DOCSLIB.ORG

Incentivizing Comprehensive Cybersecurity Solutions by Matching Accountability to Capability

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Incentivizing Comprehensive Cybersecurity Solutions by Matching Accountability to Capability POLICY ANALYSIS EXERCISE Incentivizing Comprehensive Cybersecurity Solutions by Matching Accountability to Capability Kevin Mott Master in Public Policy Candidate, Harvard Kennedy School Olivia Volkoff Master in Public Policy Candidate, Harvard Kennedy School PAPER MAY 2018 Belfer Center for Science and International Affairs Harvard Kennedy School 79 JFK Street Cambridge, MA 02138 www.belfercenter.org Statements and views expressed in this report are solely those of the author and do not imply endorsement by Harvard University, the Harvard Kennedy School, or the Belfer Center for Science and International Affairs. This paper was completed as a Harvard Kennedy School Policy Analysis Exercise, a yearlong project for second-year Master in Public Policy candidates to work with real-world clients in crafting and presenting timely policy recommendations. Design & layout by Andrew Facini Cover photo: Adobe Stock Copyright 2018, President and Fellows of Harvard College Printed in the United States of America POLICY ANALYSIS EXERCISE Incentivizing Comprehensive Cybersecurity Solutions by Matching Accountability to Capability Kevin Mott Master in Public Policy Candidate, Harvard Kennedy School Olivia Volkoff Master in Public Policy Candidate, Harvard Kennedy School PAPER MAY 2018 About the Authors Olivia Volkoff is a recent graduate of the Master in Public Policy program at the Harvard Kennedy School and the Master in Business Administration program at Harvard Business School. During this period, she served as both a George and Rubenstein Fellow at the Center for Public Leadership as well as a Belfer International and Global Affairs Fellow. Prior to her graduate studies, Olivia graduated from Harvard College and served as a U.S. Naval officer and engineer at Naval Reactors Headquarters. Kevin Mott is a recent graduate of the Master in Public Policy program at the Harvard Kennedy School and the Master in Business Administration at the Harvard Business School. During this period, he served as both a George and Rubenstein Fellow at the Center for Public Leadership as well as a Tillman Military Scholar. A graduate of the United States Naval Academy, Kevin previously served as a Marine infantry officer. Acknowledgments Although any errors or omissions in this paper are ours alone, many people contributed directly or indirectly to it. Many thanks to Michael Sulmeyer, Matt Bunn and Lena G. Goldberg for your advice, support and patience. You have each been endless fountains of new ideas and able guides to us throughout this process. Belfer Center for Science and International Affairs | Harvard Kennedy School iii Table of Contents Executive Summary ............................................................................................. 1 PART I: SCOPING THE CYBERSECURITY CHALLENGE 1. Introduction .....................................................................................................4 1.1 Case Selection ...............................................................................................................5 1.2 Methodology ..................................................................................................................7 1.3 Lessons Learned ............................................................................................................8 1.4 Setting the Context .....................................................................................................10 1.5 Major Trends Shaping Cybersecurity ..........................................................................11 1.6 Addressing Risk ........................................................................................................... 14 2. Responsibility, Accountability and Liability in Cybersecurity .................. 15 2.1 Establishing Liability .................................................................................................... 15 2.2 Liability in the Cyber Context .................................................................................... 17 PART II: CONTEMPORARY CASE STUDIES 3. Case Study: Sony Pictures Entertainment ............................................... 20 3.1 Situation ...................................................................................................................... 20 3.2 Timeline ........................................................................................................................ 21 3.3 Analysis of the Event ...................................................................................................23 3.4 Network Analysis .........................................................................................................25 3.5 Lessons Learned ..........................................................................................................28 3.6 Who is Accountable? .................................................................................................. 29 4. Case Study: Target ........................................................................................ 31 4.1 Situation ....................................................................................................................... 31 4.2 Timeline ........................................................................................................................32 4.3 Analysis of the Event .................................................................................................. 