As cyberattacks sow ever greater chaos worldwide, IT titan Microsoft and independent experts are pushing for a new global NGO tasked with the tricky job of unmasking the hackers behind them. Dubbed the "Global Cyber Attribution Consortium," according to a recent report by the Rand Corporation think-tank, the NGO would probe major cyberattacks and publish, when possible, the identities of their perpetrators, whether they be criminals, global hacker networks or states.
"This is something that we don't have today: a trusted international organization for cyber-attribution," Paul Nicholas, director of Microsoft's Global Security Strategy, said at a NATO's Cycon cybersecurity conference in Tallinn last week.
With state and private companies having "skills and technologies scattered around the globe" Nicholas admits it becomes "really difficult when you have certain types of complex international offensives occurring."
"The main actors look at each other and they sort of know who they think it was, but nobody wants to make an affirmation," he said.
Microsoft already floated the idea of an anti-hacking NGO in a June 2016 report that urged the adoption of international standards on cybersecurity. The report by Rand commissioned by Microsoft called "Stateless Attribution - Toward international accountability in Cyberspace" analyses a string of major cyberattacks. They include offensives on Ukraine's electricity grid, the Stuxnet virus that ravaged an Iranian nuclear facility, the theft of tens of millions of confidential files from the U.S. Office of Personnel Management (OPM) or the notorious WannaCry ransomware virus.
"In the absence of credible institutional mechanisms to contain hazards in cyberspace, there are risks that an incident could threaten international peace and the global economy," the report's authors conclude.
They recommend the creation of an NGO bringing together independent experts and computer scientists that specifically excludes state actors, who could be bound by policy or politics to conceal their methods and sources. Rand experts suggest funding for the consortium could come from international philanthropic organizations, institutions like the United Nations, or major computer or telecommunications firms. Pinning down the identity of hackers in cyberspace can be next to impossible, according to experts who attended Cycon.
"There are ways to refurbish an attack in a way that 98 percent of the digital traces point to someone else," Sandro Gaycken, founder and director of the Digital Society Institute at ESMT Berlin, said in Tallinn.
"There is a strong interest from criminals to look like nation-states, a strong interest from nation-states to look like criminals," Gaycken said. "It's quite easy to make your attack look like it comes from North Korea."
According to experts at Cycon, hackers need only include three lines of code in Cyrillic script in a virus in order to make investigators wrongly believe it came from Russian hackers. Similarly, launching attacks during working hours in China raises suspicions about Chinese involvement. Hackers can also cover their tracks by copying and pasting bits and pieces of well-known Trojan viruses, something that points the finger at their original authors.