ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation,...
Transcript of ARP 2017 Report, FINAL...Investigation, Mandiant’s APT1, Mumbai Terrorist Attack Investigation,...
CyberattaCk attributionA Blueprint for privAte Sector leAderShip
ReseaRch Fellows
Justin Collins
Cameron Evans
Chris Kim
Kayley Knopf
Selma Sadzak
Nicholas Steele
Julia Summers
Alison Wendler
senioR ReseaRch Fellows
Allison Anderson
Stacia Lee
Faculty lead
Jessica Beyer
ThisreportisaproductoftheAppliedResearchProgramintheHenryM.JacksonSchoolofInternationalStudiesattheUniversityofWashington.TheAppliedResearchProgrammatchesteamsoftop-achievingJacksonSchoolstudentswithprivateandpublicsectororganizationsseekingdynamic,impactful,andinternationally-mindedanalysestosupporttheirstrategicandoperationalobjectives.FormoreinformationabouttheAppliedResearchProgrampleasecontactusatjsisarp@uw.edu.
i
ExecutiveSummary Afterthreedecadesofdevelopment,adoption,andinnovation,theInternetstandsatthecoreofmodernsociety.Thesamenetworkthatconnectsfamilyandfriendsacrosstheworldsimilarlytiestogetherallaspectsofdailylife,fromthefunctioningoftheglobaleconomytotheoperationofgovernments.Thedigitizationofdailylifeisthedefiningfeatureofthe21stcentury.WhilethepervasivenessofInternet-enabledtechnologybringssignificantbenefits,italsobringsseriousthreats—notonlytooureconomyandsafety,butalsotoourtrustincomputersystems.1TheInternetiscentraltomodernlife,yetmajorstate-sponsoredcyberattackspersistindisruptingInternetaccessandfunction.Theseattacksunderminefaithingovernmentandpublictrustindemocraticinstitutions.Attributionattemptstodatehavebeenunabletodeterstatesfrombuildingmaliciouscodeforevengreaterdestructivecapabilities.Inresponse,weproposetheformationofanattributionorganizationbasedoninternationalprivatesectorcoordination.Drawinguponprivatesectorexpertisefrommultiplecountries,theproposedorganizationwillcentralizeanalysisofmajorcyberattacksthroughformalizedinvestigationsandtheproductionofacredible,timelyattributionreportfollowingmajorattacks.Theorganizationwillstreamlinetheattributionprocess,therebyplayingasubstantialroleindeterringfuturemajornationstatecyberattacksandpromotinggreaterglobalInternetsecurity.
TheAttributionChallenge
Attributioniscriticaltotheresolutionofmanycybersecurityproblems.2Attributionisimportantfortwokeyreasons.First,attributionimposesresponsibilityonthepartyorpartiesinvolvedinthecyberattack.Second,attributiondetersfuturecyberattacksbyraisingthecostofstate-sponsoredoffensiveactivity.3Despitethetendencyforcountriestoemploycybersecuritypolicythatfavorsoffensiveactionratherthandefensiveaction,attributionisfundamentaltodeterrencebecauseitraisesthecostofattack.Currently,attackersarepredominantlyanonymous,abletohidebehindcomplexcomputernetworks.Lackofattributionisaprincipalcauseforthedelugeofstate-sponsoredcyberattacksbecauseitmakesoffensivecyberactivityrelativelycost-free.4 1Forageneraloverviewontheerosionoftrustresultingfromhacksandgovernmentsurveillancesee:JackGoldsmith,“TowardGreaterTransparencyofNationalSecurityLegalWork.”JackGoldsmith,May6,2015.http://jackgoldsmith.org/toward-greater-transparency-of-national-security-legal-work/andMarcGoodman,FutureCrimes:EverythingIsConnected,EveryoneIsVulnerableandWhatWeCanDoAboutIt.NewYork:AnchorBooks,2016.2DavidA.Wheeler,andGregoryN.Larsen.“TechniquesforCyberAttackAttribution.”InstituteforDefenseAnalyses,October2003.http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859.3Formoreonthissee:JonR.Lindsay,“TippingtheScales:TheAttributionProblemandtheFeasibilityofDeterrenceagainstCyberattack.”JournalofCybersecurity1,no.1(September1,2015):53–67.http://cybersecurity.oxfordjournals.org/content/1/1/534JohnP.Carlin.“Detect,Disrupt,Deter:AWhole-of-GovernmentApproachtoNationalSecurityCyberThreats.”HarvardNationalSecurityJournalVol.7.HarvardUniversity,2016.https://docs.google.com/viewer?docex=1&url=https://lawfare.s3-us-west-2.amazonaws.com/staging/2016/Carlin%20FINAL.pdf
ii
Whiletheneedforattributionisclear,speedandintegrityarekeyobstaclestotheproductionofsuccessfulattributionjudgements.5Evidenceisparamounttotheproductionofacredibleattributionjudgement;afteracyberattack,expertsmustgathertechnicalandsocio-economicandpoliticaldata.Thesedatabecometheevidencerequiredforanattributionjudgement,resolvingthebasicquestionofcyberattackresponsibility.6However,sincecyberattacksoftentranscendborders,divergentlegalframeworksanddifferentstatestrategicorientationstowardsinformationsharingmakethecollectionofevidenceparticularlydifficultandslow.7Meanwhile,theintegrityofdigitalforensicsvanishesquickly.Additionally,expertinvestigatorsfromtheprivatesectorlacktheabilitytocollectnecessaryinformationfromattackedgovernmentsandothercompanies.Asaresult,whenattributionreportsaremade,theyareoftenunconvincingtothepublic.8Thereisclearlyaneedfortheformalcoordinationofstakeholderstoshare,process,andpublishatimelyattributionjudgmentfollowingmajorcyberattacks.
BlueprintforanAttributionOrganization
Themissionofourproposedattributionorganizationistoenhancethecredibility,speed,andaccuracyofattributionfollowingcyberattacks.Theorganizationwillaccomplishitsobjectivesthroughprivatesectorcooperationandfunding.Tocreateaneffectiveorganizationalblueprint,westudied23existingattributionorganizationsandinvestigativeprocesses.Drawinguponthesuccessfulproceduresofexistingorganizationsandprocesseswillenableourproposedorganizationtocentralizeanalysisofmajorstate-sponsoredcyberattacksandsafeguardtrustintechnology.Theorganizationsweevaluatedwere:AmnestyInternational,CitizenLab,EgmontGroupofFinancialIntelligenceUnits,EuropeanFinancialCoalitionAgainstChildPornography,FinancialIndustryRegulatoryAuthority,Greenpeace,InternationalAtomicEnergyAgency,InternationalCivilAviationOrganization,InternationalLaborOrganization,NATOCooperativeCyberDefenseCenterofExcellence,OrganizationfortheProhibitionofChemicalWeapons,UnitedNationsAl-QaidaSanctionsCommittee,UnitedNationsSanctionsCommitteeonNorthKorea,andtheWorldTradeOrganization’sGATTArticleXX.Theprocessesweexaminedwere:CheonanJointInvestigationGroup,DemocraticNationalCommitteeEmailLeakInvestigation,Google’sOperationAurora,theIntermediate-RangeNuclearForceTreatyinvestigativeprocess,MalaysiaAirlinesFlight17(MH17)Crash
5BruceSchneier,“AttackAttributionandCyberConflict,”SchneieronSecurity,2015.AccessedMay25,2017.https://www.schneier.com/blog/archives/2015/03/attack_attribut_1.html.6Healey,Jason.“BeyondAttribution:SeekingNationalResponsibilityinCyberspace.”AtlanticCouncil,2012.http://www.atlanticcouncil.org/publications/issue-briefs/beyond-attribution-seeking-national-responsibility-in-cyberspace.7Carlin,2016.8Schneier,2015.
iii
Investigation,Mandiant’sAPT1,MumbaiTerroristAttackInvestigation,SonyPicturesHackInvestigation,andtheStuxnetInvestigation.Basedonourresearch,wehaveidentifiedsixbestpracticestoincorporateintoourattributionorganization:
• Equitablegeographicrepresentation• Organizationaltransparency• Stakeholderoutreach• Internalaccountability• Inclusionoftechnicalandgeopoliticalexperts• Privatesectormembership
Inaddition,wearticulatedsevenchallengesthatmightaccompanyorganizationaloperation:
• Earningpublictrust• Cooperationamongcompetitors• Industrycompliancewithorganizationalnorms• Legalchallengesofinformationsharing• Collectingsensitiveandconfidentialcyberincidentinformation• Methodsofinformationsharing• SharinginformationwithChinaandRussia
Ourreportdetailseachofthelistedbestpracticesandoutlineshoweachpracticewillbeintegratedintoanorganizationtaskedwithcyberattackattribution.WealsoaddresseachpotentialchallengeandproposesolutionsthatwillpromoteinternationalcooperationandenhanceglobalInternetsecurity.Table1illustratesourorganizationalblueprint.Asanon-governmentalorganizationfundedentirelybyprivatesectormembers,theorganizationwillderiveitslegitimacyandauthorityfromitsreputationforneutrality,transparency,andstringentevidentiaryrequirements.Theorganizationwillalsoincorporatetransparentdecision-makingprocesses,includinguseofExecutiveCouncilsupermajorityvotingprocedurespriortopublishingattributionjudgements,expert-ledinvestigationcommittees,andpeerreviewoffindingsthroughexpertreviewcommittees.Theorganizationwilldisseminateattributionjudgementstoavarietyofmediaoutlets,ratherthanbeingannouncedbyanindividualgovernmentorgivenexclusivelytoonenewsorganization.
iv
Table1:OrganizationalBlueprint
Actors
Private Sector - Company representatives, industry experts, independent academics
Actions - Leads neutral, private sector investigations of major state-sponsored cyberattacks to determine attribution.
Authority - Reputational
Structure - Decision making done through supermajority voting of member companies in the Executive Council
- Expert Investigation Committee leads nation-state cyberattack investigations
- Expert Review Committee reviews validity of attribution judgment upon request
Norms - Peer-review, high transparency, evidentiary framework
Attribution - Investigation report articulates attribution - The Communications Committee disseminates attribution report, with full
transparency, to mainstream news organizations
Budget and Funding Source(s)
- $40 million for year one and $30 million/year for subsequent years - Funded by mandatory contributions from member companies
Figure1,below,capturesthedirectionofinformationflow.Asthefigureillustrates,informationarrivesattheorganizationthroughaninformationrepository.Asevidenceiscollected,anExpertInvestigationCommitteeverifiestheveracityandauthenticityoftheevidence.AnExpertReviewCommitteealsoexaminestheevidenceandthefindingsofbothgroupscreatethesubstanceoftheattributionreport.TheExpertReviewCommitteedisseminatestheattributionreporttotheCommunicationCommittee.TheCommunicationCommitteeworkswiththemediatopublicizetheresultsofthereview.Figure1alsoillustratestheorganization’sauthorityandaccountabilityhierarchy.MembercompaniespopulateanExecutiveCouncilofCompanyRepresentativesandaBudgetCommittee.TheExecutiveCouncilprovidesresourcesandoversighttothetwoexpertsgroups.Italsoassistswiththedisseminationoftheorganization’sfindings.TheExecutiveCouncilmembersserveunderfour-yeartermlimits.TermlimitsareincorporatedintotheExecutiveCouncil’sdesignasagovernancemechanismtoensurediversitywithintheexecutiveleadership.
v
Figure1:OrganizationalChart
Theproposedorganizationwillhavetheabilitytoprovidewidelylegitimateattributionjudgementsfollowingmajorcyberattacks.Diversityofmembershipandproceduraltransparencywillbolstertheorganization’sreputationalauthority,whilethecoordinationofaglobalbodyoftechnicalexpertswillleadaneutralinvestigationofattacks.Aprivate-sectorledattributionorganizationwillcentralizeandoptimizetheattributionprocess,therebyholdingpartiesresponsibleforcyberattackswhileincreasingthecostofperpetration.Suchanorganizationwillultimatelyfosterimprovedglobalcybersecurity.
ExecutiveCouncilofCompanyRepresentatives
ExpertInvestigationCommittee
ExpertReviewCommittee
CommunicationsCommittee
BudgetCommittee
InformationRepository
SourcesofInformation
AttributionReport
MainstreamNews
Organizations
Evaluatestheveracityandauthenticityofevidence
Reviewprocess
AttributionReportDissemination
DirectionofinformationflowDirectionofauthorityandaccountability
MemberCompanies
Determinesnation-stateresponsibility
Evidencecollection
vi
TableofContents
ExecutiveSummary.............................................................................................................................iTheAttributionChallenge.............................................................................................................................iBlueprintforanAttributionOrganization....................................................................................................ii
Table1:OrganizationalBlueprint...........................................................................................................ivFigure1:OrganizationalChart.................................................................................................................v
Introduction........................................................................................................................................1BlueprintforanAttributionOrganization....................................................................................................3
Table1:OrganizationalBlueprint............................................................................................................5Figure1:OrganizationalChart.................................................................................................................7Figure2:IncorporationofBestPractices..................................................................................................8
CreatingACyberattackAttributionOrganization..............................................................................9Mission.........................................................................................................................................................9Methodology..............................................................................................................................................11
Actors.....................................................................................................................................................12Actions....................................................................................................................................................12Authority................................................................................................................................................12Structure.................................................................................................................................................12Norms.....................................................................................................................................................12Attribution..............................................................................................................................................12BudgetingandFundingSources.............................................................................................................12Figure3:SpectrumofStateAuthority....................................................................................................13
IncorporatingBestPractices.............................................................................................................14EquitableGeographicRepresentation.......................................................................................................14
EquitableGeographicDistribution:Greenpeace,OPCW,andtheCheonanJointInvestigationGroup..15AdoptingEquitableGeographicalRepresentation.................................................................................16
OrganizationalTransparency.....................................................................................................................16LowTransparencyModel:TheCheonanJointInvestigationGroup.......................................................17HighTransparencyModel:Mandiant’sAPT1Report.............................................................................19AdoptingTransparency..........................................................................................................................20
StakeholderOutreach................................................................................................................................20StakeholderOutreachModels:OPCWandtheEgmontGroup..............................................................21AdoptingStakeholderOutreach.............................................................................................................22
InternalAccountability...............................................................................................................................22InternalAccountabilityModels:UNISILandal-QaidaSanctionsCommitteeandtheINFTreaty..........23AdoptingofInternalAccountability.......................................................................................................23
InclusionofTechnicalandGeopoliticalExperts.........................................................................................24ExpertInclusionModels:TheCheonanInvestigationandtheIAEA.......................................................24AdoptingExpertInclusioninInvestigations............................................................................................25
vii
PrivateSectorMembership........................................................................................................................26PrivateSectorMembershipModels:TheSonyHackInvestigationandtheEgmontGroup...................26AdoptingPrivateSectorMembership.....................................................................................................28
TheDesignoftheProposedOrganization.......................................................................................31ExecutiveCouncil.......................................................................................................................................31ExpertInvestigationCommittee................................................................................................................31ExpertReviewCommittee..........................................................................................................................32CommunicationsCommittee.....................................................................................................................33BudgetCommittee.....................................................................................................................................33InformationFlow........................................................................................................................................34
Figure1:OrganizationalChart...............................................................................................................35
ChallengesfortheProposedOrganization......................................................................................36EarningPublicTrust....................................................................................................................................36
MaintainingIndependentFunding.........................................................................................................37FunctioningasaPublicResource...........................................................................................................37
CooperationamongCompetitors...............................................................................................................38IncentivizingCooperationthroughAccesstoResources........................................................................39EncouragingCooperationthroughPrivacyAssurances..........................................................................41
IndustryCompliancewithOrganizationalNorms......................................................................................41RationalistBehaviorTheory...................................................................................................................42ConstructivistTheory..............................................................................................................................42UsingTheorytoUnderstandCompliance...............................................................................................43
LegalChallengesofInformationSharing....................................................................................................44AutomatingDataAnalysis......................................................................................................................44
CollectingSensitiveandConfidentialCyberIncidentInformation.............................................................45SecureDrop:AToolforAnonymityandSensitiveDataCollectionfromthePublic.................................46Tearlines:AMechanismforReceivingGovernmentInformation...........................................................47
MethodsofInformationSharing................................................................................................................48AdoptinganAd-HocMethodofExchange.............................................................................................49TowardaFormalizedMethodofExchange............................................................................................50
SharingInformationwithChinaandRussia...............................................................................................51EngagingthePrivateSector...................................................................................................................52
Conclusion.........................................................................................................................................54
Appendix1:InternationalOrganizations.........................................................................................55AmnestyInternational...............................................................................................................................56CitizenLab..................................................................................................................................................57EgmontGroupofFinancialIntelligenceUnits............................................................................................58EuropeanFinancialCoalitionAgainstChildPornography(EFCACP)...........................................................59TheFinancialIndustryRegulatoryAuthority(FINRA).................................................................................60Greenpeace................................................................................................................................................61
viii
InternationalAtomicEnergyAgency(IAEA)...............................................................................................62InternationalCivilAviationOrganization(ICAO)........................................................................................63InternationalLaborOrganization(ILO)......................................................................................................64NATOCooperativeCyberDefenseCenterofExcellence(CCDCOE)...........................................................65OrganizationfortheProhibitionofChemicalWeapons(OPCW)...............................................................66UnitedNationsAl-QaidaSanctionsCommittee.........................................................................................67UnitedNationsSanctionsCommitteeonNorthKorea..............................................................................68WorldTradeOrganization(WTO)GATTArticleXX.....................................................................................69
Appendix2:InvestigativeProcesses................................................................................................70CheonanJointInvestigationGroup(JIG)....................................................................................................71DemocraticNationalCommittee(DNC)EmailLeakInvestigation.............................................................72Google’sOperationAurora........................................................................................................................73Intermediate-RangeNuclearForce(INF)TreatyInvestigativeProcess......................................................74MalaysiaAirlinesFlight17(MH17)CrashInvestigation.............................................................................75Mandiant’sAPT1........................................................................................................................................76MumbaiTerroristAttackInvestigation......................................................................................................77SonyPicturesHackInvestigation...............................................................................................................78StuxnetInvestigation.................................................................................................................................79
Appendix3:ProposedBudget..........................................................................................................80Table2:ProposedBudgetforYear1andSubsequentYears..................................................................81
Bibliography......................................................................................................................................82
1
IntroductionInApril2007,EstoniawascutofffromtheInternet.9Forthreeweeks,aseriesofcoordinated
botnetattacksfloodedthecountry’sWeb,email,anddomainnamesystemservers.The
distributeddenial-of-serviceattackseemedlikeaconcertedefforttoprotestEstonia’sremoval
ofaSovieteramonumentinTallinn,itscapitalcity.Oneobserverlikenedtheattackto“Web
WarOne."10ThesurpriseattackhadaprofoundimpactonEstonia’scriticalinfrastructure,
disruptinggovernmentcommunicationsaswellasfinancialinstitutions,universities,andmedia.
AlthoughtheEstoniangovernmentaccusedRussiaofthecyberattack,theextenttowhichthe
Russiangovernmentactivelysupportedtheattackersremainsamystery.11Failureto
conclusivelyidentifytheperpetratorsoftheEstoniaattackmarkedaturningpointinthenature
ofcyberwarfare,signalingtostatesthatoffensivecyberactivitycanberisk-free.Without
definitiveattribution,theoutcomeoftheEstonianattackemboldenedfutureattackers.
TheEstoniancaseillustratesthechallengesofcyberattackattribution.Notonlydoesthe
anonymityoftheInternetmaskattackers,gatheringdigitalevidencetoidentifyanattackeris
difficult.Accumulatingevidencealsotakestime,creatingspacebetweentheattackandany
attribution,whichcontributestotheambiguityoverwhotheattackerisandwhattheirmotives
are.Governments’andcompanies’inabilitytoconsistentlyidentifybadactorshasmeantthat
reliableattributionhasremainedintangible.
WhileordinaryInternetusersmayhavearestrictedunderstandingofcybersecurity,attackers
arebothindiscriminateinselectingvictimsandthoughtfulinchoosingtargetsthatadvance
9JoshuaDavis,“HackersTakeDowntheMostWiredCountryinEurope,”Wired,August21,2007,accessedMay17,2017,https://www.wired.com/2007/08/ff-estonia/.10"Warinthefifthdomain.Arethemouseandkeyboardthenewweaponsofconflict?,"TheEconomist,July1,2010,accessedMay17,2017,http://www.economist.com/node/1647879211ArthurBright,"EstoniaaccusesRussiaof‘cyberattack’,"CSMonitor.com,May7,2017,accessedMay17,2017,http://www.csmonitor.com/2007/0517/p99s01-duts.html;IanTraynor,“RussiaaccusedofunleashingcyberwartodisableEstonia,”TheGuardian,May16,2007,accessedMay17,2017,https://www.theguardian.com/world/2007/may/17/topstories3.russia;“The2007EstonianCyberattacks:NewFrontiersinInternationalConflict,”CyberWarHarvardLawBlog,December21,2012,accessedMay17,2017,https://blogs.harvard.edu/cyberwar43z/2012/12/21/estonia-ddos-attackrussian-nationalism/;“EstoniaFinesManfor‘CyberWar,’”BBC.com,January25,2008.AccessedMay2017athttp://news.bbc.co.uk/2/hi/technology/7208511.stm
2
nationstategoals.Inbothcases,theycapitalizeupontheInternet’sever-expandingnumberof
vulnerabilities.Inthepastfewyearsalone,RussiahasinfiltratedtheemailsoftheDemocratic
NationalCommitteeandChinahassupportedso-called“AdvancedPersistentThreats”in
stealingbillionsofdollarsoftradesecretsandothersensitivedatafromcorporations.These
politicalandpersonalriskswillonlymultiplyinthefuture,asInternetofThingstechnology
expandstoconnectanunprecedentednumberofdevicesacrosstheworld.12
Attribution,ortheidentificationofanattacker,isachallengeatthecoreofmanycybersecurity
problems.13Duetothecomplexnatureofcyberattacks,wheresophisticatedattackersoften
usenetworkcomputerstocarryoutmaliciousactivity,attributionreferstoaspectrumof
identification.Thespectrumcanrangefromtheproxycomputer,totheindividualculpableof
“pressingthekey,”tothenationstatesponsoringthehackers.14Onegoalofattributionisto
answerwhowasreallybehindtheattack.Anothergoalistodeterfutureattacksbyraisingthe
costoftheactivity.15
Despitethecurrenttendencyfornationstatecybersecuritytofavoroffensiveactionover
defensiveaction,attributionisfundamentaltodeterrencebecausefearofretaliationcould
dissuadeattacks.16Theattacker’sinvisibilityisaprincipalcauseforthedelugeofcyberthreats
becauseitmakeshisorheractionsrelativelycost-free.17
Therefore,attributionraisesthecostofhacking.Confidenceinattributionisdeterminedbythe
strengthofevidencedrawnonseveraldimensions—technicalforensics,humanintelligence,
12BruceSchneier,“ClickHeretoKillEveryonewiththeInternetofThings,we’rebuildingaworld-sizerobot.Howarewegoingtocontrolit?,”NewYorkMagazine,January,2017,http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html13DavidA.Wheeler,andGregoryN.Larsen.“TechniquesforCyberAttackAttribution.”InstituteforDefenseAnalyses,October2003,http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA46885914HerbertLin."AttributionofMaliciousCyberIncidents:FromSouptoNuts,"JournalofInternationalAffairs70(1)(2016):75-137,11.;DavidClarkandSusanLandau.“UntanglingAttribution.”MassachusettsInstituteofTechnology,2011.http://static.cs.brown.edu/courses/csci1950-p/sources/lec12/ClarkandLandau.pdf;JasonHealey.“BeyondAttribution:SeekingNationalResponsibilityinCyberspace.”AtlanticCouncil,2012.http://www.atlanticcouncil.org/publications/issue-briefs/beyond-attribution-seeking-national-responsibility-in-cyberspace.15Formoreonthissee:JonR.Lindsay,“TippingtheScales:TheAttributionProblemandtheFeasibilityofDeterrenceagainstCyberattack.”JournalofCybersecurity1,no.1(September1,2015):53–67.http://cybersecurity.oxfordjournals.org/content/1/1/5316ClarkandLandau,2011.17JohnP.Carlin.“Detect,Disrupt,Deter:AWhole-of-GovernmentApproachtoNationalSecurityCyberThreats.”HarvardNationalSecurityJournalVol.7.HarvardUniversity,2016.https://docs.google.com/viewer?docex=1&url=https://lawfare.s3-us-west-2.amazonaws.com/staging/2016/Carlin%20FINAL.pdf.
3
signalsintelligence,andgeopolitics.18Withthisinformation,expertscanproduceanattribution
judgmentresolvingthebasicquestionofresponsibility.19Yetcompoundingthetechnical
challengesofdeterminingresponsibilityarenationstatelegalbarrierspreventingvictimsand
therelevantsecuritycommunitiesfrominvestigatingthoroughly.TheInternetand
multinationalcorporationsalikebypasssovereignborders,problematizingthelawsgoverning
thecollectionofevidenceandinformationsharing.20
Governmentandindustryresponsibilitysurroundingattributioniscurrentlyunclear.For
instance:Whoisresponsibleforinvestigatingcyberattacks?Whatroleshouldthegovernment
andindustryplayincollectingevidence?Whatistheacceptablethresholdofevidencerequired
tomakeanattributionjudgement?Withoutanswers,deterrenceisundermined.Ourreport
stepsintothisgap,addressingthesekeyquestions,andproposesaneworganizationbasedon
thesuccessesofexistingattributionorganizationsandprocesses.
BlueprintforanAttributionOrganization
Themissionofourproposedattributionorganizationistoenhancethecredibility,speed,and
accuracyofattributionfollowingcyberattacks.Theorganizationwillaccomplishitsobjectives
throughprivatesectorcooperationandfunding.
Tocreateaneffectiveorganizationalblueprint,westudied23existingattributionorganizations
andinvestigativeprocesses.Drawinguponthesuccessfulproceduresofexistingorganizations
andprocesseswillenableourproposedorganizationtocentralizeanalysisofmajorstate-
sponsoredcyberattacksandsafeguardtrustintechnology.
Theorganizationsweevaluatedwere(Appendix1):AmnestyInternational,CitizenLab,Egmont
GroupofFinancialIntelligenceUnits,EuropeanFinancialCoalitionAgainstChildPornography,
FinancialIndustryRegulatoryAuthority,Greenpeace,InternationalAtomicEnergyAgency,
18Lin,2016,11.19Healey,2012.20Carlin,2016.
4
InternationalCivilAviationOrganization,InternationalLaborOrganization,NATOCooperative
CyberDefenseCenterofExcellence,OrganizationfortheProhibitionofChemicalWeapons,
UnitedNationsAl-QaidaSanctionsCommittee,UnitedNationsSanctionsCommitteeonNorth
Korea,andtheWorldTradeOrganization’sGATTArticleXX.
Theprocessesweexaminedwere(Appendix2):CheonanJointInvestigationGroup,Democratic
NationalCommitteeEmailLeakInvestigation,Google’sOperationAurora,theIntermediate-
RangeNuclearForceTreatyinvestigativeprocess,MalaysiaAirlinesFlight17(MH17)Crash
Investigation,Mandiant’sAPT1,MumbaiTerroristAttackInvestigation,SonyPicturesHack
Investigation,andtheStuxnetInvestigation.
Basedonourresearch,wehaveidentifiedsixbestpracticestoincorporateintoourattribution
organization:
• Equitablegeographicrepresentation• Organizationaltransparency• Stakeholderoutreach• Internalaccountability• Inclusionoftechnicalandgeopoliticalexperts• Privatesectormembership
Inaddition,wehaveidentifiedsevenchallengesthatmightaccompanyorganizational
operation:
• Earningpublictrust• Cooperationamongcompetitors• Industrycompliancewithorganizationalnorms• Legalchallengesofinformationsharing• Collectingsensitiveandconfidentialcyberincidentinformation• Methodsofinformationsharing• SharinginformationwithChinaandRussia
Ourreportdetailseachofthelistedbestpracticesandoutlineshoweachpracticewillbe
integratedintoanorganizationtaskedwithcyberattackattribution.Wealsoaddresseach
5
potentialchallengeandproposesolutionsthatwillpromoteinternationalcooperationand
enhanceglobalInternetsecurity.
Table1illustratesourorganizationalblueprint.Asanon-governmentalorganizationfunded
entirelybyprivatesectormembers,theorganizationwillderiveitslegitimacyandauthority
fromitsreputationforneutrality,transparency,andstringentevidentiaryrequirements.The
organizationwillalsoincorporatetransparentdecision-makingprocesses,includinguseof
ExecutiveCouncilsupermajorityvotingprocedurespriortopublishingattributionjudgements,
expert-ledinvestigationcommittees,andpeerreviewoffindingsthroughexpertreview
committees.Theorganizationwilldisseminateattributionjudgementstoavarietyofmedia
outlets,ratherthanbeingannouncedbyanindividualgovernmentorgivenexclusivelytoone
newsorganization.
Table1:OrganizationalBlueprint
Actors
Private Sector - Company representatives, industry experts, independent academics
Actions - Leads neutral, private sector investigations of major state-sponsored cyberattacks to determine attribution.
Authority - Reputational
Structure - Decision making done through supermajority voting of member companies in the Executive Council
- Expert Investigation Committee leads nation-state cyberattack investigations
- Expert Review Committee reviews validity of attribution judgment upon request
Norms - Peer-review, high transparency, evidentiary framework
Attribution - Investigation report articulates attribution - The Communications Committee disseminates attribution report, with full
transparency, to mainstream news organizations
Budget and Funding Source(s)
- $40 million for year one and $30 million/year for subsequent years - Funded by mandatory contributions from member companies
Figure1,below,capturesthedirectionofinformationflow.Asthefigureillustrates,information
arrivesattheorganizationthroughaninformationrepository.Asevidenceiscollected,an
6
ExpertInvestigationCommitteeverifiestheveracityandauthenticityoftheevidence.AnExpert
ReviewCommitteealsoexaminestheevidenceandthefindingsofbothgroupscreatethe
substanceoftheattributionreport.TheExpertReviewCommitteedisseminatestheattribution
reporttotheCommunicationCommittee.TheCommunicationCommitteeworkswiththe
mediatopublicizetheresultsofthereview.
Figure1alsoillustratestheorganization’sauthorityandaccountabilityhierarchy.Member
companiespopulateanExecutiveCouncilofCompanyRepresentativesandaBudget
Committee(budgetisoutlinedinAppendix3).TheExecutiveCouncilprovidesresourcesand
oversighttothetwoexpertsgroups.Italsoassistswiththedisseminationoftheorganization’s
findings.TheExecutiveCouncilmembersserveunderfour-yeartermlimits.Termlimitsare
incorporatedintotheExecutiveCouncil’sdesignasagovernancemechanismtoensure
diversitywithintheexecutiveleadership.
7
Figure1:OrganizationalChart
Figure2outlineshowtheorganizationadoptsthebestpracticesweidentifiedthroughthe
courseofourresearch.Whileeveryelementoftheorganizationdoesnotincludeeverybest
practice,eachelementincorporatesthepracticesmostsuitedtoitsfunction.