34 iv Incentivizing Comprehensive Cybersecurity Solutions by Matching Accountability to Capability 4.4 Network Analysis ........................................................................................................ 36 4.5 Lessons Learned ......................................................................................................... 38 4.6 Who is Accountable? ................................................................................................... 41 5. Case Study: U.K. National Health Service ................................................. 42 5.1 Situation ...................................................................................................................... 42 5.2 Timeline ....................................................................................................................... 44 5.3 Analysis of the Event .................................................................................................. 45 5.4 Network Analysis .........................................................................................................47 5.5 Lessons Learned .......................................................................................................... 51 PART III: INCENTIVIZING A BRIGHTER CYBERSECURITY FUTURE 6. Directly Reducing Risk: Regulations, Requirements and Rules ...............59 6.1 Government-Led Options ............................................................................................59 6.2 Industry-Led Recommendations ............................................................................... 68 6.3 Technology-Based Options .........................................................................................72 6.4 Bridging Government-Led and Industry-Led Options to Address Risk ................... 81 7. Spreading Risk: Cyber-Related Insurance ..................................................82 7.1 Introduction to Cyber-Related Insurance ................................................................ 83 7.2 Key Challenges ............................................................................................................ 86 7.3 Making Cyber-Related Insurance an Effective Risk-Spreading Mechanism .......... 95 7.4 Can Cyber-Related Insurance Incentivize Good Security Practices? .....................97 8. Preventing Risk: Product Liability Law .................................................... 100 8.1 Evolution of Modern Product Liability Law ............................................................ 100 8.2 Product Liability Law in the Cyber Context ............................................................. 101 8.3 Cybersecurity Product Liability Law: What Should It Include? ..............................102 8.4 Implication of Product Liability Law for Sony, Target and NHS Cases ..................102 8.5 Shortcomings: Why Cybersecurity Product Liability Law Might Not Work ..........104 8.6 Equifax: Future Impact of Class-Action Lawsuits? ..................................................106 Belfer Center for Science and International Affairs | Harvard Kennedy School v 9. Tactical Options: Cyber Hygiene, Red Teaming and Penetration Testing .....................................................................................108 9.1 Cyber Hygiene ............................................................................................................108 9.2 Penetration Testing and Red Teaming ...................................................................... 110 9.3 Implementation Challenges: Why Isn’t This Happening Already? ..........................112 9.4 Implications for Sony, Target and NHS Case Studies ..............................................113 9.5 Should Cyber Hygiene, Red Teaming and Penetration Testing Be Mandated? .....115 10. Incentivizing Cybersecurity Without Stifling Innovation .........................117 10.1 Turning to History: The Seatbelt Debate ..................................................................117 10.2 Academic Research: Learning from Other Highly-Regulated Industries .............. 119 10.3 Lessons
Load more

Recommended publications
  • UNITED STATES DISTRICT COURT NORTHERN DISTRICT of GEORGIA ATLANTA DIVISION in Re
    Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 1 of 7 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION MDL Docket No. 2800 In re: Equifax Inc. Customer No. 1:17-md-2800-TWT Data Security Breach Litigation CONSUMER ACTIONS Chief Judge Thomas W. Thrash, Jr. PLAINTIFFS’ MOTION TO DIRECT NOTICE OF PROPOSED SETTLEMENT TO THE CLASS Plaintiffs move for entry of an order directing notice of the proposed class action settlement the parties to this action have reached and scheduling a hearing to approve final approval of the settlement. Plaintiffs are simultaneously filing a supporting memorandum of law and its accompanying exhibits, which include the Settlement Agreement. For the reasons set forth in that memorandum, Plaintiffs respectfully request grant the Court enter the proposed order that is attached as an exhibit to this motion. The proposed order has been approved by both Plaintiffs and Defendants. For ease of reference, the capitalized terms in this motion and the accompanying memorandum have the meaning set forth in the Settlement Agreement. Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 2 of 7 Respectfully submitted this 22nd day of July, 2019. /s/ Kenneth S. Canfield Kenneth S. Canfield Ga Bar No. 107744 DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree Street, N.E. Suite 1725 Atlanta, Georgia 30309 Tel. 404.881.8900 [email protected] /s/ Amy E. Keller Amy E. Keller DICELLO LEVITT GUTZLER LLC Ten North Dearborn Street Eleventh Floor Chicago, Illinois 60602 Tel. 312.214.7900 [email protected] /s/ Norman E.
