engages on the core issues of Internet openness and security from a human rights perspective[124]
- Reports are published publicly, sometimes with media[125]

Authority
- Reputational[126]

Structure
- A global research network[127]

Norms
- Procedural transparency[128]
- Diverse geographic representation[129]
- Academic peer-review[130]
- Open source sharing of information and technical tools[131]

Attribution
- Makes all findings public, often directly implicating actors[132]

Budget and Funding Source(s)
- Private foundations, institutes, and organizations[133]

Best Practices
- Mixed method approach to investigation and analysis; combines technical and geopolitical expertise
- Geographic diversity, engages in capacity building with members from the Global South
- Stakeholder outreach via organizing and participating in global conferences
- Autonomy from government and commercial interests

[124] BPR Administration, “BPR Interview: Citizens Lab Director Ronald Deibert,” Brown Political Review, October 21, 2012, accessed June 5, 2017, http://www.brownpoliticalreview.org/2012/10/interview-citizens-lab-director-ronald-deibert/.
[125] See, for instance, Mattathias Schwartz, “Cyberwar For Sale,” The New York Times Magazine, January 4, 2017, accessed June 7, 2017, https://www.nytimes.com/2017/01/04/magazine/cyberwar-for-sale.html.
[126] See, for instance, Anita Elash, “How The Citizen Lab polices the world's digital spies,” CSMonitor, December 22, 2016, accessed June 7, 2017, http://www.csmonitor.com/World/Passcode/2016/1222/How-The-Citizen-Lab-polices-the-world-s-digital-spies.
[127] Ibid.
[128] Eva Galperin, Morgan Marquis-Boire, and John Scott-Railton, “Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns,” Citizen Lab-EFF, December 23, 2013, accessed June 7, 2017, https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns.
[129] “About the Citizen Lab,” accessed June 5, 2017, https://citizenlab.org/about/; “Cyber Stewards,” accessed June 7, 2017, https://cyberstewards.org/; and “OpenNet Initiative,” accessed June 7, 2017, https://opennet.net/.
[130] “Citizen Lab | Github,” accessed June 7, 2017, https://github.com/citizenlab.
[131] Elash, 2016.
[132] Ibid.
[133] “About the Citizen Lab.”


Egmont Group of Financial Intelligence Units

Actors
- Private: Financial institutions and non-financial institutions
- Public: Financial Intelligence Units (FIU)

Actions
- Submits cash-transaction and suspicious activity reports to the appropriate FIUs[134]
- Different types of FIUs have different objectives
- Some FIUs notify proper agencies to enforce laws, freezing and blocking suspicious transactions and accounts, and arrest suspects[135]

Authority
- Corporate Executives and Boards of Directors
- Domestic law
- United Nations (UN) Conventions[136]

Structure
- Varies by institution
- Each FIU has its own complex structure, dense network of internal bodies, and process-specific groups[137]

Norms
- Managerial discretion
- Local and/or national law
- 2003 Financial Action Task Force (FATF) recommendations based on Vienna and Palermo Conventions[138]
- FATF recommendations[139]

Attribution
- No attributive properties; works solely as an information-gathering organization
- Name organizations that fail to uphold reporting standards and laws[140]
- Attribution information is shared between FIUs through communiques, plenary meetings, and trainings[141]

Budget and Funding Source(s)
- Budgets vary from institution to institution
- Funds for each institution are acquired through debt and equity
- Budgets vary from nation to nation
- Funding provided by national governments
- United States FIU (FinCEN) has proposed budget of approximately $155M in 2017[142]

Best Practices
- Suspicious Activity Reports function as preventative measures that can also provide information needed to launch criminal investigations
- Process Improvement Groups promote information exchange and adherence to financial standards created by the Egmont Group
- Heavy emphasis on communication and training mechanisms ensure cooperation and cohesion

[134] International Monetary Fund, and World Bank. “Financial Intelligence Units: An Overview,” 2004. https://www.imf.org/external/pubs/ft/FIU/fiu.pdf.
[135] Ibid.
[136] “Money Laundering and the Financing of Terrorism - The Egmont Group.” Accessed April 30, 2017. https://egmontgroup.org/en/content/money-laundering-and-financing-terrorism.
[137] “Structure and Organization of the Egmont Group of Financial Intelligence Units,” The Egmont Group. Accessed April 3, 2017. https://www.egmontgroup.org/en/content/structure-and-organization-egmont-group-financial-intelligence-units.
[138] International Monetary Fund, and World Bank, 2004.
[139] Financial Action Task Force. “INTERNATIONAL STANDARDS ON COMBATING MONEY LAUNDERING AND THE FINANCING OF TERRORISM & PROLIFERATION.” FATF/OECD, 2013. http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf.
[140] “News | FinCEN.gov.” Accessed April 30, 2017. https://www.fincen.gov/news-room/news.
[141] “Public Statements and Communiques - The Egmont Group.” Accessed April 3, 2017. https://www.egmontgroup.org/en/document-library/9.
[142] International Monetary Fund, and World Bank, 2004.


European Financial Coalition Against Child Pornography (EFCACP)

Actors
- Private: Banks, payment companies, Internet service providers
- Public: Europol, European Union (EU)

Actions
- Cooperates with the EFCACP to design and launch initiatives to stop the sexual exploitation of children online
- Works to prevent the transferring of funds for child pornography through credit cards and other online payment methods
- ISPs work to implement a better system for detecting and blocking pornographic content[143]
- Fights sexual exploitation of children online by disrupting the economics of the illegal industry
- Promotes awareness, cross-sector training sessions, and policy research and promotion[144]

Authority
- Reputational
- EU

Structure
- Partnerships are established on a voluntary basis
- Representatives from private industry sit on the Steering Committee[145]
- Bureaucratic; one of many regional branches of the Financial Coalition Against Child Pornography
- The EFCACP is chaired by Europol and led by a Steering Committee
- Functions as a branch of the European Cyber Centre at Europol

Norms
- UN Convention on the Rights of the Child
- NGO/Industry best practices
- UN Convention on the Rights of the Child

Attribution
- No attributive properties
- No attributive properties, but shares information with other EU bodies

Budget and Funding Source(s)
- Part of Europol’s $114.6 million budget (2017)
- Funding provided by EU member states[146]

Best Practices
- Wide range of private actors from multiple fields have a seat at the table and are involved in the organization’s structure and agenda
- The private sector is directly responsible for carrying out initiatives to stop any financial gain related to child sexual exploitation
- Prominent regional divisions foster greater international cooperation

[143] “Commercial Child Pornography: A Brief Snapshot of the Financial Coalition Against Child Pornography,” National Center for Missing and Exploited Children, (2016), http://www.missingkids.com/en_US/documents/Commercial_child_pornography_-_A_brief_snapshot_of_the_FCACP_2016.pdf.
[144] “News from the EFC: The Past, The Present, The Future,” accessed April 28, 2017, http://us11.campaign-archive1.com/?u=a39d608c8102dd5c712efbc48&id=d1ce5b24df.
[145] “EFC Members,” European Financial Coalition against Commercial Sexual Exploitation of Children Online, n.d., http://www.europeanfinancialcoalition.eu/efc_members.php.
[146] “Statement of Revenue and Expenditure of the European Police Office for the Financial Year 2017” (Office Journal of the European Union, n.d.).


The Financial Industry Regulatory Authority (FINRA)

Actors
- Private: Self-regulating private corporation
- Public: Securities Exchange Council (SEC), Justice Department, and the Federal Bureau of Investigation (FBI)

Actions
- Monitors US equities, shares information with authorities
- Protects investors by upholding the integrity of US financial market, and levies fines against brokers[147]
- Use FINRA's information to build evidence for the prosecution of securities fraud

Authority
- Performs regulatory oversight of securities firms selling to public investors through contracts with stock exchanges[148]
- The Securities and Exchange Act; SEC’s extraterritorial exercise of its jurisdiction

Structure
- 3,400 employees based in Washington, D.C. and New York City with 20 regional offices[149]
- Bureaucratic agencies within the federal government

Norms
- Complies with the Federal Reserve and laws regulating data and information privacy
- Uses an arbitration forum
- Board members are publicly elected[150]
- Press briefings, disclosure, laws regulating evidence collection and prosecution[151]

Attribution
- Discloses information publicly in reports and with law enforcement[152]
- Yes, and prosecution[153]

Budget and Funding Source(s)
- $878.6 million (2012)
- Funded by the businesses it regulates[154]
- Budget is provided by the US government

Best Practices
- Public disclosure
- Use of technology to detect fraud, centralized database[155]
- Collaboration with authorities
- Strong norms and laws guide investigations
- Public disclosure
- Public-private cooperation

[147] “About FINRA,” finra.org, accessed May 1, 2017. https://www.finra.org/about; Carrie Johnson, "SEC Approves One Watchdog For Brokers Big and Small," The Washington Post, July 27, 2007, Page D02., accessed May 2, 2017, http://www.washingtonpost.com/wp-dyn/content/article/2007/07/27/AR2007072700108_pf.html.
[148] Ibid., 8
[149] Ibid., 72.
[150] Ibid., 72; “Board of Governors,” finra.org. Accessed 2 May 2017. https://www.finra.org/about/finra-board-governors; "An Outline of the FINRA Arbitration Process For Customer-Broker Disputes - Smiley Bishop & Porter LLP," April 20, 2011, accessed May 2, 2017, http://www.sbpllplaw.com/2011/04/an-outline-of-the-finra-arbitration-process-for-customer-broker-disputes/.
[151] Michael Feldberg, “U.S. Insider Trading Enforcement Goes Global,” Allen & Overy LLP, May 2, 2013.
[152] For an analysis of FINRA’s annual letter see, "FINRA 2014 exams: Variable annuities," PwC Financial Services Regulatory Practice, January, 2015, accessed May 2, 2017, http://www.pwc.com/en_US/us/financial-services/regulatory-services/publications/assets/finra-exams-variable-annuities.pdf; Azam Ahmed, “Amid Insider Trading Inquiry, Tiger Asia Calls It Quits,” New York Times, August 14, 2012, accessed May 1, 2017, https://dealbook.nytimes.com/2012/08/14/amid-insider-trading-inquiry-tiger-asia-calls-it-quits/?_r=0.
[153] SEC Press Release 2012-264, Hedge Fund Manager to Pay $44 Million for Illegal Trading in Chinese Bank Stocks, December 12, 2012, accessed May 1, 2017, https://www.sec.gov/news/press-release/2012-2012-264htm.
[154] Ibid., 8
[155] See for instance, “Technology FINRA,” finra.org, accessed May 1, 2017, https://www.finra.org/about/technology; “Central Registration Depository (WebCRD),” finra.org, accessed May 2, 2017, http://www.finra.org/industry/compliance/registration/crd/.