ExecutiveCouncilofCompanyRepresentatives
ExpertInvestigationCommittee
ExpertReviewCommittee
CommunicationsCommittee
BudgetCommittee
InformationRepository
SourcesofInformation
AttributionReport
MainstreamNews
Organizations
Evaluatestheveracityandauthenticityofevidence
Reviewprocess
AttributionReportDissemination
DirectionofinformationflowDirectionofauthorityandaccountability
MemberCompanies
Determinesnation-stateresponsibility
Evidencecollection
8
Figure2:IncorporationofBestPractices Theproposedorganizationwillhavetheabilitytoprovidewidelylegitimateattribution
judgementsfollowingmajorcyberattacks.Diversityofmembershipandprocedural
transparencywillbolstertheorganization’sreputationalauthority,whilethecoordinationofa
globalbodyoftechnicalexpertswillleadaneutralinvestigationofattacks.Aprivate-sectorled
attributionorganizationwillcentralizeandoptimizetheattributionprocess,therebyholding
partiesresponsibleforcyberattackswhileincreasingthecostofperpetration.Suchan
organizationwillultimatelyfosterimprovedglobalcybersecurity.
ExecutiveCouncil• Equitablegeographicrepresentation
• Organizationaltransparency• Internalaccountability• Privatesectormembership
ExpertInvestigationCommittee
• Equitablegeographicrepresentation
• Organizationaltransparency• Internalaccountability• Inclusionoftechnicalandgeopoliticalexperts
• Privatesectormembership
BudgetCommittee• Equitablegeographicrepresentation
• Organizationaltransparency• Internalaccountability• Privatesectormembership
CommunicationsCommittee
• Equitablegeographicrepresentation
• Organizationaltransparency• Stakeholderoutreach• Internalaccountability• Privatesectormembership
MemberCompanies
• Organizationaltransparency
• Stakeholderoutreach• Equitablegeographicrepresentation
• Privatesectormembership
ExpertReviewCommittee
• Equitablegeographicrepresentation
• Organizationaltransparency• Internalaccountability• Inclusionoftechnicalandgeopoliticalexperts
• Privatesectormembership
9
CreatingACyberattackAttributionOrganizationThecyberattackattributionorganization’spurposeistomakepromptandaccurateattribution
judgmentsbycoordinatingprivatesectorinformationsharing.Today,state-sponsored
cyberattackattributionsuffersfromtwochiefproblems:speedandintegrity.21Theprocessof
collectingandanalyzingevidenceisslow,andthereliabilityofdigitalforensicsvanishesquickly.
Publicacceptanceofgovernments’attributionreportsisunderminedbecausetheiruseof
confidentialevidencehinderstransparency,whiletheprivatesectoroftenlackstheabilityto
collectnecessaryinformation.Asaresult,evenwhenattributionreportsarecreated,theyare
unconvincingtothepublic.22Thereisaneedfortheformalcoordinationofstakeholdersto
shareandprocessdataandpublishanattributionjudgment.Anorganizationtaskedwith
sharingcyberevidenceandcentralizingtheanalysisofdigitalforensicsandinformationwill
enhancetheprocessofattribution.
Credibleattributionjudgementsrequireinternational,privatesectorcoordination.Although
completeneutralityisimpossibletoachieve,privatesectormembershipcontributes
substantiallytothisgoal.Byformalizingtheinvestigationandcreationofacredible,unbiased
attributionreportfollowingmajorcyberattacks,theorganizationwillplayasubstantialrolein
deterringfuturemajornationstatecyberattacks.
Mission
Themissionoftheproposedorganizationissimple;itaimstoenhancetheneutrality,speed,
andaccuracyofattributionthroughprivatesectorcooperation.Doingsowilldiminishthe
numberofcyberattacksasthelikelihoodincreasesthatnationstatesareheldaccountablefor
theiractions.
Thedesignoftheproposedorganizationaddressestheproblemofneutralityinanattribution
21BruceSchneier,“AttackAttributionandCyberConflict,”SchneierOnSecurity,March9,2015,accessedMay23,2017,https://www.schneier.com/blog/archives/2015/03/attack_attribut_1.html22Ibid.
10
investigation.Theproposedorganizationaimstoleveragetheprivatesector’saccesstocritical
informationwithaneutralandtransparentinvestigationprocess.Becauseprivatecompanies
shareamissiontoprotectcustomersonlineanddeterfuturestate-sponsoredattacksthatmay
threatentheirbottom-line,theyofferaneutralinvestigativeparty.Themarketincentivizes
companyneutralityinawaythatdoesnotexistforstateactors.
Safeguardingtrustintechnologyunderpinstheworkofthisorganization.TheInternetstands
centraltomodernlife,andyetmajorstate-sponsoredcyberattackspersistindisruptingits
accessandfunction.Previousattributionreportswereunabletodeterstatesfrombuilding
maliciouscodeforevengreaterdestructivecapabilities.Thus,thepublic’sskepticismof
attributionreportserodestheirperceptionofsafetyonline.Thelackoftrustemanatesfromthe
timedelaybetweenwhentheattackoccursandwhentheattributionreportispublished,the
confidentialnatureofgovernmentattributionreports,andtheshortageofconclusiveevidence
used.23
Thepotentialforspeedandaccuracystemsfromthecentralizedcollectionofcyberattack
information,suchasthreatsignaturesformalware,Internetprotocoladdressesanddomain
namesinvolvedincyberattacks,anddescriptionsofspecificcyberattacks.24Theupshotisthat
theproposedorganizationwillhavetheevidenceandexpertisetoinvestigateamajor
cyberattack.Whentheproposedorganizationpublishesareport,thediversityofits
membershipandproceduraltransparencywillbolstersitsauthority.Thecoordinationofa
globalbodyoftechnicalexpertsfromtheprivatesectorwillleadaneutralinvestigationofa
majorstate-sponsoredcyberattacks.
Therefore,themissionoftheproposedorganizationistofulfiltheneedforanunbiasedand
transparentprocessfortheattributionofstate-sponsoredcyberattacks.Atthesametime
providingaccurateattributionwillprotectcustomersandimprovetheirconfidenceinindustry,
23JeffreyHunker,BobHutchinsonandJonathanMargulies,“RoleandChallengesforSufficientCyber-AttackAttribution,”InstituteforInformationInfrastructureProtection(2008),accessedMay17,2017,http://www.scis.nova.edu/%7Ecannady/ARES/hunker.pdf24“Cyber-SecuritytaskForce:Public-PrivateInformationSharing,”BipartisanPolicyReview(2012),http://bipartisanpolicy.org/wp-content/uploads/sites/default/files/Public-Private%20Information%20Sharing.pdf.
11
itwillincreasethepublic'strustintheInternet.Takentogether,ourargumentisthatwith
enoughdatapoints,attributionispossible,butgettingmemberstoshareinformationrequires
atrustworthyorganization.
Methodology
Inpreparingablueprintfortheproposedattributionorganization,weengagedinalandscape
analysisofthebasicstructures,processes,andbestpracticesofexistingattribution
organizationsandprocesses.Weanalyzedthesuccessesandfailuresof23different
organizationsandprocesseswhosemissionsrangefromnuclearnonproliferationto
environmentalactivismandthepreventionofmoneylaundering.Tablesexaminingeachofthe
organizationsindetailareavailableinAppendix1andAppendix2.
Theorganizationsweevaluatedwere:AmnestyInternational,EgmontGroupofFinancial
IntelligenceUnits,EuropeanFinancialCoalitionAgainstChildPornography,FinancialIndustry
RegulatoryAuthority,Greenpeace,InternationalAtomicEnergyAgency,InternationalCivil
AviationOrganization,InternationalLaborOrganization,NATOCooperativeCyberDefense
CenterofExcellence,OrganizationfortheProhibitionofChemicalWeapons,UnitedNationsAl-
QaidaSanctionsCommittee,UnitedNationsSanctionsCommitteeonNorthKorea,andthe
WorldTradeOrganization’sGATTArticleXX.
Theprocessesweexaminedwere:CheonanJointInvestigationGroup,DemocraticNational
CommitteeEmailLeakInvestigation,Google’sOperationAurora,theIntermediate-Range
NuclearForceTreatyinvestigativeprocess,MalaysiaAirlinesFlight17(MH17)Crash
Investigation,Mandiant’sAPT1,MumbaiTerroristAttackInvestigation,SonyPicturesHack
Investigation,andtheStuxnetInvestigation.
Wefocusedourreviewonsevenkeyelementsthatarecentraltotheoperationofattribution
bodies.Theseelementsare:actors,actions,authority,structure,norms,attribution,and
budgetingandfundingsource(s).Weoperationalizethesetermsasfollows:
12
Actors.Actorsarethepartyorpartiesthatcomposethemainbodiesofanorganizationorinvestigativeprocess.Actorscarryouttheorganizationorinvestigativeprocess’smainfunctions.Actorscomefromarangeoffieldsandbackgrounds,fromgovernmentofficialstogovernmentagencies,academics,researchers,andprivatecompanies.Actions.Actionsarethestepsthatactorstaketofurtheranorganizationorinvestigationprocesses’mission.Theactionsofanorganizationarethechiefdutiesandgoalstheorganizationorinvestigationworkstoaccomplish.Authority.Authoritydenotesthelegitimacyofjudgmentandpower.Intheorganizationorinvestigativeprocess,authorityreferstotherighttoexercisejudgment.Authoritystemsfromanindividual’stechnicalorgeopoliticalknowledge,oranorganization’sreputation.Structure.Structurereferstothearrangementofactorswithintheorganization.Norms.Normsrefertoexpectedbehavioralpracticesofactorswithinanorganizationorinvestigativeprocess.Attribution.Attributionreferstohowanorganizationorinvestigativeprocesspublishestheirfindingsandarticulatesresponsibility.BudgetingandFundingSources.Thebudgetreferstotheoperationalcostsoforganizationsorinvestigativeprocess.Fundingreferstothesourceofthebudget.
Ourlandscapeanalysisprovedusefulinidentifyingsuccessfulcorefunctionsofattribution
organizationsandconsideringtheapplicationofthesebestpracticestocybersecurity.While
eachorganizationorprocesshasitsowntableofdataintheAppendices,Figure3providesan
overviewofthespectrumofstateauthorityintheinternationalorganizationsand
investigationswesurveyed.Here,stateauthorityreferstotheinfluenceandcontrolwieldedby
agovernmentwithinagivenorganizationorinvestigation.Anincreaseinsizeandbureaucracy
isacorollaryofanorganizationorinvestigation’slegalauthority.Thus,thenumberofformal
treatiesincreasewiththepresenceofgovernmentactors.
13
Figure3:SpectrumofStateAuthority
Bureaucratic Ad-hoc
Examples:• IAEA• UNSanctions• WTOArticleXX• AmnestyInternational
• NATOCCDCOE
Examples:• ILO• EgmontGroup• EFCACP
Examples:• MumbaiInvestigation
• OPCW• ICAO
Examples:• Google’s‘OperationAurora’
• CheonanJIG
Examples:• DNCHack
Examples:• Stuxnet• Mandiant
APT1
InternationalOrganizations• Formalauthority• Nonprofit• Memberstateand
privatefunding• Ratifiedtreaties
Tools
• Bilateral,multilateraltreatise• Agreementsbetweengovernments• Partnershipsamonggovernmentalagencies
andNGOinstitutions
InternationalInvestigations• PrivateEnterprises• Informalauthority• For-profitmissiondriven
strategies• Ad-hocinformation-
sharing
Greaternumberofparticipants,lessspecific
Fewernumberofparticipants,morespecific
14
IncorporatingBestPracticesThepurposeoftheproposedorganizationistoenhancetheneutrality,speed,andaccuracyof
state-sponsoredcyberattackattribution.Toachievethismission,thedesignoftheproposed
organizationwillbuilduponthebestpracticesoftheorganizationsandinvestigationsinour
landscapeanalysis.Inthisreport,wedefinebestpracticesasatechniqueorprocesssuperiorto
alternatives.Bestpracticesformtheorganizations’andinvestigations’standardmethodof
procedure—fromcollectingevidencetocomplyingwithlocallaws.Inthefollowing,wewill
detailthebestpracticesofthereviewedorganizationsandinvestigationsandexplainhowthe
proposedorganizationincorporatesthebestpracticesintoitsdesign.Thesebestpractices
include:
• Equitablegeographicrepresentation
• Organizationaltransparency
• Stakeholderoutreach
• Internalaccountability
• Inclusionoftechnicalandgeopoliticalexperts
• Privatesectormembership
EquitableGeographicRepresentation
Equitableglobaldistributionofanorganization’sdecision-makingbodiesiskeyforan
organization’sreputationandauthority.Geographicallydiversemembershipbolstersthe
credibilityoftheorganization’smissionandactionsbecauseitbalancesdifferentregional
perspectives.Thetransnationalnatureofcyberattacksmakesthispracticeevenmorecritical.
Anyorganizationtaskedwithglobalattributionfacespressuretoupholdpoliticalneutralityand
independencefromanyonecountry.Thisisparticularlyimportantwhenconsidering
interactionswithmajorpowerswithglobalagendas,suchasChina,Russia,andtheUnited
States.
15
EquitableGeographicDistribution:Greenpeace,OPCW,andtheCheonanJointInvestigationGroup
Severaloftheorganizationsweexaminedexemplifythebenefitofequitablegeographic
distribution.InthecaseofGreenpeace,physicalbrickandmortarregionalbranchesfoster
greaterglobalcooperationbecausetheyincreasetheorganization’sabilitytoconnectwithlocal
sourcesforresearchandinformationgatheringpurposes.25Havingaphysicalglobalpresence
createsanimageofGreenpeaceasaglobalactor,ratherthananorganizationassociatedwith
anyonecountryandallowsfortheorganizationtodrawuponideasfromallpartsoftheglobe.
TheOrganizationfortheProhibitionofChemicalWeapons(OPCW)usesthepracticeof
equitablegeographicdistributiontofostergreaterrepresentationandcooperationinits
governingbodies.TheOPCWhasstrictquotasforgeographicrepresentationineachofits
governingbodies.Forexample,theExecutiveCounciloftheOPCWalwayshasnine
representativesfromAfrica,ninefromAsia,fivefromEasternEurope,sevenfromLatin
America,andtenfromWesternEuropeandNorthAmerica.26Theirstructureensuresthat,in
rotation,eachstatepartyhastherightandopportunitytoserveontheExecutiveCounciland
activelyparticipateintheorganization’sdecision-makingprocess,therebypromotinganimage
ofanorganizationthatistrulyinternationalandindependent.Geographicdiversityisalso
representedintheOPCW’sScientificAdvisoryBoard,whichconductsresearchandinspection
ofchemicalweaponsmaterial.Diversegeographicrepresentationamongthebody’sscientists
andinspectorsisimportantforincreasingthepoliticalneutralityoftheorganization’s
investigationsintochemicalweapons.27
TheinvestigationintothesinkingoftheSouthKoreannavalvesselCheonanisanotherexample
ofgeographicinclusion.TheCheonaninvestigationwasconductedbyindividualsandexperts
fromdiversegeographicalbackgrounds,signalinggreatercommitmenttoneutralityandits
25"Greenpeacestructureandorganization."GreenpeaceInternational2017,accessedApril30,2017.http://www.greenpeace.org/international/en/about/how-is-greenpeace-structured/26“MembershipandFunctions,”OrganizationfortheProhibitionofChemicalWeapons,AccessedApril30,2017,https://www.opcw.org/about-opcw/executive-council/membership-and-functions/27“RulesandProcedurefortheScientificAdvisoryBoardandTemporaryWorkingGroupsofScientificExperts,”OrganizationfortheProhibitionofChemicalWeapons.AccessedMay10,2017.
16
abilitytoproducecrediblefindingstotheinternationalcommunity.28Theinvestigativeteam
wasformedbytheSouthKoreangovernmentbutcontainedexpertsfromAustralia,Canada,
SouthKorea,Sweden,theUnitedKingdom,andtheUnitedStates.29SouthKorea’sdeliberate
internationalizationoftheinvestigationmadeitharderforNorthKoreatodismissthe
accusationsoftheinvestigationbeingpoliticallymotivated.30Inthiscase,geographicdiversity
enhancedthecredibilityoftheinvestigationasbeingpoliticallyneutral.
AdoptingEquitableGeographicalRepresentation
Ensuringgeographicrepresentationcanbefulfilledthroughtheprocessofproportionally
allocatingthenumberofcompaniessharinginformationwithintheproposedorganizationto
thenumberofmajorcybersecurityattackshappeningwithinthatregionorcountryovera
certainperiod.Theproportionatenumberofregionalfirmswithintheorganizationswill
contributetoefficientandpertinentamountofinformationsharingandwillensureallregions
andcountriesareequitablyrepresented.Additionally,theproposedorganizationwillhavesix
globalofficesencompassingthefollowingregions:Africa,Asia,RussiaandtheCommonwealth
ofIndependentStates,EuropeandMiddleEast,LatinAmerica,andNorthAmerica.
OrganizationalTransparency
Theproposedorganizationshouldadopttransparencyasabestpracticebecausetransparency
enhancesanorganization’scredibility.Wedefinetransparencyasabehavioralnormguiding
theorganizationsdecisiontodiscloseinformation.Ahigh-degreeoftransparencydescribesthe
extenttowhichanorganizationdisclosesinformationtothepublic.
Transparencyplaysakeyroleinfosteringanorganization’sreputationalauthority.Here,
reputationalauthorityreferstotheperceptionofanorganization’scredibility.Ensuringthe
organizationalcredibilityisimportantfortheorganization’sattributionreportstobe
28“SecurityCouncilCondemnsAttackonRepublicofKoreaNavalShip‘Cheonan’,StressesNeedtoPreventFurtherAttacks,OtherHostilitiesinRegion,”UnitedNations.July9,2010.29“LetterDated4June2010fromthePermanentRepresentativeoftheRepublicofKoreatotheUnitedNationsAddresstothePresidentoftheSecurityCouncil.”(UnitedNationsSecurityCouncil,June4,2010).30MarkLandler,“DiplomaticStormBrewingOverKoreanPeninsula,”TheNewYorkTimes,May19,2010,accessedMay17,2017,http://www.nytimes.com/2010/05/20/world/asia/20diplo.html
17
consideredvalidandforensuringthatprivatesectorcompanieswilljointheorganization.31In
thefollowing,wewillanalyzetwoinvestigationswheretransparencyplayedasubstantialrole
inthepublic’sconfidenceintheattributionreport.Twoofthecasesweexaminedoffer
examplesofattributionjudgementswithvaryinglevelsoftransparency.First,theCheonanJoint
InvestigationGrouphadalow-degreeoftransparency,andtherefore,limitedcredibility.In
contrast,theMandiantAPT1reportisamodelofhigh-degreetransparencyandahighlevelof
credibility.
LowTransparencyModel:TheCheonanJointInvestigationGroup
TheCheonanJointInvestigationGroup’sattributionreportisanexampleofaninstancein
whichalowleveloftransparencycreatedfindingsthatwereviewedasnotcredible.Thereport
wasmetwithwidespreadskepticismbecauseoftheinvestigation’slackoftransparency.On
March26,2010,theSouthKoreanwarshipCheonansankneartheNorthernLimitLine,ade
factojurisdictionalborderwithNorthKorea,killing46servicemen.32TheSouthKorean
governmentwithheldformalindictmentsimmediatelyafterthesinking,althoughtheincident
heightenedtensionsbetweenthetwoKoreas.33Todeterminetheperpetratoroftheattack,the
SouthKoreangovernmentlaunchedanindependentinvestigationtaskedwiththeanalysisof
forensicevidencefromtheattack.34However,theinvestigation’ssecretiveprocesswashighly
controversial,particularlyamongotherforensicscientistsandthepublic.35Whenthefinal
reportconcludedthatNorthKoreawasresponsiblefortheattack,controversyoverthevalidity
oftheexpert’sforensicanalysisundermineditsauthority.Indeed,theUnitedNationsSecurity
Councilcondemnedtheattack,butdidnotnameNorthKoreaastheaggressor,citing“deep
concern”overthereportsattribution.36
31NeilPatel,“WhyaTransparentCultureIsGoodforBusiness,”FastCompany,October9,2014,https://www.fastcompany.com/3036794/why-a-transparent-culture-is-good-for-business32Landler,2010.33Landler,2010.34“InvestigationResultontheSinkingofROKS"Cheonan,"TheJointMilitary-CivilianInvestigationGroup(2010),accessedMay17,2017,http://news.bbc.co.uk/nol/shared/bsp/hi/pdfs/20_05_10jigreport.pdf35DavidCyranoski,“ControversyoverSouthKorea'ssunkenship,”NatureJournal,July14,2010,accessedMay22,2017,http://www.nature.com/news/2010/100708/full/news.2010.343.html36HarveyMorris,“NKoreaescapesblameovershipsinking,”FinancialTimes,July9,2017,accessedMay22,2017,https://www.ft.com/content/4208c344-8b6e-11df-ab4d-00144feab49a.
18
ThecontroversyovertheJointInvestigationGroup’sfindingscentersontheinvestigation’s
failuretoexplainitsanalysisofevidence.Thestrongestcriticsoftheinvestigation’sreportclaim
theevidenceofthetorpedoattackwasmisinterpretedorfabricated,contradictingtestimony
fromwitnessesoftheship’ssinking.37Forensicscientistscriticizedtheinvestigationfornot
publishingthedatausedintheanalysisofforensicevidence.Disclosingsuchinformationwould
haveallowedpeer-reviewerstocorroboratewiththeinvestigation’sconclusionanddiscredit
otherspeculations.38
Subsequentresearchfromscientistsfurtherraisedthepossibilitythatthesinkingwascaused
byotherfactors.39AnoversightboardfortheSouthKoreanmilitaryaccusedtheinvestigationof
analyzinginformationdistortedbytheSouthKoreannavalleaders.40Criticsspeculatedthatthe
reasonfornotdisclosinginformationistoprotecttheSouthKoreanarmyfromliability.41A
SouthKoreangovernmentwatchdogorganizationsentanopenlettertotheUnitedNations
SecurityCouncilquestioningthefindingsoftheJointInvestigationGroupsreport,highlighting
theproblemwiththeinvestigationslackoftransparency.Theleaderoftheorganizationwas
subsequentlychargedwithalibelsuit,worseningthepublictrustinthepoliticalautonomyof
theinvestigation.42
TheCheonanexampleillustrateswhyattributioninvestigationsofstate-sponsoredattacks
shouldprioritizetransparencyandprovideanopenpeer-reviewprocess.43Inthiscase,the
skepticismfromtheSouthKoreanpublicandcriticismfromscientificcommunitysuggeststhat
thefailuretoshareinformationwiththepubliccanfueldistrustandlegitimatealternative
37BarbaraDemickandJohnM.Glionna,"DoubtssurfaceonNorthKorea'sroleinshipsinking,"LosAngelesTimes,July23,2010,accessedMay22,2017,http://articles.latimes.com/2010/jul/23/world/la-fg-korea-torpedo-20100724.38DavidCyranoski,“ControversyoverSouthKorea'ssunkenship,”NatureJournal,July14,2010,accessedMay22,2017,http://www.nature.com/news/2010/100708/full/news.2010.343.htmlandSeunghunLeeandJ.J.Suh,"PolicyForum10-039:RushtoJudgment:InconsistenciesinSouthKorea’sCheonanReport",NAPSNetPolicyForum,July15,2010,http://nautilus.org/napsnet/napsnet-policy-forum/rush-to-judgment-inconsistencies-in-south-koreas-cheonan-report/39HwangSuKimandMauroCaresta,"WhatReallyCausedtheROKSCheonanWarshipSinking?"AdvancesinAcousticsandVibration(2014),accessedMay22,2017,https://www.hindawi.com/journals/aav/2014/514346/.40DemickandGlionna,2010.41Ibid.42"Ex-Pres.SecretarySuedforSpreadingCheonanRumors,"TheDong-AIlbo(EnglishEdition),May8,2010,accessedMay22,2017,http://english.donga.com/List/3/all/26/264989/143“MostS.KoreansSkepticalAboutCheonanFindings,SurveyShows,”TheChosunIlbo(EnglishEdition),September8,2010,accessedMay17,2017,http://english.chosun.com/site/data/html_dir/2010/09/08/2010090800979.html
19
interpretationsoftheattack.Providingaccesstoforensicevidenceandtechnicalmethodology
wouldallowthepublicandexternalexpertstoreviewpotentialflawsintheattributionprocess.
Suchtransparencycanserveaspartofasystemofcheckandbalanceswithinaninvestigation.
HighTransparencyModel:Mandiant’sAPT1Report
Becauseopennessmitigatesagainstdistrust,theMandiant’sAPT1reportoffersavaluable
modelforgatheringandsharingatransparentattributionreport.44Theimportanceof
Mandiant’sreportcomesfromthebreadthofevidencedisclosedtothepublicandengagement
withthepress.45Mandiant,anAmericanprivatesecurityfirm,spentsixyearscollecting
evidenceonaseriesofnetworkattacksinorganizationsacrosstheworld.Thefinalreport
accusedChina’sPeople'sLiberationArmyastheperpetratorresponsible.46The60-pagereport
detailstheunprecedentedvolume,sophistication,andpersistenceoftheseattacks,calling
them“APT1”or“advancedpersistentthreat1.”
Mandiant’sAPT1attributionreportillustratesthelegitimacyderivedfromprovidingpublic
accesstodataandfull-disclosureevidence.Forinstance,thereportmapstheInternetprotocol
addressesandotherdigitalevidence,includingdrawingalinefromtheirevidencetoaspecific
buildinglocationinShanghai.Using3,000addressesandindicators,thereportalsoidentifies
specificindividualsresponsibleforlaunchingtheattacks.Thereportincludesananalysisofthe
Chinesehackers,inadditiontopicturesoftheattackers’socialmediaprofiles.47
Inaddition,Mandiantsharedthetechnicaltoolsandproceduresusedtogatherevidenceand
explainedinnontechnicallanguagethemethodofanalysis.48Indoingso,Mandiantbolstered
44Mandiant,“APT1:ExposingOneofChina’sCyberEspionageUnits,”accessedApril29,2017,https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pd45DavidE.Sanger,DavidBarbozaandNicolePerlroth,"ChineseArmyUnitIsSeenasTiedtoHackingAgainstU.S.,"NewYorkTimes,February29,2013,accessedApril29,2017,https://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html46BenjaminWittes,“MandiantReporton‘APT1’,”Lawfare.org,February20,2013,accessedApril29,2017,https://lawfareblog.com/mandiant-report-apt1;WilliamWanandEllenNakashima,"ReporttiescyberattacksonU.S.computerstoChinesemilitary,"WashingtonPost,January19,2013,accessedApril29,2017,https://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700twenty-two8e-7a6a-11e2-9a75-dab0201670da_story.html47Mandiant,“APT1:ExposingOneofChina’sCyberEspionageUnits,”accessedApril29,2017,https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pd48WadeWilliamson,“LessonsfromMandiant’sAPT1Report,”SECURITYWEEK,February29,2013,accessedApril29,2017,http://www.securityweek.com/lessons-mandiant%E2%80%99s-apt1-report
20
thecredibilityofitsattributionjudgmentbyallowingextensivepeer-reviewandpublic
discussion.49Mandiant’stransparencyservedtobolsterthereport'scredibilityandprovide
actionableinformationtothesecurityindustry.Thereport’sextensiveanalysisoftheChinese
organizationresponsiblefortheattackwilllikelydetersimilaronesinthefuture.
AdoptingTransparency
Ourcasestudiesofferevidencethatpublicaccesstoinformationisimportanttothecredibility
ofattributionorganizationsandthattransparencymeasurescanbebuiltintothedesignofthe
proposedorganization.Therefore,theproposedorganizationshouldadoptbehavioralnorms
fortransparency,suchasthepublicdisclosureofinformationandengagementwiththepublic
duringtheinvestigatoryprocess.Doingsowilllendfurthercredibilitytoanyinvestigation.
Additionally,fulldisclosurewillprovidethepublicaccesstoallsourcesusedinanattribution
judgementandaddressthelackoftrustinstate-sponsoredcyberattackattributionjudgments.
Sharingtherationalebehinddecisionmakingwithinthetechnicalandgeopoliticsexpertpanel
willsimilarlyactasaninstrumentofaccountability.
Inlinewiththis,theproposedorganizationshouldproducereportsthatareunclassifiedand
canundergoextensivepeer-reviewfromindependentsecurityanalysts.Notonlywillthe
organization’sopennessandpublicengagementhelptodeterstate-sponsoredcyberattacks,
disclosureofevidenceandforensicanalysiswillbuttresstheorganization'scredibilityinthe
publiceye.
StakeholderOutreach
Employingstakeholderindustrytrainingandoutreachisanotherbestpracticetheproposed
organizationwilladopt.Industryengagementintheformoftrainingandoutreachcampaigns
canfacilitatestrongercooperationandcohesionbetweenmultiplestakeholdersandacross
differentsectorsandregionsoftheworld.Notonlycanstakeholderoutreachcampaigns
49Sanger,Barboza,andPerlroth,2013.
21
bolsteranorganization’spublicreputation,thesepracticesalsoworktoinformandimprove
industryknowledgeandincreasechannelsfortheengagementofawidevarietyofindustry
stakeholders.50Theproposedorganizationwilladoptpracticesofstakeholderoutreach,
incorporatingthemodelsforsuchprocessesusedbytheOrganizationfortheProhibitionof
ChemicalWeaponsandtheEgmontGroupofFinancialIntelligenceUnits.
StakeholderOutreachModels:OPCWandtheEgmontGroup
TheOrganizationfortheProhibitionofChemicalWeapons(OPCW)successfullyutilizes
practicesofstakeholderoutreachtopromotethetransnationalawarenessofOPCWchemical
industryobjectives.TheOPCWholdsofficialcoursesatchemicalindustrymeetingsevery
monthforrelevantindustryandgovernmentstakeholders.Forexample,inMay2017,the
OPCWheldcoursesonanalyticalchemistry,onhowtorespondtoincidentsofchemical
warfare,aswellasassistanceandprotectiontrainingprograms.51IncludedintheOPCW’s
organizationstructureisanAdvisoryBoardonEducationandOutreachtopromotethe
implementationoftheChemicalWeaponsConventionandaidnationalgovernmentsand
chemicalindustryinitsdisarmamentobjectives.
TheEgmontGroupofFinancialIntelligenceUnitsalsoemploysoutreachandindustrytraining
measures.Likethecybersecurityindustry,theEgmontGroupworksinanindustrywithdiverse
stakeholders,includinggovernmentalfinancialintelligenceunits,non-governmental
organizations,academia,media,andthepublic.52TheEgmontGroup’soutreach
communicationstrategyaimstoincreasetheirorganization’seffectivenessbyraising
understandingandsupportofincreasedinformationsharingandtopicawareness.TheEgmont
Groupconductsstakeholderregionalmeetingsandtechnicalworkshopsandseminarsinthe
promotionoftheGroup’smission.
50“SuggestedBestPracticesforIndustryOutreachProgramstoStakeholders”(FederalEnergyRegulatoryCommission,July2015),https://www.ferc.gov/industries/gas/enviro/guidelines/stakeholder-brochure.pdf.;“CreateaStrategicOutreachCampaigntoAddValuetoYourOrganization,”Prowl,May23,2011,http://prowlpublicrelations.blogspot.com/2011/06/create-strategic-outreach-campaign-to.html?m=0.51“OPCWCalendarofEvents,”OrganizationfortheProhibitionofChemicalWeapons,n.d.,https://www.opcw.org/events-calendar/.52“EgmontGroupCommunicationStrategy,”EgmontGroupofFinancialIntelligenceUnits,(2015).
