Microsoft Proposes an Independent Body for Making Attribution Judgments

Herb Lin
Friday, June 24, 2016, 3:50 PM

Yesterday, Scott Charney, Microsoft’s Corporate Vice President for Trustworthy Computing, announced a new white paper about cybersecurity norms for nation-states and the global information and communications technology industry, “From Articulation to Implementation: Enabling Progress on Cybersecurity Norms.”

I haven’t yet had a chance to digest it thoroughly, but so far it looks like the best corporate statement on this problem to date.

Published by The Lawfare Institute in Cooperation With Brookings

One of the most interesting things contained in this paper for me is the idea of establishing an independent body not aligned with any particular nation to help make attribution judgments when circumstances call for it. The proposal also anticipates the obvious objection that governments may be “reluctant to empower an independent organization to make findings that may be both politically important and politically charged.” To help address this objection, the proposal calls for the body to have strong technical expertise, diverse geographic representation, and a mandate to focus only on attribution of significant cyberattacks, and to be subject to peer review.

If such a body were feasible and established itself as a credible source of attribution judgments, it would help to a considerable extent address the politicization of many attribution judgments today.

Could such a body be constituted to play a meaningful role? The skeptic in me doubts it (largely for the reason anticipated in the report), but I’d love to be wrong. Read the proposal for yourself and let’s start a discussion.


Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.