Greenpeace

Actors
- Private: Members and volunteers
- Public: (none listed)

Actions
- Research and lobbying on cases of environmental destruction

Authority
- Reputational
- Consultative status with UN Economic and Social Council

Structure
- 26 regional offices report to the headquarters office of Greenpeace International in Amsterdam
- Regional offices deal with issues at a local level, while the headquarters take on issues that have broader global implications[156]

Norms
- Responsibility, nonviolence, independence and neutrality, as listed in Greenpeace’s core values[157]

Attribution
- Operates a “fleet” consisting of four ships, hot air balloons, inflatables, and remote sensing tactics to surveil the areas they are inspecting
- Inspections are carried out by their volunteers and employees[158]

Budget and Funding Source(s)
- $349.8 million (2015), collected from donations of 2.9 million members[159]

Best Practices
- Independence from public sector
- Strong reputational authority

[156] "Greenpeace structure and organization." Greenpeace International. 2017. Accessed April 30, 2017. http://www.greenpeace.org/international/en/about/how-is-greenpeace-structured/.
[157] "Our core values." Greenpeace International, accessed April 30, 2017. http://www.greenpeace.org/international/en/about/our-core-values/.
[158] "Our Inflatables." Greenpeace International, accessed April 30, 2017. http://www.greenpeace.org/international/en/about/ships/our-inflatables/.
[159] Greenpeace International Annual Report 2015. Report. 2015, accessed April 30, 2017, http://www.greenpeace.org/international/Global/international/publications/greenpeace/2016/2015-Annual-Report-Web.pdf.


International Atomic Energy Agency (IAEA)

Actors
- Private: Atomic energy experts and employees
- Public: 168 member states

Actions
- Set nuclear safety standards
- Help member states meet safety standards
- Verify compliance with international safeguards[160]
- Comply with Safeguards/Additional Protocol
- Declare all nuclear facilities and materials, aid other member states[161]

Authority
- UN
- Individual member states report to the Board of Governors, General Conference

Structure
- The Secretariat consists of five offices and six departments staffed by experts from the private sector
- Board of Governors consisting of representatives from 22 member states; each state must be elected by the General Conference
- The General Conference contains delegates of all 168 member states that meet once a year to approve actions and budgets
- National energy agencies, such as the US Nuclear Regulatory Commission and the Department of Energy, work alongside IAEA offices and departments[162]

Norms
- Based around the policy of nuclear non-proliferation
- Each state is bound to the Safeguards/Additional Protocol

Attribution
- Attribute safety violations through materials and facilities inspections[163]
- States can attribute domestic problems by conducting self-evaluation and peer-review inspections before official IAEA inspections

Budget and Funding Source(s)
- $391.5 million (2016)[164]
- Funded by member states and other donations
- Each member state has its own energy budget

Best Practices
- Political neutrality
- Collaboration within the private sector
- Different branches of the organization serve as a form of checks and balances
- Emphasis on cooperation between government agencies
- Provide a framework for self-assessment
- Have formal agreements, such as the founding statute and Safeguard, that act as the basis for IAEA operation

[160] "International Atomic Energy Agency (IAEA) IAEA Home," iaea.org, accessed April 30, 2017, https://www.iaea.org/OurWork/.
[161] "IAEA Safeguards Overview," iaea.org, accessed April 30, 2017, https://www.iaea.org/publications/factsheets/iaea-safeguards-overview.
[162] "Member States' Competent Authorities," iaea.org, accessed April 30, 2017, http://www-ns.iaea.org/tech-areas/emergency/member-states-competent-authorities.asp?s=1.
[163] “IAEA Safety Standards,” iaea.org, accessed April 30, 2017, http://www-ns.iaea.org/standards/.
[164] “The Agency’s Programme and Budget 2016–2017,” Rep. N.p.: IAEA, 2015., accessed April 30, 2017, https://www.iaea.org/About/Policy/GC/GC59/GC59Documents/English/gc59-2_en.pdf.


International Civil Aviation Organization (ICAO)

Actors
- Private: Airlines, tourism offices, and airplane manufacturers[165]
- Public: 191 UN member states

Actions
- Collaborate with UN agencies to further civil aviation’s progress and strategize non-state actor involvement with the ICAO[166]
- Offer consultation services to ICAO when requested, usually regarding the adoption of new standards and practices[167]
- Uses consensus on Standards and Recommended Practices (SARPs) made by Member States to conduct safety and security audits[168]

Authority
- Reputational
- UN
- Chicago Convention on International Civil Aviation

Structure
- Member states sit on an Assembly to vote on all SARPs
- Member states elect a council of 36 states that provide overall direction of organization and elects a president

Norms
- ICAO SARPs
- Chicago Convention on International Civil Aviation
- Chicago Convention on International Civil Aviation

Attribution
- No attributive properties; shares reviews with ICAO[169]
- Publicly shares safety audit results, naming breaching parties
- Security audits remain internal, and no attribution for security breaches are publicly named[170]

Budget and Funding Source(s)
- $221.12 million (for 2017-2019)
- Funded by member states and private industry[171]

Best Practices
- Collaboration with the public sector
- Utilization of private sector expertise
- Keeps updated norms to meet technological advancements[172]
- Incorporation of private industries and their specialties

[165] "About." “Join Our Project-Based Initiatives,” icao.int, accessed April 30, 2017, http://www.icao.int/about-icao/partnerships/Pages/default.aspx.
[166] Ibid., 36
[167] "Making an ICAO Standard," icao.int, accessed April 30, 2017, http://www.icao.int/safety/airnavigation/Pages/standard.aspx#4.
[168] “About ICAO,” icao.int, accessed April 30, 2017, http://www.icao.int/about-icao/Pages/default.aspx.
[169] "ICAO: Frequently Asked Questions," icao.org, accessed April 30, 2017, http://www.icao.int/about-icao/FAQ/Pages/icao-frequently-asked-questions-faq-2.aspx.
[170] Ibid., 40
[171] "Budget of the Organization 2017-2018-2019," icao.int, accessed April 29, 2017, http://www.icao.int/publications/Documents/10074_en.pdf.
[172] "ICAO's Response to Global Challenges," Act Global, 2009, accessed April 29, 2017, http://www.icao.int/Newsroom/News%20Doc/copenhaguen-complete134ec9.pdf.


International Labor Organization (ILO)

Actors
- Private: (none listed)
- Public: 187 member states

Actions
- Represents employment and workers, registers complaints, sets global labor standards,[173] and investigates violations of workers’ rights[174]

Authority
- UN Charter
- ILO Conventions

Structure
- ILO functions as a “Parliament of Labor,” where a Governing Body oversees the International Labor Conference, where government, employer, and worker delegates from each country debate policy

Norms
- Routine monitoring, free and open debate,[175] declaration of fundamental principles,[176] equal geographic representation, and a tripartite government structure

Attribution
- Release findings after a process of evidence collection, standardization, assessment of legal burden, and a review process[177]

Budget and Funding Source(s)
- $225.7 million (2015)
- Funded by contributions from member states and donations[178]

Best Practices
- An efficient system to launch complaints and establish transparency reports

[173] “Mission and Impact of the ILO,” ilo.org, accessed May 3, 2017. http://ilo.org/global/about-the-ilo/mission-and-objectives/lang--en/index.htm.
[174] “Government’s Recent Labour Interventions Highly Unusual, Experts Say,” CBC News, accessed May 3, 2017. http://www.cbc.ca/news/canada/government-s-recent-labour-interventions-highly-unusual-experts-say-1.977658.
[175] “International Labour Conference,” ilo.org, accessed May 3, 2017, http://ilo.org/global/about-the-ilo/how-the-ilo-works/international-labour-conference/lang--en/index.htm.
[176] “ILO Declaration on Fundamental Principles and Rights at Work (DECLARATION),” accessed May 3, 2017, http://www.ilo.org/declaration/lang--en/index.htm.
[177] On how the ILO acts as a vehicle to investigate noncompliance see: Berik, Günseli and Yana Van der Meulen Rodgers, "Options for enforcing labour standards: Lessons from Bangladesh and Cambodia," Journal of International Development 22 (2008): 56-85, accessed April 30, 2017, www.interscience.wiley.com.
[178] “Programme and Budget,” ilo.org, accessed May 3, 2017, http://embargo.ilo.org/global/about-the-ilo/how-the-ilo-works/programme-and-budget/lang--en/index.htm.

NATO Cooperative Cyber Defense Center of Excellence (CCDCOE)

Actors

Private - Companies in the defense industry, such as Siemens, Threod Systems, CyberTest Systems, and more

Public - NATO member states and cooperating non-member states

Actions - Promote cooperative cyber defense, establish cyberspace norms, and confidence-building measures179

Authority - NATO

Structure - International steering committee consisting of center’s sponsoring nations - The CCDCOE is not part of NATO’s military command or force structure, and is made up of military, government, and defense industry professionals

- Center consists of researchers, analysts, trainers, educators180

Norms - Tallinn Manual181

Attribution - Attributes cyberattacks in published articles, but is mostly focused on building cyber infrastructure, and cyber defense capabilities182,183

Budget and Funding Source(s) - Funded by NATO and Non-NATO members

Best Practices - Multinational information sharing

- Promoting collective cyber defense

- Accumulating, creating, and disseminating international cyber expertise

179 NATO, “About Cyber Defence Centre | CCDCOE,” NATO Cooperative Cyber Defence Centre of Excellence, accessed April 30, 2017, https://ccdcoe.org/about-us.html.

