Second Roundtable Looks at Role of Private Sector and Civil Society in Attribution

Sarah Lohmann

Dr. Sarah Lohmann is Non-Resident Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University. Dr. Lohmann is an Acting Assistant Professor in the Henry M. Jackson School for International Studies and a Visiting Professor at the U.S. Army War College. Her current teaching and research focus is on cyber and energy security and NATO policy, and she is currently a co-lead for a NATO project on “Energy Security in an Era of Hybrid Warfare”. She joins the Jackson School from UW’s Communications Leadership faculty, where she teaches on emerging technology, big data and disinformation. Previously, she served as the Senior Cyber Fellow with the American Institute for Contemporary German Studies at Johns Hopkins University, where she managed projects which aimed to increase agreement between Germany and the United States on improving cybersecurity and creating cybernorms.

Starting in 2010, Dr. Lohmann served as a university instructor at the Universität der Bundeswehr in Munich, where she taught cybersecurity policy, international human rights, and political science. She achieved her doctorate in political science there in 2013, when she became a senior researcher working for the political science department.

Prior to her tenure at the Universität der Bundeswehr, Dr. Lohmann was a press spokeswoman for the U.S. Department of State for human rights as well as for the Bureau of Near Eastern Affairs (MEPI). Before her government service, she was a journalist and Fulbright scholar. She has been published in multiple books, including a handbook on digital transformation, Redesigning Organizations: Concepts for the Connected Society (Springer, 2020), and has written over a thousand articles in international press outlets.

Defense and tech experts from the United States and Germany gathered in the conference room of the American-German Institute in Washington, DC, on May 23 to discuss the greatest hurdles for cybersecurity for the transatlantic community. The second German-American Cyber Roundtable co-hosted by Microsoft examined what actors should work together to identify those responsible for malicious cyber incidents.

Setting the tone for the meeting, Prof. John Davis, a senior information scientist at RAND and professor of the Pardee RAND Graduate School, discussed the challenges of attribution and the motivations and methods of actors who conduct illegal cyber intrusions. His study Stateless Attribution: Toward International Accountability in Cyberspace proposes an attribution organization independent from the state, similar to the International Atomic Energy Agency, which would be made up of companies from the private sector and civil society. This independent organization would not be concerned with punitive mechanisms, he said, but should focus on synergy of methodology and confidence from the participants to correctly identify actors conducting illegal intrusions.

Laura Rosenberger, who founded the Alliance for Securing Democracy, talked about the challenges for governments when making attribution public, and the role the private sector and civil society can play to galvanize government action and provide public transparency.

Michael Ngo, the new CSO of ORock Technologies, provided an operational perspective, and the value of connecting intelligence, sensor data, and operational reporting to mitigate against cyber-attacks and illegal intrusions. There was a diversity of opinion among the participants about the degree to which governments, the military, and intelligence agencies should be left out of an attribution coalition altogether, and who should provide accountability for bad actors.

A second panel, which included Professor Tom Wingfield of the National Defense University, Steve Bucci of Heritage, Kaja Ciglic of Microsoft, and Todd Oja of U.S. Cyber Command, discussed the layers of authorities needed to identify malicious cybersecurity actors and the motivators that can be used for compelling lawful behavior. Here, access, authorities, and resources all play a role, especially in terms of coordinating with partners in Europe.

Ms. Ciglic discussed the Cybersecurity Tech Accord as a solution to increased malicious cybersecurity threats to users from both cybercriminals and nation states. The Accord, which was launched in April, has been signed by over forty companies, and the signatories agree to share threat information, protect users from cyber-attacks, to not help governments launch offensive attacks which are harmful to “innocent” citizens, and to report publicly on their progress.

While the role of the government in interacting with an attribution coalition or in responding to the private sector’s desire to protect their users’ privacy was hotly debated, all agreed that civil society had a greater role to play in identifying bad cyber actors, assisting in technical cooperation, and sharing threat information. The next Cyber Roundtable will take place in Brussels in the fall.