    [Show full text]
  • Accepted Manuscript Version
    Research Archive Citation for published version: Tony Shaw, and Tricia Jenkins, ‘An Act of War? The Interview Affair, the Sony Hack, and the Hollywood– Washington Power Nexus Today’, Journal of American Studies, April 2017. DOI: https://doi.org/10.1017/S0021875817000512 Document Version: This is the Accepted Manuscript version. The version in the University of Hertfordshire Research Archive may differ from the final published version. Copyright and Reuse: © 2017 Cambridge University Press and British Association for American Studies. This version is free to view and download for private research and study only. Not for re-distribution, re-sale or use in derivative works. Enquiries If you believe this document infringes copyright, please contact the Research & Scholarly Communications Team at [email protected] An Act of War? The Interview Affair, the Sony Hack, and the Hollywood/Washington Power Nexus Today An early quasi-police procedural showing J. Edgar Hoover’s Federal Bureau of Investigation “smashing” a communist sleeper cell in Boston, Alfred L. Werker’s 1952 docudrama Walk East on Beacon looks at first much like any other Red-baiting Hollywood production of the McCarthy era. On closer inspection, the movie offers us a keen insight into the Hollywood/Washington power nexus during the Cold War. Recently declassified documents reveal that the FBI’s top brass not only helped to inspire Walk East on Beacon but also to cast and market the film. More intriguingly, America’s most powerful military Cold War think tank, the RAND Corporation, was at the heart of the movie’s screenplay. Hollywood scriptwriter Leo Rosten worked as a part-time adviser on social sciences for RAND and based key elements of his plot for Walk East on Beacon on top-secret RAND projects, principally the military uses of satellites and computers.
    [Show full text]
  • Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches
    Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches OVERVIEW Over the past several years, the Cybersecurity and Infrastructure Security Ransomware is a serious and increasing threat to all government and Agency (CISA) and our partners have responded to a significant number of private sector organizations, including ransomware incidents, including recent attacks against a U.S. pipeline critical infrastructure organizations. In company and a U.S. software company, which affected managed service response, the U.S. government providers (MSPs) and their downstream customers. launched StopRansomware.gov, a centralized, whole-of-government Ransomware is malware designed to encrypt files on a device, rendering webpage providing ransomware files and the systems that rely on them unusable. Traditionally, malicious resources, guidance, and alerts. actors demand ransom in exchange for decryption. Over time, malicious actors have adjusted their ransomware tactics to be more destructive and impactful. Malicious actors increasingly exfiltrate data and then threaten to sell or leak it—including sensitive or personal information—if the ransom is not paid. These data breaches can cause financial loss to the victim organization and erode customer trust. All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems. This fact sheet provides information for all government and private sector organizations, including critical infrastructure organizations, on preventing and responding to ransomware-caused data breaches. CISA encourages organizations to adopt a heightened state of awareness and implement the recommendations below. PREVENTING RANSOMWARE ATTACKS 1. Maintain offline, encrypted backups of data and regularly test your backups.
    [Show full text]
  • About the Sony Hack
    All About the Sony Hack Sony Pictures Entertainment was hacked in late November by a group called the Guardians of Peace. The hackers stole a significant amount of data off of Sony’s servers, including employee conversations through email and other documents, executive salaries, and copies of unreleased January/February 2015 Sony movies. Sony’s network was down for a few days as administrators worked to assess the damage. According to the FBI, the hackers are believed have ties with the North Korean government, which has denied any involvement with the hack and has even offered to help the United States discover the identities of the hackers. Various analysts and security experts have stated that it is unlikely All About the Sony Hack that the North Korean government is involved, claiming that the government likely doesn’t have the Learn how Sony was attacked and infrastructure to succeed in a hack of this magnitude. what the potential ramifications are. The hackers quickly turned their focus to an upcoming Sony film, “The Interview,” a comedy about Securing Your Files in Cloud two Americans who assassinate North Korean leader Kim Jong-un. The hackers contacted Storage reporters on Dec. 16, threatening to commit acts of terrorism towards people going to see the Storing files in the cloud is easy movie, which was scheduled to be released on Dec. 25. Despite the lack of credible evidence that and convenient—but definitely not attacks would take place, Sony decided to postpone the movie’s release. On Dec. 19, President risk-free. Obama went on record calling the movie’s cancelation a mistake.