180 “Structure | CCDCOE,” accessed May 4, 2017, https://ccdcoe.org/structure-0.html.

181 “Tallinn Manual Process | CCDCOE,” accessed May 4, 2017, https://ccdcoe.org/tallinn-manual.html.

182 Jeffrey Carr, “Responsible Attribution: A Prerequisite For Accountability,” NATO CCDCOE, The Tallinn Papers, no. 6 (2014): 1–8.

183 Jason Rivera and Forrest Hare, “The Deployment of Attribution Agnostic Cyberdefense Constructs and Internally Based Cyberthreat Countermeasures,” CCDCOE, 6th International Conference on Cyber Conflict, 2014, 100–116.

Organization for the Prohibition of Chemical Weapons (OPCW)

Actors

Private - Independent scientists and NGOs

Public - 192 member countries

Actions - Oversee outreach and training programs with chemical industry

- Collaborates to review processes of verification and chemical weapons disarmament

- Carries out verification measures, facilitates chemical weapons inspections, and negotiates agreements with state parties184

Authority - Reputational - UN

Structure - Independent scientists sit on the Scientific Advisory Board - INGOs like the International Union of Pure and Applied Chemistry provide a consultative and outreach role

- Private companies can sign a Memorandum of Understanding with the OPCW to solidify cooperation185

- Led by a Director-General - Equitable geographic distribution in decision-making bodies

Norms - OPCW and International Union of Pure and Applied Chemistry code of ethical principles of chemistry186

- 1997 Convention on Chemical Weapons

Attribution - No public attributive properties; private actors do not release information about ongoing investigations

- No public attributive properties; do not release information about ongoing investigations

Budget and Funding Source(s) - $95 Million (2012) - Funded by member states, whose contribution is calculated based on the UN scale of assessment187

Best Practices - Involves chemical industry in outreach training programs and norms building

- Scientists actively participate in advising and facilitating disarmament on a rotational and elected basis

- Equitable geographic distribution among all bodies of the organization

- On-the-ground inspections and fact-finding missions give the OPCW a tangible presence in member countries

- Broad international treaty gives the organization a clear legal mandate and set of duties

184 “OPCW Mission Statement,” Organization for the Prohibition of Chemical Weapons, n.d., accessed April 30, 2017, https://www.opcw.org/about-opcw/mission/.

185 “IUPAC and the Organization for the Prohibition of Chemical Weapons Take Partnership to New Level | International Union of Pure and Applied Chemistry,” IUPAC, International Union of Pure and Applied Chemistry, December 1, 2016, accessed April 30, 2017, https://iupac.org/iupac-opcw-take-partnership-new-level/.

186 “International Union of Pure & Applied Chemistry,” IUPAC, International Union of Pure and Applied Chemistry, accessed April 28, 2017, https://iupac.org/who-we-are/.

187 “Organization for the Prohibition of Chemical Weapons,” NTI: Building a Safer World, April 28, 2017, accessed April 30, 2017, http://www.nti.org/learn/treaties-and-regimes/organization-for-the-prohibition-of-chemical-weapons/.

United Nations Al-Qaida Sanctions Committee

Actors

Private - Monitoring Team comprised of independent researchers and experts

Public - UN member states

Actions - Assists committee and UN member states in identifying and gathering information on sanctioned individuals and monitors cases of state non-compliance with sanction operations188

- Imposes a travel ban, freezes assets, and imposes arms embargo sanctions onto individuals or entities believed to be in connection to ISIL or Al-Qaida189

Authority - UN - UN

Structure - Independent branch of the Sanctions Committee - Decision-making done through member state consensus - All members of the UNSC are represented190

Norms - United Nations Security Council (UNSC) Resolution 1267 - UNSC Resolution 1267

Attribution - Presents findings to UNSC/UN Sanctions Committee - Publicly discloses the sanctions list

Budget and Funding Source(s) - Part of Committee budget - $39.6 million (2015) for all Sanctions Committees - Funded by contributions from UN member states191

Best Practices - Cooperate directly with member states in implementation and information-gathering

- Conducts independent assessments and ensures compliance and state accountability192

- Ombudsperson helps with legal credibility and internal accountability193

- High level of cooperation with multiple UN and non-UN organizations demonstrates reputational authority and serves as an example of efficacy across sectors and borders

188 “Resolution 2253 (2015)” United Nations Security Council, December 17, 2015, accessed April 29, 2017, http://www.un.org/en/ga/search/view_doc.asp?symbol=S/RES/2253(2015).

189 “Guidelines of the Committee for the Conduct of Its Work” United Nations Security Council, December 23, 2016, accessed April 25, 2017, https://www.un.org/sc/suborg/sites/www.un.org.sc.suborg/files/guidelines_of_the_committee_for_the_conduct_of_its_work.pdf.

190 Ibid., 55

191 “General Assembly, on Fifth Committee’s Recommendation, Adopts Raft of Texts on 2014-2015 Biennium Budget Appropriations, Common System, Peacekeeping,” United Nations, accessed April 27, 2017, https://www.un.org/press/en/2014/ga11608.doc.htm.

192 “Work and Mandate,” United Nations Security Council Subsidiary Organs, accessed April 29, 2017, https://www.un.org/sc/suborg/en/sanctions/1267/monitoring-team/work-and-mandate.

193 “Procedure,” Office of the Ombudsperson of the Security Council’s 1267 Committee, accessed April 29, 2017, https://www.un.org/sc/suborg/en/ombudsperson/procedure.

United Nations Sanctions Committee on North Korea

Actors

Private - Panel of Experts composed of professionals from nuclear, weapon of mass destruction, import/export controls, and financial industries194

Public - UN member states

Actions - Helps the Sanctions Committee gather evidence, analyze information, and assess the implementation of sanctions

- Advises Sanctions Committee as they decide how to utilize sanctions195

- Imposes constraints on diplomats, inspects suspicious cargo, and expands a blacklist of items North Korea is prohibited from importing196

Authority - UN, US law - Reputational

- UN

Structure - Panel acts under the direction of the Sanctions Committee - Panelists are appointed by UN Secretary General197

- Centralized bureaucracy with decision-making done through member state consensus198

- All members of the UNSC are represented

Norms - Purely informational, advisory role with no decision-making capacities199

- A system of routine monitoring, narrow mandate, impromptu meetings, a declaration of fundamental principles,200 and geographic representation201 govern UNSC Resolutions relating to North Korea

Attribution - Publicly publish reports on findings on an annual basis202 - Sanctions list is public, naming specific industries

Budget and Funding Source(s) - Funded by UN Sanctions Committee, UN member states - Part of the UN budget for the Security Council and Sanctions Committees203

- Funded by contributions from UN member states

Best Practices - Integration of private sector experts into the decisions of a large, inter-governmental body

- Useful model for many countries that agree upon attribution to coordinate and assess fault and compliance

194 “Work and Mandate.” Security Council Committee Established Pursuant to Resolution 1718 (2006), n.d. https://www.un.org/sc/suborg/en/sanctions/1718/panel_experts/work_mandate.

195 Ibid.

196 “United Nations Resolution 1718,” globalpolicy.org, accessed May 3, 2017, https://www.globalpolicy.org/images/pdfs/1014reso1718.pdf.

197 Ibid.

198 “Functions and Powers of the United Nations Security Council,” un.org, accessed May 3, 2017, http://www.un.org/en/sc/about/functions.shtml.

199 Mary Beth Nikitin, Mark E. Manyin, Emma Chanlett-Avery, and Dick K. Nanto. “North Korea’s Second Nuclear Test: Implications of U.N. Security Council Resolution 1874.” Congressional Research Service, April 15, 2010. https://fas.org/sgp/crs/nuke/R40684.pdf.

200 “Chapter I | United Nations,” un.org, accessed May 3, 2017, http://www.un.org/en/sections/un-charter/chapter-i/index.html.

201 “Members of the United Nations Security Council,” un.org, accessed May 3, 2017, http://www.un.org/en/sc/members/.

202 “Reports,” n.d. https://www.un.org/sc/suborg/en/sanctions/1718/panel_experts/reports.

203 Susan Kurtas, “Research Guides: UN Documentation: Security Council: Introduction,” Research.un.org, accessed May 3, 2017. http://research.un.org/en/docs/sc/introduction.

World Trade Organization (WTO) GATT Article XX

Actors

Private - Environmental activists

Public - WTO member states

Actions - Aim to broaden the scope of Article XX204 - Promote free trade while protecting and respecting the environment205

Authority - Reputational - WTO

Structure - Disputes are mediated through the panel process206 - WTO governance is centralized and bureaucratic, with a General Council and committees regulating different aspects of trade

Norms - Promote environmentally sustainable economic practices - GATT Article XX

Attribution - Member states can attribute violations to other states207

Budget and Funding Source(s) - $198 million (2016)208 - Funding is provided by contributing Member State trust funds and WTO publications209

Best Practices - Cooperate directly with member states in implementation and information-gathering

- Conducts independent assessments to ensure compliance and state accountability210

- Dispute settlement structure

204 Thomas H. Oatley, “Debates in International Political Economy,” (Boston: Longman, 2012.) Print.

205 "WTO Trade and Environment," WTO.org, accessed April 30, 2017, https://www.wto.org/english/tratop_e/envir_e/envt_rules_exceptions_e.htm.

206 "WTO Understanding the WTO - A unique contribution," WTO.org, accessed April 30, 2017, https://www.wto.org/english/thewto_e/whatis_e/tif_e/disp1_e.htm.

207 Ibid., 69

208 "Annual Report 2016 - Secretariat and Budget," WTO Secretariat, 2016, accessed April 29, 2017. https://www.wto.org/english/res_e/booksp_e/anrep_e/anrep16_chap9_e.pdf.

