Written by Shannon Vavra
Microsoft and the Hewlett Foundation are preparing to launch a nonprofit organization dedicated to exposing the details of harmful cyberattacks and providing assistance to victims in an effort to highlight their costs, CyberScoop has learned.
Known to its organizers as the “Cyber Peace Institute,” the nonprofit is expected to debut in the coming weeks, according to multiple sources who have discussed it with the organizers.
The institute aims to investigate and provide analytical information on large-scale attacks against civilian targets, assess the costs of these attacks and give security tools to both individuals and organizations that will help them become more resilient, according to a description of the nonprofit provided during a session at the 2019 B-Sides Las Vegas cybersecurity conference.
“We have a shared global responsibility to prevent the Internet from becoming ‘weaponized’ by increasing attacks by criminal groups and state actors alike,” the description reads. “We already have global organizations to tackle physical emergencies and now we need new ones to help with their counterparts in cyberspace.”
Besides Microsoft and the Hewlett Foundation, supporters include Facebook, Mastercard and the Ford Foundation.
The idea for the Cyber Peace Institute appears to be similar to previous ideas publicly presented by Microsoft President Brad Smith. Smith has previously called for a “Digital Geneva Convention,” where governments would form an independent organization that would “investigate and share publicly the evidence that attributes nation-state attacks to specific countries,” according to a blog post he wrote in 2017.
Microsoft has also been involved with the Paris Call for Trust and Security in Cyberspace with the French government, for instance, as well as the Cybersecurity Tech Accord, which many big tech companies have signed in order to protect innocent citizens online. Other projects have included the “Digital Peace Now” campaign and the Defending Democracy Program, intended to protect campaigns from hacking.
But the institute has been keen to appear independent from any one company involved in funding the venture, a source familiar with Smith’s thinking told CyberScoop.
“From the very beginning they had this idea of an international organization along the lines of the [International Atomic Energy Agency], a model of an independent, third party that would be beholden to no government,” the source familiar with Smith’s thinking said. “They wanted to be depoliticized and somehow factual … If it ended up looking and feeling and being perceived as a Microsoft objective, it won’t achieve its objectives.”
The Hewlett Foundation has pledged $5 million over the course of five years to the institute, a source familiar with the decision told CyberScoop. Facebook has pledged $250,000 to the cause, according to a source familiar with funding conversations. Microsoft, Mastercard, and the Ford Foundation have also pledged an unknown amount of money.
Although the broad goals of the nonprofit are clear, the institute is still working out details of its operations, according to multiple sources who have been in conversations with the organizers. It’s still unclear where the institute will obtain the data it will use for analysis, how it will assist victims and how many people it can actually help.
The funders and organizers of the nonprofit, through a spokesperson, declined to provide comment for this story.
Contributing to the broader debate around norms is something the nonprofit also hopes to accomplish. The launch announcement is expected to come alongside the first substantive meeting of the United Nations‘ Open Ended Working Group on developing norms of accepted behavior in cyberspace.
Additionally, Microsoft’s Smith this month is releasing a book he co-authored that discusses cybersecurity and cybercrime, among other topics.
A fluid idea
In private meetings over the past year, organizers have faced skepticism about the institute’s mission, particularly on how the group will fit into the current cybersecurity landscape, one expert who attending the meetings told CyberScoop. Aside from the basic constructs, debates have ranged from how and whether the organization should attribute attacks, to where the group will pull data for its analysis, one attendee said.
Over the course of the meetings, the nonprofit reframed its goal from “attribution” to “accountability,” in part to possibly avoid naming a specific threat group when it provides analysis on cyberattacks, a source familiar with the conversations told CyberScoop. It was not clear if this has been decided, but one of the nonprofit’s goals, as described online, is to assess how attacks “transgress international norms of responsible behavior in cyberspace.”
It was also not clear if it had been decided whether the institute will aggregate threat intelligence reports that have already been published or if staff will be hired to conduct research, meeting attendees told CyberScoop.
The debate around the nonprofit’s goals highlights how many competing pressures are at play when it comes to developing cyber norms and calling out harmful behavior. Over the last 15 years, cybersecurity firms have made a name for themselves by calling out nation-state linked behavior in cyberspace.
Mandiant, since acquired by FireEye, issued its landmark report linking APT1 with China’s People’s Liberation Army for stealing American businesses’ secrets in 2013. CrowdStrike attributed the 2016 breach into the Democratic National Committee to Russian hackers. Kaspersky, a Moscow-based software company, released a report in 2018 that exposed an active, U.S.-led counterterrorism cyber-espionage operation.