22
AdoptingStakeholderOutreach
Ourcasestudiesofferevidencethatstakeholderoutreachcanbecentraltofacilitatingstronger
cooperationamongstmultiplestakeholderswhoaregeographicallydispersed.Therefore,the
proposedorganizationforcyberattributionshouldadoptsimilarpracticesofboththe
OrganizationfortheProhibitionofChemicalWeaponsandtheEgmontGroupinthe
establishmentofitsownoutreachcampaigns.
Theproposedorganization’sExecutiveCouncilshouldbetaskedwitharrangingbiannual
industrymeetingsofmemberandnon-membercompaniestoreviewandanalyzetheproposed
organization’spractices,addresspotentialimprovementsfortheorganizationmovingforward,
anddiscusspracticesofprivate-sectorinformationsharing.Biannualmeetingsacrossall
regionalindustryactorscouldincreaseawarenessfortheorganizationandhelpincorporate
dategatheringandtechnicalknowledgefromnon-memberregionalprivatefirms.Thelong-
termgoaloftheCommittee’soutreachcampaignswouldbetofostergreaterglobalindustry
engagementwiththeproposedorganization.Globalindustryrepresentative’sparticipationin
biannualmeetingswouldhelptobolstersbothtransnationalawarenessandengagementofthe
proposedorganization’smission.
InternalAccountability
Internalaccountabilityisanimportantpracticethatservestoincreasecredibilityandtrustinan
attributionorganization’sreportsandinvestigativeprocesses.Accountabilityisfosteredwhen
anorganizationprovidesmechanismsforinternalchecksandbalances,suchasframeworksfor
self-assessment,disputeresolution,andpeer-review.Examplesofsuccessfulinternal
accountabilitycreatingcredibilityinfindingscanbeseeninexamplesoftheUnitedNationsISIL
(Da’esh)andal-QaidaSanctionsCommitteeandtheIntermediate-RangeNuclearForcesTreaty
investigativeprocess.
23
InternalAccountabilityModels:UNISILandal-QaidaSanctionsCommitteeandtheINFTreaty
TheUnitedNationsISIL(Da’esh)andal-QaidaSanctionsCommitteeoffersanexampleofa
successfulinternalaccountabilityframework,particularlyitsOfficeoftheOmbudsperson.The
OfficeoftheOmbudspersonisanindependentbodytaskedwithoverseeingtheappeals
processesofindividualsorgroupsbelievedtobeunlawfullysanctioned.53TheOmbudsperson
providesdetailedanalysisandobservationsonallinformationrelevanttoasanctionsappeal
beforeprovidingtheCommitteewitharecommendationondelisting.54TheOfficeofthe
OmbudspersonhelpstostrengthentheCommittee’spositionagainstcomplaintsofviolating
thelegalrightsofsanctionedindividualsandisanimportantstepinenhancingfairnessand
transparencywithinthesanctionsregime.55
DisarmamentbodiessuchastheIntermediate-RangeNuclearForcesTreaty(INF)investigative
processalsoprovidekeyexamplesofinternalaccountabilityframeworks.TheINFSpecial
VerificationCommissionservesasaforumthroughwhichstatepartiescanresolveconcerns
andquestionsregardingcomplianceandtreatyimplementation.56Memberstatescancall
meetingsoftheSpecialVerificationCommissiontovoicecomplaintsaboutstateparty
complianceandtotryandreachagreementoninspectionprocedures.TheUnitedStatesand
SovietUnionagreedthateithercountrycouldcallaSpecialVerificationCommissionmeetingto
resolveissuesofcomplianceanddiscussnewmeasuresneededtoimprovethetreaty’s
effectiveness.57
AdoptingofInternalAccountability
Ourresearchillustratestheimportancethatinternalaccountabilityhasincreatingacredible
organization.Thus,itisimportantthattheproposedorganizationdevelopitsowninternal
53“ApproachandStandard,”OfficeoftheOmbudspersonoftheSecurityCouncil’s1267Committee,n.d.,https://www.un.org/sc/suborg/en/ombudsperson/approach-and-standard54Ibid.55“SpeakersinSecurityCouncilCallforUnified,GlobalCounter-TerrorismEffort,FollowingBriefingsbyChairsofCommitteesSetUptoSpearheadFight,”UnitedNations,May11,2010.56AmyF.Woolf,“RussianCompliancewiththeIntermediateRangeNuclearForces(INF)Treaty:BackgroundandIssuesforCongress”CongressionalResearchService,(2017).57Ibid.
24
frameworkforbothindependentreviewandpeer-reviewedcompliance.Doingsowillhelpto
strengthentheattributionorganization’sexternalcredibilityandbuildtrustintheprivate
sector.
Assuch,theproposedorganizationshouldhaveanindependentreviewbodylikethatofthe
UnitedNationsOfficeoftheOmbudsperson.Partieswhofeeltheyhavebeenwrongfully
attributedforanationstatecyberattackcouldthensubmitaformalcomplainttothe
organization’sindependentreviewbody.Thereviewbodywillthenanalyzetheinvestigation
processofthedisputedattributiontoensureneutralityandevidentiarystandardswereupheld.
Theywillthenpubliclysubmittheirreportontheinvestigationwiththeirconclusiononthe
attribution’slegitimacy.Thisbodywillprovideanimportantcheckonthemaininvestigative
team.
InclusionofTechnicalandGeopoliticalExperts
Privatesectorandacademicexpertiseisessentialtotheproposedorganizationbecausethe
credibilityoftheseexpertsstemsfromtheirprofessionalbackgroundandreputation—and
neutrality.Expertiseinbothtechnicalforensicanalysisandgeopoliticsallowsorganizationsto
ensurethatfindingswillbeperceivedaslegitimate.Twoexamplesfromourresearchstandout
inthisrespect—theCheonaninvestigationandtheIAEA.
ExpertInclusionModels:TheCheonanInvestigationandtheIAEA
Despiteitslackoftransparency,theCheonaninvestigationisagoodexampleofincorporating
technicalexpertsintotheattributionprocess.TheCheonansinkinginvestigationisakeycase
studyforcombiningprofessionalexpertiseandgovernmentauthorityforreachingattribution
judgments.Asoutlinedabove,in2010,theSouthKoreanwarshipCheonansanknearNorth
Korea,killing46servicemen.TheincidentheightenedtensionsbetweentheKoreaseven
thoughtheNorthKoreangovernmentdeniedculpability.TheUnitedNationsSecurityCouncil
publiclycondemnedtheattackwithoutidentifyingtheperpetrator.WithChinese,Russian,and
USengagementgrowingintheregion,thisincidenthadramificationsbeyondthepeninsula.
25
Tomaintainregionalstability,andmitigateagainstfurtherescalation,SouthKorealauncheda
multinationalteamcomprisedofexpertstodeterminethecauseofCheonan’ssinking.The
groupwascomposedofexpertsorganizedintofourteams:scientificinvestigation,explosive
analysis,shipstructuremanagementandintelligenceanalysis.Theirfinalreport,releasedtothe
publicinMay2010,determinedwitha“highpossibility”thatNorthKoreawasresponsiblefor
theattack.58TheJointInvestigationGrouputilizedaninternationalbodyofexpertstoattribute
theattack.ThemeasurestheJointInvestigationOrganizationtook,toincludeindividualswith
relevantexpertiseanddiversegeographicalbackgrounds,bolsteredtheefficiencytodetermine
theresponsibleadversaryintheCheonanattack.
AnotherexampleofawaytoincorporatepeerreviewintoinvestigationsistheInternational
AtomicEnergyAgency’s(IAEA)model.TheIAEAclearlyoutlinesthecomponentsofanuclear
facilityinspectionsothepubliccanhaveconfidencethatallvariablesareaccountedforinthe
process.59Byoutliningthesesteps,theexpertsestablishtransparentproceduralnorms.
CreatingtheseproceduralnormsiscriticalinlegitimizingtheIAEA’sfindings.
AdoptingExpertInclusioninInvestigations
Ultimately,credibilityisthegoaloftheproposedorganization’sattributioninvestigations.Like
theCheonaninvestigation,theproposedorganizationcouldadopttheuseofindependent
expertsfromdiversegeographicalbackgrounds,intoitsstructure,whileavoidingtheCheonan
investigation’stransparencymissteps.Inaddition,theIAEA’stransparencyandinclusionof
expertsoffersapathwaytolegitimacy.
Putintopractice,theproposedorganizationwoulddrawuponapanelofindependentcyber
expertstoconducttheinvestigationandattributionofcyberattacks.Theexpertsresponsible
58“SecurityCouncilCondemnsAttackonRepublicofKoreaNavalShip‘Cheonan’,StressesNeedtoPreventFurtherAttacks,OtherHostilitiesinRegion|MeetingsCoverageandPressReleases”UnitedNationsSecurityCouncil(2010),accessedMay16,2017,https://www.un.org/press/en/2010/sc9975.doc.htm59"InspectionandEnforcementbytheRegulatoryBody."4.1.3.2.Methodsofinspection.AccessedMay11,2017.https://www.iaea.org/ns/tutorials/regcontrol/inspect/insp4132.htm
26
forforensicanalysiswouldrepresentdiversegeographicrepresentationsamongglobalprivate
sectorinformationsecurityfirms.
Thedetailsofthemethodologiesandfindingsfromtheexperts’attributionprocesswouldtobe
releasedtoholdtheiractionsaccountable.Releasingsuchproceduralinformationwillcreate
transparencybecausetheinternationalcommunitywillbeabletoreviewpotentialflawsinthe
attributionprocess.Additionally,publiclydisclosingtheattributionprocessesencouragesthe
expertstotransparentlyconducttheirinvestigations.Clearlycommunicatingtheexperts’
operationscanleavethepublicmoreconfidentinfindings.
PrivateSectorMembershipInadditiontotheabovebestpractices,anyattributionorganizationmeanttotacklestate-
sponsoredcyberattackwillbeunderahighlevelofscrutiny,makingtheappearanceof
neutralityparticularlyimportant.Whilemanyoftheattributionorganizationsandprocesseswe
examinedinvolvegovernmentsinattributingresponsibility,inthecaseofthisorganizationit
willbeimperativetoremainindependentfromperceivednationstateinfluence.Therefore,the
proposedorganizationmustbemadeupofprivatesectoractors—butcouldincludeexperts
drawnfromothersectors.TheSonyHackInvestigationandtheEgmontGroupoffersupportfor
theneedtoseparatetheorganizationfromgovernments.
PrivateSectorMembershipModels:TheSonyHackInvestigationandtheEgmontGroup
Theproposedorganizationwillnotincludeanypublicsectororgovernmentalbodies.
Incorporationofgovernmentsintotheproposedorganizationwouldunderminethe
organizationbecausegovernmentinvolvementbringslackoftransparencyandissuesof
credibility.
Becausegovernments’primaryresponsibilityistoprotectindividualnationstatesecurity,they
areoftenunwillingtoshareinformationandfrequentlyoperatewithouttransparency—
particularlysecurityagencies.TheSonyHackInvestigationhighlightstheindependentand
27
exclusivenatureofthegovernment.TheFBIinvestigatedtheattackforreasonsofnational
security,whileatthesametimeSonyhiredFireEye,anAmericanprivatecybersecurityfirm,to
investigate.Althoughitwouldhavefacilitatedamorerobustinvestigation,thereisnoevidence
ofcollaborationbetweenthetwoentities.Inaddition,theFBIdidnotreleaseanydetailed
informationofitsinvestigationoritsattributionreport.Theonlyreleaseofinformationwasa
vagueone-pagestatementindicatingNorthKoreaastheculprit.60Asaresult,theexpert
communityviewedtheFBI’sfindingswithskepticism,somethingthatcontinuestothisday.
Becausegovernmentsdonotoperateinatransparentmanner,theylackthecredibilitythat
thirdpartieshaveandthatisneededtorunanattributionorganization.Inmanyofourcase
studies,itisapparentthatathirdpartyisbroughtintoeitherattributeattacksortoprovide
thetoolstoattributethoseattacks.AnexampleofthisistheEgmontGroupofFinancial
IntelligenceUnits.Itsmissionistocombatmoneylaunderingandterrorismfinancing
operationsaroundtheglobe.Tofacilitateeffectiveattribution,theEgmontGroupfollowsaset
ofproceduralnormssetoutbytheFinancialActionTaskForce,anon-governmentalbody
specializingincreatingandupdatingstandardsforthefightagainstmoneylaunderingand
terrorismfinancing.61TheEgmontGroupusesproceduralnormstotraintheirintelligenceunits
andhasaccountabilitygroupsthattrackwhethertheseproceduralnormsarefollowed.
Furthermore,thestandardsthattheEgmontGroupfollowarebasedonmultipleUnited
Nationsconventionsoutliningthespecificmethodsincounteringmonetarycriminalactivity.
Thus,creatingdistancebetweenthosethatsetupnormsandtheattributorswhousethose
norms,theEgmontGroup,portrayslegitimacyandneutrality.Inthesameway,havingan
independentgroupofprivatesectororganizationsattributinganotherlevelofactors(nation
states),consequentlyprovidesalevelofdistancebetweenthosewhoattributefault,andthose
whoarepotentiallycommittingthecrimeitself.
60“UpdateonSonyInvestigation,”PressRelease,FederalBureauofInvestigation,accessedMay23,2017,https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.61FinancialActionTaskForce.“INTERNATIONALSTANDARDSONCOMBATINGMONEYLAUNDERINGANDTHEFINANCINGOFTERRORISM&PROLIFERATION.”FAFTA/OECD,2013.http://www.fatfgafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf
28
AdoptingPrivateSectorMembership
Ourresearch,combinedwiththedistinctchallengesinherentinacybersecurityattribution
organization,indicatestheneedfortheproposedorganizationtobeaprivatesectorrun
organization.Theneedforprivatesectorleadershipisbecausemarketpressureswillensure
companyneutralityandhardwork.Privatesectorentitiesalsohaveaccesstovaluable
informationforattributingcyberattack.Finally,theyhavetheadvantageofspeedand
flexibility.
Marketpressurewillensurethatcompaniesworkhardtoattributecyberattack—andmarket
pressureswillalsohelptomakesurecompaniesremainneutralinattribution.Companieshave
agrowingstakeintheirownsecurityasthefrequencyandcostofcyberattacksincrease.62An
expected$3trillionincostsby2020willbeattributedtocybercrime.63Therefore,private
corporationsareincreasinglyconcernedabouttheirownsecurityandprotectingshareholder
value.Joiningtheproposedorganizationprovidesanavenuetobolsterprotection.
Additionally,privatesectormembershaveawideswathofcyberattackinformationand
technicalforensicswithintheirnetworksystems.Sharingthisinformationisessentialtomake
convincingattributionjudgements.DrawingontheexampleoftheEgmontGroup,weseethat
privatesectorinformationisinstrumentalinmakingattributionjudgementsformoney
launderingandterrorismfinancing.TheFinancialActionTaskForceRecommendations
mentionedearlierspecificallyoutlinesthelistofbodiesfromwhichFinancialIntelligenceUnits
shouldreceivetransactionalinformation.TheUnitutilizesbothcash-transactionreportsand
suspicious-transactionreportstohelpmakecriminalattributionjudgement.Thebodiesthat
mustsubmitthesereportstoFinancialIntelligenceUnitsincludebanks,securitiesdealers,
insurers,casinos,andevenlawyersandaccountants.64Thisdiversearrayofreportingentities
providesFinancialIntelligenceUnitswithacomprehensivedatabaseofpertinentinformation
62RileyWalters,“CyberAttacksonU.S.CompaniesSinceNovember2014,”TheHeritageFoundation,accessedMay23,2017,http://www.heritage.org/cybersecurity/report/cyber-attacks-us-companies-november-201463ProtectingandDefendingagainstCyberthreatsinUncertainTimes|USA2017|RSAConference,”accessedMay23,2017,http://www.rsaconference.com/events/us17/agenda/sessions/7577-keynote-speaker-brad-smith-president-and-chief.64InternationalMonetaryFundandWorldBank,“FinancialIntelligenceUnits:AnOverview,”2004,https://www.imf.org/external/pubs/ft/FIU/fiu.pdf
29
thatcanbeanalyzedandthentransmittedtolaw-enforcementorprosecutorialentitiesas
needed.Theproposedorganization,likewise,shouldhaveprivatesectorfirmsfromawide
arrayofindustriescontributetoasingularsourceofnationstatecyberattackinformationthat
canbeanalyzedthoroughlybyindustryexpertsanddisseminatedinthemostappropriate
fashion.
Finally,asopposedtogovernmentbodies,privatesectorcompanieshavetheadvantageof
speedandflexibilityinsharinginformationandsupportingattributionjudgementsbecausethey
arenotimpededbydissimilarjurisdictionspresentinmultinationalgovernments.65Theywould
beabletorelativelyeasilyprovideinformationtotheumbrellaorganization’sutilizationof
SecureDrop,anopensourcesoftwareplatformforanonymouscommunicationchannels.
Potential Membership Privatesectorfirmsthatwouldbeinterestedinjoiningtheproposedorganizationwould
includelargemultinationalsfromaroundtheworldandfrommyriadofindustries.The
proposedorganizationmightincludecompaniesfromthebanking,manufacturing,technology,
andretailssectors,suchasGoldmanSachs,Samsung,Sberbank,Sinopec,ThyssenKrupp,or
Zara.Manyofthememberfirmswillbecompaniesthathavealreadysufferedamajor
cyberattack,whileotherswillhaveonlyexperiencedminorinformationsecuritybreaches.Still
otherswillwanttojointobetterunderstandandpreventfuturecyberthreats.Whateverthe
motivesofthesefirmsforjoiningtheproposedorganization,thetraceevidenceheldbythese
companiesisinvaluabletoholdinrepositoriesforfurtherattributioninthefuture.
MembershipwouldalsoextendtocompaniesintheITorcybersecurityindustry.Companiesin
theserespectiveindustrieswillhavedatafromclientstheyhaveserved.However,onlyraw
data,notanalyses,willbesharedfromthesesecurityfirms.Wediscussthepotentialchallenge
ofcybersecurityfirmssharingdatainthePrivateSectorCooperationsectionofourreport.The
keyhereistodevelopastrongbaseofneededinformationsharingfrombothcompaniesthat
65J.E.Messerschmidt,“Hacback:PermittingRetaliatoryHackingbyNon-StateActorsasProportionateCountermeasurestoTransboundaryCyberharm,”ColumbiaJournalofTransnationalLaw,Vol.52,No.1,p.293andNealKatyal,“CommunitySelf-Help,”JournalofLaw,EconomicsandPolicy,Vol.1,(2005),accessedmay17,2017,http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1532&context=facpub
30
haveexperiencedcybersecuritybreaches,aswellasthecompaniesthathelppatchthose
cybersecuritybreaches.
Infocusingmembershiponprivatesectorfirms,wedonotproposeacompletedenialof
governmentinvolvement.Infact,itwillbeimportanttohavegovernments’supportandinput.
Theproposedorganizationincludesaplantogaingovernments’ownattributionjudgementsin
aconfidentialmannerthatretaintheiranonymity;thissectionwillbefurtherelaboratedinthe
SensitiveandConfidentialCyberIncidentInformationsection.Byhavingtop-notchexperts
analyzebothprivatesectorcyberattackinformationandpublicsectorinformation,the
proposedorganizationwillmakeagreatleapinbolsteringcyberdefensearoundtheglobe
whilereducingcoststoprivatesectorfirmsandpublicsectorgovernments.
31
TheDesignoftheProposedOrganizationTheproposedorganizationisdividedintofivemainbodiesandmadeupofprivatesector
membercompanies:(1)theExecutiveCouncilofCompanyRepresentatives,(2)theExpert
InvestigationCommittee,(3)theExpertReviewCommittee,(4)theCommunications
Committee,and(5)theBudgetCommittee.
ExecutiveCouncil
Thehighest-leveldecision-makingbodyistheExecutiveCouncil,composedofrepresentatives
frommembercompanies.TheExecutiveCouncilvotesonwhichcyberattacksundergo
investigationbytheorganization.Theprocessofselectingcaseswillalsoundergoatwo-thirds
majorityvoteforapproval.MembercompaniesappointrepresentativestotheExecutive
Councilforfour-yearterms.Termlimitsareaformalorganizationalpracticetoensurea
rotatingcastofindustrystakeholdersintheExecutiveCouncil.Councilmembersunanimously
votetosuspendfirmmembershipintheorganization.Therepresentativesarealsoresponsible
forappointingexpertstotheExpertInvestigationCommitteecomposedofgeopoliticaland
technicalexperts.Eachcompanyrepresentativeappointsexpertsandfinaldecisiontoapprove
appointmentrequiresatwo-thirdsmajorityvoteoftheExecutiveCouncil.TheReview
Committee,bycontrast,iscomposedofindependentacademicsandtechnicalexperts.
TheExecutiveCounciladoptsthebestpracticesofequitablegeographicrepresentation,
organizationaltransparency,internalaccountability,andprivatesectorparticipation.
ExpertInvestigationCommittee
TheExpertInvestigationCommitteeisresponsibleforinvestigatingmajorstatesponsored
cyberattackspassedthroughtheExecutiveCouncil.WithdirectaccesstotheInformation
Repository,theExpertInvestigationCommitteeoperatesonanevidentiaryframeworkthat
evaluatestheveracityandvalidityofinformationfromtherepository.Expertscanalsosubmit
formalrequestsofinformationfrommemberfirmsforgatheringtechnicalforensicsduring
theirinvestigation.
32
TheExpertInvestigationCommittee’sattributionreportwilldevelopanevidentiaryframework
similartothelegalburdenofproof.TheevidentiaryframeworkwillensurethattheExpert
InvestigationCommitteebuildsanattributionjudgmentbasedoninculpatoryevidence.Since
theproposedorganizationdoesnotprosecuteadefendantforacyberattack,theExpert
InvestigationCommittee’slegalburdenislowerthanconventionalcriminallaw.Rather,the
onusisontheExpertInvestigationCommitteetoconstructacoherentdepictionofanation
state’sinvolvementwithacombinationoftechnicalandgeopoliticalevidence.Thecore
responsibilityfortheExpertInvestigationCommitteeistodeterminethenationstate’s
responsibilityandmotivationforanattack.
TheExpertInvestigationCommitteeadoptsthebestpracticesofequitablegeographic
representation,organizationaltransparency,internalaccountability,inclusionoftechnicaland
geopoliticalexperts,andprivatesectorparticipation.
ExpertReviewCommittee
TheExpertReviewCommitteeholdstheExpertInvestigationCommitteeaccountableforthe
qualityofevidenceusedintheattribution.TheExpertReviewCommitteeisthepeer-review
processfortheproposedorganization.TheCommittee,composedofindependentacademics
andprivatesectorresearchers,reviewstheExpertInvestigationCommittee’sattributionreport
priortheofficialrelease.TheCommitteeisbasedonopt-inparticipationandisvoluntary;the
ExecutiveCouncilofCountryCouncilscanvetospecificExpertReviewCommitteemembers
withtwo-thirdsmajorityvote.Itprovidestheimprimaturfortheproposedorganization,
indicatingbroadconsensusontheattributionjudgment.Aboveall,theReviewCommitteeis
themechanismthatupholdstheproposedorganization’scommitmenttoofneutralityand
evidentiarystandards.
33
TheExpertReviewCommitteeadoptsthebestpracticesofequitablegeographic
representation,organizationaltransparency,internalaccountability,inclusionoftechnicaland
geopoliticalexperts,andprivatesectorparticipation.
CommunicationsCommittee
TheCommunicationsCommitteeisresponsibleforreceivingthefinalattributionreportsfrom
theExpertReviewCommitteeaswellasthedisseminationofthereporttothepublic.The
CommunicationsCommitteefollowsawell-definedframeworkthatmaintainsaccountabilityto
thepublicandopenness.Allevidenceusedintheattributionreportwillbedisclosedtothe
public.ThemembercompaniesappointtheCommittee’smembers,upholdingthepracticeof
geographicdiverserepresentationintheorganizationsstaff.MembersoftheCommunications
Committeewillworkcloselywiththemediaandinsurethemediapublishesthefindings
accurately.Likemediaorganizationswhoretainageneralcounsel,theCommunications
Committeewillworkwithlawyersintheeventofalegalchallenges.
TheCommunicationsCommitteeadoptsthebestpracticesofequitablegeographic
representation,organizationaltransparency,internalaccountability,stakeholderoutreachand
privatesectormembership.
BudgetCommittee
MembercompaniesalsoappointrepresentativesofBudgetCommittee.TheBudget
Committee’sresponsibilitiesincludemanagingandcollectingthebudgetoftheproposed
organization.TheBudgetCommitteewilldiscloseanycaseswheremembercompany’sfailto
upholdtheirmonetarycontributions.TheBudgetCommitteewillpresentthesecasesofnon-
compliancetotheExecutiveCouncilwhowillthendeterminateanappropriateresponse.The
BudgetCommitteedeterminesindividualmembercompany’scontributions.
Appendix3summarizestheprojectedcostsoftheproposedorganization.Webreakdownthe
costsintosixdifferentcategories,theExpertInvestigationCommittee,theExpertReview
34
Committee,theCommunicationsCommittee,theBudgetCommittee,OutreachandMember
Relations,andInfrastructureandOperationscosts.TheExecutiveCouncilwillnotbepaidas
theirworkisminimal,althoughthereputationalbenefitsarehigh.Theprojectedtotalcostof
theproposedorganizationwillbenearly$40millioninthefirstyearandanestimated$30
millionayearinsubsequentyears.
TheBudgetCommitteeadoptsthebestpracticesofequitablegeographicrepresentation,
organizationaltransparency,internalaccountability,andprivatesectormembership.
InformationFlow
Figure1,includedagainbelow,capturesthedirectionofinformationflow.Asthefigure
illustrates,informationarrivesattheorganizationthroughaninformationrepository.As
evidenceiscollected,anExpertInvestigationCommitteeverifiestheveracityandauthenticity
oftheevidence.AnExpertReviewCommitteealsoexaminestheevidenceandthefindingsof
bothgroupscreatethesubstanceoftheattributionreport.TheExpertReviewCommittee
disseminatestheattributionreporttotheCommunicationCommittee.TheCommunication
Committeeworkswiththemediatopublicizetheresultsofthereview.
35
Figure1:OrganizationalChart
ExecutiveCouncilofCompanyRepresentatives
ExpertInvestigationCommittee
ExpertReviewCommittee
CommunicationsCommittee
BudgetCommittee
InformationRepository
SourcesofInformation
AttributionReport
MainstreamNews
Organizations
Evaluatestheveracityandauthenticityofevidence
Reviewprocess
AttributionReportDissemination
DirectionofinformationflowDirectionofauthorityandaccountability
MemberCompanies
Determinesnation-stateresponsibility
Evidencecollection
36
ChallengesfortheProposedOrganizationAsanewinternationalorganization,theproposedattributionorganizationwillfaceserious
challengesasitgathersevidenceandproducesattributionjudgementsfollowingmajor
cyberattacks.Inthefollowingsection,weidentifysevenchallengesanddrawuponexamples
fromourresearchtocraftsolutionstoeachpotentialchallenge.Thesemajorchallenges
include:
• Earningpublictrust
• Cooperationamongcompetitors
• Industrycompliancewithorganizationalnorms
• Legalchallengesofinformationsharing
• Collectingsensitiveandconfidentialcyberincidentinformation
• Methodsofinformationsharing
• SharinginformationwithChinaandRussia
EarningPublicTrust
Oneofthecentralgoalsoftheproposedorganizationistopublishandwidelydisseminate
attributionjudgementsinatimelymanner.Toeffectivelyaccomplishitsmissionofholding
cyberattackperpetratorsaccountableanddissuadingthemfromfutureattacks,the
organizationmustbecredibletothepublic.Withoutcredibility,theproposedorganization’s
judgementsareeasilydismissedandcyberattackersarefreetocontinueunderminingglobal
Internetsecurity.
Theproposedattributionorganizationwilloperateindependentlyfromnationalgovernments
andbecomposedentirelyofmembersfromtheprivatesector.Whileitsnon-governmental
statusandtransparentorganizationalstructuresignaladegreeofpoliticalneutrality,the
organizationmustactivelyworktopromoteitsindependenceifitistoholdareputationasa
credibleattributionbody.Whileearningpublictrustisapotentialchallengetoanyinternational
organization,letaloneanascentattributionbody,wecanborrowfromthepoliciesof
37
GreenpeaceandtheInternationalAtomicEnergyAgency(IAEA)tobestfostertheattribution
organization’spoliticalneutralityandearnpublicconfidence.
MaintainingIndependentFunding
Greenpeaceprovidesanexampleofexclusivelyapolitical,independentfunding.Greenpeace
doesnotacceptdonationsfromgovernments,corporations,orpoliticalparties,andrejects
donationsfromprivateentitiesthatitsgoverningbodybelievescouldcompromiseits
independence,objectives,andintegrity.66TheindependenceofGreenpeacefundingsuggests
thatGreenpeaceisanorganizationthatcannotbeboughtorquieted;Greenpeaceisonly
interestedinfurtheringitsmissionofpublicenvironmentalawarenessandengagement.
Greenpeace’sfundingmodelhasprovensuccessfulandservesasamodelthattheattribution
organizationshouldadopttoencouragepublictrustinitsfunctions.Althoughitsmethodsare
oftencontroversial,thepubliclargelyviewsGreenpeaceasanauthorityonenvironmental
issues.Subsequently,initsfortyyearsofexistence,Greenpeacehasgrownfromtenactivists
operatinginAlaskatoanorganizationwith2.9millionmembersconductingoperationsin55
countries.67Additionally,Greenpeaceisresponsibleforimpactfulenvironmentalcampaigns,
rangingfrominitiativestostopdrillingintheArcticandstoppingtheflowtoxicwasteintothe
ocean.68Theattributionorganizationcanovercomechallengestopubliccredibilitybymakinga
similarpromisetorejectpoliticalfunding,allowingittofocussolelyonitsneutralcyberattack
investigations.
FunctioningasaPublicResource
Theattributionorganizationcanpositionitselfasapublicresourcethatnotonlyattributes
cyberattacks,butprovidesinformationaboutitsmissioninaneasilycomprehensiblemanner.
TheIAEAisanexampleofanorganizationthathasgainedpublictrustthroughitsclear,
informativecommunicationstrategy.Inrecentyears,useofnuclearenergyhasgrown
66“WhoWeAre.”GreenpeaceInternational.AccessedMay17,2017.http://www.greenpeace.org/international/en/about/our-mission/67"Greenpeacestructureandorganization."GreenpeaceInternational.2017.AccessedMay9,2017.http://www.greenpeace.org/international/en/about/how-is-greenpeace-structured/68“WhoWeAre,”2017.
38
increasinglycontroversial,andnuclearenergyisalsohighlytechnical,oftentoocomplexforthe
publictounderstand,furtherexacerbatingmistrustinitsuse.69Tocombatpublic
misconceptions,theIAEAsharescomplexinformationsurroundingnuclearenergyinacoherent
mannerthatiseasilyunderstoodbythepublic,intheformoffactsheets,podcasts,regular
bulletins,andinformationalbooklets.70WhenthepublicseestheIAEAasaninformational
resourcewhosemissionisclearandunderstandable,theIAEAisfundamentallymorecredible
andabletomoreeffectivelygovernnucleartechnologyandsafety.