209 "WTO Budget for the year 2015," WTO.org, accessed April 29, 2017, https://www.wto.org/english/thewto_e/secre_e/budget_e.htm.

210 “Work and Mandate,” United Nations Security Council Subsidiary Organs, accessed April 29, 2017, https://www.un.org/sc/suborg/en/sanctions/1267/monitoring-team/work-and-mandate.

Appendix 2: Investigative Processes

Each of these investigative processes was formulated and governed in an ad-hoc manner, borrowing authority and structure from a variety of different sources. We have identified both private and public stakeholders involved with each investigative process and analyzed each process’s objectives, governance, attributive powers, and budget before compiling a set of best practices from each party.

We examined the following nine investigative processes:

• Cheonan Joint Investigation Group

• Democratic National Committee Email Leak Investigation

• Google’s Operation Aurora

• Intermediate-Range Nuclear Force Treaty Investigative Process

• Malaysia Airlines Flight 17 (MH17) Crash Investigation

• Mandiant’s APT1

• Mumbai Terrorist Attack Investigation

• Sony Pictures Hack Investigation

• Stuxnet Investigation

Cheonan Joint Investigation Group (JIG)

Actors

Private - Media, academia, independent researchers211

Public - South Korean Government, technical and forensic experts in the Joint Investigation Group212

Actions - Test and verify the JIG’s report - Determine the cause of Cheonan’s sinking and deescalate tensions with North Korea213

Authority - Credibility of individual organizations - Experts’ credentials, government

Structure - The joint civilian-military team consists of 25 experts from ten domestic professional institutes, 22 military experts, three lawmakers and 24 foreign experts from the US, Australia, the United Kingdom, and Sweden

- The JIG was divided into four departments: forensic science, explosive pattern analysis, hull structure, and data analysis214

- State-integrated, non-bureaucratic

Norms - Peer-review, high-degree of transparency

Attribution - Evidence analysis and attribution judgment215 - Published an attribution report detailing evidence collection, evidence standard and analysis, and made final judgement in report216

Budget and Funding Source(s) - Funded by South Korean government

Best Practices - Decentralized peer-review - Accessibility, low-barrier to entry

- Objective reading of evidence, default to neutrality - Quick investigation - Body composed of forensic and technical experts

211 See for instance, "How Did N. Korea Sink The Cheonan?" Chosun Ilbo, May 21, 2010, accessed May 1, 2017, http://english.chosun.com/site/data/html_dir/2010/05/21/2010052100698.html; Yoichi Shimatsu, "Did an American Mine Sink South Korean Ship?" New America Media, May 27, 2010, accessed May 1, 2017, http://newamericamedia.org/2010/05/did-an-american-mine-sink-the-south-korean-ship.php; “Russian Navy Expert Team's analysis on the Cheonan incident," The Hankyoreh, July 27, 2010, accessed May 1, 2017, http://english.hani.co.kr/arti/english_edition/e_northkorea/432230.html; Kim Myong Chol, "Pyongyang sees US role in Cheonan sinking," Asia Times Online, May 5, 2010, accessed April 29, 2017, http://www.atimes.com/atimes/Korea/LE05Dg01.html.

212 "Investigation Result on the Sinking of ROKS Cheonan – report statement," Ministry of National Defense R.O.K., May 20, 2010. News item No 592., accessed May 1, 2017, http://www.mnd.go.kr/webmodule/htsboard/template/read/engbdread.jsp?typeID=16&boardid=88&seqno=871&c=TITLE&t=&pagenum=3&tableName=ENGBASIC&pc=undefined&dc=&wc=&lu=&vu=&iu=&du=&st=.

213 Peter Foster and Malcolm Moore, “North Korea threatens 'all-out war' over warship sinking report,” The Telegraph, May 20, 2010, accessed May 1, 2017, http://www.telegraph.co.uk/news/worldnews/asia/northkorea/7745370/North-Korea-threatens-all-out-war-over-warship-sinking-report.html.

214 “Results Confirm North Korea Sank Cheonan," Daily NK, May 20, 2010, accessed May 1, 2017 http://www.dailynk.com/english/read.php?cataId=nk00100&num=6392.

215 "Cheonan sinking: top ten conspiracy theories," The Daily Telegraph, June 4, 2010, accessed May 1, 2017, http://blogs.telegraph.co.uk/news/peterfoster/100042229/cheonan-sinking-top-ten-conspiracy-theories/.

216 Editorial, “The Sinking of the Cheonan,” New York Times, May 20, 2010, accessed May 1, 2017, http://www.nytimes.com/2010/05/21/opinion/21fri2.html.

Democratic National Committee (DNC) Email Leak Investigation

Actors

Private - DNC, Crowdstrike, FireEye

Public - FBI, Central Intelligence Agency (CIA), Department of Homeland Security (DHS), Director of National Intelligence

Actions - DNC tasked Crowdstrike to investigate and attribute spear phishing and data theft of their campaign217

- FireEye had an ongoing investigation since 2007 218 and conducted separate attribution investigation

- FBI initially notified DNC of sophisticated spear phishing219 and agencies investigated for attribution

Authority - Credibility of Crowdstrike as independent organization and FireEye as one of the top four cybersecurity firms220

- US law

Structure - Ad-hoc individual non-coordinated investigation - Ad-hoc non-integrated investigations except FBI & Dept. Homeland Security

Norms - Crowdstrike: no peer review, low-degree of transparency - FireEye: no peer review, medium-degree of transparency

Attribution - Crowdstrike did not publish a report of their findings, instead they informed the public of Russian attribution through their website blog221

- FireEye released a report of their ongoing investigation of APT28 & 29 222

- FBI & DHS published a report of attribution223 Director of National Intelligence also produced a report of attribution224

- All reports separately attributed Russian involvement in the DNC hacks

Budget and Funding Source(s) - Provided by DNC - Unknown

Best Practices - Information sharing

- Expert Analysis - Report Release - Shorter (than public) investigation time

- Public release of report - Cross-verification mechanisms

217 Eric Lipton, David E. Sanger, and Scott Shane, “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.,” The New York Times, December 13, 2016, accessed April 25, 2017, https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0.

218 FireEye, “APT28: A Window Into Russia’s Cyber Espionage Operations?,” Intelligence Report, (October 2014).

219 Ibid., 79

220 “10 Top Cybersecurity Companies,” accessed May 2, 2017, http://investingnews.com/daily/tech-investing/cybersecurity-investing/top-cyber-security-companies/.

221 Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” CROWDSTRIKE BLOG, June 15, 2016, accessed April 29, 2017, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.

222 FireEye, “APT28: At the Center of the Storm, Russia Strategically Evolves Its Cyber Operations,” Intelligence Report, (January 2017).

223 Federal Bureau of Investigation and U.S. Department of Homeland Security, “GRIZZLY STEPPE Russian Malicious Cyber Activity,” Joint Analysis U.S. Government Report, (December 29, 2016).

224 Office of the Director of National Intelligence, “Background to ‘Assessing Russian Activities and Intentions in Recent US Elections’: The Analytic Process and Cyber Incident Attribution,” U.S. Government, National Intelligence Council, (January 6, 2017).

Google’s Operation Aurora

Actors

Private - Google, other tech firms, private security firms, the media225

Public - US intelligence agencies226

Actions - Investigated attack on Google and the theft of IP and attribution227

- Assisted Google as they investigated attacks

Authority - Reputational - Legal authority within the US and overseas to collect and share data228

Structure - Independent, non-bureaucratic, state-integrated - Bureaucratic, with limited collaboration with industry229

Norms - Broke with norms by violating US Computer Fraud and Abuse Act’s criminal provisions230

- Confidential information, lack of transparency, governed by the National Security Act of 1947, interagency cooperation

Attribution - Collected evidence and released findings231 - Played a role in evidence collection and did not attribute explicitly but condemned China explicitly232

Budget and Funding Source(s) - Funded by for-profit tech companies - $49 billion (2013)233 - Funded by the US government

Best Practices - Public disclosure - Public-private collaboration and information sharing

- Collaboration with tech industry in evidence collection234

225 Kenneth Corbin, “'Aurora' Cyber Attackers Were Really Running Counter-Intelligence,” CIO.com, April 22, 2013, accessed April 29, 2017, http://www.cio.com/article/2386547/government/-aurora--cyber-attackers-were-really-running-counter-intelligence.html; Michael Joseph Gross, “Enter the Cyber-Dragon,” VANITY FAIR, September, 2011, at 222, accessed April 29, 2017, http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109.

226 Shane Harris, “Google’s Secret NSA Alliance: The terrifying deals between Silicon Valley and the Security State,” Salon, November 16, 2014, accessed April 29, 2017, http://www.salon.com/2014/11/16/googles_secret_nsa_alliance_the_terrifying_deals_between_silicon_valley_and_the_security_state.

227 Kim Zetter, “‘Google’ Hackers Had Ability to Alter Source Code,” Wired, March 3, 2010, accessed April 27, 2017, https://www.wired.com/2010/03/source-code-hacks.

228 “Best Practices for Victim Response and Reporting of Cyber Incidents,” Cybersecurity Unit, Computer Crime & Intellectual Property Section, U.S. Department of Justice, April 29, 2015, accessed April 27, 2017, https://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf.

229 Ibid., 64

230 Shane Huang, "Proposing a Self-Help Privilege for Victims of Cyber Attacks." George Washington Law Review 82 (2014): 1229-858.; 18 U.S.C. § 1030(a)(2) (2012).

231 David Drummond, “A New Approach to China,” Google Official Blog, January 12, 2010, accessed April 25, 2017, http://googleblog.blogspot.com/2010/01/new-approach-to-china.html.

232 Hillary Rodham Clinton, U.S. Sec of State, Statement on Google Operations in China, January 12, 2010, accessed April 29, 2017, https://2009-2017.state.gov/secretary/20092013clinton/rm/2010/01/135105.htm.