    [Show full text]
  • Fighting for Women Existence in Popular Espionage Movies Salt (2010) and Zero Dark Thirty (2012)
    Benita Amalina — Fighting For Women Existence in Popular Espionage Movies Salt (2010) and Zero Dark Thirty (2012) FIGHTING FOR WOMEN EXISTENCE IN POPULAR ESPIONAGE MOVIES SALT (2010) AND ZERO DARK THIRTY (2012) Benita Amalina [email protected] Abstract American spy movies have been considered one of the most profitable genre in Hollywood. These spy movies frequently create an assumption that this genre is exclusively masculine, as women have been made oblivious and restricted to either supporting roles or non-spy roles. In 2010 and 2012, portrayal of women in spy movies was finally changed after the release of Salt and Zero Dark Thirty, in which women became the leading spy protagonists. Through the post-nationalist American Studies perspective, this study discusses the importance of both movies in reinventing women’s identity representation in a masculine genre in response to the evolving American society. Keywords: American women, hegemony, representation, Hollywood, movies, popular culture Introduction The financial success and continuous power of this industry implies that there has been The American movie industry, often called good relations between the producers and and widely known as Hollywood, is one of the main target audience. The producers the most powerful cinematic industries in have been able to feed the audience with the world. In the more recent data, from all products that are suitable to their taste. Seen the movies released in 2012 Hollywood from the movies’ financial revenues as achieved $ 10 billion revenue in North previously mentioned, action movies are America alone, while grossing more than $ proven to yield more revenue thus become 34,7 billion worldwide (Kay, 2013).
    [Show full text]
  • Business Analytics
    SPRING 2017 Business Analytics Meeting the need for talent. PAGE 4 VIRGINIA TECH BUSINESS is published twice a year by: RANKINGS Pamplin College of Business, Virginia Tech No. 2 1030 Pamplin Hall (0209) U.S. 880 West Campus Drive Blacksburg, VA 24061 540-231-6601 No. 2 No. 7 No. 6 World www.pamplin.vt.edu Master of Evening Hospitality and Address changes: [email protected] Information Technology MBA Tourism Management Editorial inquiries and story suggestions: [email protected] U.S. News & World Report QS Top Universities In this magazine, alumni, with some exceptions, are DONNIE GRAY identified by degree and the year it was received. VIRGINIA TECH’S EVENING MBA ranking in U.S. News & World Report has improved DEAN to No. 7 among the nation’s part-time Robert T. Sumichrast MBA programs, according to the 2018 EDITOR survey released in March. It was ranked Sookhan Ho No. 16 for the previous two years. Offered DESIGN by the Pamplin College of Business, the Uncork-it, Inc. Evening MBA program serves aspiring FEATURE WRITERS business leaders in the Washington, D.C., Sookhan Ho, Dan Radmacher area with classes taught at the Northern PHOTOGRAPHERS Virginia Center, and has seen significant STUDENTS such as Mala Lal balance work, Christina O’Connor, Jim Stroup, Logan Wallace, growth in recent years. study, and family in the highly ranked Evening Oliver Meredith MBA program. ALUMNI INFORMATION Gina French, Bonnie Gilbert DISTRIBUTION MANAGER Jodi Jennings Charles Schwab Financial Planning Suite ABOUT enhances learning for business students Virginia Tech’s nationally ranked Pamplin College of JIM STROUP Business offers undergraduate and graduate programs in accounting and information systems, business information technology, economics, finance, hospitality and tourism management, management, and market- ing.
    [Show full text]
  • North Korean Cyber Capabilities: in Brief
    North Korean Cyber Capabilities: In Brief Emma Chanlett-Avery Specialist in Asian Affairs Liana W. Rosen Specialist in International Crime and Narcotics John W. Rollins Specialist in Terrorism and National Security Catherine A. Theohary Specialist in National Security Policy, Cyber and Information Operations August 3, 2017 Congressional Research Service 7-5700 www.crs.gov R44912 North Korean Cyber Capabilities: In Brief Overview As North Korea has accelerated its missile and nuclear programs in spite of international sanctions, Congress and the Trump Administration have elevated North Korea to a top U.S. foreign policy priority. Legislation such as the North Korea Sanctions and Policy Enhancement Act of 2016 (P.L. 114-122) and international sanctions imposed by the United Nations Security Council have focused on North Korea’s WMD and ballistic missile programs and human rights abuses. According to some experts, another threat is emerging from North Korea: an ambitious and well-resourced cyber program. North Korea’s cyberattacks have the potential not only to disrupt international commerce, but to direct resources to its clandestine weapons and delivery system programs, potentially enhancing its ability to evade international sanctions. As Congress addresses the multitude of threats emanating from North Korea, it may need to consider responses to the cyber aspect of North Korea’s repertoire. This would likely involve multiple committees, some of which operate in a classified setting. This report will provide a brief summary of what unclassified open-source reporting has revealed about the secretive program, introduce four case studies in which North Korean operators are suspected of having perpetrated malicious operations, and provide an overview of the international finance messaging service that these hackers may be exploiting.