Additionally, the U.S. government has upped its efforts to publicly attribute attacks to specific countries. In 2017, it attributed the WannaCry ransomware attack to North Korea. In 2018, the U.S. Department of Justice indicted Chinese hackers linked with APT10 for targeting 45 U.S. companies and government agencies. The DOJ also indicted nine Iranian hackers for a state-sponsored attack against 144 universities last year.
All of these efforts led some involved with the institute’s planning efforts wondering where the organization would fit in among the public and private attribution work.
“I’m not sure [the institute has] the capability … or funding numbers … to duplicate what FireEye and Symantec and others have, or for that matter what the [National Security Agency] has,” one source who attended institute brainstorming sessions told CyberScoop.
Chris Painter, the former top cyber diplomat at the U.S. State Department, told CyberScoop that while public attribution can deter some adversaries, other groups don’t respond well to being called out.
“Attribution itself is valuable. Sometimes attribution can act as a deterrent. But some countries you really can’t name and shame,” said Painter, who has been involved in some of the discussions regarding the institute.
Carbon Black’s Chief Cybersecurity Officer Tom Kellermann, who has been invited to planning meetings related to the institute, told CyberScoop that although he supports the idea, he doesn’t know if it will be effective in establishing norms.
“There are nation states out there, Russia being one of them, who have created a mafiosa between their best cyber criminals and the regime … they target the West to pay homage to the regime,” said Kellermann, who is also a Global Fellow for Cyber at the Wilson Center. “They inhibit any sort of proactive action with regard to creating cyber peace, an international treatise, or any international norms.”
Paul Rosenzweig, a former deputy assistant secretary for policy at the U.S. Department of Homeland Security, told CyberScoop that regardless of the group’s direction, there is an appetite for a nongovernmental organization taking on these tasks because of the constraints that come with government-level attribution.
“Governments are rightly reluctant for a whole host of reasons,” said Rosenzweig, now a senior fellow at the R Street Institute. “In large part because the act of calling someone out is embedded in a broader dynamic about trade, taxes, war, diplomacy, finance, you name it — the whole thing is tied up in a relationship with China, Russia, Iran or Israel. That wouldn’t burden a private sector organization.”
How to fit in
In addition to uncertainties about the institute’s data feeds, it is not immediately clear how many victims will interact with the institute, according to several cybersecurity experts who have been involved in the brainstorming conversations.
“A lot of the conversations I had at RSA [related to the institute] was about the assistance function,” one attendee said. “And when we got to the higher level of the conversation it was like, ‘Wow, you really need an institute to do all of these three things? Not just one?’ A lot of people outside still have a lot of that skepticism and trying to figure out, ‘Are you guys serious?’”
Michael Daniel, president and CEO of the Cyber Threat Alliance, told CyberScoop it is too early to say whether it would be willing to do work on behalf of the institute one day. The alliance — started years ago by Fortinet, McAfee, Palo Alto Networks and Symantec — shares cyberthreat intelligence so member companies can better protect their client bases. The alliance has since expanded to include 23 companies.
A former cybersecurity coordinator during the Obama administration, Daniel has been in discussions with the institute’s organizers, and although he sees the institute and the alliance as complementary, he told CyberScoop he doesn’t know exactly how his group and the institute might work together.
“Our membership is very keen on working with organizations like [the Cyber Peace Institute] to figure out how we best put collective data to use, how is it that we take the data, the threat intelligence that we have … to amplify what others do across the ecosystem,” Daniel told CyberScoop. “We don’t quite know exactly what this organization is going to look like, what its capacities are going to be, how it’s going to be structured, what exactly it’s going to do … It’s a little early for that … and that’s fine.”
Another issue that arose during the meetings is whether calling out cyberattacks will impact ongoing cyber-espionage operations by the U.S. and its allies, a source present told CyberScoop.
An important goal of the nonprofit’s founders has been to make the institute appear as neutral as possible and immune to government influence, multiple sources told CyberScoop. Organizers have debated placing the institute’s headquarters in two cities known for neutrality and diplomacy on an international scale: Geneva, Switzerland or The Hague, Netherlands.
Rosenzweig, who has not been involved with the institute, said if it really wants to establish its neutral bona fides, it must be willing to call out activity that appears linked with the U.S. government in addition to activity emanating from Iran, Russia, North Korea, and China.
“I think the only way to make it like that [neutral] is … to make a point of calling out the NSA when they can … making a public stink about it in a way that asserts their independence from the NSA,” he said, adding he thinks the makeup of the organization could benefit from hiring from around the globe.
Even though partnerships and logistics may not necessarily be set in stone, the institute’s organizers are eager to move forward on these issues, a source who has spoken with Microsoft organizers told CyberScoop.
“I think [organizers] want themselves to be seen as identifying the need … and light the spark to make it happen and let it do its thing,” the source said. “They want to launch it and let it figure itself out.”