233 "DNI Releases Budget Figure for 2013 National Intelligence Program," Office of the Director of National Intelligence, October 30, 2013, accessed May 2, 2017, http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/957-dni-releases-budget-figure-for-2013-national-intelligence-program.

234 John Markoff, “Hackers Said to Breach Google Password System,” New York Times, April 20, 2010, at A1., accessed April 29, 2017, http://www.nytimes.com/2010/04/20/technology/20google.html.

Intermediate-Range Nuclear Force (INF) Treaty Investigative Process

Actors

Private

Public - US Bureau of Arms Control, Verification and Compliance (AVC) - US and Russian governments, inter-governmental organizations that verify adherence to INF Treaty

Actions - Conduct on-site inspections and verifications,235 inter-state information exchange,236 reconnaissance and data analyses237

Authority - US Department of State

Structure - Centralized bureaucracy, government-to-government discussions and negotiations

Norms - INF Treaty provisioned protocols238

Attribution - Both nations have attributed treaty violations to the other nation239

Budget and Funding Source(s) - $32 million (2017) for compliance240 - Funded by the US Department of State

Best Practices - Information exchange between nations

- Process builds confidence between nations - Strong definitions section in the INF Treaty - Useful dispute resolution mechanism

235 Amy F. Woolf, Monitoring and Verification in Arms Control, Congressional Research Service, December 23, 2011, accessed May 2, 2017, https://fas.org/sgp/crs/nuke/R41201.pdf

236 Ibid.

237 Ibid.

238 U.S. Department of State, “Treaty Between the United States Of America And The Union Of Soviet Socialist Republics on The Elimination of Their Intermediate-Range and Shorter-Range Missiles (INF Treaty),” accessed May 1, 2017, https://www.state.gov/t/avc/trty/102360.htm

239 U.S. Department of State, “Adherence to and Compliance with Arms Control, Nonproliferation, and Disarmament Agreements and Commitments,” unclassified, July 2014, accessed May 1, 2017, https://www.state.gov/documents/organization/230108.pdf

240 Congressional Budget Justification, Appendix 1: Department of State Diplomatic Engagement, Fiscal year 2017, The Secretary of State, accessed May 2, 2017, https://www.state.gov/documents/organization/252732.pdf.

Malaysia Airlines Flight 17 (MH17) Crash Investigation

Actors

Private - Bellingcat, an online investigation hub, the media

Public - Dutch Safety Board (DSB) - Joint Investigation Team (JIT) member states (the Netherlands, Australia, Belgium, Malaysia, and Ukraine)

- Public Prosecution Service (Dutch Ministry of Justice)

Actions - Online intelligence gathering - Publishing of analyses241

- Wide spectrum crash investigation242 and information sharing

Authority - Reputational - Dutch Government, JIT member states, UN

Structure - Independent contributors,243 ad-hoc, community-driven approach

- Bureaucratic

Norms - Rules of transparency, verifiability of data - ICAO standards for evidence collection

Attribution - Released findings after evidence collection and a review process244

- Attribution judgement was released by Public Prosecution Service245

Budget and Funding Source(s) - Total budget unknown - Funded through public pledges,246 donations, and grants247

- 36 million Euro (2014)248 - Funded by the government of the Netherlands

Best Practices - Employment of information sharing mechanisms

- Engagement of independent international contributors and the pooling of multinational expertise

- Adherence to evidence collection methods and standards

- Inter-state collaboration and information exchange

- Release of preliminary and final reports

- Confidence building measures

241 “Bellingcat: The home of online investigations,” bellingcat.com, accessed May 1, 2017, https://www.bellingcat.com/?s=MH+17.

242 Dutch Safety Board, “Investigation crash MH17, 17 July 2014”, accessed May 1, 2017 https://www.onderzoeksraad.nl/en/onderzoek/2049/investigation-crash-mh17-17-july-2014.

243 Cameron Colquhoun, “A Brief History of Open Source Intelligence,” bellingcat.com, July 14, 2016, accessed May 2, 2017, https://www.bellingcat.com/resources/articles/2016/07/14/a-brief-history-of-open-source-intelligence/.

244 Ben Sullivan, “Bellingcat Wants Your Help to Debunk Fake News,” Vice Motherboard, March 7, 2017, accessed May 2, 2017, https://motherboard.vice.com/en_us/article/bellingcat-wants-your-help-to-debunk-fake-news.

245 Lizzie Dearden, “MH17 report: 298 victims remembered as Dutch Safety Board report reveals cause,” The Independent, October 13, 2015, accessed May 2, 2017, http://www.independent.co.uk/news/world/europe/mh17-report-names-of-the-298-victims-as-dutch-safety-board-reveals-cause-of-crash-a6691941.html.

246 “So how is Bellingcat funded?,” whathappenedtoflightmh17.com, March 25, 2016, http://www.whathappenedtoflightmh17.com/so-how-is-bellingcat-funded/.

247 Ibid., 111

248 Igrindstad, “OVER €36M SPENT ON MH17 INVESTIGATION SO FAR,” NL Times, November 21, 2014, accessed May 2, 2017, http://nltimes.nl/2014/11/21/eu36m-spent-mh17-investigation-far.

Mandiant’s APT1

Actors

Private - Mandiant, private security firms, the media, academia249

Public

Actions - Investigate global attacks, attribute to specific individuals, share actionable information to prevent future attacks250

Authority - One of the ‘Top Four’ cybersecurity firms, composed of elite staff251

Structure - Centralized investigation, peer-review from other security firms and the media

Norms - Full-disclosure, technical forensic norms, Information sharing, XML Schema252

Attribution - Final attribution made in a report, details evidence collection and analysis253

Budget and Funding Source(s) - Funded by private, for-profit firm

Best Practices - Public disclosure254 - Published analysis of evidence - Provided indicators:

- Domains used by the attacking infrastructure, SSL certs, MD5 hashes of APT1 malware, open source ‘indicators of compromise’255

249 Benjamin Wittes, “Mandiant Report on ‘APT1’,” Lawfare.org, February 20, 2013, accessed April 29, 2017, https://lawfareblog.com/mandiant-report-apt1.

250 William Wan and Ellen Nakashima, "Report ties cyberattacks on U.S. computers to Chinese military," Washington Post, January 19, 2013, accessed April 29, 2017, https://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html.

251 Pia Rivera, “Top Cybersecurity Companies,” INVESTING NEWS, March 28, 2017, accessed April 29, 2017, http://investingnews.com/daily/tech-investing/cybersecurity-investing/top-cyber-security-companies/; Brad Stone and Michael Riley, “Mandiant, the Go-To Security Firm for Cyber-Espionage Attacks,” Bloomberg, February 8, 2013, accessed April 28, 2017, https://www.bloomberg.com/news/articles/2013-02-07/mandiant-the-go-to-security-firm-for-cyber-espionage-attacks.

252 Wade Williamson, “Lessons from Mandiant’s APT1 Report,” SECURITYWEEK, February 29, 2013, accessed April 29, 2017, http://www.securityweek.com/lessons-mandiant%E2%80%99s-apt1-report.

253 Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units,” accessed April 29, 2017, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pd; David E. Sanger, David Barboza and Nicole Perlroth, "Chinese Army Unit Is Seen as Tied to Hacking Against U.S.," New York Times, February 29, 2013, accessed April 29, 2017, https://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html.

254 “APT1: Exposing One of China's Cyber Espionage Units” on YouTube, accessed April 29, 2017, https://www.youtube.com/watch?v=6p7FqSav6Ho.

255 Wade Williamson (2017) at 46.

Mumbai Terrorist Attack Investigation

Actors

Private

Public - Intelligence agencies of US, United Kingdom, Australia, and Pakistan

Actions - Conducted a criminal investigation, established cross-border intelligence sharing, and pressured Pakistan to become involved in the investigation256

Authority - Ad-hoc and subjected to the legal authority of countries involved

Structure - State integrated, non-bureaucratic

Norms - Not peer-reviewed, but followed standard analysis of forensic evidence, low-degree of transparency,257 geographic representation

Attribution - Released findings and specifically attributed attack to a terrorist group, and named individuals behind the planning258

Budget and Funding Source(s) - Unknown

Best Practices - Information and evidence sharing between multiple nations

- Transnational data collection

256 Sebastian Rotella, James Glanz and David E. Sanger, “In 2008 Mumbai Attacks, Piles of Spy Data, but an Uncompleted Puzzle,” ProPublica, December 21, 2014, accessed April 29, 2017, https://www.propublica.org/article/mumbai-attack-data-an-uncompleted-puzzle.

257 Sebastian Rotella, “Four Disturbing Questions About the Mumbai Terror” FRONTLINE PBS, February 22, 2013, accessed April 28, 2017, http://www.pbs.org/wgbh/frontline/article/four-disturbing-questions-about-the-mumbai-terror-attack/.

258 Ibid., 115

Sony Pictures Hack Investigation

Actors

Private - FireEye and Mandiant

Public - FBI

Actions - Investigated source of attack - Investigated source of attack

Authority - Reputational – rose to prominence after implicating Chinese cyberespionage in 2013

- US government

Structure - Five consulting offerings, “incident response and preparedness lifecycle”259

- Cyber division, 56 field offices with cyber teams, 93 computer crimes task forces

- Partnerships with Department of Defense, Homeland Security260

Norms - Policies set out by FBI - US law

Attribution - No direct attribution - FBI concluded that North Korea is responsible for the attack261

Budget and Funding Source(s) - $8.6 million (2016)262 - Funds raised primarily from venture investor

- Budget for this investigation unknown - Funded by Department of Justice263

Best Practices - Called on for most major cybersecurity attacks - Exemplifies collaboration and cooperation across departments

259 “Services,” FireEye, accessed May 1, 2017, https://www.fireeye.com/services.html.

260 “Cyber Crime,” Federal Bureau of Investigation, accessed May 1, 2017, https://www.fbi.gov/investigate/cyber.