    [Show full text]
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
    THREAT REPORT 2015 AT A GLANCE 2015 HIGHLIGHTS A few of the major events in 2015 concerning security issues. 08 07/15: Hacking Team 07/15: Bugs prompt 02/15: Europol joint breached, data Ford, Range Rover, 08/15: Google patches op takes down Ramnit released online Prius, Chrysler recalls Android Stagefright botnet flaw 09/15: XcodeGhost 07/15: Android 07/15: FBI Darkode tainted apps prompts Stagefright flaw 08/15: Amazon, ENFORCEMENT bazaar shutdown ATTACKS AppStore cleanup VULNERABILITY reported SECURITYPRODUCT Chrome drop Flash ads TOP MALWARE BREACHING THE MEET THE DUKES FAMILIES WALLED GARDEN The Dukes are a well- 12 18 resourced, highly 20 Njw0rm was the most In late 2015, the Apple App prominent new malware family in 2015. Store saw a string of incidents where dedicated and organized developers had used compromised tools cyberespionage group believed to be to unwittingly create apps with malicious working for the Russian Federation since behavior. The apps were able to bypass at least 2008 to collect intelligence in Njw0rm Apple’s review procedures to gain entry support of foreign and security policy decision-making. Angler into the store, and from there into an ordinary user’s iOS device. Gamarue THE CHAIN OF THE CHAIN OF Dorkbot COMPROMISE COMPROMISE: 23 The Stages 28 The Chain of Compromise Nuclear is a user-centric model that illustrates Kilim how cyber attacks combine different Ippedo techniques and resources to compromise Dridex devices and networks. It is defined by 4 main phases: Inception, Intrusion, WormLink Infection, and Invasion. INCEPTION Redirectors wreak havoc on US, Europe (p.28) INTRUSION AnglerEK dominates Flash (p.29) INFECTION The rise of rypto-ransomware (p.31) THREATS BY REGION Europe was particularly affected by the Angler exploit kit.
    [Show full text]
  • What Every CEO Needs to Know About Cybersecurity
    What Every CEO Needs to Know About Cybersecurity Decoding the Adversary AT&T Cybersecurity Insights Volume 1 AT&T Cybersecurity Insights: Decoding the Adversary 1 Contents 03 Letter from John Donovan Senior Executive Vice President AT&T Technology and Operations 04 Executive Summary 05 Introduction 07 Outsider Threats 15 Looking Ahead: Outsider Threats 16 Best Practices: Outsiders 18 Insider Threats 24 Looking Ahead: New Potential Threats 25 Looking Ahead: Emerging Risks 26 Best Practices: Malicious Insiders 27 Best Practices: Unintentional Insiders 28 Moving Forward 32 Conclusion 33 Know the Terms For more information: Follow us on Twitter @attsecurity 35 End Notes and Sources Visit us at: Securityresourcecenter.att.com © 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T Globe logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. 2 ATT.com/network-security Business leader, Welcome to the inaugural issue of AT&T Cybersecurity Insights, a comprehensive look at our analysis and findings from deep inside AT&T’s network operations groups, outside research firms, and network partners. This first issue, “Decoding the Adversary,” focuses on whether or not you and your board of directors are doing enough to protect against cyber threats. Security is not simply a CIO, CSO, or IT department issue. Breaches, leaked documents, and cybersecurity attacks impact stock prices and competitive edge. It is a responsibility that must be shared amongst all employees, and CEOs and board members must proactively mitigate future challenges.