Theattributionorganizationcanearnpublictrustinasimilarmanner.Likenucleartechnology,
themechanicsofamajorcyberattackarehighlycomplexandabstracttoeverydaycitizens.By
engagingtheglobalpublicinthecybersecurityissuesitinvestigates,theorganizationcanbuild
publictrustthatwillinturnyieldcredencetoitsattributionjudgements,thus,hopefully
contributingtothedeclineofmajorstate-sponsoredcyberattacksovertime.
CooperationamongCompetitors
Oneofthegreatestchallengesindevelopingaprivatesectorblueprintforcyberattack
attributionisexploringhowtheproposedorganizationcouldadvocateandincentivizeprivate
sectorcompaniestocommittoaprocessofinformationsharingandcoordinatingcommon
resourceswithfirmsthatareoftentheircompetitors.Mostcompaniesaimtoprevent
cyberattacksthroughfocusingonstrengtheningtheirinternalnetworksratherthan
coordinatingwithcompetitors.
Additionally,somecompaniesprefertoabsorblossesincurredbysecuritybreachesratherthan
revealweaknessesincybersecuritysystems—allinthenameofprotectingreputationsand
shareholdervalues.However,focusoninternalcybersecurityattheexpenseofindustry
informationsharingandcooperationishighlyimpractical,asitisnearlyimpossiblefora
69Black,Richard.“NuclearPower‘GetsLittlePublicSupportWorldwide.’”BBCNews,November25,2011,sec.Science&Environment.http://www.bbc.com/news/science-environment-1586480670IAEA.“BuildingPublicTrustinNuclearPower.”InternationalAtomicEnergyAgency,March2013.https://www.iaea.org/sites/default/files/publications/magazines/bulletin/bull54-1/54104711212.pdf
39
companytoidentifyandpatcheverycybersecurityvulnerabilityarisinginasinglenetwork.71
Informationsharingbetweencompaniesallowsforgreaterunderstandingofcybersecurity
threatscanmakeeverycompanystronger.Yetdespitegeneralacknowledgementofthe
importanceofinformationsharingandthepresenceofsectorspecificinformationsharing
bodiessuchasInformationSharingandAnalysisCenters,considerableroomforimprovement
andgreaterindustrycooperationremains.72
Toovercomethechallengeofprivatesectorcooperation,weproposeadoptinginformation
sharingpracticesthatincentivizegreaterindustrycooperation.Theglobalcollaboration
exhibitedbytheStuxnetInvestigationandtheEgmontGroupofFinancialIntelligenceUnits
offeramodelthatcanbeadaptedtobolstercyberdefenseandeffectivelydecreasethecosts
ofdefensetoallorganizationmembers.
IncentivizingCooperationthroughAccesstoResources
Asagroupof152governmentalbodies,theEgmontGroupisasuccessfulmodelofhowto
incentivizecooperationinawaythatleadstointernationalcooperation.TheEgmontGroupis
responsibleforanalyzingfinancialinformationsharedbybanksandfinancialinstitutionswith
thegoalofstoppingmoneylaunderingandterroristfinancing.73Governmentsandfinancial
institutionswillinglysharethissensitiveinformationwiththeEgmontGroup,andbyextension,
othercountries.GovernmentsmustapplytobeadmittedtotheEgmontGroup,suggestingthat
governmentswanttobepartofasystemofnormsandcollaboration.74
TheEgmontGroupincentivizescollaborationandinformationsharinginthreekeyways.First,
governmentsapplyingtotheEgmontGroupgainaccesstotheGroup’swidevarietyoftraining
resourcesandtoaccessfinancialdatafromothercountries,resourcesthatultimately
strengthenagovernment’sownfinancialsecurity.75ExamplesoftheEgmontGroup’sresources
71Gagnon,Gary.“WhyBusinessesShouldShareIntelligenceAboutCyberAttacks.”HarvardBusinessReview,June13,2013.72Gagnon,2013.73“FinancialIntelligenceUnits(FIUs)-TheEgmontGroup.”74InternationalMonetaryFund,andWorldBank.“FinancialIntelligenceUnits:AnOverview,”2004.https://www.imf.org/external/pubs/ft/FIU/fiu.pdf75InternationalMonetaryFundandWorldBank,2004.
40
includeyearlyplenariesandcommuniqueswheremembersdiscussthemostpertinentcase
studiesinfightingmoneylaunderingacrosstheglobe,trainingsessionsonimplementing
FinancialActionTaskForceRecommendations,andsystemssetoutforanti-moneylaundering
andthwartingterrorismfinancingorganizations.76EgmontGroupmembershipalsoprovides
accesstotheresourcesoftheInternationalMonetaryFundandWorldBank,whoprovide
technicalassistancetothefinancialintelligenceunitsofmembercountries.77Governmentsuse
thisinformationandassistancetomoreeffectivelyattributecriminalactivitywithintheirown
borders.Gaininginsightfromanetworkofinternationalbodiesisparticularlyusefulduetothe
transnationalnatureofmanyfinancialcrimes.
Second,theEgmontGroupincentivizesmembershipthroughitsclear,centralized
communication,fosteringefficientexchangeofinformationpertinenttotimelyattribution
judgements.TheEgmontGrouphasfourworkingbodiesspecificallydesignatedtoenhancethe
qualityandquantityofinformationbeingsharedamongFinancialIntelligenceUnits,aswellas
toenhancethemethodologiesandstandardsofcommunicationsbetweengovernments.The
benefitsreapedfromeffective,immediateinformationexchangeallowindividualgovernments
toreducetheeconomicandopportunitythecostofconductingtheirowninternational
investigation.
Lastly,Egmontencouragesinternationalcooperationthroughthereputationalbenefitsit
affordsitsmembers.Membersareincentivizedtocooperateduetotheoperationalbenefitsof
joiningalargeorganizationthatallowsmembergovernmentstomoreeffectivelycombat
activitycondemnedbynotonlyinternationallawandconventions,butmanydomesticlawsas
well.Intheeyesofdomesticandinternationalaudiences,Egmontmembershipsignalsa
commitmenttofinancialaccountability,bolsteringagovernment’slegitimacyandinternational
standing.
76“PublicStatementsandCommuniques-TheEgmontGroup.”AccessedApril3,2017.https://www.egmontgroup.org/en/document-library/9.77InternationalMonetaryFundandWorldBank,2004.
41
EncouragingCooperationthroughPrivacyAssurances
TheStuxnetInvestigationisanotherusefulmodelofprivatesectorcooperation,especially
amongcompaniesthataretraditionallycompetitors.InthewakeoftheStuxnetattack,Russian
securityfirmandanti-virusproviderKasperskyLabandtheAmericancompanySymantecledan
ad-hocinvestigationtoattributethesourceoftheattack.Theirworkwasnotonlytoattribute
responsibility,buttorebuildconsumerconfidenceinthesecurityofInternetdata.78Inaddition
toworkingwithSymantec,KasperskyLabalsoworkedwithothercompetingsecurityfirmssuch
asMacAfee,andcollaboratedwitharangeofindustryandgeopoliticalexpertstoapproachthe
investigation.79ThesecompetitorsworkedtogethertoshareevidencepertainingtoStuxnet
andmademutualassurancestokeepeachother’sdataprivate,fosteringmoredirect
cooperationanddisclosure.
IntheStuxnetInvestigation,thechallengeofconvincingcompetitorstocooperatewassolved
throughinstitutingasystemofinformationsharingwithguaranteedprivacyassurances.The
proposedattributionorganizationshouldsimilarlyinstitutionalizeprivacyassurancesinaway
thatfostersinvestigationandevidencecollectionwhilepreservingeachmembercompanies’
competitiveedge.Aslongaseachcompanyagreesuponthetypeofattackdatatheywillshare
andmakesassurancestokeepsensitivedataprivate,eachcompanyshouldbeabletoreapthe
benefitsthataccompanycooperation.80ByfollowingtheStuxnetexample,competitorscan
cooperatewhileincreasingtheirabilitytoattributemajorcyberattacksinatimelyandefficient
manner.
IndustryCompliancewithOrganizationalNormsAnotherchallengeincreatinganinternationalprivatesectorattributionorganizationis
obtainingindustrycompliance.Fortheattributionorganizationtocompleteitsobjectives,its
membersmustadheretotheproposedorganization’sprocessesandestablishedbehavioral
78KimZetter,“HowdigitaldetectivesdecipheredStuxnet,themostmenacingmalwareinhistory,”WIRED,July11,2011,accessedMay1,2017,https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/.79DavidKushner,“TheRealStoryofStuxnet:HowKasperskyLabtrackeddownthemalwarethatstymiedIran’snuclear-fuelenrichmentprogram,”IEEESpectrum,February26,2013,accessedMay1,2017,http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.80Gagnon,2013.
42
norms.Theproblemofcompliancestemsfromtheunwillingnessofprivatefirmstovoluntarily
disclosesensitiveinformationandvulnerabilities,includingtheirownsusceptibilityto
cyberattack.Companiesriskexposingthemselvestoliabilitysuits,awrite-downofshare-price,
andthedisclosureinformationtocompetitors.
Theissueofcompliance,however,isnotanewdilemmaforinternationalorganizations.Inthe
followingsection,weapplyrationalistandconstructivisttheorytoaddressthecompliance
questionfortheproposedorganization.Inassessingbehavioraltheory,weattempttodelineate
severalcrediblereasonscompaniesengageincompliance,principally,togainsecurityreward
andtoavoidreputationalpunishment.81Thiscanonlybeaccomplished,however,ifcompanies
trustandvalidatethebehavioralnormsandstandardstheymustadhereto.
RationalistBehaviorTheory
Rationalisttheoryarguesthatprivateandstateactorswillundergoacost-benefitanalysisand
thenonlyobserveinternationallawifcomplianceoutweighsthedisadvantagesofnon-
compliance.82However,lawsalonedonotcausecompanies,orstates,tobehaveincertain
ways.Reputationalconcernandmutualbenefitsalsoinfluencecompliancebehavior.For
example,followingtheOperationAuroraattacks,executivesatGooglebelievedthatitwas
moreimportanttoupholdapositivepublicimagethantoadheretoChina’sstrictInternet
regulations.83Thus,GooglelostbillionsofdollarsofpotentialrevenueafterexitingtheChinese
marketsinexchangeformaintainingitsreputation.Basedonthisexample,andtiedtothe
sameincentivesthatcompelcooperationamongcompetitors,itislikelythatcompanieswillsee
participationinsuchanattributionorganizationintheirbenefit.
ConstructivistTheory
Oneofthemanyfociofconstructivisttheoryexaminestheissueofreputationinrelationto
81Seee.g.HaroldHongjuKoh,“WhyDoNationsObeyInternationalLaw?,”YaleFacultyScholarshipPress(1997),accessedMay23,2017,http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=2897&context=fss_papers.82AbramChayesandAntoniaHandlerChayes,“TheNewSovereignty:CompliancewithInternationalRegulatoryAgreements,”HarvardUniversityPress(1998).83DougGross,“Googlevs.China:Freespeech,financesorboth?,”CNN,January13,2010,accessedMay11,2017,http://www.cnn.com/2010/TECH/01/13/google.china.analysis/index.html
43
compliancewithaninternationalorder.Constructivisttheoryplacesagreaterweightinidentity
formationandinternationalsocietytoexplaincompliancemotivationsthandorationalist
approaches.84Theconstructiviststrandofthinkingbraidstogetherrationalists’emphasison
self-interestwithsociallyconstructedinterests.Theseconstructedinterestsincluderecognized
normsandvaluesthatcancompelcompaniestoactacertainwaytomaintaintheirreputation.
Constructivistsascribesuccessfulcompliancewithbehavioralnormstothreefactors.Thethree
factorsthatfosterstrongerwillingnesstocomplywithanorganization’srulesareefficiency,
self-interest,andtrust.85Therefore,anorganizationalmodelbasedondiscourse,persuasion,
andcooperation,ratherthancoercionwillleadtoaccordancewithaninternational
organization’srules.86
UsingTheorytoUnderstandCompliance
Wecanusethesetheoriestounderstandtheprocessbywhichcompanies’pursuitoftheirbest
interestwillshapebehavior.Companiesobeypowerlessrulesbecausetheyarepulledtoward
compliancebyconsiderationsoflegitimacyandifmembersfeelthattheorganization’srules
areequallyappliedandfair.Designingtheproposedorganizationsothatbenefitsof
membershipexceedcostofmembershipisessential;thebenefitsofenhancedcompany
security,thepromotionofgeneralInternetsecurity,andenhancedcompanyreputationmust
outweightherisksofinformationsharing.Trustisessentialinmotivatingcompaniestocomply
withanorganization’sbehavioralnormsandprocesses.Generatingtrustliesinan
organization'sprocessanddesign.Certainproceduralinstrumentssuchastransparency,
streamlineddatacollection,independentverificationandexpertsupervision,andadefaultto
disclosurehelptopromoteandmaintaintrust,and,thus,compliancewiththeproposed
organization’snormsformemberbehavior.
84HaroldHongjuKoh,“WhyDoNationsObeyInternationalLaw?,”YaleFacultyScholarshipPress(1997),accessedMay23,2017,http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=2897&context=fss_papers.85Koh,1997.86AbramChayesandAntoniaHandlerChayes,“TheNewSovereignty:CompliancewithInternationalRegulatoryAgreements,”HarvardUniversityPress(1998).
44
LegalChallengesofInformationSharing
Acoordinatedeffortamongprivatesectoractorswillrequiresharingsensitiveaccesstocyber
incidentinformation,raisingquestionsaboutthelegalityofcross-borderinformationflows.In
ordertoproduceaccurateattributionjudgements,theproposedorganization’sinformation
repositoryislikelytoincludesensitiveinformationsuchascontrolledunclassifiedinformation
andpersonallyidentifiableinformation.Practicallyspeaking,aforensicanalystiscertainto
confrontpersonallyidentifiableinformationwheninvestigatingacompany'scomputer,or
reviewemailssuspectedofphishingattacks,87givingrisetopotentialrisksofviolationof
privacyandconfidentiality.Disclosureofsuchsensitivedatamayviolatefiatlaws,regulation,
andprivacycontracts.Inaddition,itmayrunupagainstinternationalagreements—for
example,theUNInternationalCovenantonCivilandPoliticalRights(ICCPR)outlinesprivacyas
aninternationalhumanright,88whileArticle8oftheEuropeanConventiononHumanRights
citesprivacyrightsasareasontorestrictdatasharing.89
Althoughprivacylawsmaycomplicatetheprocessofsharinginformationwiththeproposed
attributionorganization,webelievethatreconcilingthisobstacleisnotonlypossible,butthe
lynchpinforensuringthatorganizationalmembershipisdiverseandsustainable.Wedrawupon
theexampleprovidedbytheFinancialIndustryRegulatoryAuthority(FINRA)asasolutionto
legalobstaclestoinformationsharing.
AutomatingDataAnalysis
FINRAisanexcellentexampleofanorganizationthatautomatesthecollectionandprocessing
ofdatainadherencewithmajorprivacylaws.FINRAisaprivate,self-regulatoryorganization
monitoringtheUnitedStatesequitymarket.90Inthisposition,itcollectsinformationonmarket
87ChrisJohnsonetal,“GuidetoCyberThreatInformationSharing,”NationalInstituteofStandardsandTechnology(NIST)(2016),availableat:http://dx.doi.org/10.6028/NIST.SP,800-150.88“InternationalCovenantonCivilandPoliticalRights,”UnitedNationsGeneralAssembly(1966),accessedMay17,2017,http://www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx.89“ConventionfortheProtectionofHumanRightsandFundamentalFreedomsRome,”(1950),accessedMay17,2017,https://rm.coe.int/1680063765.90“AboutFINRA,”finra.org,accessedMay1,2017.https://www.finra.org/about;CarrieJohnson,"SECApprovesOneWatchdogForBrokersBigandSmall,"TheWashingtonPost,July27,2007,PageD02.,accessedMay2,2017,http://www.washingtonpost.com/wp-dyn/content/article/2007/07/27/AR2007072700108_pf.html.
45
prices,equitytrading,andotherkeyvariablesinacentralizeddatabase.91Whilethisdatais
sensitiveandripeforasecuritybreach,FINRA’sdatabaseusesanautomatedprogramto
processdailytransactionsanddetectfinancialfraud,suchasmarketmanipulation,insider
trading,andcompliancebreaches.92FINRA’sautomatizeddataanalysisprovidesclear
parameterstodatacollectionwhiledevelopingnormsthatmaintainacompany'slegal
obligationstowardsinformationsharing.Bydelineatingaprocedureforcommunicationand
evidencegathering,FINRAisamodelthathandlesinformationsharinginamannerconsistent
withtheprivacyandsecurityofpersonaldata.93
TheproposedattributionorganizationcanintegrateFINRA’sautomatedinformationsharing
processesintoitsfunction,helpingtoensurecompliancewithdifferentprivacylaws.First,the
automationofdataanalysis,sorting,andextractionwillremovetheliabilityofhavinghumans
sortthroughsensitiveinformation.94Privacywillbefurtherprotectedbyestablishingformal
normsandproceduresfortheorganization’sgathering,sharing,andpreservingevidence.95
Defininghow,when,andwhatinformationcompaniescansharewillbetheprincipalmeasure
toformalizesecureinformationsharingcapabilities.Forexample,followingamajor
cyberattack,digitalevidencesuchasfilecases,networkportnumbers,andregistrykeyvalues
arefreeofpersonallyidentifiableinformation.96Aslongasmemberorganizationsagreeto
restrictthecollectionofevidencetoonlypertinentdatasurroundinganattackandsimilarly
agreetotheautomatizationofdataanalysis,privacylawscanbeeffectivelyrespectedwithout
hinderingtheattributionprocess.
CollectingSensitiveandConfidentialCyberIncidentInformation
Collectingandpublishingsensitiveinformationfromconfidentialsourcesisamajorchallenge
91“Technology|FINRA.org,”accessedMay16,2017,https://www.finra.org/about/technology.92“Technology|FINRA.org”93DeniseZhengandJamesLewis,“CyberThreatInformationSharing,”CenterforStrategicandInternationalStudies(2015),accessedMay17,2017,https://www.csis.org/analysis/cyber-threat-information-sharing.94ChrisJohnsonetal,2016.95ChrisJohnsonetal,2016.96ChrisJohnsonetal,2016.
46
fortheproposedorganization.Whiletheorganizationwillfosterregularcommunication
channelsbetweenmembersandsetclearparametersforinformationsharing,sometimes
evidencepertainingtoacyberattackcannotbeobtainedbyorganizationmembersalone.At
times,theorganizationwillrelyoninformationfromthepublictocompleteitsattribution
judgements.Atothertimes,theorganizationmayneedinformationthatonlygovernment
agenciescanprovide.
SecureDrop:AToolforAnonymityandSensitiveDataCollectionfromthePublic
Theproposedorganizationcanguaranteeanonymityofsourcesbyusingasoftwareapplication
calledSecureDrop.AsillustratedbytheStuxnetInvestigation,informationsurroundingmany
majorcyberattacksoftencomefromanonymoussourceswhoseprivacymustbeprotected.
Anonymoussourcesfunctionaswhistleblowerswhorisklosingtheirjobsandmayface
prosecution.Thus,theproposedattributionorganizationmustfindawaytoprotectsourcesof
confidential,sensitiveinformationwhilesimultaneouslymaintainingacommitmenttoa
transparentinvestigativeprocess.Solelyrelyingonclassifiedinformationcouldunderminethe
proposedorganization’slegitimacyandcommitmenttoopenness,whileomittinginformation
fromwhistleblowerstoprotecttheirinformationwouldresultinincompleteevidence
collectionandaless-credibleattributionjudgement.Incontrast,whenanattribution
judgementusesbothopenlyavailableevidenceaswellasevidenceprovidedfromsensitive
sources,ajudgementisfarmorecredibleandauthoritative.
Journalistshavelongdependedonanonymoussourcesintheirwork.TheStuxnetInvestigation
isacaseinpoint.TheWashingtonPostrelieduponananonymousgovernmentwhistleblower
tovalidatetheprivatesector’sattributionreport.Withtheinputofthisanonymous
whistleblower,theWashingtonPosthelpedbolsterthecredibilityoftheStuxnetInvestigation’s
attributionoftheattacktotheUnitedStatesandIsrael.97
SecureDropissoftwareplatformiswidelyusedbynewspaperorganizationsthatallows
97WashPostPR,“Q&AaboutSecureDroponTheWashingtonPost,"TheWashingtonPost,June5,2014,accessedMay23,2017,https://www.washingtonpost.com/pr/wp/2014/06/05/qa-about-securedrop-on-the-washington-post/?utm_term=.75a18f73a812.
47
whistleblowerstoconfidentiallyshareinformationandcommunicatewithjournalists.98
SecureDropisintegratedintoTOR,fullyencryptscommunications,cannotbeaccessedby
anyoneoutsidethenewsorganizationthatownsit,minimizesthemetadatatrailbetween
journalistsandsources,anddoesnottrackIPaddresses.99ThecodeforSecureDropisopen
sourceandavailabletoindependentoversight.Additionally,SecureDropisauditedbythe
FreedomofthePressFoundation,anon-profitfreespeechadvocacygrouptoguaranteeits
security.100SecureDropisfreeandinternationallyaccessible,makingitarealistictoolforour
proposedattributionorganization,whichwilllikelybegatheringevidencefrommanycountries
atonetime.
Tearlines:AMechanismforReceivingGovernmentInformation
Itislikelythattheproposedorganizationwillneedtoreceiveclassifiedgovernment
information,makingamechanismtoensuretheinformationissecurenecessary.Apotentially
usefulmechanismis“tearlines.”Governmentintelligenceagenciesusetearlinestoshare
classifiedinformationtopartieswithoutdisclosingthemostsensitiveinformation.
Forexample,theIntelligenceCommunityDirective209statesthattearlinesare,“writtenfor
thebroadestpossiblereadershipinaccordancewithestablishedinformationsharingpolicies,
andrequirementsinlawandpolicytoprotectintelligencesourcesandmethods.”101Essentially,
tearlineshelpUSintelligenceagenciesdisclose,whenpossible,limitedclassifiedinformationto
partiesforaninvestigation,“includingbyproviding[information]tonon-Federalentities.”102
TheuseoftearlinesisnotlimitedtotheUS.TearlineswereusedbythePakistanInter-services
Intelligence(ISI)toshareclassifiedintelligencewithIndiaforthe2008Mumbaiterrorattack
98JamesBall,“GuardianlaunchesSecureDropsystemforwhistleblowerstosharefiles,”June5,2014,accessedMay23,2017,https://www.theguardian.com/technology/2014/jun/05/guardian-launches-securedrop-whistleblowers-documents.99Ball,2014.100TrevorTimm,“SecureDropUndergoesSecondSecurityAudit,”FreedomofthePressFoundation,January20,2014,accessedMay23,2017,https://freedom.press/news-advocacy/securedrop-undergoes-second-security-audit/.101“IntelligenceCommunityDirective209-TearlineProductionandDissemination”(OfficeoftheDirectorofNationalIntelligence,September12,2012):2.102“IntelligenceCommunityDirective209-TearlineProductionandDissemination,”2012.
48
investigation.103Inregardtoacyberattackattributioncase,iftheproposedorganization
requiresclassifiedgovernmentintelligence,tearlinesmaybetheanswer.Whilethereisa
possibilitytheinformationdesiredtopiecetogetheracyberattackattributionisthesensitive
informationabovethetearline,tearlinesprovideamechanismfromwhichtobeginsecure
informationsharingbetweengovernmentsandtheproposedorganization.Havinga
mechanisminplacetokeepachannelopenforthegovernmenttoshareclassifiedinformation
canserveasausefulstartingpoint.
MethodsofInformationSharing Onceevidenceiscollected,theorganizationmustfindawaytosecurelyexchangeinformation
relatingtoitsattributionjudgement.Therearefourcommonmethodsofdisseminating
findings.First,informationsharingcanberegulatedwithaformalizedagreement,where
partiesagreewhatinformationwillbeexchanged,howitwillbeused,andhowitwillbekept
confidential.104Second,securityclearance-basedinformationsharingpracticesinvolve
protectedchannelsofcommunicationbetweenintelligencesources—butisfundamentally
narrowerinscopethanaformalizedinformationsharingagreement.105Third,organizationscan
useatrust–basedmodelofcommunicationthatlacksformalagreementandisusedbyaclosed
groupofindividuals—usuallycybersecurityprofessionalsfromdifferentcompanies—whoshare
informationwithoneanotherwhentheyseesecurityissuesofcommonconcern.106Finally,an
ad-hocmodelofexchangeoccursinresponsetoacyberattackandestablishestemporary
channelsofcommunicationpertainingspecificallytoaparticularattack.107Itisnotuncommon
foranad-hocmodeltolaythegroundworkforamoreformalizedmethodofinformation
sharinginthefuture.108
103AmitBaruah,“Pakistan‘SharedMumbaiAttacksResearchwithIndia’-BBCNews,”December4,2010,http://www.bbc.com/news/world-south-asia-11917514.104CristinGoodwinandJ.PaulNicholas,“AFrameworkforCybersecurityInformationSharingandRiskReduction”(Microsoft,January26,2015),https://www.microsoft.com/en-us/download/details.aspx?id=45516.105Ibid.106Ibid.107Ibid.108Ibid.
49
Inourresearch,wefoundthatinternationalorganizationstendedtouseaformalizedmodelof
informationsharing,whileinvestigativeprocessestendedtouseanad-hocmodel.Inthis
section,weproposethattheattributionorganizationadoptanad-hocmodelsinceitismost
inclusiveandeffectiveatreducingbarrierstoinformationsharingamongprivateactors.Inthis
recommendation,wedrawupontheexampleoftheMumbaiTerroristAttackInvestigation’s
ad-hocinformationsharingstructureasanexampletofollowintheimmediatefuture.
However,furtherdowntheroad,whentheattributionorganizationismoreestablished,amore
formalizedmodelofcommunication,suchastheoneembodiedbytheNATOCCDCOE,maybe
ofuse.
AdoptinganAd-HocMethodofExchange
TheMumbaiTerroristAttackinvestigationisastrongexampleofad-hocinformationsharing
thatcanbeeasilyadoptedbytheattributionorganization.The2008Mumbaiattackshave
manyparallelswiththetypeofstate-sponsoredcyberattackstheorganizationwillinvestigate.
TheMumbaiattacksweregeopoliticallymotivated109andoriginatedinPakistanwiththe
perpetratorshavingclosetiestoPakistaniintelligence.110BecauseoftheclosetiestoPakistani
Intelligence,theattackissimilartothewayanationstatemightperpetrateamajorcyberattack
forgeopoliticalreasons.
TheMumbaiinvestigationwasledbytheIndiangovernmentandaidedbyintelligencefromthe
USandUK,culminatinginthepresentationofanattributionjudgementtothePakistani
government.Oncetheattacktookplace,anad-hocmodelofinformationsharingwas
immediatelyemployed:intelligenceunitsfromtheUS,UK,andIndiabeganrapidlysharing
evidencewithoneanother.TimelyandopeninformationsharinghelpedIndiaproducean
effectiveattributionjudgement,identifyingindividualsresponsiblefortheattack.
109FireEye,“APT28:AWindowIntoRussia’sCyberEspionageOperations?,”IntelligenceReport,(October2014).110SebastianRotella,JamesGlanz,andDavidE.Sanger,“In2008MumbaiAttacks,PilesofSpyData,butanUncompletedPuzzle-ProPublica,”ProPublica,December21,2014,https://www.propublica.org/article/mumbai-attack-data-an-uncompleted-puzzle.
50
TheMumbaicommunicationmodelisanexamplethatwouldbethemostimmediately
applicabletoanascentattributionorganization.Followingthismodel,whenacyberattack
occurs,alltherelevantstakeholderscouldeasilyconvenetoshareinformationpertainingtothe
specificattackandproduceanattributionjudgement.Sinceeachmajorcyberattackisuniquein
someformoranotherandinvolvesdifferentvictimsandperpetrators,notallthemembersof
theattributionorganizationwouldnecessarilybeinvolvedineachinvestigation.Anad-hoc
modelisflexible,allowingfortheexclusionandinclusionofrelevantpartiesdependingonthe
natureoftheattack.
TowardaFormalizedMethodofExchange
Whilead-hocmethodsofinformationexchangeareflexibleandusefulastheproposed
attributionorganizationbeginsitsoperations,establishingaformalizedmethodofexchange
wouldbeadvisableoncetrustisfullyestablishedbetweenorganizationmembersandthe
publicandadiversesetofcompaniesbecomeorganizationmembers.Amoreformalized
channelofinformationsharingwillfostergreaterefficiency,sincethecentralizationof
resourceswillenablefasterinvestigation.
TheNATOCCDCOEservesasanexampleofformalizedinformationsharingthatcanbereadily
appliedtotheproposedattributionorganization.TheCCDCOE’smethodofinformationsharing
issaidtobeformalizedbecauseinclusionrequiresmembershipinvolvingfinancialcontributions
totheCCDCOE.111Becauseofanestablishedsystemoftrustandconfidence,CCDCOE
memberscandiscussmorethancanbecoveredinanad-hocmethodofexchange.CCDCOE
membersshareallinformationpertainingtocybersecuritywithoneanother,notjust
informationpertainingtoonecyberattack.Inthissense,CCDCOEmembershaveafullershared
understandingoftheglobalcybersecuritylandscapeandcanplanmoreeffectivelyand
efficientlyforinvestigations.Forexample,theCCDCOEhasproducedtheTallinnManual,holds
theannualCyConconference,andconductscyberattackandcyberdefenseexercises.112These
111NATO,“AboutCyberDefenceCentre|CCDCOE,”NATOCooperativeCyberDefenceCentreofExcellence,accessedApril30,2017,https://ccdcoe.org/about-us.html112“TallinnManualProcess|CCDCOE,”accessedMay4,2017,https://ccdcoe.org/tallinn-manual.html.
51
activitiesstrengthenthecybersecurityofCCDCOEmembers.Iftheattributionorganizationcan
formalizeitsmethodofinformationsharing,ithasthepotentialtoexpanditsinvestigative
capacitiesandfundamentallyenhanceglobalInternetsecurity.
SharingInformationwithChinaandRussia
Notonlyistherenouniversalapproachtoinformationsharing,butfurthercomplicating
prospectsofglobalcooperationwithintheattributionorganizationareexistinggeopolitical
rivalriesanddifferingapproachestoInternetgovernance.Whilemanymajortechnology
companiesarelocatedwithintheUS,ChinaandRussiaaretheothertwomajoractorsin
internationalcyberspace.Eachhasbarrierstosharinginformationand,alongwiththeUS,each
isapotentialsourceofstate-sponsoredcyberattacks.
TheChinesegovernmenttendstomaintainstrictercontroloverprivatesectorinformation
sharingthancountriessuchastheUnitedStates.China’s2016CybersecurityLawconstrainsthe
abilityoftheprivatesectortoshareinformationdeemed“statesecret,”whileleavingthe
definitionof“statesecret”ambiguous.Theambiguitythenmakescompanieshesitanttoshare
datawitheachother,letalonetheirinternationalcounterparts.113Furthermore,Chinese
technologycompaniestendtoadheretothegovernment’spoliciesbecausetheyarefinancially
rewardedforcompliancewiththestate.114ThisdynamicservesasadisincentiveforChinese
companiestocooperatewithentitiesoutsidethecountry.