261 “FBI Concludes North Korea Responsible for Sony Hack,” MSNBC, December 19, 2014, accessed April 29, 2017, http://www.msnbc.com/msnbc/fbi-concludes-north-korea-responsible-sony-hack.

262 “FireEye Reports Fourth Quarter and Fiscal Year 2016 Financial Results (None:FEYE),” investors.com, accessed May 1, 2017, http://investors.fireeye.com/releasedetail.cfm?ReleaseID=1010252.

263 “Federal Bureau of Investigation FY 2017 Budget Request at a Glance,” justice.gov, accessed April 29, 2017, https://www.justice.gov/jmd/file/822286/download.


Stuxnet Investigation

Actors
- Private: Symantec, VirusBlokAda, Kaspersky Labs, McAfee, other security firms, industry and geopolitical experts, the media
- Public: NSA, DHS, IAEA

Actions
- Private: Worked on discovery,264 information sharing,265 technical analyses,266 and geopolitical analyses267
- Public: NSA employees leaked classified information
- Public: IAEA verified Iran’s compliance with the non-proliferation treaty
- Public: Provided context to Stuxnet attribution judgements

Authority
- Private: Reputational
- Public: US government, IAEA

Structure
- Private: Ad-hoc268 with Symantec269 and Kaspersky Labs270 taking leadership roles
- Public: Nation-state support was not active or structured in the investigation
- Public: All parties were only direct or indirect information providers

Norms
- Private: Information technology community best practices, transparency
- Public: The Statute of IAEA, information confidentiality practices and non-disclosure laws271

Attribution
- Private: Final attributional judgements were drawn by media272 while the firms collected evidence, completed analyses
- Public: Confirmed already established attribution judgments273

Budget and Funding Source(s)
- Private: Budget unknown
- Private: Each party funded independently
- Public: Total amount is unknown
- Public: Not clear whether NSA/DHS employees were compensated

Best Practices
- Information sharing mechanisms
- Confidence building
- Pooling of multinational expertise
- Evidence collection methods
- Information retrieval methods from state entities

264 VirusBlokAda, “Modules of current malware were first time detected by ‘VirusBlokAda’ company specialists on the 17th of June 2010…”, accessed May 1, 2017, http://anti-virus.by/en/tempo.shtml.

265 Brian Krebs, “Experts Warn of New Windows Shortcut Flaw,” Krebs On Security, July 10, 2010, accessed May 1, 2017, http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/.

266 Nicolas Falliere, Liam O Murchu and Eric Chien, “W32.Stuxnet Dossier, version 1.4,” Symantec Security Response (February, 2011), accessed May 1, 2017, https://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices.

267 Stratfor, “The U.S.-Israeli Stuxnet Alliance,” Stratfor.com, January 17, 2011, accessed May 1, 2017, https://www.stratfor.com/analysis/us-israeli-stuxnet-alliance.

268 Kim Zetter, “How digital detectives deciphered Stuxnet, the most menacing malware in history,” WIRED, July 11, 2011, accessed May 1, 2017, https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/.

269 Ibid., 126

270 David Kushner, “The Real Story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program,” IEEE Spectrum, February 26, 2013, accessed May 1, 2017, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.

271 National Security Agency, “NSA/CSS Policy Manual 1-52,” May 23, 2014, accessed May 1, 2017, https://www.nsa.gov/news-features/declassified-documents/nsa-css-policies/assets/files/Policy_Manual_1-52.pdf.

272 William J. Broad, John Markoff and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011, accessed May 1, 2017, http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html.

273 Jason Koebler, “NSA Built Stuxnet, but Real Trick Is Building Crew of Hackers,” U.S. News, June 8, 2012, accessed May 1, 2017, https://www.usnews.com/news/articles/2012/06/08/nsa-built-stuxnet-but-real-trick-is-building-crew-of-hackers.


Appendix 3: Proposed Budget

The table below summarizes the expected costs of the proposed organization. We break down the costs into six different categories: the Expert Investigation Committee, the Expert Review Committee, the Communications Committee, the Budget Committee, Outreach and Member Relations, and Infrastructure and Operations. The Executive Council will not be paid as their work is minimal while the reputational benefits are high. The positions in the proposed organization are modelled after and chosen from previous investigative processes, large private corporations, and non-governmental organizations.

The Expert Investigation and Expert Review Committees will include both technical cybersecurity experts and geopolitical experts from academia and industry. These positions are modelled after major corporations such as Microsoft and Amazon who also have geopolitical experts working with or in technical cybersecurity teams to give context to the cyber environment. The Expert Review Committee members will support the proposed organization on a part-time consulting basis. The Communications Committee will include public relations associates to provide updates in attribution investigations and disseminate attribution reports to the public. This committee will also house the legal team. The Outreach and Member Relations Committee will be responsible for the biannual meetings. Finally, the proposed organization will include staff for Infrastructure and Operations.

The one-time costs include initial technology purchases and office purchases in all six regions of the proposed organization. The miscellaneous operating expenses include the maintenance and yearly costs of office space, supplies, and operations. The salaries and costs have been calculated based on industry averages and comparable salaries of the associated positions. The infrastructure costs have also been calculated at office space prices in the respective regions.


Table 2: Proposed Budget for Year 1 and Subsequent Years

Columns: Type of Costs; Position Name; Per position cost/year; Total cost/year

Expert Investigation Committee
- 4 Industry Cyber Leads; $500,000; $2,000,000
- 12 Industry Cyber Experts; $300,000; $3,600,000
- 6 Geopolitical Leads; $500,000; $3,000,000
- 12 Geopolitical Analysts; $280,000; $3,360,000

Expert Review Committee
- 8 Part-time Cybersecurity Consultants; $150,000; $1,200,000
- 8 Part-time Geopolitical Experts; $150,000; $1,200,000

Communications Committee
- 1 Public Relations Director; $500,000; $500,000
- 5 Public Relations Associates; $160,000; $800,000
- 1 General Counsel; $500,000; $500,000
- 3 Attorneys; $320,000; $960,000

Budget Committee
- 1 Finance Director; $360,000; $360,000
- 4 Financial Administrators; $120,000; $480,000

Outreach & Member Relations
- Biannual Member Meetings; $2,000,000; $4,000,000
- 18 Outreach Coordinators; $120,000; $2,160,000

Infrastructure & Operations
- 8 Administrative Positions; $160,000; $1,280,000
- 12 Server Administrators; $160,000; $1,920,000
- Miscellaneous Operating Expenses; total $1,000,000

One-time infrastructure cost: $10,560,000

First Year Projected Budget: $38,880,000

Subsequent Years Projected Budget: $28,320,000



“ListofParticipatingInternationalOrganizationsandIndustry.”AccessedMay2,2017.http://www.icao.int/Meetings/ICAN2015/Pages/List-of-Participating-Industry-and-International-Organizations.aspx.

MacAfeeReport,THEECONOMICIMPACTOFCYBERCRIMEANDCYBERESPIONAGE,CenterforStrategicandInternationalStudies,(July,2013).https://docs.google.com/viewer?docex=1&url=http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf.

“MakinganICAOStandard.”AccessedMay2,2017.http://www.icao.int/safety/airnavigation/Pages/standard.aspx#4.

Page 102: ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation. Based on our research,

92

“MandiantReporton‘APT1.’”Lawfare,February20,2013.https://lawfareblog.com/mandiant-report-apt1.

“Mandiant,theGo-ToSecurityFirmforCyber-EspionageAttacks-Bloomberg,”May2,2017.https://www.bloomberg.com/news/articles/2013-02-07/mandiant-the-go-to-security-firm-for-cyber-espionage-attacks.

“MembershipandFunctions.”OrganizationfortheProhibitionofChemicalWeapons,https://www.opcw.org/about-opcw/executive-council/membership-and-functions/.

“MemberStates’CompetentAuthorities.”AccessedMay3,2017.http://www-ns.iaea.org/tech-areas/emergency/member-states-competent-authorities.asp?s=1.

“MembersoftheUnitedNationsSecurityCouncil.”AccessedMay3,2017.http://www.un.org/en/sc/members/.

“Mission&Priorities.”Folder.FederalBureauofInvestigation.AccessedMay1,2017.https://www.fbi.gov/about/mission.

“MissionandImpactoftheILO.”AccessedMay3,2017.http://ilo.org/global/about-the-ilo/mission-and-objectives/lang--en/index.htm.

“MoneyLaunderingandtheFinancingofTerrorism.”EgmontGroup,n.d.https://www.egmontgroup.org/en/content/money-laundering-and-financing-terrorism.

“MoneyLaunderingandtheFinancingofTerrorism-TheEgmontGroup.”AccessedApril30,2017.https://egmontgroup.org/en/content/money-laundering-and-financing-terrorism.

Morris,Harvey.“NKoreaEscapesBlameoverShipSinking.”FinancialTimes,July9,2010.https://www.ft.com/content/4208c344-8b6e-11df-ab4d-00144feab49a.

“MostS.KoreansSkepticalAboutCheonanFindings,SurveyShows.”TheChosunIlbo(EnglishEdition),September8,2010.AccessedMay17,2017.http://english.chosun.com/site/data/html_dir/2010/09/08/2010090800979.html.

Nakashima,Ellen."StuxnetwasworkofU.S.andIsraeliexperts,officialssay,"TheWashingtonPost,June2,2012.AccessedMay23,2017.https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html.

“News|FinCEN.gov.”AccessedApril30,2017.https://www.fincen.gov/news-room/news.“NewsfromtheEFC:ThePast,ThePresent,TheFuture.”AccessedApril28,2017.

http://us11.campaign-archive1.com/?u=a39d608c8102dd5c712efbc48&id=d1ce5b24df.Nikitin,MaryBeth,MarkE.Manyin,EmmaChanlett-Avery,andDickK.Nanto.“NorthKorea’s

SecondNuclearTest:ImplicationsofU.N.SecurityCouncilResolution1874.”CongressionalResearchService,April15,2010.https://fas.org/sgp/crs/nuke/R40684.pdf.