    [Show full text]
  • Reframe and Imdbpro Announce New Collaboration to Recognize Standout Gender-Balanced Film and TV Projects
    FOR IMMEDIATE RELEASE Media Contacts: June 7, 2018 For Sundance Institute: Jenelle Scott 310.360.1972 [email protected] For Women In Film: Catherine Olim 310.967.7242 [email protected] For IMDbPro: Casey De La Rosa 310.573.0632 [email protected] ReFrame and IMDbPro Announce New Collaboration to Recognize Standout Gender-balanced Film and TV Projects The ReFrame Stamp is being Awarded to 12 Films from 2017 including Everything, Everything; Girls Trip; Lady Bird; The Post; and Wonder Woman Los Angeles, CA — ReFrame™, a coalition of industry professionals and partner companies founded by Women In Film and Sundance Institute whose mission is to increase the number of women of all backgrounds working in film, TV and media, and IMDbPro (http://www.imdbpro.com/), the leading information resource for the entertainment industry, today announced a new collaboration that leverages the authoritative data and professional resources of IMDbPro to recognize standout, gender- balanced film and TV projects. ReFrame is using IMDbPro data to determine recipients of a new ReFrame Stamp, and IMDbPro is providing digital promotion of ReFrame activities (imdb.com/reframe). Also announced today was the first class of ReFrame Stamp feature film recipients based on an extensive analysis of IMDbPro data on the top 100 domestic-grossing films of 2017. The recipients include Warner Bros.’ Everything, Everything, Universal’s Girls Trip, A24’s Lady Bird, Twentieth Century Fox’s The Post and Warner Bros.’ Wonder Woman. The ReFrame Stamp serves as a mark of distinction for projects that have demonstrated success in gender-balanced film and TV productions based on criteria developed by ReFrame in consultation with ReFrame Ambassadors (complete list below), producers and other industry experts.
    [Show full text]
  • Daniel Rosehill Blog Daniel Rosehill Blog Linux, Writing, and More
    7/6/2020 How to Extract Your Data From Quora and Reddit | Daniel Rosehill Blog Daniel Rosehill Blog Linux, writing, and more M E N U 6 IYYAR 5780 EDIT How to Extract Your Data From Quora and Reddit Topics: backups, Data, Data governance, Data portability, Reddit Thank you, GDPR! For years, I have been what you might call a backup fanac. I back up my operang system, my VMs, and my hosng — all regularly. This is all fairly easy and can be parally automated. But when it comes to smaller cloud services, I have to rely on manual methods. That’s things like Todoist, cloud-hosted password managers, and everything that isn’t a big monolith with an easy export funconality like G Suite. Two services had always proven troublesome in this respect, however: Quora and Reddit. https://www.danielrosehill.co.il/myblog/how-to-extract-your-data-from-quora-and-reddit/ 1/9 7/6/2020 How to Extract Your Data From Quora and Reddit | Daniel Rosehill Blog Yes, there are GitHub-hosted projects aplenty promising to scrape data from both (like this project) — but a nave funconality is obviously always preferable — both technically and from a reliability perspecve. And last me I checked none of the Quora scrapers worked. So … I’m pleased to report that aer a lile bit of digging I am pleased to have discovered a way to back up both services. Neither company provides convenient backup funconalies that the user can administer themselves (as Facebook, Medium, Twier, and LinkedIn all do). But what can I say — people begging for copies of their own data can’t be choosers.
    [Show full text]
  • Cyberattack Attribution
    CYBERATTACK ATTRIBUTION A BLUEPRINT FOR PRIVATE SECTOR LEADERSHIP RESEARCH FELLOWS SENIOR RESEARCH FELLOWS Justin Collins Allison Anderson Cameron Evans Stacia Lee Chris Kim Kayley Knopf FACULTY LEAD Selma Sadzak Jessica Beyer Nicholas Steele Julia Summers Alison Wendler This report is a product of the Applied Research Program in the Henry M. Jackson School of International Studies at the University of Washington. The Applied Research Program matches teams of top-achieving Jackson School students with private and public sector organizations seeking dynamic, impactful, and internationally-minded analyses to support their strategic and operational objectives. For more information about the Applied Research Program please contact us at [email protected]. Executive Summary After three decades of development, adoption, and innovation, the Internet stands at the core of modern society. The same network that connects family and friends across the world similarly ties together all aspects of daily life, from the functioning of the global economy to the operation of governments. The digitization of daily life is the defining feature of the 21st century. While the pervasiveness of Internet-enabled technology brings significant benefits, it also brings serious threats—not only to our economy and safety, but also to our trust in computer systems.1 The Internet is central to modern life, yet major state-sponsored cyberattacks persist in disrupting Internet access and function. These attacks undermine faith in government and public trust in democratic institutions. Attribution attempts to date have been unable to deter states from building malicious code for even greater destructive capabilities. In response, we propose the formation of an attribution organization based on international private sector coordination.
    [Show full text]