SimilarobstaclestointernationalprivatesectorcooperationexistinRussia.Russiancompanies
havedemonstratedtheirdesiretoshareinformationwiththeirglobalcounterpartsonseveral
occasions,buttumultuousdomesticandinternationalpoliticssometimesscarecompaniesinto
silence.Forexample,theRussian-basedsecuritycompanyKasperskyLabdemonstratedits
willingnesstocooperateandshareinformationduringtheStuxnetInvestigation.However,
113ZachWarren,“AreyoureadyforthenewChinaCybersecurityLaw?,”InsideCounsel,February28,2017,accessedMay17,2017,http://www.insidecounsel.com/2017/02/28/are-you-ready-for-the-new-china-cybersecurity-law?ref=footer-news.114HaukeJohannesGierow,“CyberSecurityinChina:InternetSecurity,ProtectionismandCompetitiveness:NewChallengestoWesternBusinesses,”MERICS,April22,2015,accessedMay17,2017,http://www.merics.org/fileadmin/templates/download/china-monitor/150407_MERICS_China_Monitor_twenty-two_en.pdf.
52
RussianauthoritiesarrestedKaspersky’sleadinginvestigatorontreasonchargesinlate2016,
allegedlyforaidingtheFBI’sinvestigationofRussianinvolvementinthe2016UnitedStates
presidentialelections.115Aroundthesametime,theUnitedStatesgovernmentrestricted
KasperskyLab’saccesstoAmericanmarketduetoitssuspectedcollaborationwithRussia’s
securityservices.116Thus,KasperskyLabhasscaledbacksignificantlyonitscooperationwith
non-Russianpartners.117
CompaniesinbothChinaandRussiaoperateinadelicatepoliticalenvironment.Ononehand,
thesecompaniesrecognizetheimportanceofinternationalinformationsharing.Ontheother
hand,theymustbalanceobediencetodomesticlaworfaceheavypoliticalandfinancial
penalties.Additionally,whenChineseandRussiacompaniescollaborateonaninternational
level,theyareoftenmetwithsuspicionfromtheothercountries.
However,differentapproachestoinformationsharingneednotbeabarriertogreater
internationalcooperationandtheproductionoftimely,effectiveattributionjudgements.We
canencouragegreaterinformationsharingandglobalcooperationwithRussiaandChina
throughjointsecurityventuresinotherpartsoftheworldandthroughthecreationof
technologyoutreachprograms.
EngagingthePrivateSector
ThekeytogainingRussianandChineseprivatesectorcooperationistobuildonthecommon
groundsharedbyalltechnologycompanies.Forexample,whileKasperskyLabmaybeviewed
controversiallyintheUnitedStates,KasperskyLabalsocompletesprojectsthatmanyAmerican
companieswouldalsoviewasimportantandnon-controversial.Forexample,KasperskyLab
sharesintelligencewithInterpolastheyinvestigatecyberattacksinSoutheastAsia.118Chinese
115DanGoodin,“KasperskyLab’stopinvestigatorreportedlyarrestedintreasonprobe,”ArsTechnica,January25,2017,accessedMay17,2017,https://arstechnica.com/security/2017/01/kaspersky-labs-top-investigator-reportedly-arrested-in-treason-probe/.116CoreyFlintoff,“KasperskyLab:BasedinRussia,DoingCybersecurityintheWest,”NPR,August10,2015,accessedMay17,2017,http://www.npr.org/sections/alltechconsidered/2015/08/10/431247980/kaspersky-lab-a-cybersecurity-leader-with-ties-to-russian-govt117Flintoff,2015.118Ians,“KasperskyLabjoinsInterpol-ledcybercrimeoperationacrossAsiannations,”TheEconomicTimes,April25,2017,accessedMay17,2017,http://economictimes.indiatimes.com/tech/internet/kaspersky-lab-joins-interpol-led-cybercrime-operation-across-asean-nations/articleshow/58360723.cms.
53
securitycompaniesalsocooperatewithothercountries.119Itappearsthatifinformation
technologysecuritycompaniesinRussiaandChinastayoutoftheirnationalgovernments’
businessandcomplywithgovernmentpoliciesoninformationsharing,thesecompaniescan
stillparticipateininternationalcyberattackinvestigationselsewhereintheworld.Thus,
informationtechnologycompaniesinRussiaandChinacanstillbecomeimportantmembersof
theproposedattributionorganizationwhileadheringtotheirnationalpolicies.
Inaddition,theattributionorganizationcanengagewiththeprivatesectorinChinaandRussia
throughaseriesofoutreachandtrainingprograms.Suchtrainingprogramscanincludecross-
borderprogramsoncombatingstate-sponsoredcyberattacksandcreatingjointtechnology
venturestobuildtrustbetweencompaniesoperatingwithdifferentpoliticalperspectives.120
Programslikethesecreategroundforgreaterinternationalcooperationandinformation
sharinginthefuture.
119Ians,2017.120DavidShukman,“OpenSesame:ScienceCenterUnveiledinJordan,”BBCNews:Science&Environment,May16,2017,accessedMay17,2017,http://www.bbc.com/news/science-environment-39927836.
54
Conclusion
Theadvantagesofformalizingtheinvestigationofcyberattackattributionintoaninternational
organizationareapparent.Throughcentralizedinformationsharingpracticesandprivatesector
cooperation,keyprocessesofattributingamajorcyberattack,suchasevidencecollectionand
analysis,canbedonebetterandfaster.Anetworkofcoordinatedprivatesectoractorscan
quicklycollectofamultitudeoftechnicalforensics,witnessstatements,andcriticalgeopolitical
information;onitsown,asinglepieceofevidenceisinsubstantial,butanarrayofevidence
createsaclearerpicture,oftenansweringthequestionofattributionfollowingamajor
cyberattack.
Theproposedorganizationcanbuildpublicconfidenceinitsattributionjudgmentsthrough
inclusionandtransparency.Ensuringthattheprocessesofcollectingevidenceanditsanalysisis
disclosedtothepublicreinforcesthecredibilityoftheattributionreport.Similarprocedural
normsthatencouragepeer-reviewwillfurtherenhanceorganizationalaccountability,while
transparent,non-governmentalmembershipfostersautonomyfromgeopoliticalinfluence.
Additionally,theproposedorganizationwillbenefitfromadiversityofperspectivesbyincluding
privatesectorcompaniesfromacrosstheglobe.
Theneedforgreaterprivatesectorcollaborationincyberspaceisclear.Asthelikelihoodof
attributionincreases,futurecyberattackswillbedeterredandperpetratorswillbeidentified.
Aninternationalorganizationtaskedwithattributionisclearlythenextstepinfosteringgreater
globalInternetsecurity,andtheprivatesectorhastheexpertiseandresourcestoseeit
through.
55
Appendix1:InternationalOrganizationsEachofthefollowingintergovernmentalornonprofitorganizationshasanestablishedsystemofauthorityandstandardsforcompliance.Wehave
identifiedbothprivateandpublicstakeholdersinvolvedwitheachorganizationandanalyzedeachorganization’sobjectives,governance,attributive
powers,andbudgetbeforecompilingasetofbestpracticesfromeachparty.
Weexaminedthefollowing14organizations:
• AmnestyInternational
• CitizenLab
• EgmontGroupofFinancialIntelligenceUnits
• EuropeanFinancialCoalitionAgainstChildPornography
• FinancialIndustryRegulatoryAuthority
• Greenpeace
• InternationalAtomicEnergyAgency
• InternationalCivilAviationOrganization
• InternationalLaborOrganization
• NATOCooperativeCyberDefenseCenterofExcellence
• OrganizationfortheProhibitionofChemicalWeapons
• UnitedNationsAl-QaidaSanctionsCommittee
• UnitedNationsSanctionsCommitteeonNorthKorea
• WorldTradeOrganization’sGATTArticleXX.
56
AmnestyInternational
Actors
Private- Researchers,journalists,non-governmentalorganizations(NGOs)
Public
Actions - Investigateshumanrightsabuses,lobbiesgovernments,andpromotesoutreachcampaigns121
Authority - Reputational
Structure - Aninternationalsecretariatbodyandinternationalboardprovidegeneralleadership
- Regionalsectionsexistin70countriesaroundtheworld122
Norms - StatuteofAmnestyInternational(2005)- InternationalNon-GovernmentalOrganization(INGO)AccountabilityCharter(2006)
Attribution - Publiclypublishesresearchonhumanrightsviolations- Organizationabidesbyanopeninformationpolicy
Budgetand
FundingSource(s)
- $250million(2016)- Fundedbyindependentdonations123
BestPractices - Prominentregionaldivisionsfostergreaterinternational
cooperation
- Highleveloftransparency
121“WhoWeAre,”AmnestyInternational,accessedApril29,2017,https://www.amnesty.org/en/who-we-are/.122“StructureandPeople,”AmnestyInternational,accessedMay1,2017,https://www.amnesty.org/en/about-us/how-were-run/structure-and-people/.123“2016GlobalFinancialReport,”accessedApril29,2017,https://www.amnesty.org/en/2016-global-financial-report/.
57
CitizenLab
Actors
Private- UniversityofToronto-basedinterdisciplinaryresearchlab
Public
Actions - EngagesonthecoreissuesofInternetopennessandsecurityfromahumanrightsperspective124
- Reportsarepublishedpublicly,sometimeswithmedia125
Authority - Reputational126
Structure - Aglobalresearchnetwork127
Norms - Proceduraltransparency128- Diversegeographicrepresentation129- Academicpeer-review130- Opensourcesharingofinformationandtechnicaltools131
Attribution - Makesallfindingspublic,oftendirectlyimplicatingactors132
Budgetand
FundingSource(s)
- Privatefoundations,institutes,andorganizations133
BestPractices - Mixedmethodapproachtoinvestigationandanalysis;
combinestechnicalandgeopoliticalexpertise
- Geographicdiversity,engagesincapacitybuildingwithmembersfromtheGlobalSouth
- Stakeholderoutreachviaorganizingandparticipatinginglobalconferences
- Autonomyfromgovernmentandcommercialinterests
124BPRAdministration,“BPRInterview:CitizensLabDirectorRonaldDeibert,”BrownPoliticalReview,October21,2012,accessedJune5,2017,http://www.brownpoliticalreview.org/2012/10/interview-citizens-lab-director-ronald-deibert/.125See,forinstance,MattathiasSchwartz,“CyberwarForSale,”TheNewYorkTimesMagazine,January4,2017,accessedJune7,2017, https://www.nytimes.com/2017/01/04/magazine/cyberwar-for-sale.html.126See,forinstance,AnitaElash,“HowTheCitizenLabpoliciestheworld'sdigitalspies,”CSMonitor,December22,2016,accessedJune7,2017,http://www.csmonitor.com/World/Passcode/2016/1222/How-The-Citizen-Lab-polices-the-world-s-digital-spies.127Ibid.128EvaGalperin,MorganMarquis-Borire,andJohnScott-Railton,“QuantumofSurveillance:FamiliarActorsandPossibleFalseFlagsinSyrianMalwareCampaigns,”CitizenLab-EEF,December23,2013,accessedJune7,2017,https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns.129“AbouttheCitizenLab,”accessedJune5,2017,https://citizenlab.org/about/;“CyberStewards,”accessedJune7,2017,https://cyberstewards.org/;and“OpenNetInitiative,”accessedJune7,2017,https://opennet.net/.130“CitizenLab|Github,”accessedJune7,2017,https://github.com/citizenlab.131Elash,2016.132Ibid.133“AbouttheCitizenLab.”
58
EgmontGroupofFinancialIntelligenceUnits
Actors
Private- Financialinstitutionsandnon-financialinstitutions
Public- FinancialIntelligenceUnits(FIU)
Actions - Submitscash-transactionandsuspiciousactivityreportstotheappropriateFIUs134
- DifferenttypesofFIUshavedifferentobjectives- SomeFIUsnotifyproperagenciestoenforcelaws,freezingandblockingsuspicioustransactionsandaccounts,andarrestsuspects135
Authority - CorporateExecutivesandBoardsofDirectors - Domesticlaw- UnitedNations(UN)Conventions136
Structure - Variesbyinstitution - EachFIUhasitsowncomplexstructure,densenetworkofinternalbodies,andprocess-specificgroups137
Norms - Managerialdiscretion- Localand/ornationallaw- 2003FinancialActionTaskForce(FATF)recommendationsbasedonViennaandPalermoConventions138
- FATFrecommendations139
Attribution - Noattributiveproperties;workssolelyasaninformation-gatheringorganization
- Nameorganizationsthatfailtoupholdreportingstandardsandlaws140- AttributioninformationissharedbetweenFIUsthroughcommuniques,plenarymeetings,andtrainings141
Budgetand
FundingSource(s)
- Budgetsvaryfrominstitutiontoinstitution- Fundsforeachinstitutionareacquiredthroughdebtandequity
- Budgetsvaryfromnationtonation- Fundingprovidedbynationalgovernments- UnitedStatesFIU(FinCEN)hasproposedbudgetofapproximately$155Min2017142
BestPractices - SuspiciousActivityReportsfunctionaspreventativemeasuresthatcanalsoprovideinformationneededto
launchcriminalinvestigations
- ProcessImprovementGroupspromoteinformationexchangeand
adherencetofinancialstandardscreatedbytheEgmontGroup
- Heavyemphasisoncommunicationandtrainingmechanismsensure
cooperationandcohesion
134InternationalMonetaryFund,andWorldBank.“FinancialIntelligenceUnits:AnOverview,”2004.https://www.imf.org/external/pubs/ft/FIU/fiu.pdf.135Ibid.136“MoneyLaunderingandtheFinancingofTerrorism-TheEgmontGroup.”AccessedApril30,2017.https://egmontgroup.org/en/content/money-laundering-and-financing-terrorism.137“StructureandOrganizationoftheEgmontGroupofFinancialIntelligenceUnits,“TheEgmontGroup.AccessedApril3,2017.https://www.egmontgroup.org/en/content/structure-and-organization-egmont-group-financial-intelligence-units.138InternationalMonetaryFund,andWorldBank,2004.139FinancialActionTaskForce.“INTERNATIONALSTANDARDSONCOMBATINGMONEYLAUNDERINGANDTHEFINANCINGOFTERRORISM&PROLIFERATION.”FAFTA/OECD,2013.http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf.140“News|FinCEN.gov.”AccessedApril30,2017.https://www.fincen.gov/news-room/news.141“PublicStatementsandCommuniques-TheEgmontGroup.”AccessedApril3,2017.https://www.egmontgroup.org/en/document-library/9.142InternationalMonetaryFund,andWorldBank,2004.
59
EuropeanFinancialCoalitionAgainstChildPornography(EFCACP)
Actors
Private- Banks,paymentcompanies,Internetserviceproviders
Public- Europol,EuropeanUnion(EU)
Actions - CooperateswiththeEFCACPtodesignandlaunchinitiativestostopthesexualexploitationofchildrenonline
- Workstopreventthetransferringoffundsforchildpornographythroughcreditcardsandotheronlinepaymentmethods
- ISPsworktoimplementabettersystemfordetectingandblockingpornographiccontent143
- Fightssexualexploitationofchildrenonlinebydisruptingtheeconomicsoftheillegalindustry
- Promotesawareness,cross-sectortrainingsessions,andpolicyresearchandpromotion144
Authority - Reputational - EU
Structure - Partnershipsareestablishedonavoluntarybasis- RepresentativesfromprivateindustrysitontheSteeringCommittee145
- Bureaucratic;oneofmanyregionalbranchesoftheFinancialCoalitionAgainstChildPornography
- TheEFCACPischairedbyEuropolandledbyaSteeringCommitteeFunctionsasabranchoftheEuropeanCyberCentreatEuropol
Norms - UNConventionontheRightsoftheChild- NGO/Industrybestpractices
- UNConventionontheRightsoftheChild
Attribution - Noattributiveproperties - Noattributiveproperties,butsharesinformationwithotherEUbodies
Budgetand
FundingSource(s)
- PartofEuropol’s$114.6millionbudget(2017)- FundingprovidedbyEUmemberstates146
BestPractices - Widerangeofprivateactorsfrommultiplefieldshavea
seatatthetableandareinvolvedintheorganization’s
structureandagenda
- Theprivatesectorisdirectlyresponsibleforcarryingoutinitiativestostopanyfinancialgainrelatedtochildsexual
exploitation
- Prominentregionaldivisionsfostergreaterinternational
cooperation
143“CommercialChildPornography:ABriefSnapshotoftheFinancialCoalitionAgainstChildPornography,”NationalCenterforMissingandExploitedChildren,(2016),http://www.missingkids.com/en_US/documents/Commercial_child_pornography_-_A_brief_snapshot_of_the_FCACP_2016.pdf.144“NewsfromtheEFC:ThePast,ThePresent,TheFuture,”accessedApril28,2017,http://us11.campaign-archive1.com/?u=a39d608c8102dd5c712efbc48&id=d1ce5b24df.145“EFCMembers,”EuropeanFinancialCoalitionagainstCommercialSexualExploitationofChildrenOnline,n.d.,http://www.europeanfinancialcoalition.eu/efc_members.php.146“StatementofRevenueandExpenditureoftheEuropeanPoliceOfficefortheFinancialYear2017”(OfficeJournaloftheEuropeanUnion,n.d.).
60
TheFinancialIndustryRegulatoryAuthority(FINRA)
Actors
Private- Self-regulatingprivatecorporation
Public- SecuritiesExchangeCouncil(SEC),JusticeDepartment,andtheFederalBureauofInvestigation(FBI)
Actions - MonitorsUSequities,sharesinformationwithauthorities- ProtectsinvestorsbyupholdingtheintegrityofUSfinancialmarket,andleviesfinesagainstbrokers147
- UseFINRA'sinformationtobuildevidencefortheprosecutionofsecuritiesfraud
Authority - Performsregulatoryoversightofsecuritiesfirmssellingtopublicinvestorsthroughcontractswithstockexchanges148
- TheSecuritiesandExchangeAct;SEC’sextraterritorialexerciseofitsjurisdiction
Structure - 3,400employeesbasedinWashington,D.C.andNewYorkCitywith20regionaloffices149
- Bureaucraticagencieswithinthefederalgovernment
Norms - ComplieswiththeFederalReserveandlawsregulatingdataandinformationprivacy
- Usesanarbitrationforum- Boardmembersarepubliclyelected150
- Pressbriefings,disclosure,lawsregulatingevidencecollectionandprosecution151
Attribution - Disclosesinformationpubliclyinreportsandwithlawenforcement152
- Yes,andprosecution153
Budgetand
FundingSource(s)
- $878.6million(2012)- Fundedbythebusinessesitregulates154
- BudgetisprovidedbytheUSgovernment
BestPractices - Publicdisclosure- Useoftechnologytodetectfraud,centralizeddatabase155- Collaborationwithauthorities
- Strongnormsandlawsguideinvestigations
- Publicdisclosure- Public-privatecooperation
147“AboutFINRA,”finra.org,accessedMay1,2017.https://www.finra.org/about;CarrieJohnson,"SECApprovesOneWatchdogForBrokersBigandSmall,"TheWashingtonPost,July27,2007,PageD02.,accessedMay2,2017,http://www.washingtonpost.com/wp-dyn/content/article/2007/07/27/AR2007072700108_pf.html.148Ibid.,8149Ibid.,72.150Ibid.,72;“BoardofGovernors,”finra.org.Accessed2May2017.https://www.finra.org/about/finra-board-governors;AnOutlineoftheFINRAArbitrationProcessForCustomer-BrokerDisputes-SmileyBishop&PorterLLP,"April20,2011,accessedMay22017,http://www.sbpllplaw.com/2011/04/an-outline-of-the-finra-arbitration-process-for-customer-broker-disputes/.151MichaelFeldberg,“U.S.InsiderTradingEnforcementGoesGlobal,”Allen&OveryLLP,May2,2013.152ForananalysisofFINRA’sannuallettersee,"FINRA2014exams:Variableannuities,"PwCFinancialServicesRegulatoryPractice,January,2015,accessedMay2,2017,http://www.pwc.com/en_US/us/financial-services/regulatory-services/publications/assets/finra-exams-variable-annuities.pdf;AzamAhmed,“AmidInsiderTradingInquiry,TigerAsiaCallsItQuits,”NewYorkTimes,August14,2012,accessedMay1,2017,https://dealbook.nytimes.com/2012/08/14/amid-insider-trading-inquiry-tiger-asia-calls-it-quits/?_r=0.153SECPressRelease2012-264,HedgeFundManagertoPay$44MillionforIllegalTradinginChineseBankStocks,December12,2012,accessedMay1,2017,https://www.sec.gov/news/press-release/2012-2012-264htm.154Ibid.,8155Seeforinstance,“TechnologyFINRA,”finra.org,accessedMay12017,https://www.finra.org/about/technology;"CentralRegistrationDepository(WebCRD),”finra.org,accessedMay2,2017,http://www.finra.org/industry/compliance/registration/crd/.
61
Greenpeace
Actors
Private- Membersandvolunteers
Public
Actions - Researchandlobbyingoncasesofenvironmentaldestruction
Authority - Reputational- ConsultativestatuswithUNEconomicandSocialCouncil
Structure - 26regionalofficesreporttotheheadquartersofficeofGreenpeaceInternationalinAmsterdam
- Regionalofficesdealwithissuesatalocallevel,whiletheheadquarterstakeonissuesthathavebroaderglobalimplications156
Norms - Responsibility,nonviolence,independenceandneutrality,aslistedinGreenpeace’scorevalues157
Attribution - Operatesa"fleet”consistingoffourships,hotairballoons,inflatables,andremotesensingtacticstosurveiltheareastheyareinspecting
- Inspectionsarecarriedoutbytheirvolunteersandemployees158
Budgetand
FundingSource(s)
- $349.8million(2015),collectedfromdonationsof2.9millionmembers159
BestPractices - Independencefrompublicsector
- Strongreputationalauthority
156"Greenpeacestructureandorganization."GreenpeaceInternational.2017.accessedApril30,2017.http://www.greenpeace.org/international/en/about/how-is-greenpeace-structured/.157"Ourcorevalues."GreenpeaceInternational,accessedApril30,2017.http://www.greenpeace.org/international/en/about/our-core-values/.158"OurInflatables."GreenpeaceInternational,accessedApril30,2017.http://www.greenpeace.org/international/en/about/ships/our-inflatables/.159GreenpeaceInternationalAnnualReport2015.Report.2015,accessed,April30,2017,http://www.greenpeace.org/international/Global/international/publications/greenpeace/2016/2015-Annual-Report-Web.pdf.
62
InternationalAtomicEnergyAgency(IAEA)
Actors
Private- Atomicenergyexpertsandemployees
Public- 168memberstates
Actions - Setnuclearsafetystandards- Helpmemberstatesmeetsafetystandards- Verifycompliancewithinternationalsafeguards160
- ComplywithSafeguards/AdditionalProtocol- Declareallnuclearfacilitiesandmaterials,aidothermemberstates161
Authority - UN - IndividualmemberstatesreporttotheBoardofGovernors,GeneralConference
Structure - TheSecretariatconsistsoffiveofficesandsixdepartmentsstaffedbyexpertsfromtheprivatesector
- BoardofGovernorsconsistingofrepresentativesfrom22memberstates;eachstatemustbeelectedbytheGeneralConference
- TheGeneralConferencecontainsdelegatesofall168memberstatesthatmeetonceayeartoapproveactionsandbudgets
- Nationalenergyagencies,suchastheUSNuclearRegulatoryCommissionandtheDepartmentofEnergy,workalongsideIAEAofficesanddepartments162
Norms - Basedaroundthepolicyofnuclearnon-proliferation - EachstateisboundtotheSafeguards/AdditionalProtocol
Attribution - Attributesafetyviolationsthroughmaterialsandfacilitiesinspections163
- Statescanattributedomesticproblemsbyconductingself-evaluationandpeer-reviewinspectionsbeforeofficialIAEAinspections
Budgetand
FundingSource(s)
- $391.5million(2016)164- Fundedbymemberstatesandotherdonations
- Eachmemberstatehasitsownenergybudget
BestPractices - Politicalneutrality- Collaborationwithintheprivatesector- Differentbranchesoftheorganizationserveasaformof
checksandbalances
- Emphasisoncooperationbetweengovernmentagencies
- Provideaframeworkforself-assessment
- Haveformalagreements,suchasthefoundingstatuteandSafeguard,
thatactasthebasisforIAEAoperation
160"InternationalAtomicEnergyAgency(IAEA)IAEAHome,"iaea.org,accessedApril30,2017,https://www.iaea.org/OurWork/.161"IAEASafeguardsOverview,"iaea.org,accessedApril30,2017,https://www.iaea.org/publications/factsheets/iaea-safeguards-overview.162"MemberStates'CompetentAuthorities,"iaea.org,accessedApril30,2017,http://www-ns.iaea.org/tech-areas/emergency/member-states-competent-authorities.asp?s=1.163“IAEASafetyStandards,”iaea.org,accessedApril30,2017,http://www-ns.iaea.org/standards/.164“TheAgency’sProgrammeandBudget2016–2017,”Rep.N.p.:IAEA,2015.,accessedApril30,2017,https://www.iaea.org/About/Policy/GC/GC59/GC59Documents/English/gc59-2_en.pdf.
63
InternationalCivilAviationOrganization(ICAO)
Actors
Private- Airlines,tourismoffices,andairplanemanufacturers165
Public- 191UNmemberstates
Actions - CollaboratewithUNagenciestofurthercivilaviation’sprogressandstrategizenon-stateactorinvolvementwiththeICAO166
- OfferconsultationservicestoICAOwhenrequested,usuallyregardingtheadoptionofnewstandardsandpractices167
- UsesconsensusonStandardsandRecommendedPractices(SARPs)madebyMemberStatestoconductsafetyandsecurityaudits168
Authority - Reputational - UN- ChicagoConventiononInternationalCivilAviation
Structure - MemberstatessitonanAssemblytovoteonallSARPs- Memberstateselectacouncilof36statesthatprovideoveralldirectionoforganizationandelectsapresident
Norms - ICAOSARPs- ChicagoConventiononInternationalCivilAviation
- ChicagoConventiononInternationalCivilAviation
Attribution - Noattributiveproperties;sharesreviewswithICAO169 - Publiclysharessafetyauditresults,namingbreachingparties- Securityauditsremaininternal,andnoattributionforsecuritybreachesarepubliclynamed170
Budgetand
FundingSource(s)
- $221.12million(for2017-2019)- Fundedbymemberstatesandprivateindustry171
BestPractices - Collaborationwiththepublicsector- Utilizationofprivatesectorexpertise
- Keepsupdatednormstomeettechnologicaladvancements172
- Incorporationofprivateindustriesandtheirspecialties
165"About."JoinOurProject-BasedInitiatives,”icao.int,accessedApril30,2017,http://www.icao.int/about-icao/partnerships/Pages/default.aspx.166Ibid.,36167"MakinganICAOStandard,"icao.int,accessedApril30,2017,http://www.icao.int/safety/airnavigation/Pages/standard.aspx#4.168“AboutICAO,"icao.int,accessedApril30,2017,http://www.icao.int/about-icao/Pages/default.aspx.169"ICAO:FrequentlyAskedQuestions,"icao.org,accessedApril30,2017,http://www.icao.int/about-icao/FAQ/Pages/icao-frequently-asked-questions-faq-2.aspx.170Ibid.,40171"BudgetoftheOrganization2017-2018-2019,"icao.int,accessedApril29,2017,http://www.icao.int/publications/Documents/10074_en.pdf.172"ICAO'sResponsetoGlobalChallenges,"ActGlobal,2009,accessedApril29,2017,http://www.icao.int/Newsroom/News%20Doc/copenhaguen-complete134ec9.pdf.
64
InternationalLaborOrganization(ILO)
Actors
Private Public- 187memberstates
Actions - Representsemploymentandworkers,registerscomplaints,setsgloballaborstandards,173andinvestigatesviolationsofworkers’rights174
Authority - UNCharter- ILOConventions
Structure - ILOfunctionsasa“ParliamentofLabor,”whereaGoverningBodyoverseestheInternationalLaborConference,wheregovernment,employer,andworkerdelegatesfromeachcountrydebatepolicy
Norms - Routinemonitoring,freeandopendebate,175declarationoffundamentalofprinciples,176equalgeographicrepresentation,andatripartitegovernmentstructure
Attribution - Releasefindingsafteraprocessofevidencecollection,standardization,assessmentoflegalburden,andareviewprocess177
Budgetand
FundingSource(s)
- $225.7million(2015)- Fundedbycontributionsfrommemberstatesanddonations178
BestPractices - Anefficientsystemtolaunchcomplaintsandestablishtransparency
reports
173“MissionandImpactoftheILO,”ilo.org,accessedMay3,2017.http://ilo.org/global/about-the-ilo/mission-and-objectives/lang--en/index.htm.174“Government’sRecentLabourInterventionsHighlyUnusual,ExpertsSay,”CBCNews,accessedMay3,2017.http://www.cbc.ca/news/canada/government-s-recent-labour-interventions-highly-unusual-experts-say-1.977658.175“InternationalLabourConference,”ilo.org,accessedMay3,2017,http://ilo.org/global/about-the-ilo/how-the-ilo-works/international-labour-conference/lang--en/index.htm.176“ILODeclarationonFundamentalPrinciplesandRightsatWork(DECLARATION),”accessedMay3,2017,http://www.ilo.org/declaration/lang--en/index.htm.177OnhowtheILOactsasavehicletoinvestigatenoncompliancesee:Berik,GünseliandYanaVanderMeulenRodgers,"Optionsforenforcinglabourstandards:LessonsfromBangladeshandCambodia,"JournalofInternationalDevelopment22(2008):56-85,accessedApril30,2017,www.interscience.wiley.com.178“ProgrammeandBudget,”ilo.org,accessedMay3,2017,http://embargo.ilo.org/global/about-the-ilo/how-the-ilo-works/programme-and-budget/lang--en/index.htm.
65
NATOCooperativeCyberDefenseCenterofExcellence(CCDCOE)
Actors
Private- Companiesinthedefenseindustry,suchasSiemens,ThreodSystems,CyberTestSystems,andmore
Public- NATOmemberstatesandcooperatingnon-memberstates
Actions - Promotecooperativecyberdefense,establishcyberspacenorms,andconfidence-buildingmeasures179
Authority - NATO
Structure - Internationalsteeringcommitteeconsistingofcenter’ssponsoringnations- TheCCDCOEisnotpartofNATO’smilitarycommandorforcestructure,andismadeupofmilitary,government,anddefenseindustryprofessionals
- Centerconsistsofresearchers,analysts,trainers,educators180
Norms - TallinnManual181
Attribution - Attributescyberattacksinpublishedarticles,butismostlyfocusedonbuildingcyberinfrastructure,andcyberdefensecapabilities182183
Budgetand
FundingSource(s)
- FundedbyNATOandNon-NATOmembers
BestPractices - Multinationalinformationsharing
- Promotingcollectivecyberdefense
- Accumulating,creating,anddisseminatinginternationalcyberexpertise
179NATO,“AboutCyberDefenceCentre|CCDCOE,”NATOCooperativeCyberDefenceCentreofExcellence,accessedApril30,2017,https://ccdcoe.org/about-us.html.180Structure|CCDCOE,”accessedMay4,2017,https://ccdcoe.org/structure-0.html.