“NorthKoreaThreatens‘All-outWar’overWarshipSinkingReport-Telegraph,”May2,2017.http://www.telegraph.co.uk/news/worldnews/asia/northkorea/7745370/North-Korea-threatens-all-out-war-over-warship-sinking-report.html.

Oatley,ThomasH.DebatesinInternationalPoliticalEconomy.Boston:Longman,2012.“ObserversandInternationalPartners-TheEgmontGroup.”AccessedApril3,2017.

https://egmontgroup.org/en/document-library/13.OfficeoftheDirectorofNationalIntelligence.“Backgroundto‘AssessingRussianActivitiesand

IntentionsinRecentUSElections’:TheAnalyticProcessandCyberIncidentAttribution.”U.S.Government.NationalIntelligenceCouncil,January6,2017.

Page 103: ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation. Based on our research,

93

“OHCHR|InternationalCovenantonCivilandPoliticalRights.”1966.AccessedMay18,2017.http://www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx.

“OneorMoreUnknownTradersintheSecuritiesofFortressInvestmentGroup,LLC(ReleaseNo.LR-23760;Feb.28,2017).”AccessedMay2,2017.https://www.sec.gov/litigation/complaints/2017/comp23760.pdf.

“OPCWCalendarofEvents.”OrganizationfortheProhibitionofChemicalWeapons.https://www.opcw.org/events-calendar/.

“OPCW.”OPCW.AccessedApril13,2017.https://opcw.unmissions.org/.“OPCWMissionStatement.”OrganizationfortheProhibitionofChemicalWeapons,n.d.

https://www.opcw.org/about-opcw/mission/.“OPCWPressReleaseonAllegationsofChemicalWeaponsUseinSouthernIdli,Syria.”

OrganizationfortheProhibitionofChemicalWeapons,April4,2017.“OpenNetInitiative,”accessedJune7,2017,https://opennet.net/.“OrganizationfortheProhibitionofChemicalWeapons.”NIT:BuildingaSaferWorld,April28,

2017.http://www.nti.org/learn/treaties-and-regimes/organization-for-the-prohibition-of-chemical-weapons/.

“OurCodeofEthics&BusinessConduct:LivingOurVision&Values.”WellsFargo.AccessedApril30,2017.https://www08.wellsfargomedia.com/assets/pdf/about/corporate/code-of-ethics.pdf.

“OurCoreValues|GreenpeaceInternational.”AccessedMay4,2017.http://www.greenpeace.org/international/en/about/our-core-values/.

“OurShips|GreenpeaceInternational.”AccessedMay4,2017.http://www.greenpeace.org/international/en/about/ships/.

Patel,Neil.“WhyaTransparentCultureIsGoodforBusiness.”FastCompany,October9,2014.https://www.fastcompany.com/3036794/why-a-transparent-culture-is-good-for-business.

Parket,Landelijik.“JIT:FlightMH17WasShotdownbyaBUKMissilefromaFarmlandnearPervomaiskyi.”OpenbaarMinisterie,September28,2016.https://www.om.nl/onderwerpen/mh17-crash/@96068/jit-flight-mh17-shot/.

Parket,Landelijk.“JointInvestigationTeam’sReactiontoOVVReport.”OpenbaarMinisterie,October13,2015.https://www.om.nl/onderwerpen/mh17-crash/@91208/joint-investigation-0/.

“Procedure.”OfficeoftheOmbudspersonoftheSecurityCouncil’s1267Committee,n.d.https://www.un.org/sc/suborg/en/ombudsperson/procedure.

“ProgrammeandBudget.”AccessedMay3,2017.http://embargo.ilo.org/global/about-the-ilo/how-the-ilo-works/programme-and-budget/lang--en/index.htm.

“ProposingaSelf-HelpPrivilegeforVictimsofCyberAttacks,”May2,2017.https://www.researchgate.net/publication/298414555_Proposing_a_Self-Help_Privilege_for_Victims_of_Cyber_Attacks.

“ProtectingandDefendingagainstCyberthreatsinUncertainTimes|USA2017|RSAConference.”AccessedMay23,2017.http://www.rsaconference.com/events/us17/agenda/sessions/7577-keynote-speaker-brad-smith-president-and-chief.

Page 104: ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation. Based on our research,

94

“PublicStatementsandCommuniques-TheEgmontGroup.”AccessedApril3,2017.https://www.egmontgroup.org/en/document-library/9.

“Q&AaboutSecureDroponTheWashingtonPost.”WashingtonPost,June5,2014.https://www.washingtonpost.com/pr/wp/2014/06/05/qa-about-securedrop-on-the-washington-post/.

“ReportTiesCyberattacksonU.S.ComputerstoChineseMilitary-TheWashingtonPost,”May2,2017.https://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html?utm_term=.5cd49327297e.

“Reports|UnitedNationsSecurityCouncilSubsidiaryOrgans.”AccessedMay24,2017.https://www.un.org/sc/suborg/en/sanctions/1718/panel_experts/reports.

Resolution1718(2006),S/RES/1718(2006)§(2006).https://www.globalpolicy.org/images/pdfs/1014reso1718.pdf.

“Resolution2253(2015).”UnitedNationsSecurityCouncil,December17,2015.http://www.un.org/en/ga/search/view_doc.asp?symbol=S/RES/2253(2015).

“ResultsConfirmNorthKoreaSankCheonan-DailyNK,”May2,2017.http://www.dailynk.com/english/read.php?cataId=nk00100&num=6392.

Rid,Thomas,andBenBuchanan.“AttributingCyberAttacks.”JournalofStrategicStudies38,no.1–2(January2,2015):4–37.doi:10.1080/01402390.2014.977382.

Rotella,Sebastian.“FourDisturbingQuestionsAbouttheMumbaiTerrorAttack|AmericanTerrorist|FRONTLINE|PBS,”February22,2013.http://www.pbs.org/wgbh/frontline/article/four-disturbing-questions-about-the-mumbai-terror-attack/.

Rotella,Sebastian,JamesGlanz,andDavidE.Sanger.“In2008MumbaiAttacks,PilesofSpyData,butanUncompletedPuzzle-ProPublica.”ProPublica,December21,2014.https://www.propublica.org/article/mumbai-attack-data-an-uncompleted-puzzle.

“RulesandProcedurefortheScientificAdvisoryBoardandTemporaryWorkingGroupsofScientificExperts”.OrganizationfortheProhibitionofChemicalWeapons.AccessedMay10,2017.https://www.opcw.org/about-opcw/subsidiary-bodies/scientific-advisory-board/rules-of-procedure/

“RussianNavyExpertTeam’sAnalysisontheCheonanIncident :NorthKorea :News :TheHankyoreh,”May2,2017.http://english.hani.co.kr/arti/english_edition/e_northkorea/432230.html.

“SanctionsListMaterials.”UnitedNationsSecurityCouncilSubsidiaryOrgans,n.d.https://www.un.org/sc/suborg/en/sanctions/1267/aq_sanctions_list.

Sanger,DavidE.,DavidBardoza,andNicolePerlroth.“China’sArmyIsSeenasTiedtoHackingAgainstU.S.”TheNewYorkTimes,February18,2013.http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html.

Schneier,Bruce.“AttackAttributionandCyberConflict.”SchneierOnSecurity.March9,2015.AccessedMay23,2017.https://www.schneier.com/blog/archives/2015/03/attack_attribut_1.html.

Schneier,Bruce.“ClickHeretoKillEveryonewiththeInternetofThings,we’rebuildingaworld-sizerobot.Howarewegoingtocontrolit?,”NewYorkMagazine,(January,2017)

Page 105: ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation. Based on our research,

95

http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html

Schwartz,Mattathias,“CyberwarForSale,”TheNewYorkTimesMagazine,January4,2017,accessedJune7,2017,https://www.nytimes.com/2017/01/04/magazine/cyberwar-for-sale.html.

“SECApprovesOneWatchdogforBrokersBigandSmall.”AccessedMay2,2017.http://www.washingtonpost.com/wp-dyn/content/article/2007/07/27/AR2007072700108_pf.html.

“SEC.gov|HedgeFundManagertoPay$44MillionforIllegalTradinginChineseBankStocks,”May2,2017.https://www.sec.gov/news/press-release/2012-2012-264htm.

“SecretariatandBudget.”AnnualReport.WTO,2016.https://www.wto.org/english/res_e/booksp_e/anrep_e/anrep16_chap9_e.pdf.

“Services.”FireEye.AccessedMay1,2017.https://www.fireeye.com/services.html.“SecurityCouncilCondemnsAttackonRepublicofKoreaNavalShip‘Cheonan’,StressesNeed

toPreventFurtherAttacks,OtherHostilitiesinRegion|MeetingsCoverageandPressReleases.”AccessedMay16,2017.https://www.un.org/press/en/2010/sc9975.doc.htm.

Shamsi,JawwadA.,SheraliZeadally,FarehaSheikh,andAngelynFlowers.“AttributioninCyberspace:TechniquesandLegalImplications.”SecurityandCommunicationNetworks9(n.d.):2886–2900.

Shukman,David.“OpenSesame:ScienceCenterUnveiledinJordan.”BBCNews,May16,2017,sec.Science&Environment.http://www.bbc.com/news/science-environment-39927836.

“SinkingReport.doc-20_05_10jigreport.pdf,”May2,2017.http://news.bbc.co.uk/nol/shared/bsp/hi/pdfs/20_05_10jigreport.pdf.

“SoHowIsBellingcatFunded?,”March25,2016.http://www.whathappenedtoflightmh17.com/so-how-is-bellingcat-funded/.

“SonyHiresMandiantafterCyberAttack,FBIStartsProbe.”Reuters,December1,2014.http://www.reuters.com/article/us-sony-cybersecurity-mandiant-idUSKCN0JE0YA20141201.

“SouthKoreaWarshipSinking:TheTop10ConspiracyTheories-Telegraph,”May2,2017.http://www.telegraph.co.uk/news/worldnews/asia/northkorea/7803376/South-Korea-warship-sinking-the-top-10-conspiracy-theories.html.

“SpeakersinSecurityCouncilCallforUnified,GlobalCounter-TerrorismEffort,FollowingBriefingsbyChairsofCommitteesSetUptoSpearheadFight,”UnitedNations,May

11,2010.http://www.un.org/press/en/2010/sc9923.doc.htm.“SpecialVerificationCommission(INFTreaty)Held30thSessionNovember15-16inGeneva »

USMissionGeneva.”AccessedApril10,2017.https://geneva.usmission.gov/2016/11/18/special-verification-commission-inf-treaty-held-30th-session-november-15-16-in-geneva/.

Soldatov,Andrei,andIrinaBorogan.“PutinBringsChina’sGreatFirewalltoRussiainCybersecurityPact.”TheGuardian,November29,2016.https://www.theguardian.com/world/2016/nov/29/putin-china-internet-great-firewall-russia-cybersecurity-pact.

Page 106: ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation. Based on our research,

96

“StatementofRevenueandExpenditureoftheEuropeanPoliceOfficefortheFinancialYear2017.”OfficeJournaloftheEuropeanUnion.

“StatementonGoogleOperationsinChina.”U.S.DepartmentofState,May2,2017.“StatementtotheBoard–NuclearVerificationinIran.”Text,March3,2008.

https://www.iaea.org/newscenter/multimedia/videos/statement-board-%E2%80%93-nuclear-verification-iran.

Stone,BradandMichaelRiley,“Mandiant,theGo-ToSecurityFirmforCyber-EspionageAttacks.”Bloomberg,February8,2013.AccessedApril28,2017.https://www.bloomberg.com/news/articles/2013-02-07/mandiant-the-go-tosecurity-firm-for-cyberespionage-attacks.

“Structure|CCDCOE.”AccessedMay4,2017.https://ccdcoe.org/structure-0.html.“StructureandOrganizationoftheEgmontGroupofFinancialIntelligenceUnits-TheEgmont

Group.”AccessedApril3,2017.https://www.egmontgroup.org/en/content/structure-and-organization-egmont-group-financial-intelligence-units.

“StructureandPeople.”AmnestyInternational.AccessedMay1,2017.https://www.amnesty.org/en/about-us/how-were-run/structure-and-people/.

“SuggestedBestPracticesforIndustryOutreachProgramstoStakeholders.”FederalEnergyRegulatoryCommission,July2015.https://www.ferc.gov/industries/gas/enviro/guidelines/stakeholder-brochure.pdf.

Sullivan,Ben.“BellingcatWantsYourHelptoDebunkFakeNews.”Motherboard,March7,2017.https://motherboard.vice.com/en_us/article/bellingcat-wants-your-help-to-debunk-fake-news.

“TallinnManualProcess|CCDCOE.”AccessedMay4,2017.https://ccdcoe.org/tallinn-manual.html.

“Technology|FINRA.org.”AccessedMay16,2017.https://www.finra.org/about/technology.“The2007EstonianCyberattacks:NewFrontiersinInternationalConflict.”OnCyberWay

HarvardLawSchoolBlog.AccessedMay17,2017.https://blogs.harvard.edu/cyberwar43z/2012/12/21/estonia-ddos-attackrussian-nationalism/.

“TheAgency’sProgrammeandBudget2016-2017.”IAEA,July2015.https://www.iaea.org/About/Policy/GC/GC59/GC59Documents/English/gc59-2_en.pdf.

“TheEgmontGroupStrategicPlan2014–2017,”May2015.https://egmontgroup.org/en/filedepot_download/1658/40.

“TheSinkingoftheCheonan-TheNewYorkTimes,”May2,2017.http://www.nytimes.com/2010/05/21/opinion/21fri2.html.

“TheStakesandChallengesofInternationalCivilAviation.”Montreal:ICAO,February17,2011.http://www.icao.int/Newsroom/Speeches/THE%20STAKES%20AND%20CHALLENGES%20OF%20INTERNATIONAL%20CIVIL%20AVIATION%20-%20Secretary%20General%20Raymond%20Benjamin.pdf.

“TheU.S.-IsraeliStuxnetAlliance.”Stratfor,January17,2017.https://www.stratfor.com/analysis/us-israeli-stuxnet-alliance.

“TigerAsiaManagement,LLC,etAl.(ReleaseNo.LR-22569;December13,2012),”May2,2017.https://www.sec.gov/litigation/litreleases/2012/lr22569.htm.

Page 107: ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation. Based on our research,

97

Timm,Trevor.“SecureDropUndergoesSecondSecurityAudit.”FreedomofthePressFoundation,January20,2014.https://freedom.press/news-advocacy/securedrop-undergoes-second-security-audit/.

“TreatyBetweentheUnitedStatesofAmericaAndTheUnionOfSovietSocialistRepublicsonTheEliminationofTheirIntermediate-RangeandShorter-RangeMissiles(INFTreaty).”U.S.DepartmentofState.AccessedMay1,2017.https://www.state.gov/t/avc/trty/102360.htm.

UAEGeneralCivilAviationAuthority.“GapsinGlobalEffectiveness.”http://www.icao.int/Meetings/AMC/SAR2010/Documents/21June2010-1030-Brian_Day-Gaps_in_Global_Effectiven.pdf.

“UpdateonSonyInvestigation.”PressRelease.FederalBureauofInvestigation.AccessedApril30,2017.https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.

“U.S.HackedintoIran’sCriticalCivilianInfrastructureforMassiveCyberattack,NewFilmClaims.”Buzzfeed,May16,2016.https://www.buzzfeed.com/jamesball/us-hacked-into-irans-critical-civilian-infrastructure-for-ma?utm_term=.nxgZMvM1z#.eclLmVmWX.

“VIENNADOCUMENT2011ONCONFIDENCE-ANDSECURITY-BUILDINGMEASURES.”OSCE.AccessedMay1,2017.http://www.osce.org/fsc/86597?download=true.

“VirusBlokAda.”VirusBlokAda.AccessedMay1,2017.http://anti-virus.by/en/tempo.shtml.Walters,Riley.“CyberAttacksonU.S.CompaniesSinceNovember2014.”TheHeritage

Foundation.November18,2015.AccessedMay23,2017.http://www.heritage.org/cybersecurity/report/cyber-attacks-us-companies-november-2014.

“WarintheFifthDomain.”TheEconomist,July1,2010.AccessedMay17,2017.http://www.economist.com/node/16478792.

Warren,Zach.“AreYouReadyfortheNewChinaCybersecurityLaw?”InsideCounsel,February28,2017.http://www.insidecounsel.com/2017/02/28/are-you-ready-for-the-new-china-cybersecurity-law?ref=footer-news.

Wheeler,DavidandGregoryLarsen.InstituteforDefenseAnalysis,TechniquesforCyberAttackAttributionES.October2003.http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859.

“WhoWeAre.”AmnestyInternational.AccessedApril29,2017.https://www.amnesty.org/en/who-we-are/.

“WhyAmericaShouldKeepSupportingtheIAEA|TheNationalInterestBlog.”AccessedMay4,2017.http://nationalinterest.org/blog/the-buzz/why-america-should-keep-supporting-the-iaea-20485.

“WilderSecurity.”WilderSecurityForums.AccessedMay1,2017.https://www.wilderssecurity.com/threads/son-of-stuxnet.310195/.

Williamson,Wade.“LessonsfromMandiant’sAPT1Report,”SECURITYWEEK,February29,2013.AccessedApril29,2017,http://www.securityweek.com/lessons-mandiant%E2%80%99s-apt1-report.

Wittes,Benjamin,“MandiantReporton‘APT1’,”Lawfare.org,February20,2013.AccessedApril29,2017,https://lawfareblog.com/mandiant-report-apt1.Woolf,AmyF.“MonitoringandVerificationinArmsControl.”CongressionalResearchService,

December23,2011.https://fas.org/sgp/crs/nuke/R41201.pdf.

Page 108: ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation, Sony Pictures Hack Investigation, and the Stuxnet Investigation. Based on our research,

98

“WorkandMandate.”SecurityCouncilCommitteeEstablishedPursuanttoResolution1718(2006),n.d.https://www.un.org/sc/suborg/en/sanctions/1718/panel_experts/work_mandate.

“WorkandMandate.”UnitedNationsSecurityCouncilSubsidiaryOrgans,n.d.https://www.un.org/sc/suborg/en/sanctions/1267/monitoring-team/work-and-mandate.

“WTO|BudgetfortheYear2013.”AccessedMay2,2017.https://www.wto.org/english/thewto_e/secre_e/budget_e.htm.

“WTO|TradeandEnvironment.”AccessedMay2,2017.https://www.wto.org/english/tratop_e/envir_e/envt_rules_exceptions_e.htm.

“WTO|UnderstandingtheWTO-AUniqueContribution.”AccessedMay2,2017.https://www.wto.org/english/thewto_e/whatis_e/tif_e/disp1_e.htm.

Zetter,Kim."BlockbusterWormAimedforInfrastructure,ButNoProofIran...."WIRED,September23,2010.AccessedMay23,2017,

https://www.wired.com/2010/09/stuxnet-2/.Zetter,Kim."CyberwarIssuesLikelytoBeAddressedOnlyAfteraCatastrophe,"WIRED,

February17,2011.AccessedMay23,2017.https://www.wired.com/threatlevel/2011/02/cyberwar-issues-likely-to-be-addressed-only-after-a-catastrophe.

Zetter,Kim.“HowDigitalDetectivesDecipheredStuxnet,theMostMenacingMalwareinHistory.”WIRED.July11,2011.AccessedMay24,2017.https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/.

Zheng,Denise,andJamesLewis.“CyberThreatInformationSharing.”CenterforStrategicandInternationalStudies,March10,2015.AccessedMay17,2017.https://www.csis.org/analysis/cyber-threat-information-sharing.