181TallinnManualProcess|CCDCOE,”accessedMay4,2017,https://ccdcoe.org/tallinn-manual.html.182JeffreyCarr,“ResponsibleAttribution:APrerequisiteForAccountability,”NATOCCDCOE,TheTallinnPapers,no.No.6(2014):1–8.
183JasonRiveraandForrestHare,“TheDeploymentofAttributionAgnosticCyberdefenseConstructsandInternallyBasedCyberthreatCountermeasures,”CCDCOE,6thInternationalConferenceonCyberConflict,2014,100–116.
66
OrganizationfortheProhibitionofChemicalWeapons(OPCW)
Actors
Private- IndependentscientistsandNGOs
Public- 192membercountries
Actions - Overseeoutreachandtrainingprogramswithchemicalindustry
- Collaboratestoreviewprocessesofverificationandchemicalweaponsdisarmament
- Carriesoutverificationmeasures,facilitateschemicalweaponsinspections,andnegotiatesagreementswithstateparties184
Authority - Reputational - UN
Structure - IndependentscientistssitontheScientificAdvisoryBoard- INGOsliketheInternationalUnionofPureandAppliedChemistryprovideaconsultativeandoutreachrole
- PrivatecompaniescansignaMemorandumofUnderstandingwiththeOPCWtosolidifycooperation185
- LedbyaDirector-General- Equitablegeographicdistributionindecision-makingbodies
Norms - OPCWandInternationalUnionofPureandAppliedChemistrycodeofethicalprinciplesofchemistry186
- 1997ConventiononChemicalWeapons
Attribution - Nopublicattributiveproperties;privateactorsdonotreleaseinformationaboutongoinginvestigations
- Nopublicattributiveproperties;donotreleaseinformationaboutongoinginvestigations
Budgetand
FundingSource(s)
- $95Million(2012)- Fundedbymemberstates,whosecontributioniscalculatedbasedontheUNscaleofassessment187
BestPractices - Involveschemicalindustryinoutreachtrainingprograms
andnormsbuilding
- Scientistsactivelyparticipateinadvisingandfacilitatingdisarmamentonarotationalandelectedbasis
- Equitablegeographicdistributionamongallbodiesoftheorganization
- On-the-groundinspectionsandfact-findingmissionsgivetheOPCWa
tangiblepresenceinmembercountries
- Broadinternationaltreatygivestheorganizationaclearlegalmandate
andsetofduties
184“OPCWMissionStatement,”OrganizationfortheProhibitionofChemicalWeapons,n.d.,accessedApril30,2017,https://www.opcw.org/about-opcw/mission/.185“IUPACandtheOrganizationfortheProhibitionofChemicalWeaponsTakePartnershiptoNewLevel|InternationalUnionofPureandAppliedChemistry,”IUPAC,InternationalUnionofPureandAppliedChemistry,December1,2016,accessedApril30,2017,https://iupac.org/iupac-opcw-take-partnership-new-level/.186“InternationalUnionofPure&AppliedChemistry,”IUPAC,InternationalUnionofPureandAppliedChemistry,accessedApril28,2017,https://iupac.org/who-we-are/.187“OrganizationfortheProhibitionofChemicalWeapons,”NIT:BuildingaSaferWorld,April28,2017,accessedApril30,2017,http://www.nti.org/learn/treaties-and-regimes/organization-for-the-prohibition-of-chemical-weapons/.
67
UnitedNationsAl-QaidaSanctionsCommittee
Actors
Private- MonitoringTeamcomprisedofindependentresearchersandexperts
Public- UNmemberstates
Actions - AssistscommitteeandUNmemberstatesinidentifyingandgatheringinformationonsanctionedindividualsandmonitorscasesofstatenon-compliancewithsanctionoperations188
- Imposesatravelban,freezesassets,andimposesarmsembargosanctionsontoindividualsorentitiesbelievedtobeinconnectiontoISILorAl-Qaida189
Authority - UN - UN
Structure - IndependentbranchoftheSanctionsCommittee - Decision-makingdonethroughmemberstateconsensus- AllmembersoftheUNSCarerepresented190
Norms - UnitedNationsSecurityCouncil(UNSC)Resolution1267 - UNSCResolution1267
Attribution - PresentsfindingstoUNSC/UNSanctionsCommittee - Publiclydisclosesthesanctionslist
Budgetand
FundingSource(s)
- PartofCommitteebudget - $39.6million(2015)forallSanctionsCommittees- FundedbycontributionsfromUNmemberstates191
BestPractices - Cooperatedirectlywithmemberstatesinimplementation
andinformation-gathering
- Conductsindependentassessmentsandensurecompliance
andstateaccountability192
- Ombudspersonhelpswithlegalcredibilityandinternalaccountability193
- HighlevelofcooperationwithmultipleUNandnon-UNorganizations
demonstratesreputationalauthorityandservesasanexampleof
efficacyacrosssectorsandborders
188“Resolution2253(2015)”UnitedNationsSecurityCouncil,December17,2015,accessedApril29,2017,http://www.un.org/en/ga/search/view_doc.asp?symbol=S/RES/2253(2015).189“GuidelinesoftheCommitteefortheConductofItsWorld”UnitedNationsSecurityCouncil,December23,2016,accessedApril25,2017,https://www.un.org/sc/suborg/sites/www.un.org.sc.suborg/files/guidelines_of_the_committee_for_the_conduct_of_its_work.pdf.190Ibid.,55191“GeneralAssembly,onFifthCommittee’sRecommendation,AdoptsRaftofTextson2014-2015BienniumBudgetAppropriations,CommonSystem,Peacekeeping,”UnitedNations,accessedApril27,2017,https://www.un.org/press/en/2014/ga11608.doc.htm.192“WorkandMandate,”UnitedNationsSecurityCouncilSubsidiaryOrgans,accessedApril29,2017,https://www.un.org/sc/suborg/en/sanctions/1267/monitoring-team/work-and-mandate.193“Procedure,”OfficeoftheOmbudspersonoftheSecurityCouncil’s1267Committee,accessedApril29,2017,https://www.un.org/sc/suborg/en/ombudsperson/procedure.
68
UnitedNationsSanctionsCommitteeonNorthKorea
Actors
Private- PanelofExpertscomposedofprofessionalsfromnuclear,
weaponofmassdestruction,import/exportcontrols,andfinancialindustries194
Public- UNmemberstates
Actions - HelpstheSanctionsCommitteegatherevidence,analyzeinformation,andassesstheimplementationofsanctions
- AdvisesSanctionsCommitteeastheydecidehowtoutilizesanctions195
- Imposesconstraintsondiplomats,inspectssuspiciouscargo,andexpandsablacklistofitemsNorthKoreaisprohibitedfromimporting196
Authority - UN,USlaw- Reputational
- UN
Structure - PanelactsunderthedirectionoftheSanctionsCommittee- PanelistsareappointedbyUNSecretaryGeneral197
- Centralizedbureaucracywithdecision-makingdonethroughmemberstateconsensus198
- AllmembersoftheUNSCarerepresented
Norms - Purelyinformational,advisoryrolewithnodecision-makingcapacities199
- Asystemofroutinemonitoring,narrowmandate,impromptumeetings,adeclarationoffundamentalprinciples,200andgeographicrepresentation201governUNSCResolutionsrelatingtoNorthKorea
Attribution - Publiclypublishreportsonfindingsonanannualbasis202 - Sanctionslistispublic,namingspecificindustries
Budgetand
FundingSource(s)
- FundedbyUNSanctionsCommittee,UNmemberstates - PartoftheUNbudgetfortheSecurityCouncilandSanctionsCommittees203
- FundedbycontributionsfromUNmemberstates
BestPractices - Integrationofprivatesectorexpertsintothedecisionsofalarge,inter-governmentalbody
- Usefulmodelformanycountriesthatagreeuponattributionto
coordinateandassessfaultandcompliance
194“WorkandMandate.”SecurityCouncilCommitteeEstablishedPursuanttoResolution1718(2006),n.d.https://www.un.org/sc/suborg/en/sanctions/1718/panel_experts/work_mandate.195Ibid.196“UnitedNationsResolution1718,”globalpolicy.org,accessedMay3,2017,https://www.globalpolicy.org/images/pdfs/1014reso1718.pdf.197Ibid.198“FunctionsandPowersoftheUnitedNationsSecurityCouncil,”un.org,accessedMay3,2017,http://www.un.org/en/sc/about/functions.shtml.199MaryBethNiktin,MarkE.Manyin,EmmaChanlett-Avery,andDickK.Nanto.“NorthKorea’sSecondNuclearTest:ImplicationsofU.N.SecurityCouncilResolution1874.”CongressionalResearchService,April15,2010.https://fas.org/sgp/crs/nuke/R40684.pdf.200“ChapterI|UnitedNations,”un.org,accessedMay3,2017,http://www.un.org/en/sections/un-charter/chapter-i/index.html.201“MembersoftheUnitedNationsSecurityCouncil,”un.org,accessedMay3,2017,http://www.un.org/en/sc/members/.202“Reports,”n.d.https://www.un.org/sc/suborg/en/sanctions/1718/panel_experts/reports.203SusanKurtas,“ResearchGuides:UNDocumentation:SecurityCouncil:Introduction,”Research.un.org,accessedMay3,2017.http://research.un.org/en/docs/sc/introduction.
69
WorldTradeOrganization(WTO)GATTArticleXX
Actors
Private- Environmentalactivists
Public- WTOmemberstates
Actions - AimtobroadenthescopeofArticleXX204 - Promotefreetradewhileprotectingandrespectingtheenvironment205
Authority - Reputational - WTO
Structure - Disputesaremediatedthroughthepanelprocess206- WTOgovernanceiscentralizedandbureaucratic,withaGeneralCouncilandcommitteesregulatingdifferentaspectsoftrade
Norms - Promoteenvironmentallysustainableeconomicpractices - GATTArticleXX
Attribution - Memberstatescanattributeviolationstootherstates207
Budgetand
FundingSource(s)
- $198million(2016)208- FundingisprovidedbycontributingMemberStatetrustfundsandWTOpublications209
BestPractices - Cooperatedirectlywithmemberstatesinimplementation
andinformation-gathering
- Conductsindependentassessmentstoensurecompliance
andstateaccountability210
- Disputesettlementstructure
204ThomasH.Oatley,“DebatesinInternationalPoliticalEconomy,”(Boston:Longman,2012.)Print.205"WTOTradeandEnvironment,"WTO.org,accessedApril30,2017,https://www.wto.org/english/tratop_e/envir_e/envt_rules_exceptions_e.htm.206"WTOUnderstandingtheWTO-Auniquecontribution,"WTO.org,accessedApril30,2017,https://www.wto.org/english/thewto_e/whatis_e/tif_e/disp1_e.htm.207Ibid.,69208"AnnualReport2016-SecretariatandBudget,"WTOSecretariat,2016,accessedApril29,2017.https://www.wto.org/english/res_e/booksp_e/anrep_e/anrep16_chap9_e.pdf.209"WTOBudgetfortheyear2015,"WTO.org,accessedApril29,2017,https://www.wto.org/english/thewto_e/secre_e/budget_e.htm.210“WorkandMandate,”UnitedNationsSecurityCouncilSubsidiaryOrgans,accessedApril29,2017,https://www.un.org/sc/suborg/en/sanctions/1267/monitoring-team/work-and-mandate.
70
Appendix2:InvestigativeProcessesEachoftheseinvestigativeprocesseswasformulatedandgovernedinanad-hocmanner,borrowingauthorityandstructurefromavarietyofdifferent
sources.Wehaveidentifiedbothprivateandpublicstakeholdersinvolvedwitheachinvestigativeprocessandanalyzedeachprocesses’objectives,
governance,attributivepowers,andbudgetbeforecompilingasetofbestpracticesfromeachparty.
Weexaminedthefollowingnineinvestigativeprocesses:
• CheonanJointInvestigationGroup
• DemocraticNationalCommitteeEmailLeakInvestigation
• Google’sOperationAurora
• Intermediate-RangeNuclearForceTreatyInvestigativeProcess
• MalaysiaAirlinesFlight17(MH17)CrashInvestigation
• Mandiant’sAPT1
• MumbaiTerroristAttackInvestigation
• SonyPicturesHackInvestigation
• StuxnetInvestigation
71
CheonanJointInvestigationGroup(JIG)
Actors
Private- Media,academia,independentresearchers211
Public- SouthKoreanGovernment,technicalandforensicexpertsintheJointInvestigationGroup212
Actions - TestandverifytheJIG’sreport - DeterminethecauseofCheonan’ssinkinganddeescalatetensionswithNorthKorea213
Authority - Credibilityofindividualorganizations - Expertscredentials,government
Structure - Thejointcivilian-militaryteamconsistsof25expertsfromtendomesticprofessionalinstitutes,22militaryexperts,threelawmakersand24foreignexpertsfromtheUS,Australia,theUnitedKingdom,andSweden
- TheJIGwasdividedintofourdepartments:forensicscience,explosivepatternanalysis,hullstructure,anddataanalysis214
- State-integrated,non-bureaucratic
Norms - Peer-review,high-degreeoftransparency
Attribution - Evidenceanalysisandattributionjudgment215 - Publishedanattributionreportdetailingevidencecollection,evidencestandardandanalysis,andmadefinaljudgementinreport216
Budgetand
FundingSource(s)
- FundedbySouthKoreangovernment
BestPractices - Decentralizedpeer-review- Accessibility,low-barriertoentry
- Objectivereadingofevidence,defaulttoneutrality- Quickinvestigation- Bodycomposedofforensicandtechnicalexperts
211Seeforinstance,"HowDidN.KoreaSinkTheCheonan?"ChosunIlbo,May21,2010,accessedMay1,2017,http://english.chosun.com/site/data/html_dir/2010/05/21/2010052100698.html;YoichiShimatsu,"DidanAmericanMineSinkSouthKoreanShip?"NewAmericaMedia,May27,2010,accessedMay1,2017,http://newamericamedia.org/2010/05/did-an-american-mine-sink-the-south-korean-ship.php;“RussianNavyExpertTeam'sanalysisontheCheonanincident,"TheHankyoreh,July27,2010,accessedMay1,2017,http://english.hani.co.kr/arti/english_edition/e_northkorea/432230.html;KimMyongChol,"PyongyangseesUSroleinCheonansinking,"AsiaTimesOnline,May5,2010,accessedApril29,2017,http://www.atimes.com/atimes/Korea/LE05Dg01.html.212"InvestigationResultontheSinkingofROKSCheonan–reportstatement,"MinistryofNationalDefenseR.O.K.,May20,2010.NewsitemNo592.,accessedMay1,2017,http://www.mnd.go.kr/webmodule/htsboard/template/read/engbdread.jsp?typeID=16&boardid=88&seqno=871&c=TITLE&t=&pagenum=3&tableName=ENGBASIC&pc=undefined&dc=&wc=&lu=&vu=&iu=&du=&st=.213PeterFosterandMalcolmMoore,“NorthKoreathreatens'all-outwar'overwarshipsinkingreport,”TheTelegraph,May20,2010,accessedMay1,2017,http://www.telegraph.co.uk/news/worldnews/asia/northkorea/7745370/North-Korea-threatens-all-out-war-over-warship-sinking-report.html.214“ResultsConfirmNorthKoreaSankCheonan,"DailyNK,May20,2010,accessedMay1,2017http://www.dailynk.com/english/read.php?cataId=nk00100&num=6392.215"Cheonansinking:toptenconspiracytheories,"TheDailyTelegraph,June4,2010,accessedMay1,2017,http://blogs.telegraph.co.uk/news/peterfoster/100042229/cheonan-sinking-top-ten-conspiracy-theories/.216Editorial,“TheSinkingoftheCheonan,”NewYorkTimes,May20,2010,accessedMay1,2017,http://www.nytimes.com/2010/05/21/opinion/21fri2.html.
72
DemocraticNationalCommittee(DNC)EmailLeakInvestigation
Actors
Private- DNC,Crowdstrike,FireEye
Public- FBI,CentralIntelligenceAgency(CIA),DepartmentofHomelandSecurity(DHS),DirectorofNationalIntelligence
Actions - DNCtaskedCrowdstriketoinvestigateandattributespearphishinganddatatheftoftheircampaign217
- FireEyehadanongoinginvestigationsince2007218andconductedseparateattributioninvestigation
- FBIinitiallynotifiedDNCofsophisticatedspearphishing219andagenciesinvestigatedforattribution
Authority - CredibilityofCrowdstrikeasindependentorganizationandFireEyeasoneofthetopfourcybersecurityfirms220
- USlaw
Structure - Ad-hocindividualnon-coordinatedinvestigation - Ad-hocnon-integratedinvestigationsexceptFBI&Dept.HomelandSecurity
Norms - Crowdstrike:nopeerreview,low-degreeoftransparency- FireEye:nopeerreview,medium-degreeoftransparency
Attribution - Crowdstrikedidnotpublishareportoftheirfindings,insteadtheyinformedthepublicofRussianattributionthroughtheirwebsiteblog221
- FireEyereleasedareportoftheirongoinginvestigationofAPT28&29222
- FBI&DHSpublishedareportofattribution223DirectorofNationalIntelligencealsoproducedareportofattribution224
- AllreportsseparatelyattributedRussianinvolvementintheDNChacks
Budgetand
FundingSource(s)
- ProvidedbyDNC - Unknown
BestPractices - Informationsharing
- ExpertAnalysis- ReportRelease- Shorter(thanpublic)investigationtime
- Publicreleaseofreport- Cross-verificationmechanisms
217EricLipton,DavidE.Sanger,andScottShane,“ThePerfectWeapon:HowRussianCyberpowerInvadedtheU.S.,”TheNewYorkTimes,December13,2016,accessedApril25,2017,https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0.218FireEye,“APT28:AWindowIntoRussia’sCyberEspionageOperations?,”IntelligenceReport,(October2014).219Ibid.,79220“10TopCybersecurityCompanies,”accessedMay2,2017,http://investingnews.com/daily/tech-investing/cybersecurity-investing/top-cyber-security-companies/.221DmitriAlperovitch,“BearsintheMidst:IntrusionintotheDemocraticNationalCommittee,”CROWDSTRIKEBLOG,June15,2016,accessedApril29,2017,https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.222FireEye,“APT28:AttheCenteroftheStorm,RussiaStrategicallyEvolvesItsCyberOperations,”IntelligenceReport,(January2017).223FederalBureauofInvestigationandU.S.DepartmentofHomelandSecurity,“GRIZZLYSTEPPERussianMaliciousCyberActivity,”JointAnalysisU.S.GovernmentReport,(December29,2016).224OfficeoftheDirectorofNationalIntelligence,“Backgroundto‘AssessingRussianActivitiesandIntentionsinRecentUSElections’:TheAnalyticProcessandCyberIncidentAttribution,”U.S.Government,NationalIntelligenceCouncil,(January6,2017).
73
Google’sOperationAurora
Actors
Private- Google,othertechfirms,privatesecurityfirms,themedia225
Public- USintelligenceagencies226
Actions - InvestigatedattackonGoogleandthetheftofIPandattribution227
- AssistedGoogleastheyinvestigatedattacks
Authority - Reputational - LegalauthoritywithintheUSandoverseastocollectandsharedata228
Structure - Independent,non-bureaucratic,state-integrated - Bureaucratic,withlimitedcollaborationwithindustry229
Norms - BrokewithnormsbyviolatingUSComputerFraudandAbuseAct’scriminalprovisions230
- Confidentialinformation,lackoftransparency,governedbytheNationalSecurityActof1947,interagencycooperation
Attribution - Collectedevidenceandreleasedfindings231 - PlayedaroleinevidencecollectionanddidnotattributeexplicitlybutcondemnedChinaexplicitly232
Budgetand
FundingSource(s)
- Fundedbyfor-profittechcompanies - $49billion(2013)233- FundedbytheUSgovernment
BestPractices - Publicdisclosure- Public-privatecollaborationandinformationsharing
- Collaborationwithtechindustryinevidencecollection234
225KennethCorbin,“'Aurora'CyberAttackersWereReallyRunningCounter-Intelligence,”CIO.com,April22,2013,accessedApril29,2017,http://www.cio.com/article/2386547/government/-aurora--cyber-attackers-were-really-running-counter-intelligence.html;MichaelJosephGross,“EntertheCyber-Dragon,”VANITYFAIR,September,2011,at222,accessedApril29,2017,http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109.226ShaneHarris,“Google’sSecretNSAAlliance:TheterrifyingdealsbetweenSiliconValleyandtheSecurityState,”Salon,November16,2014,accessedApril29,2017,http://www.salon.com/2014/11/16/googles_secret_nsa_alliance_the_terrifying_deals_between_silicon_valley_and_the_security_state.227KimZetter,“‘Google’HackersHadAbilitytoAlterSourceCode,”Wired,March3,2010,accessedApril27,2017,https://www.wired.com/2010/03/source-code-hacks.228“BestPracticesforVictimResponseandReportingofCyberIncidents,”CybersecurityUnit,ComputerCrime&IntellectualPropertySection,U.S.DepartmentofJustice,April29,2015,accessedApril27,2017,https://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf.229Ibid.,64230ShaneHuang,"ProposingaSelf-HelpPrivilegeforVictimsofCyberAttacks."GeorgeWashingtonLawReview82(2014):1229-858..;18U.S.C.§1030(a)(2)(2012).231DavidDrummond,“ANewApproachtoChina,”GoogleOfficialBlog,January12,2010,accessedApril25,2017,http://googleblog.blogspot.com/2010/01/new-approach-to-china.html.232HillaryRodhamClinton,U.S.SecofState,StatementonGoogleOperationsinChina,January12,2010,accessedApril29,2017,https://2009-2017.state.gov/secretary/20092013clinton/rm/2010/01/135105.htm.233"DNIReleasesBudgetFigurefor2013NationalIntelligenceProgram,"OfficeoftheDirectorofNationalIntelligence,October30,2013,accessedMay2,2017,http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/957-dni-releases-budget-figure-for-2013-national-intelligence-program.234JohnMarkoff,“HackersSaidtoBreachGooglePasswordSystem,”NewYorkTimes,April20,2010,atA1.,accessedApril29,2017,http://www.nytimes.com/2010/04/20/technology/20google.html.
74
Intermediate-RangeNuclearForce(INF)TreatyInvestigativeProcess
Actors
Private
Public- USBureauofArmsControl,VerificationandCompliance(AVC)- USandRussiangovernments,inter-governmentalorganizationsthatverifyadherencetoINFTreaty
Actions - Conducton-siteinspectionsandverifications,235inter-stateinformationexchange,236reconnaissanceanddataanalyses237
Authority - USDepartmentofState
Structure - Centralizedbureaucracy,government-to-governmentdiscussionsandnegotiations
Norms - INFTreatyprovisionedprotocols238
Attribution - Bothnationshaveattributedtreatyviolationstotheothernation239
Budgetand
FundingSource(s)
- $32million(2017)forcompliance240- FundedbytheUSDepartmentofState
BestPractices - Informationexchangebetweennations
- Processbuildsconfidencebetweennations- StrongdefinitionssectionintheINFTreaty- Usefuldisputeresolutionmechanism
235AmyF.Woolf,MonitoringandVerificationinArmsControl,CongressionalResearchService,December23,2011,accessedMay2,2017,https://fas.org/sgp/crs/nuke/R41201.pdf236Ibid.237Ibid.238U.S.DepartmentofState,“TreatyBetweentheUnitedStatesOfAmericaAndTheUnionOfSovietSocialistRepublicsonTheEliminationofTheirIntermediate-RangeandShorter-RangeMissiles(INFTreaty),accessedMay1,2017,https://www.state.gov/t/avc/trty/102360.htm239U.S.DepartmentofState,“AdherencetoandCompliancewithArmsControl,Nonproliferation,andDisarmamentAgreementsandCommitments,”unclassified,July2014,accessedMay1,2017,https://www.state.gov/documents/organization/230108.pdf240CongressionalBudgetJustification,Appendix1:DepartmentofStateDiplomaticEngagement,Fiscalyear2017,TheSecretaryofState,accessedMay2,2017,https://www.state.gov/documents/organization/252732.pdf.
75
MalaysiaAirlinesFlight17(MH17)CrashInvestigation
Actors
Private- Bellingcat,anonlineinvestigationhub,themedia
Public- DutchSafetyBoard(DSB)- JointInvestigationTeam(JIT)memberstates(theNetherlands,Australia,Belgium,Malaysia,andUkraine)
- PublicProsecutionService(DutchMinistryofJustice)
Actions - Onlineintelligencegathering- Publishingofanalyses241
- Widespectrumcrashinvestigation242andinformationsharing
Authority - Reputational - DutchGovernment,JITmemberstates,UN
Structure - Independentcontributors,243ad-hoc,community-drivenapproach
- Bureaucratic
Norms - Rulesoftransparency,verifiabilityofdata - ICAOstandardsforevidencecollection
Attribution - Releasedfindingsafterevidencecollectionandareviewprocess244
- AttributionjudgementwasreleasedbyPublicProsecutionService245
Budgetand
FundingSource(s)
- Totalbudgetunknown- Fundedthroughpublicpledges,246donations,andgrants247
- 36millionEuro(2014)248- FundedbythegovernmentoftheNetherlands
BestPractices - Employmentofinformationsharingmechanisms
- Engagementofindependentinternationalcontributorsand
thepoolingofmultinationalexpertise
- Adherencetoevidencecollectionmethodsandstandards
- Inter-statecollaborationandinformationexchange
- Releaseofpreliminaryandfinalreports
- Confidencebuildingmeasures
241“Bellingcat:Thehomeofonlineinvestigations,”bellingcat.com,accessedMay1,2017,https://www.bellingcat.com/?s=MH+17.242DutchSafetyBoard,“InvestigationcrashMH17,17July2014”,accessedMay1,2017https://www.onderzoeksraad.nl/en/onderzoek/2049/investigation-crash-mh17-17-july-2014.243CameronColquhoun,“ABriefHistoryofOpenSourceIntelligence,”bellingcat.com,July14,2016,accessedMay2,2017,https://www.bellingcat.com/resources/articles/2016/07/14/a-brief-history-of-open-source-intelligence/.244BenSullivan,“BellingcatWantsYourHelptoDebunkFakeNews,”ViceMotherboard,March7,2017,accessedMay2,2017,https://motherboard.vice.com/en_us/article/bellingcat-wants-your-help-to-debunk-fake-news.245LizzieDearden,“MH17report:298victimsrememberedasDutchSafetyBoardreportrevealscause,”TheIndependent,October13,2015,accessedMay2,2017,http://www.independent.co.uk/news/world/europe/mh17-report-names-of-the-298-victims-as-dutch-safety-board-reveals-cause-of-crash-a6691941.html.246“SohowisBellingcatfunded?,”whathappendetoflightmh17.com,March25,2016,http://www.whathappenedtoflightmh17.com/so-how-is-bellingcat-funded/.247Ibid.,111248Igrindstad,“OVER€36MSPENTONMH17INVESTIGATIONSOFAR,”NLTimes,November21,2014,accessedMay2,2017,http://nltimes.nl/2014/11/21/eu36m-spent-mh17-investigation-far.
76
Mandiant’sAPT1
Actors
Private- Mandiant,privatesecurityfirms,themedia,academia249
Public
Actions - Investigateglobalattacks,attributetospecificindividuals,shareactionableinformationtopreventfutureattacks250
Authority - Oneofthe‘TopFour’cybersecurityfirms,composedofelitestaff251
Structure - Centralizedinvestigation,peer-reviewfromothersecurityfirmsandthemedia
Norms - Full-disclosure,technicalforensicnorms,Informationsharing,XMLSchema252
Attribution - Finalattributionmadeinareport,detailsevidencecollectionandanalysis253
Budgetand
FundingSource(s)
- Fundedbyprivate,for-profitfirm
BestPractices - Publicdisclosure254- Publishedanalysisofevidence- Providedindicators:
- Domainsusedbytheattackinginfrastructure,SSLcerts,
MDShashesofAPT1malware,opensource‘indicatorsof
compromise’255
249BenjaminWittes,“MandiantReporton‘APT1’,”Lawfare.org,February20,2013,accessedApril29,2017,https://lawfareblog.com/mandiant-report-apt1.250WilliamWanandEllenNakashima,"ReporttiescyberattacksonU.S.computerstoChinesemilitary,"WashingtonPost,January19,2013,accessedApril29,2017,https://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html.251PiaRivera,“TopCybersecurityCompanies,”INVESTINGNEWS,March28,2017,accessedApril29,2017,http://investingnews.com/daily/tech-investing/cybersecurity-investing/top-cyber-security-companies/;BradStoneandMichaelRiley,“Mandiant,theGo-ToSecurityFirmforCyber-EspionageAttacks,”Bloomberg,February8,2013,accessedApril28,2017,https://www.bloomberg.com/news/articles/2013-02-07/mandiant-the-go-to-security-firm-for-cyber-espionage-attacks.252WadeWilliamson,“LessonsfromMandiant’sAPT1Report,”SECURITYWEEK,February29,2013,accessedApril29,2017,http://www.securityweek.com/lessons-mandiant%E2%80%99s-apt1-report.253Mandiant,“APT1:ExposingOneofChina’sCyberEspionageUnits,”accessedApril29,2017,https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pd;DavidE.Sanger,DavidBarbozaandNicolePerlroth,"ChineseArmyUnitIsSeenasTiedtoHackingAgainstU.S.,"NewYorkTimes,February29,2013,accessedApril29,2017,https://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html.254“APT1:ExposingOneofChina'sCyberEspionageUnits”onYouTube,accessedApril29,2017,https://www.youtube.com/watch?v=6p7FqSav6Ho.255WadeWilliamson(2017)at46.
77
MumbaiTerroristAttackInvestigation
Actors
Private
Public- IntelligenceagenciesofUS,UnitedKingdom,Australia,andPakistan
Actions - Conductedacriminalinvestigation,establishedcross-borderintelligencesharing,andpressuredPakistantobecomeinvolvedintheinvestigation256
Authority - Ad-hocandsubjectedtothelegalauthorityofcountriesinvolved
Structure - Stateintegrated,non-bureaucratic
Norms - Notpeer-reviewed,butfollowedstandardanalysisofforensicevidence,low-degreeoftransparency,257geographicrepresentation
Attribution - Releasedfindingsandspecificallyattributedattacktoaterroristgroup,andnamedindividualsbehindtheplanning258
Budgetand
FundingSource(s)
- Unknown
BestPractices - Informationandevidencesharingbetweenmultiplenations
- Transnationaldatacollection
256SebastianRotella,JamesGlanzandDavidE.Sanger,“In2008MumbaiAttacks,PilesofSpyData,butanUncompletedPuzzle,”ProPublica,December21,2014,accessedApril29,2017,https://www.propublica.org/article/mumbai-attack-data-an-uncompleted-puzzle.257SebastianRotella,“FourDisturbingQuestionsAbouttheMumbaiTerror”FRONTLINEPBS,February22,2013,accessedApril28,2017,http://www.pbs.org/wgbh/frontline/article/four-disturbing-questions-about-the-mumbai-terror-attack/.258Ibid.,115
78
SonyPicturesHackInvestigation
Actors
Private- FireEyeandMandiant
Public- FBI
Actions - Investigatedsourceofattack - Investigatedsourceofattack
Authority - Reputational–rosetoprominenceafterimplicatingChinesecyberespionagein2013
- USgovernment
Structure - Fiveconsultingofferings,“incidentresponseandpreparednesslifecycle”259
- Cyberdivision,56fieldofficeswithcyberteams93computercrimestaskforces
- PartnershipswithDepartmentofDefense,HomelandSecurity)260
Norms - PoliciessetoutbyFBI- USlaw
Attribution - Nodirectattribution - FBIconcludedthatNorthKoreaisresponsiblefortheattack261
Budgetand
FundingSource(s)
- $8.6million(2016)262- Fundsraisedprimarilyfromventureinvestor
- Budgetforthisinvestigationunknown- FundedbyDepartmentofJustice263
BestPractices - Calledonformostmajorcybersecurityattacks - Exemplifiescollaborationandcooperationacrossdepartments
259“Services,”FireEye,accessedMay1,2017,https://www.fireeye.com/services.html.260“CyberCrime,”FederalBureauofInvestigation,accessedMay1,2017,https://www.fbi.gov/investigate/cyber.261“FBIConcludesNorthKoreaResponsibleforSonyHack,”MSNBC,December19,2014,accessedApril29,2017,http://www.msnbc.com/msnbc/fbi-concludes-north-korea-responsible-sony-hack.262“FireEyeReportsFourthQuarterandFiscalYear2016FinancialResults(None:FEYE),”investors.com,accessedMay1,2017,http://investors.fireeye.com/releasedetail.cfm?ReleaseID=1010252.263“FederalBureauofInvestigationFY2017BudgetRequestataGlance,”justice.gov,accessedApril29,2017,https://www.justice.gov/jmd/file/822286/download.
79
StuxnetInvestigation
Actors
Private- Symantec,VirusBlockAda,KasperskyLabs,McAfee,othersecurityfirms,industryandgeopoliticalexperts,themedia
Public- NSA,DHS,IAEA
Actions - Workedondiscovery,264informationsharing,265technicalanalyses,266andgeopoliticalanalyses267
- NSAemployeesleakedclassifiedinformation- IAEAVerifiedIran’scompliancewiththenon-proliferationtreaty- ProvidedcontexttoStuxnetattributionjudgements
Authority - Reputational - USgovernment,IAEA
Structure - Ad-hoc268withSymantec269andKasperskyLabs270takingleadershiproles
- Nation-statesupportwasnotactiveorstructuredintheinvestigation- Allpartieswereonlydirectorindirectinformationproviders
Norms - Informationtechnologycommunitybestpractices,transparency
- TheStatuteofIAEA,informationconfidentialitypracticesandnon-disclosurelaws271
Attribution - Finalattributionaljudgementsweredrawnbymedia272whilethefirmscollectedevidence,completedanalyses
- Confirmedalreadyestablishedattributionjudgments273
Budgetand
FundingSource(s)
- Budgetunknown- Eachpartyfundedindependently
- Totalamountisunknown- NotclearwhetherNSA/DHSemployeeswerecompensated
BestPractices - Informationsharingmechanisms
- Confidencebuilding- Poolingofmultinationalexpertise
- Evidencecollectionmethods
- Informationretrievalmethodsfromstateentities
264VirusBlokAda,“Modulesofcurrentmalwarewerefirsttimedetectedby‘VirusBlokAda’companyspecialistsonthe17thofJune2010…”,accessedMay1,2017,http://anti-virus.by/en/tempo.shtml.265BrianKrebs,“ExpertsWarnofNewWindowsShortcutFlaw,”KrebsOnSecurity,July10,2010,accessedMay1,2017,http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/.266NocolasFalliere,LiamOMurchuandEricChien,“W32.StuxnetDossier,version1.4,”SymantecSecurityResponse(February,2011),accessedMay1,2017,https://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices.267Stratfor,“TheU.S.-IsraeliStuxnetAlliance,”Stratfor.com,January17,2011,accessedMay1,2017,https://www.stratfor.com/analysis/us-israeli-stuxnet-alliance.268KimZetter,“HowdigitaldetectivesdecipheredStuxnet,themostmenacingmalwareinhistory,”WIRED,July11,2011,accessedMay1,2017,https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/.269Ibid.,126270DavidKushner,“TheRealStoryofStuxnet:HowKasperskyLabtrackeddownthemalwarethatstymiedIran’snuclear-fuelenrichmentprogram,”IEEESpectrum,February26,2013,accessedMay1,2017,http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.271NationalSecurityAgency,“NSA/CSSPolicyManual1-52,”May,232014,accessedMay1,2017,https://www.nsa.gov/news-features/declassified-documents/nsa-css-policies/assets/files/Policy_Manual_1-52.pdf.272WilliamJ.Broad,JohnMarkoffandDavidE.Sager,“IsraeliTestonWormCalledCrucialinIranNuclearDelay,”NewYorkTimes,January15,2011,accessedMay1,2017,http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html.273JasonKoebler,“NSABuiltStuxnet,butRealTrickIsBuildingCrewofHackers,”U.S.News,June8,2012,accessedMay1,2017,https://www.usnews.com/news/articles/2012/06/08/nsa-built-stuxnet-but-real-trick-is-building-crew-of-hackers.
80
Appendix3:ProposedBudgetThetablebelowsummarizestheexpectedcostsoftheproposedorganization.Webreakdownthecostsintosixdifferentcategories,theExpertInvestigationCommittee,theExpertReviewCommittee,theCommunicationsCommittee,theBudgetCommittee,OutreachandMemberRelations,andInfrastructureandOperations.TheExecutiveCouncilwillnotbepaidastheirworkisminimalwhilethereputationalbenefitsarehigh.Thepositionsintheproposedorganizationaremodelledafterandchosenfrompreviousinvestigativeprocesses,largeprivatecorporations,andnon-governmentalorganizations.TheExpertInvestigationandExpertReviewCommitteeswillincludebothtechnicalcybersecurityexpertsandgeopoliticalexpertsfromacademiaandindustry.ThesepositionsaremodelledaftermajorcorporationssuchasMicrosoftandAmazonwhoalsohavegeopoliticalexpertsworkingwithorintechnicalcybersecurityteamstogivecontexttothecyberenvironment.TheExpertReviewCommitteememberswillsupporttheproposedorganizationonapart-timeconsultingbasis.TheCommunicationsCommitteewillincludepublicrelationsassociatestoprovideupdatesinattributioninvestigationsanddisseminateattributionreportstothepublic.Thiscommitteewillalsohousethelegalteam.TheOutreachandMemberRelationsCommitteewillberesponsibleforthebiannualmeetings.Finally,theproposedorganizationwillincludestaffforInfrastructureandOperations.Theone-timecostsincludeinitialtechnologypurchasesandofficepurchasesinallsixregionsoftheproposedorganization.Themiscellaneousoperatingexpensesincludesthemaintenanceandyearlycostsofofficespace,supplies,andoperations.Thesalariesandcostshavebeencalculatedbasedonindustryaveragesandcomparablesalariesoftheassociatedpositions.Theinfrastructurecostshavealsobeencalculatedatofficespacepricesintherespectiveregions.
81
Table2:ProposedBudgetforYear1andSubsequentYears
TypeofCosts PositionNamePerpositioncost/year Totalcost/year
ExpertInvestigationCommittee
4IndustryCyberLeads $500,000 $2,000,00012IndustryCyberExperts $300,000 $3,600,0006GeopoliticalLeads $500,000 $3,000,00012GeopoliticalAnalysts $280,000 $3,360,000
ExpertReviewCommittee
8Part-timeCybersecurityConsultants $150,000 $1,200,000
8Part-timeGeopoliticalExperts $150,000 $1,200,000
CommunicationsCommittee
1PublicRelationsDirector $500,000 $500,000
5PublicRelationsAssociates $160,000 $800,0001GeneralCounsel $500,000 $500,0003Attorneys $320,000 $960,000
BudgetCommittee1FinanceDirector $360,000 $360,0004FinancialAdministrators $120,000 $480,000
Outreach&MemberRelations BiannualMemberMeetings $2,000,000 $4,000,00018OutreachCoordinators $120,000 $2,160,000
Infrastructure&Operations
8AdministrativePositions $160,000 $1,280,00012ServerAdministrators $160,000 $1,920,000MiscellaneousOperatingExpenses $1,000,000
One-timeinfrastructurecost $10,560,000 FirstYearProjectedBudget $38,880,000 SubsequentYearsProjectedBudget $28,320,000
82
Bibliography“10TopCybersecurityCompanies.”InvestingNewsNetwork,March28,2017.
http://investingnews.com/daily/tech-investing/cybersecurity-investing/top-cyber-security-companies/.
“2016GlobalFinancialReport.”AccessedApril29,2017.https://www.amnesty.org/en/2016-global-financial-report/.
“2016ReportonAdherencetoandComplianceWithArmsControl,Nonproliferation,andDisarmamentAgreementsandCommitments.”U.S.DepartmentofState.AccessedApril13,2017.http://www.state.gov/t/avc/rls/rpt/2016/255651.htm.
“ABreakdownandAnalysisoftheDecember2014SonyHack.”AccessedApril30,2017.https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/.
“ADayintheLifeofaSafeguardsInspector|IAEA.”AccessedMay4,2017.https://www.iaea.org/newscenter/news/a-day-in-the-life-of-a-safeguards-inspector.
“ANewApproachtoChina.”OfficialGoogleBlog,May2,2017.https://googleblog.blogspot.com/2010/01/new-approach-to-china.html.
“About.”JoinOurProject-BasedInitiatives.AccessedMay2,2017.http://www.icao.int/about-icao/partnerships/Pages/default.aspx.
“About.”AccessedMay2,2017.http://www.icao.int/about-icao/partnerships/Pages/default.aspx.
“AboutCyberDefenceCentre|CCDCOE.”NATOCooperativeCyberDefenceCentreofExcellence.AccessedApril30,2017.https://ccdcoe.org/about-us.html.
“AboutFINRA|FINRA.org.”AccessedMay2,2017.https://www.finra.org/about.AboutICAO.”AccessedMay2,2017.http://www.icao.int/about-icao/Pages/default.aspx.“AboutOurResearch.”HumanRightsWatch,April21,2015.https://www.hrw.org/about-our-
research.“AbouttheCitizenLab,”accessedJune5,2017,https://citizenlab.org/about/“AdherencetoandCompliancewithArmsControl,Nonproliferation,andDisarmament
AgreementsandCommitments.”U.S.DepartmentofState,July2014.https://www.state.gov/documents/organization/230108.pdf.
Aftergood,Steven.“CommercialSatellitesas‘NationalTechnicalMeans.’”FederationofAmericanScientists,March5,2008.https://fas.org/blogs/secrecy/2008/03/commercial_satellites_as_natio/.
Ahmed,Azam,“AmidInsiderTradingInquiry,TigerAsiaCallsItQuits,”NewYorkTimes,August14,2012,accessedMay1,2017,https://dealbook.nytimes.com/2012/08/14/amid-insider-trading-inquiry-tiger-asia-calls-it-quits/?_r=0.
“AirNavigationCommission.”AccessedMay2,2017.http://www.icao.int/about-icao/AirNavigationCommission/Pages/default.aspx.
Alperovitch,Dmitri.“BearsintheMidst:IntrusionintotheDemocraticNationalCommittee ».”CROWDSTRIKEBLOG,June15,2016.https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.
83
“AmidInsiderTradingInquiry,TigerAsiaCallsItQuits-TheNewYorkTimes,”May2,2017.https://dealbook.nytimes.com/2012/08/14/amid-insider-trading-inquiry-tiger-asia-calls-it-quits/?_r=1.
“AnOutlineoftheFINRAArbitrationProcessForCustomer-BrokerDisputes.”SmileyBishop&PorterLLP,April20,2011.http://www.sbpllplaw.com/an-outline-of-the-finra-arbitration-process-for-customer-broker-disputes/.
“Anti-MoneyLaundering.”PwC.AccessedApril30,2017.https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey/anti-money-laundering.html.
“ApproachandStandard.”OfficeoftheOmbudspersonoftheSecurityCouncil’s1267Committee.https://www.un.org/sc/suborg/en/ombudsperson/approach-and-standard.
“APT1:ExposingOneofChina’sCyberEspionageUnits.”AccessedApril29,2017.https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf.
“APT1:ExposingOneofChina’sCyberEspionageUnits-YouTube,”May2,2017.https://www.youtube.com/watch?v=6p7FqSav6Ho.
“APT28:AWindowIntoRussia’sCyberEspionageOperations?”FireEye,October2014.“AsiaTimesOnline:KoreaNewsandKoreanBusinessandEconomy,PyongyangNews,”May2,
2017.http://www.atimes.com/atimes/Korea/LE05Dg01.html.“‘Aurora’CyberAttackersWereReallyRunningCounter-Intelligence|CIO,”May2,2017.
http://www.cio.com/article/2386547/government/-aurora--cyber-attackers-were-really-running-counter-intelligence.html.
Ball,James.“GuardianLaunchesSecureDropSystemforWhistleblowerstoShareFiles|Technology|TheGuardian.”TheGuardian,June5,2014.https://www.theguardian.com/technology/2014/jun/05/guardian-launches-securedrop-whistleblowers-documents.
Barrett,Devlin.“FBISaysNorthKoreaBehindSonyHack.”WallStreetJournal,December19,2014,sec.US.http://www.wsj.com/articles/fbi-says-north-korea-behind-sony-hack-1419008924.
Baruah,Amit.“Pakistan‘SharedMumbaiAttacksResearchwithIndia’-BBCNews,”December4,2010.http://www.bbc.com/news/world-south-asia-11917514.
BPRAdministration,“BPRInterview:CitizensLabDirectorRonaldDeibert,”BrownPoliticalReview,October21,2012,accessedJune5,2017,http://www.brownpoliticalreview.org/2012/10/interview-citizens-lab-director-ronald-deibert/.
Bright,Arthur.“EstoniaAccusesRussiaof‘Cyberattack.’”ChristianScienceMonitor,May17,2007.AccessedMay17,2017.https://www.csmonitor.com/2007/0517/p99s01-duts.html.
Broad,WilliamJ.,andJohnMarkoff,andDavidE.Sanger."IsraelTestsonWormCalledCrucialinIranNuclearDelay,"NewYorkTimes,January15,2011.AccessedMay23,2017,https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&ref=general&src=me&pagewanted=all.
84
Broggi,Jeremy.“BuildingonExecutiveOrder13,636ToEncourageInformationSharingforCybersecurityPurposes.”AccessedMay24,2017.http://www.harvard-jlpp.com/wp-content/uploads/2014/05/37_2_653_Broggi.pdf.
“BudgetoftheOrganization2017-2018-2019.”Montreal:ICAO,October2016.http://www.icao.int/publications/Documents/10074_en.pdf.
“BuildingPublicTrustinNuclearPower.”InternationalAtomicEnergyAgency,March2013.https://www.iaea.org/sites/default/files/publications/magazines/bulletin/bull54-1/54104711212.pdf
Carr,Jeffrey.“ResponsibleAttribution:APrerequisiteforAccountability.”NATOCCDCOE,TheTallinnPapers,no.No.6(2014):1–8.https://ccdcoe.org/sites/default/files/multimedia/pdf/Tallinn%20Paper%20No%20%206%20Carr.pdf.
Carlin,JohnP.,“Detect,Disrupt,Deter:AWhole-of-GovernmentApproachtoNationalSecurityCyberThreats.”AccessedMay17,2017.HarvardNationalSecurityJournal/Vol.7.https://docs.google.com/viewer?docex=1&url=https://lawfare.s3-us-west-2.amazonaws.com/staging/2016/Carlin%20FINAL.pdf.
“CETS005-ConventionfortheProtectionofHumanRightsandFundamentalFreedoms-1680063765.”AccessedMay17,2017.https://rm.coe.int/1680063765.
“CFTCases-TheEgmontGroup.”AccessedApril3,2017.https://egmontgroup.org/en/document-library/12.
“ChapterI|UnitedNations.”AccessedMay4,2017.http://www.un.org/en/sections/un-charter/chapter-i/index.html.
Charney,Scott,ErinEnglish,AaronKleiner,NemanjaMalisevic,AngelaMcKay,JanNeutze,andPaulNicholas.“FromArticulationtoImplementation:EnablingProgressonCybersecurityNorms,”June2016.https://mscorpmedia.azureedge.net/mscorpmedia/2016/06/Microsoft-Cybersecurity-Norms_vFinal.pdf.
Chayes,Abram,andAntoniaHandlerChayes.TheNewSovereignty:CompliancewithInternationalRegulatoryAgreements.HarvardUniversityPress,1998.https://www.amazon.com/New-Sovereignty-Compliance-International-Regulatory/dp/0674617835.
“China’sInternet:TheGreatFirewall.”TheEconomist,April6,2013.http://www.economist.com/news/special-report/21574631-chinese-screening-online-material-abroad-becoming-ever-more-sophisticated.
“CitizenLab|Github,”accessedJune7,2017,https://github.com/citizenlab.Clark,David,andSusanLandau.“UntanglingAttribution.”MassachusettsInstituteof
Technology,2011.http://static.cs.brown.edu/courses/csci1950-p/sources/lec12/ClarkandLandau.pdf.
“Clinton’sSpeechonInternetFreedom,January2010.”CouncilonForeignRelations,May2,2017.http://www.cfr.org/internet-policy/clintons-speech-internet-freedom-january-2010/p21253.
“CreateaStrategicOutreachCampaigntoAddValuetoYourOrganization.”Prowl,May23,2011.http://prowlpublicrelations.blogspot.com/2011/06/create-strategic-outreach-campaign-to.html?m=0.
85
Colquhoun,Cameron.“ABriefHistoryofOpenSourceIntelligence.”Bellingcat,July14,2016.https://www.bellingcat.com/resources/articles/2016/07/14/a-brief-history-of-open-source-intelligence/.
“CommercialChildPornography:ABriefSnapshotoftheFinancialCoalitionAgainstChildPornography.”NationalCenterforMissingandExploitedChildren,2016.http://www.missingkids.com/en_US/documents/Commercial_child_pornography_-_A_brief_snapshot_of_the_FCACP_2016.pdf.
“CongressionalBudgetJustification,Appendix1:DepartmentofStateDiplomaticEngagement,FiscalYear2017.”TheSecretaryofState.AccessedMay2,2017.https://www.state.gov/documents/organization/252732.pdf.
“CrashMH17.”Politie(Police).AccessedMay1,2017.https://www.politie.nl/themas/flight-mh17-2.html.
“CrashofMalaysiaAirlinesFlightMH17.”DutchSafetyBoard,October22,2015.https://onderzoeksraad.nl/uploads/phase-docs/1006/debcd724fe7breport-mh17-crash.pdf.
“CrashofMalaysiaAirlinesFlightMH17,FinalReport.”DutchSafetyBoard,October22,2015.https://www.onderzoeksraad.nl/uploads/phase-docs/1006/debcd724fe7breport-mh17-crash.pdf.
“Cross-BorderImplicationsofTheSECWhistleblowerReport.”Law360,May2,2017.https://www.law360.com/articles/395744/cross-border-implications-of-the-sec-whistleblower-report.
“CyberCrime.”FederalBureauofInvestigation.AccessedMay1,2017.https://www.fbi.gov/investigate/cyber.
“CyberCrime—FBI.”AccessedApril13,2017.https://www.fbi.gov/investigate/cyber.CyberattackonGoogleSaidtoHitPasswordSystem-TheNewYorkTimes,”May2,2017.
http://www.nytimes.com/2010/04/20/technology/20google.html.“Cybersecurity|HomelandSecurity.”AccessedApril13,2017.
https://www.dhs.gov/topic/cybersecurity.“Cyber-SecurityTaskForce:Public-PrivateInformationSharing,”BipartisanPolicyReview,July
2012.AccessedMay17,2017.http://bipartisanpolicy.org/wp-content/uploads/sites/default/files/PublicPrivateInformationSharing.pdf
“CyberStewards,”accessedJune7,2017,https://cyberstewards.org/Cyranoski,David.“ControversyoverSouthKorea'ssunkenship,”NatureJournal,July14,2010.
AccessedMay22,2017.http://www.nature.com/news/2010/100708/full/news.2010.343.html.
“DataPrivacyLawsAroundtheWorld,”BakerMcKenzie(2016).AccessedMay23,2017,https://globalcompliancenews.com/data-privacy/data-privacy-laws-around-the-world/.
Davis,Joshua.“HackersTakeDowntheMostWiredCountryinEurope.”WIRED.AccessedMay17,2017.https://www.wired.com/2007/08/ff-estonia/.
Dearden,Lizzie.“MH17Report:298VictimsRememberedasDutchSafetyBoardReportRevealsCause.”INDEPENDENT,October13,2015.http://www.independent.co.uk/news/world/europe/mh17-report-names-of-the-298-victims-as-dutch-safety-board-reveals-cause-of-crash-a6691941.html.
86
Demick,Barbara,andJohnM.Glionna,“DoubtsSurfaceonNorthKorea’sRoleinShipSinking.”LosAngelesTimes,July23,2010.http://articles.latimes.com/2010/jul/23/world/la-fg-korea-torpedo-20100724.
“DepartmentofSafeguards.”Text,July26,2016.https://www.iaea.org/about/organizational-structure/department-of-safeguards.
“DepartmentofTechnicalCooperation.”Text,August17,2016.https://www.iaea.org/about/organizational-structure/department-of-technical-cooperation.
“DidanAmericanMineSinkSouthKoreanShip?-NewAmericaMedia,”May2,2017.http://newamericamedia.org/2010/05/did-an-american-mine-sink-the-south-korean-ship.php.
“EFCMembers.”EuropeanFinancialCoalitionagainstCommercialSexualExploitationofChildrenOnline,n.d.http://www.europeanfinancialcoalition.eu/efc_members.php.
“EgmontGroupCommunicationStrategy.”EgmontGroupofFinancialIntelligenceUnits,July2015.https://egmontgroup.org/en/document-library/8
Elash,Anita,“HowTheCitizenLabpoliciestheworld'sdigitalspies,”CSMonitor,December22,2016,accessedJune7,2017,http://www.csmonitor.com/World/Passcode/2016/1222/How-The-Citizen-Lab-polices-the-world-s-digital-spies.
“EntertheCyber-Dragon|VanityFair,”May2,2017.http://www.vanityfair.com/news/2011/09/chinese-hacking-201109.
“EstoniaFinesManfor‘CyberWar.’”BBCNews,January25,2008.http://news.bbc.co.uk/2/hi/technology/7208511.stm.
“Ex-Pres.SecretarySuedforSpreadingCheonanRumors,"TheDong-AIlbo(EnglishEdition),May8,2010.AccessedMay22,2017,http://english.donga.com/List/3/all/26/264989/1
Falliere,Nicolas.“StuxnetIntroducestheFirstKnownRootkitforIndustrialControlSystems.”SymantecBlog,August6,2010.https://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices.
Falliere,Nicolas,LiamO.Murchu,andEricChien.“W32.StuxnetDossier,Version1.4.”SymantecSecurityResponse,February2011.https://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices.
“FATF-GAFI.ORG-FinancialActionTaskForce(FATF).”AccessedApril3,2017.http://www.fatf-gafi.org/.
“FBIConcludesNorthKoreaResponsibleforSonyHack.”MSNBC,December19,2014.http://www.msnbc.com/msnbc/fbi-concludes-north-korea-responsible-sony-hack.
“FBIOffersNewEvidenceConnectingNorthKoreaToSonyHack.”NPR.org.AccessedApril30,2017.http://www.npr.org/2015/01/07/375671935/fbi-offers-new-evidence-connecting-north-korea-to-sony-hack.
“FederalBureauofInvestigation-Facts&Figures.”AccessedApril30,2017.https://www2.fbi.gov/facts_and_figures/accountability_compliance.htm.
“FederalBureauofInvestigationFY2017BudgetRequestataGlance,”n.d.https://www.justice.gov/jmd/file/822286/download.
87
FederalBureauofInvestigation,andU.S.DepartmentofHomelandSecurity.“GRIZZLYSTEPPE-RussianMaliciousCyberActivity.”JointAnalysisU.S.GovernmentReport,December29,2016.
“FinancialIntelligenceUnits:AnOverview,”InternationalMonetaryFund,andWorldBank.2004.https://www.imf.org/external/pubs/ft/FIU/fiu.pdf.
“FinancialIntelligenceUnits(FIUs)-TheEgmontGroup.”AccessedApril3,2017.https://www.egmontgroup.org/en/content/financial-intelligence-units-fius.
“FINRA2015Exams:VariableAnnuities.”RegulatoryBrief:APublicationofPwC’sFinancialServicesRegulatoryPractice,January2015.http://www.pwc.com/us/en/financial-services/regulatory-services/publications/assets/finra-exams-variable-annuities.pdf.
“FINRABoardofGovernors|FINRA.org.”AccessedMay2,2017.https://www.finra.org/about/finra-board-governors.
“FireEye|Crunchbase.”AccessedApril30,2017.https://www.crunchbase.com/organization/fireeye.
“FireEyeReportsFourthQuarterandFiscalYear2016FinancialResults(None:FEYE).”AccessedMay1,2017.http://investors.fireeye.com/releasedetail.cfm?ReleaseID=1010252.
Flintoff,Corey.“KasperskyLab:BasedinRussia,DoingCybersecurityintheWest.”NPR,August10,2015.http://www.npr.org/sections/alltechconsidered/2015/08/10/431247980/kaspersky-lab-a-cybersecurity-leader-with-ties-to-russian-govt.
“FOIA.gov-FreedomofInformationAct:WheretoMakeaFOIARequest.”AccessedApril17,2017.https://www.foia.gov/report-makerequest.html.
“FunctionsandPowersoftheUnitedNationsSecurityCouncil.”AccessedMay3,2017.http://www.un.org/en/sc/about/functions.shtml.
“FY2017President’sBudget.”FinancialCrimesEnforcementNetwork(FinCEN,February9,2016.https://www.treasury.gov/about/budget-performance/CJ17/14.%20FinCEN%20FY%202017%20CJ.PDF.
Gagnon,Gary.“WhyBusinessesShouldShareIntelligenceAboutCyberAttacks.”HarvardBusinessReview,June13,2013.https://hbr.org/2013/06/why-businesses-should-share-intelligence-abo.
Galperin,Eva,Marquis-Borire,Morgan,andScott-Railton,John,“QuantumofSurveillance:FamiliarActorsandPossibleFalseFlagsinSyrianMalwareCampaigns,”CitizenLab-EEF,December23,2013,accessedJune7,2017,https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns.
“GeneralAssembly,onFifthCommittee’sRecommendation,AdoptsRaftofTextson2014-2015BienniumBudgetAppropriations,CommonSystem,Peacekeeping.”UnitedNations,https://www.un.org/press/en/2014/ga11608.doc.htm.
Gierow,HaukeJohannes.“CyberSecurityinChina:InternetSecurity,ProtectionismandCompetitiveness.NewChallengestoWesternBusinesses.”MERICS,April22,2015.AccessedMay17,2017.http://www.merics.org/fileadmin/templates/download/china-monitor/150407_MERICS_China_Monitor_twenty-two_en.pdf.
Gladstone,Rick,andDavidE.Sanger.“NewSanctionsonNorthKoreaOverNuclearTest.”TheNewYorkTimes,March7,2013.
88
http://www.nytimes.com/2013/03/08/world/asia/north-korea-warns-of-pre-emptive-nuclear-attack.html.
Glazer,Emily,andChristinaRexrode.“WellsFargoFinedforAnti-Money-Laundering‘Failures.’”WallStreetJournal,December18,2014,sec.Markets.http://www.wsj.com/articles/wells-fargo-fined-for-anti-money-laundering-failures-1418913816.
Goldsmith,Jack.“TowardGreaterTransparencyofNationalSecurityLegalWork,”(May2015).http://jackgoldsmith.org/toward-greater-transparency-of-national-security-legal-work/.Goodin,Dan.“KasperskyLab’sTopInvestigatorReportedlyArrestedinTreasonProbe.”
ArsTechnica,January25,2017.https://arstechnica.com/security/2017/01/kaspersky-labs-top-investigator-reportedly-arrested-in-treason-probe/.
Goodman,Marc.FutureCrimes:EverythingIsConnected,EveryoneIsVulnerableandWhatWeCanDoaboutIt.Firsted.NewYork:Doubleday,2015.
“GoogleHackersHadAbilitytoAlterSourceCode|WIRED,”May2,2017.https://www.wired.com/2010/03/source-code-hacks.
“Google’sSecretNSAAlliance:TheTerrifyingDealsbetweenSiliconValleyandtheSecurityState-Salon.com,”May2,2017.http://www.salon.com/2014/11/16/googles_secret_nsa_alliance_the_terrifying_deals_between_silicon_valley_and_the_security_state/
“Government’sRecentLabourInterventionsHighlyUnusual,ExpertsSay.”CBCNews.AccessedMay3,2017.http://www.cbc.ca/news/canada/government-s-recent-labour-interventions-highly-unusual-experts-say-1.977658.
“GreenpeaceInternationalAnnualReport2015.”GreenpeaceInternational.AccessedApril27,2017.http://www.greenpeace.org/international/Global/international/publications/greenpeace/2016/2015-Annual-Report-Web.pdf.
“GreenpeaceStructureandOrganization.”GreenpeaceInternational.AccessedMay3,2017.http://www.greenpeace.org/international/en/about/how-is-greenpeace-structured/.
“GreenpeaceVictoriesandSuccesses.”AccessedMay4,2017.http://www.greenpeace.org/international/Global/international/code/2016/victory-timeline/index.html.
“GuidelinesoftheCommitteefortheConductofItsWorld.”UnitedNationsSecurityCouncil,December23,2016.https://www.un.org/sc/suborg/sites/www.un.org.sc.suborg/files/guidelines_of_the_committee_for_the_conduct_of_its_work.pdf.
Gross,Doug.“Googlevs.China:FreeSpeech,FinancesorBoth?-CNN.com,”January13,2010.http://www.cnn.com/2010/TECH/01/13/google.china.analysis/index.html.
Gross,MichaelJoseph."ADeclarationofCyber-War,"VanityFair,April2011.AccessedMay23,2017.https://www.vanityfair.com/news/2011/03/stuxnet-201104.Haggard,Stephan,andJonR.Lindsay.“NorthKoreaandtheSonyHack:ExportingInstability
ThroughCyberspace.”AsiaPacificIssues,no.117(May2015):1–8.Healey,Jason.“BeyondAttribution:SeekingNationalResponsibilityforCyberAttacks.”Atlantic
Council,CyberStatecraftInitiative,2011.
89
http://www.atlanticcouncil.org/images/files/publication_pdfs/403/022212_ACUS_NatlResponsibilityCyber.PDF.
Hesseldahl,Arik.“SonyPicturesInvestigatesNorthKoreaLinkInHackAttack.”Recode,November28,2014.https://www.recode.net/2014/11/28/11633356/sony-pictures-investigates-north-korea-link-in-hack-attack.
Holgate,JonWolfsthal,andLauraS.H.“CuttingFundingtotheIAEAIsaHorribleIdea.”CarnegieEndowmentforInternationalPeace.AccessedMay3,2017.http://carnegieendowment.org/2017/03/27/cutting-funding-to-iaea-is-horrible-idea-pub-68413.
“HowDidN.KoreaSinktheCheonan?,”May2,2017.http://english.chosun.com/site/data/html_dir/2010/05/21/2010052100698.html.
Hunker,Jeffrey,BobHutchinson,andJonathanMargulies.“RoleandChallengesforSufficientCyber-AttackAttribution.”InstituteforInformationInfrastructureProtection,January2008.http://www.scis.nova.edu/%7Ecannady/ARES/hunker.pdf.
“IAEABudget.”Text,June8,2016.https://www.iaea.org/about/overview/budget.“IAEASafetyStandards.”AccessedMay2,2017.http://www-ns.iaea.org/standards/.Ians.“KasperskyLabJoinsInterpol-LedCybercrimeOperationacrossAsianNations.”The
EconomicTimes,April25,2017.http://economictimes.indiatimes.com/tech/internet/kaspersky-lab-joins-interpol-led-cybercrime-operation-across-asean-nations/articleshow/58360723.cms.
“ICAO:FrequentlyAskedQuestions.”AccessedMay2,2017.http://www.icao.int/about-icao/FAQ/Pages/icao-frequently-asked-questions-faq-2.aspx.
“ICAO’sPoliciesonChargesforAirportsandAirNavigationServices.”EighthEdition.Montreal,Quebec,Canada:ICAO,2009.http://www.icao.int/publications/Documents/9082_8ed_en.pdf.
“ICAO’sResponsetoGlobalChallenges.”ICAO.AccessedApril29,2017.http://www.icao.int/Newsroom/News%20Doc/copenhaguen-complete134ec9.pdf.
“IEWGPlanonaPage.”EgmontGroup,2016.https://www.egmontgroup.org/sites/default/files/IEWG%20Plan%20on%20a%20page%2016082016.pdf.
Igrindstad.“OVER€36MSPENTONMH17INVESTIGATIONSOFAR.”NLTimes,November21,2014.http://nltimes.nl/2014/11/21/eu36m-spent-mh17-investigation-far.
“ILODeclarationonFundamentalPrinciplesandRightsatWork(DECLARATION).”AccessedMay3,2017.http://www.ilo.org/declaration/lang--en/index.htm.
“InformationExchangeWorkingGroup,”n.d.https://www.egmontgroup.org/sites/default/files/IEWG%20Plan%20on%20a%20page%2016082016.pdf.
“Intermediate-RangeNuclearForcesTreaty(INFTreaty).”U.S.DepartmentofState.AccessedApril10,2017.http://www.state.gov/t/avc/trty/102360.htm.
“InternationalAtomicEnergyAgency(IAEA)‘LacksTransparency’,Agency’sSecrecy|GlobalResearch-CentreforResearchonGlobalization.”AccessedMay3,2017.http://www.globalresearch.ca/international-atomic-energy-agency-lacks-transparency-observers-and-researchers-say/5446187.
“InternationalLaborConference,”http://www.ilo.org/.
90
“InternationalLabourConference.”AccessedMay3,2017.http://ilo.org/global/about-the-ilo/how-the-ilo-works/international-labour-conference/lang--en/index.htm.
“InternationalLabourOrganization.”AccessedMay3,2017.http://www.ilo.org/global/lang--en/index.htm.
“InternationalStandardsonCombatingMoneyLaunderingandtheFinancingofTerrorism&Proliferation.”TheFATFRecommendations.FATF,February2012.http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf.
“InternationalUnionofPure&AppliedChemistry.”IUPAC|InternationalUnionofPureandAppliedChemistry.AccessedApril28,2017.https://iupac.org/who-we-are/.
"InspectionandEnforcementbytheRegulatoryBody."4.1.3.2.MethodsofInspection.AccessedMay11,2017.https://www.iaea.org/ns/tutorials/regcontrol/inspect/insp4133.htm.
“IntelligenceCommunityDirective209-TearlineProductionandDissemination.”AccessedMay25,2017.https://fas.org/irp/dni/icd/icd-209.pdf.
“InvestigationResultontheSinkingofROKS‘Cheonan.’”AccessedMay2,2017.http://news.bbc.co.uk/nol/shared/bsp/hi/pdfs/20_05_10jigreport.pdf.
“InvestigationMH17Crash,July2014.”DutchSafetyBoard.AccessedMay1,2017.https://www.onderzoeksraad.nl/en/onderzoek/2049/investigation-crash-mh17-17-july-2014.
“IUPACandtheOrganisationfortheProhibitionofChemicalWeaponsTakePartnershiptoNewLevel|InternationalUnionofPureandAppliedChemistry.”IUPAC|InternationalUnionofPureandAppliedChemistry,December1,2016.
https://iupac.org/iupac-opcw-take-partnership-new-level/.Jakobi,Anja.“Non-StateActorsandGlobalCrimeGovernance:ExplainingtheVarianceof
Public-PrivateInteraction.”TheBritishJournalofPoliticsandInternationalRelations18,no.1(2016):72–89.
JasonRivera,andForrestHare.“TheDeploymentofAttributionAgnosticCyberdefenseConstructsandInternallyBasedCyberthreatCountermeasures.”CCDCOE,6thInternationalConferenceonCyberConflict,2014,100–116.
Johnson,ChrisandLeeBadger,DavidWaltermire,JulieSnyder,ClemSkorupka.“GuidetoCyberThreatInformationSharing,”NationalInstituteofStandardsand
Technology(NIST),April2016.http://csrc.nist.gov/publications/drafts/800-150/sp800_150_second_draft.pdf.
Kaytal,Neal.“CommunitySelfHelp.”GeorgetownUniversityLawCenterJournalofLaw,EconomicsandPolicy,2005.http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1532&context=facpub.
Keizer,Gregg.“IsStuxnetthe‘Best’MalwareEver?”InfoWorld,September16,2010.http://www.infoworld.com/article/2626009/malware/is-stuxnet-the--best--malware-ever-.html.
Kim,HwangSu,andMauroCaresta."WhatReallyCausedtheROKSCheonanWarshipSinking?"AdvancesinAcousticsandVibration(2014).AccessedMay22,2017.https://www.hindawi.com/journals/aav/2014/514346/.
91
Koebler,Jason.“NSABuiltStuxnet,butRealTrickIsBuildingCrewofHackers.”U.S.News,June8,2012.https://www.usnews.com/news/articles/2012/06/08/nsa-built-stuxnet-but-real-trick-is-building-crew-of-hackers.
Koh,HaroldHongju.“WhyDoNationsObeyInternationalLaw?,”YaleFacultyScholarshipPress(1997).AccessedMay23,2017.http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=2897&context=fss_papers.
Krebs,Brian.“ExpertsWarnofNewWindowsShortcutFlaw.”KrebsOnSecurity:In-DepthSecurityNewsandInvestigation,July10,2010.http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/.
Kurtas,Susan.“ResearchGuides:UNDocumentation:SecurityCouncil:Introduction.”Researchguide.AccessedMay3,2017.http://research.un.org/en/docs/sc/introduction.
Kushner,David.“TheRealStoryofStuxnet:HowKasperskyLabTrackeddowntheMalwareThatStymiedIran’sNuclear-FuelEnrichmentProgram.”EEESpectrum,February26,2013.AccessedMay17,2017.http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.
Landler,Mark.“DiplomaticStormBrewingOverKoreanPeninsula.”TheNewYorkTimes,May19,2010.http://www.nytimes.com/2010/05/20/world/asia/20diplo.html.
“LatestNewsandHighlights.”AccessedMay2,2017.http://www.icao.int/newsroom/Pages/default.aspx.
“LessonsfromMandiant’sAPT1Report|SecurityWeek.Com.”AccessedMay2,2017.http://www.securityweek.com/lessons-mandiant%E2%80%99s-apt1-report.
“LetterDated4June2010fromthePermanentRepresentativeoftheRepublicofKoreatotheUnitedNationsAddressedtothePresidentoftheSecurityCouncil.”UnitedNationsSecurityCouncil,June4,2010.http://www.un.org/en/sc/repertoire/2010-2011/Part%20I/2010-2011_letterKorea.pdf.
Lin,HerbertS.“AttributionofMaliciousCyberIncidents:FromSouptoNuts.”SSRNScholarlyPaper.Rochester,NY:SocialScienceResearchNetwork,September2,2016.https://papers.ssrn.com/abstract=2835719.
Lindsay,JonR.“Tippingthescales:theattributionproblemandthefeasibilityofdeterrenceagainstcyberattack,”JournalofCybersecurity1(1):115,2015,http://cybersecurity.oxfordjournals.org/content/1/1/53
Lipton,Eric,DavidE.Sanger,andScottShane.“ThePerfectWeapon:HowRussianCyberpowerInvadedtheU.S.-TheNewYorkTimes.”TheNewYorkTimes,December13,2016.https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0.
“ListofParticipatingInternationalOrganizationsandIndustry.”AccessedMay2,2017.http://www.icao.int/Meetings/ICAN2015/Pages/List-of-Participating-Industry-and-International-Organizations.aspx.
MacAfeeReport,THEECONOMICIMPACTOFCYBERCRIMEANDCYBERESPIONAGE,CenterforStrategicandInternationalStudies,(July,2013).https://docs.google.com/viewer?docex=1&url=http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf.
“MakinganICAOStandard.”AccessedMay2,2017.http://www.icao.int/safety/airnavigation/Pages/standard.aspx#4.
92
“MandiantReporton‘APT1.’”Lawfare,February20,2013.https://lawfareblog.com/mandiant-report-apt1.
“Mandiant,theGo-ToSecurityFirmforCyber-EspionageAttacks-Bloomberg,”May2,2017.https://www.bloomberg.com/news/articles/2013-02-07/mandiant-the-go-to-security-firm-for-cyber-espionage-attacks.
“MembershipandFunctions.”OrganizationfortheProhibitionofChemicalWeapons,https://www.opcw.org/about-opcw/executive-council/membership-and-functions/.
“MemberStates’CompetentAuthorities.”AccessedMay3,2017.http://www-ns.iaea.org/tech-areas/emergency/member-states-competent-authorities.asp?s=1.
“MembersoftheUnitedNationsSecurityCouncil.”AccessedMay3,2017.http://www.un.org/en/sc/members/.
“Mission&Priorities.”Folder.FederalBureauofInvestigation.AccessedMay1,2017.https://www.fbi.gov/about/mission.
“MissionandImpactoftheILO.”AccessedMay3,2017.http://ilo.org/global/about-the-ilo/mission-and-objectives/lang--en/index.htm.
“MoneyLaunderingandtheFinancingofTerrorism.”EgmontGroup,n.d.https://www.egmontgroup.org/en/content/money-laundering-and-financing-terrorism.
“MoneyLaunderingandtheFinancingofTerrorism-TheEgmontGroup.”AccessedApril30,2017.https://egmontgroup.org/en/content/money-laundering-and-financing-terrorism.
Morris,Harvey.“NKoreaEscapesBlameoverShipSinking.”FinancialTimes,July9,2010.https://www.ft.com/content/4208c344-8b6e-11df-ab4d-00144feab49a.
“MostS.KoreansSkepticalAboutCheonanFindings,SurveyShows.”TheChosunIlbo(EnglishEdition),September8,2010.AccessedMay17,2017.http://english.chosun.com/site/data/html_dir/2010/09/08/2010090800979.html.
Nakashima,Ellen."StuxnetwasworkofU.S.andIsraeliexperts,officialssay,"TheWashingtonPost,June2,2012.AccessedMay23,2017.https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html.
“News|FinCEN.gov.”AccessedApril30,2017.https://www.fincen.gov/news-room/news.“NewsfromtheEFC:ThePast,ThePresent,TheFuture.”AccessedApril28,2017.
http://us11.campaign-archive1.com/?u=a39d608c8102dd5c712efbc48&id=d1ce5b24df.Nikitin,MaryBeth,MarkE.Manyin,EmmaChanlett-Avery,andDickK.Nanto.“NorthKorea’s
SecondNuclearTest:ImplicationsofU.N.SecurityCouncilResolution1874.”CongressionalResearchService,April15,2010.https://fas.org/sgp/crs/nuke/R40684.pdf.
“NorthKoreaThreatens‘All-outWar’overWarshipSinkingReport-Telegraph,”May2,2017.http://www.telegraph.co.uk/news/worldnews/asia/northkorea/7745370/North-Korea-threatens-all-out-war-over-warship-sinking-report.html.
Oatley,ThomasH.DebatesinInternationalPoliticalEconomy.Boston:Longman,2012.“ObserversandInternationalPartners-TheEgmontGroup.”AccessedApril3,2017.
https://egmontgroup.org/en/document-library/13.OfficeoftheDirectorofNationalIntelligence.“Backgroundto‘AssessingRussianActivitiesand
IntentionsinRecentUSElections’:TheAnalyticProcessandCyberIncidentAttribution.”U.S.Government.NationalIntelligenceCouncil,January6,2017.
93
“OHCHR|InternationalCovenantonCivilandPoliticalRights.”1966.AccessedMay18,2017.http://www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx.
“OneorMoreUnknownTradersintheSecuritiesofFortressInvestmentGroup,LLC(ReleaseNo.LR-23760;Feb.28,2017).”AccessedMay2,2017.https://www.sec.gov/litigation/complaints/2017/comp23760.pdf.
“OPCWCalendarofEvents.”OrganizationfortheProhibitionofChemicalWeapons.https://www.opcw.org/events-calendar/.
“OPCW.”OPCW.AccessedApril13,2017.https://opcw.unmissions.org/.“OPCWMissionStatement.”OrganizationfortheProhibitionofChemicalWeapons,n.d.
https://www.opcw.org/about-opcw/mission/.“OPCWPressReleaseonAllegationsofChemicalWeaponsUseinSouthernIdli,Syria.”
OrganizationfortheProhibitionofChemicalWeapons,April4,2017.“OpenNetInitiative,”accessedJune7,2017,https://opennet.net/.“OrganizationfortheProhibitionofChemicalWeapons.”NIT:BuildingaSaferWorld,April28,
2017.http://www.nti.org/learn/treaties-and-regimes/organization-for-the-prohibition-of-chemical-weapons/.
“OurCodeofEthics&BusinessConduct:LivingOurVision&Values.”WellsFargo.AccessedApril30,2017.https://www08.wellsfargomedia.com/assets/pdf/about/corporate/code-of-ethics.pdf.
“OurCoreValues|GreenpeaceInternational.”AccessedMay4,2017.http://www.greenpeace.org/international/en/about/our-core-values/.
“OurShips|GreenpeaceInternational.”AccessedMay4,2017.http://www.greenpeace.org/international/en/about/ships/.
Patel,Neil.“WhyaTransparentCultureIsGoodforBusiness.”FastCompany,October9,2014.https://www.fastcompany.com/3036794/why-a-transparent-culture-is-good-for-business.
Parket,Landelijik.“JIT:FlightMH17WasShotdownbyaBUKMissilefromaFarmlandnearPervomaiskyi.”OpenbaarMinisterie,September28,2016.https://www.om.nl/onderwerpen/mh17-crash/@96068/jit-flight-mh17-shot/.
Parket,Landelijk.“JointInvestigationTeam’sReactiontoOVVReport.”OpenbaarMinisterie,October13,2015.https://www.om.nl/onderwerpen/mh17-crash/@91208/joint-investigation-0/.
“Procedure.”OfficeoftheOmbudspersonoftheSecurityCouncil’s1267Committee,n.d.https://www.un.org/sc/suborg/en/ombudsperson/procedure.
“ProgrammeandBudget.”AccessedMay3,2017.http://embargo.ilo.org/global/about-the-ilo/how-the-ilo-works/programme-and-budget/lang--en/index.htm.
“ProposingaSelf-HelpPrivilegeforVictimsofCyberAttacks,”May2,2017.https://www.researchgate.net/publication/298414555_Proposing_a_Self-Help_Privilege_for_Victims_of_Cyber_Attacks.
“ProtectingandDefendingagainstCyberthreatsinUncertainTimes|USA2017|RSAConference.”AccessedMay23,2017.http://www.rsaconference.com/events/us17/agenda/sessions/7577-keynote-speaker-brad-smith-president-and-chief.
94
“PublicStatementsandCommuniques-TheEgmontGroup.”AccessedApril3,2017.https://www.egmontgroup.org/en/document-library/9.
“Q&AaboutSecureDroponTheWashingtonPost.”WashingtonPost,June5,2014.https://www.washingtonpost.com/pr/wp/2014/06/05/qa-about-securedrop-on-the-washington-post/.
“ReportTiesCyberattacksonU.S.ComputerstoChineseMilitary-TheWashingtonPost,”May2,2017.https://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html?utm_term=.5cd49327297e.
“Reports|UnitedNationsSecurityCouncilSubsidiaryOrgans.”AccessedMay24,2017.https://www.un.org/sc/suborg/en/sanctions/1718/panel_experts/reports.
Resolution1718(2006),S/RES/1718(2006)§(2006).https://www.globalpolicy.org/images/pdfs/1014reso1718.pdf.
“Resolution2253(2015).”UnitedNationsSecurityCouncil,December17,2015.http://www.un.org/en/ga/search/view_doc.asp?symbol=S/RES/2253(2015).
“ResultsConfirmNorthKoreaSankCheonan-DailyNK,”May2,2017.http://www.dailynk.com/english/read.php?cataId=nk00100&num=6392.
Rid,Thomas,andBenBuchanan.“AttributingCyberAttacks.”JournalofStrategicStudies38,no.1–2(January2,2015):4–37.doi:10.1080/01402390.2014.977382.
Rotella,Sebastian.“FourDisturbingQuestionsAbouttheMumbaiTerrorAttack|AmericanTerrorist|FRONTLINE|PBS,”February22,2013.http://www.pbs.org/wgbh/frontline/article/four-disturbing-questions-about-the-mumbai-terror-attack/.
Rotella,Sebastian,JamesGlanz,andDavidE.Sanger.“In2008MumbaiAttacks,PilesofSpyData,butanUncompletedPuzzle-ProPublica.”ProPublica,December21,2014.https://www.propublica.org/article/mumbai-attack-data-an-uncompleted-puzzle.
“RulesandProcedurefortheScientificAdvisoryBoardandTemporaryWorkingGroupsofScientificExperts”.OrganizationfortheProhibitionofChemicalWeapons.AccessedMay10,2017.https://www.opcw.org/about-opcw/subsidiary-bodies/scientific-advisory-board/rules-of-procedure/
“RussianNavyExpertTeam’sAnalysisontheCheonanIncident :NorthKorea :News :TheHankyoreh,”May2,2017.http://english.hani.co.kr/arti/english_edition/e_northkorea/432230.html.
“SanctionsListMaterials.”UnitedNationsSecurityCouncilSubsidiaryOrgans,n.d.https://www.un.org/sc/suborg/en/sanctions/1267/aq_sanctions_list.
Sanger,DavidE.,DavidBardoza,andNicolePerlroth.“China’sArmyIsSeenasTiedtoHackingAgainstU.S.”TheNewYorkTimes,February18,2013.http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html.
Schneier,Bruce.“AttackAttributionandCyberConflict.”SchneierOnSecurity.March9,2015.AccessedMay23,2017.https://www.schneier.com/blog/archives/2015/03/attack_attribut_1.html.
Schneier,Bruce.“ClickHeretoKillEveryonewiththeInternetofThings,we’rebuildingaworld-sizerobot.Howarewegoingtocontrolit?,”NewYorkMagazine,(January,2017)
95
http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html
Schwartz,Mattathias,“CyberwarForSale,”TheNewYorkTimesMagazine,January4,2017,accessedJune7,2017,https://www.nytimes.com/2017/01/04/magazine/cyberwar-for-sale.html.
“SECApprovesOneWatchdogforBrokersBigandSmall.”AccessedMay2,2017.http://www.washingtonpost.com/wp-dyn/content/article/2007/07/27/AR2007072700108_pf.html.
“SEC.gov|HedgeFundManagertoPay$44MillionforIllegalTradinginChineseBankStocks,”May2,2017.https://www.sec.gov/news/press-release/2012-2012-264htm.
“SecretariatandBudget.”AnnualReport.WTO,2016.https://www.wto.org/english/res_e/booksp_e/anrep_e/anrep16_chap9_e.pdf.
“Services.”FireEye.AccessedMay1,2017.https://www.fireeye.com/services.html.“SecurityCouncilCondemnsAttackonRepublicofKoreaNavalShip‘Cheonan’,StressesNeed
toPreventFurtherAttacks,OtherHostilitiesinRegion|MeetingsCoverageandPressReleases.”AccessedMay16,2017.https://www.un.org/press/en/2010/sc9975.doc.htm.
Shamsi,JawwadA.,SheraliZeadally,FarehaSheikh,andAngelynFlowers.“AttributioninCyberspace:TechniquesandLegalImplications.”SecurityandCommunicationNetworks9(n.d.):2886–2900.
Shukman,David.“OpenSesame:ScienceCenterUnveiledinJordan.”BBCNews,May16,2017,sec.Science&Environment.http://www.bbc.com/news/science-environment-39927836.
“SinkingReport.doc-20_05_10jigreport.pdf,”May2,2017.http://news.bbc.co.uk/nol/shared/bsp/hi/pdfs/20_05_10jigreport.pdf.
“SoHowIsBellingcatFunded?,”March25,2016.http://www.whathappenedtoflightmh17.com/so-how-is-bellingcat-funded/.
“SonyHiresMandiantafterCyberAttack,FBIStartsProbe.”Reuters,December1,2014.http://www.reuters.com/article/us-sony-cybersecurity-mandiant-idUSKCN0JE0YA20141201.
“SouthKoreaWarshipSinking:TheTop10ConspiracyTheories-Telegraph,”May2,2017.http://www.telegraph.co.uk/news/worldnews/asia/northkorea/7803376/South-Korea-warship-sinking-the-top-10-conspiracy-theories.html.
“SpeakersinSecurityCouncilCallforUnified,GlobalCounter-TerrorismEffort,FollowingBriefingsbyChairsofCommitteesSetUptoSpearheadFight,”UnitedNations,May
11,2010.http://www.un.org/press/en/2010/sc9923.doc.htm.“SpecialVerificationCommission(INFTreaty)Held30thSessionNovember15-16inGeneva »
USMissionGeneva.”AccessedApril10,2017.https://geneva.usmission.gov/2016/11/18/special-verification-commission-inf-treaty-held-30th-session-november-15-16-in-geneva/.
Soldatov,Andrei,andIrinaBorogan.“PutinBringsChina’sGreatFirewalltoRussiainCybersecurityPact.”TheGuardian,November29,2016.https://www.theguardian.com/world/2016/nov/29/putin-china-internet-great-firewall-russia-cybersecurity-pact.
96
“StatementofRevenueandExpenditureoftheEuropeanPoliceOfficefortheFinancialYear2017.”OfficeJournaloftheEuropeanUnion.
“StatementonGoogleOperationsinChina.”U.S.DepartmentofState,May2,2017.“StatementtotheBoard–NuclearVerificationinIran.”Text,March3,2008.
https://www.iaea.org/newscenter/multimedia/videos/statement-board-%E2%80%93-nuclear-verification-iran.
Stone,BradandMichaelRiley,“Mandiant,theGo-ToSecurityFirmforCyber-EspionageAttacks.”Bloomberg,February8,2013.AccessedApril28,2017.https://www.bloomberg.com/news/articles/2013-02-07/mandiant-the-go-tosecurity-firm-for-cyberespionage-attacks.
“Structure|CCDCOE.”AccessedMay4,2017.https://ccdcoe.org/structure-0.html.“StructureandOrganizationoftheEgmontGroupofFinancialIntelligenceUnits-TheEgmont
Group.”AccessedApril3,2017.https://www.egmontgroup.org/en/content/structure-and-organization-egmont-group-financial-intelligence-units.
“StructureandPeople.”AmnestyInternational.AccessedMay1,2017.https://www.amnesty.org/en/about-us/how-were-run/structure-and-people/.
“SuggestedBestPracticesforIndustryOutreachProgramstoStakeholders.”FederalEnergyRegulatoryCommission,July2015.https://www.ferc.gov/industries/gas/enviro/guidelines/stakeholder-brochure.pdf.
Sullivan,Ben.“BellingcatWantsYourHelptoDebunkFakeNews.”Motherboard,March7,2017.https://motherboard.vice.com/en_us/article/bellingcat-wants-your-help-to-debunk-fake-news.
“TallinnManualProcess|CCDCOE.”AccessedMay4,2017.https://ccdcoe.org/tallinn-manual.html.
“Technology|FINRA.org.”AccessedMay16,2017.https://www.finra.org/about/technology.“The2007EstonianCyberattacks:NewFrontiersinInternationalConflict.”OnCyberWay
HarvardLawSchoolBlog.AccessedMay17,2017.https://blogs.harvard.edu/cyberwar43z/2012/12/21/estonia-ddos-attackrussian-nationalism/.
“TheAgency’sProgrammeandBudget2016-2017.”IAEA,July2015.https://www.iaea.org/About/Policy/GC/GC59/GC59Documents/English/gc59-2_en.pdf.
“TheEgmontGroupStrategicPlan2014–2017,”May2015.https://egmontgroup.org/en/filedepot_download/1658/40.
“TheSinkingoftheCheonan-TheNewYorkTimes,”May2,2017.http://www.nytimes.com/2010/05/21/opinion/21fri2.html.
“TheStakesandChallengesofInternationalCivilAviation.”Montreal:ICAO,February17,2011.http://www.icao.int/Newsroom/Speeches/THE%20STAKES%20AND%20CHALLENGES%20OF%20INTERNATIONAL%20CIVIL%20AVIATION%20-%20Secretary%20General%20Raymond%20Benjamin.pdf.
“TheU.S.-IsraeliStuxnetAlliance.”Stratfor,January17,2017.https://www.stratfor.com/analysis/us-israeli-stuxnet-alliance.
“TigerAsiaManagement,LLC,etAl.(ReleaseNo.LR-22569;December13,2012),”May2,2017.https://www.sec.gov/litigation/litreleases/2012/lr22569.htm.
97
Timm,Trevor.“SecureDropUndergoesSecondSecurityAudit.”FreedomofthePressFoundation,January20,2014.https://freedom.press/news-advocacy/securedrop-undergoes-second-security-audit/.
“TreatyBetweentheUnitedStatesofAmericaAndTheUnionOfSovietSocialistRepublicsonTheEliminationofTheirIntermediate-RangeandShorter-RangeMissiles(INFTreaty).”U.S.DepartmentofState.AccessedMay1,2017.https://www.state.gov/t/avc/trty/102360.htm.
UAEGeneralCivilAviationAuthority.“GapsinGlobalEffectiveness.”http://www.icao.int/Meetings/AMC/SAR2010/Documents/21June2010-1030-Brian_Day-Gaps_in_Global_Effectiven.pdf.
“UpdateonSonyInvestigation.”PressRelease.FederalBureauofInvestigation.AccessedApril30,2017.https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
“U.S.HackedintoIran’sCriticalCivilianInfrastructureforMassiveCyberattack,NewFilmClaims.”Buzzfeed,May16,2016.https://www.buzzfeed.com/jamesball/us-hacked-into-irans-critical-civilian-infrastructure-for-ma?utm_term=.nxgZMvM1z#.eclLmVmWX.
“VIENNADOCUMENT2011ONCONFIDENCE-ANDSECURITY-BUILDINGMEASURES.”OSCE.AccessedMay1,2017.http://www.osce.org/fsc/86597?download=true.
“VirusBlokAda.”VirusBlokAda.AccessedMay1,2017.http://anti-virus.by/en/tempo.shtml.Walters,Riley.“CyberAttacksonU.S.CompaniesSinceNovember2014.”TheHeritage
Foundation.November18,2015.AccessedMay23,2017.http://www.heritage.org/cybersecurity/report/cyber-attacks-us-companies-november-2014.
“WarintheFifthDomain.”TheEconomist,July1,2010.AccessedMay17,2017.http://www.economist.com/node/16478792.
Warren,Zach.“AreYouReadyfortheNewChinaCybersecurityLaw?”InsideCounsel,February28,2017.http://www.insidecounsel.com/2017/02/28/are-you-ready-for-the-new-china-cybersecurity-law?ref=footer-news.
Wheeler,DavidandGregoryLarsen.InstituteforDefenseAnalysis,TechniquesforCyberAttackAttributionES.October2003.http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859.
“WhoWeAre.”AmnestyInternational.AccessedApril29,2017.https://www.amnesty.org/en/who-we-are/.
“WhyAmericaShouldKeepSupportingtheIAEA|TheNationalInterestBlog.”AccessedMay4,2017.http://nationalinterest.org/blog/the-buzz/why-america-should-keep-supporting-the-iaea-20485.
“WilderSecurity.”WilderSecurityForums.AccessedMay1,2017.https://www.wilderssecurity.com/threads/son-of-stuxnet.310195/.
Williamson,Wade.“LessonsfromMandiant’sAPT1Report,”SECURITYWEEK,February29,2013.AccessedApril29,2017,http://www.securityweek.com/lessons-mandiant%E2%80%99s-apt1-report.
Wittes,Benjamin,“MandiantReporton‘APT1’,”Lawfare.org,February20,2013.AccessedApril29,2017,https://lawfareblog.com/mandiant-report-apt1.Woolf,AmyF.“MonitoringandVerificationinArmsControl.”CongressionalResearchService,
December23,2011.https://fas.org/sgp/crs/nuke/R41201.pdf.
98
“WorkandMandate.”SecurityCouncilCommitteeEstablishedPursuanttoResolution1718(2006),n.d.https://www.un.org/sc/suborg/en/sanctions/1718/panel_experts/work_mandate.
“WorkandMandate.”UnitedNationsSecurityCouncilSubsidiaryOrgans,n.d.https://www.un.org/sc/suborg/en/sanctions/1267/monitoring-team/work-and-mandate.
“WTO|BudgetfortheYear2013.”AccessedMay2,2017.https://www.wto.org/english/thewto_e/secre_e/budget_e.htm.
“WTO|TradeandEnvironment.”AccessedMay2,2017.https://www.wto.org/english/tratop_e/envir_e/envt_rules_exceptions_e.htm.
“WTO|UnderstandingtheWTO-AUniqueContribution.”AccessedMay2,2017.https://www.wto.org/english/thewto_e/whatis_e/tif_e/disp1_e.htm.
Zetter,Kim."BlockbusterWormAimedforInfrastructure,ButNoProofIran...."WIRED,September23,2010.AccessedMay23,2017,
https://www.wired.com/2010/09/stuxnet-2/.Zetter,Kim."CyberwarIssuesLikelytoBeAddressedOnlyAfteraCatastrophe,"WIRED,
February17,2011.AccessedMay23,2017.https://www.wired.com/threatlevel/2011/02/cyberwar-issues-likely-to-be-addressed-only-after-a-catastrophe.
Zetter,Kim.“HowDigitalDetectivesDecipheredStuxnet,theMostMenacingMalwareinHistory.”WIRED.July11,2011.AccessedMay24,2017.https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/.
Zheng,Denise,andJamesLewis.“CyberThreatInformationSharing.”CenterforStrategicandInternationalStudies,March10,2015.AccessedMay17,2017.https://www.csis.org/analysis/cyber-threat-information-sharing.