Jeff Chase ----- On August 14, 2003, a local fault within a northern Ohio electrical system operator generated a cascading failure that interrupted service to an estimated 50 million people. Although the root causes of the problem were specific to the electrical grid, the event illustrates a fundamental challenge for distributed, cooperative systems: accountable cooperation and accountable decentralized control. Related structures appear in many mission-critical real-world distributed system settings: traffic control, supply chains, brokering and trading, data networks for medical and financial data, and so on. Making such systems dependable involves a great many distributed systems challenges, but the one I want to focus on here is the challenge of accountability. Participants in such a system act on the basis of claims and directives by other actors, and those actions may have cascading effects. To detect faults early and isolate them, it is necessary to monitor and analyze actor behavior over time: this entails new instrumentation, routing of information streams to auditors and diagnostic components, and streaming queries and analysis, perhaps involving statistical techniques. But these are not sufficient: accountability must also impact interaction protocols and the representation of actor state in more fundamental ways. Accountable systems must prevent actors from misrepresenting the claims or actions of others, and enable diagnostic forensics that can assign non-repudiable responsibility for incorrect states or actions, even after they ripple through the network. That goal will require representations of histories whose integrity is protected, and new techniques to manipulate, exchange, and validate those histories. We have to know who said what to whom, and how that information was used. Many of the research questions and challenges deal with distributed system structures that limit the need for trust and maintain the integrity properties and dependencies as messages are stored, transmitted, and acted upon. The groundwork for a comprehensive approach to accountable systems has been established by earlier work in security protocols and logics, trust management, and authenticated data structures. We must also continue to grapple with some very old problems, for example, how to establish a secure trusted path to the end user, and how to establish suitable authentication in a system without central trust. Strong bindings to identity are necessary for sanction or liability, and strong bindings demand trust in the certifying party. New standards for non-repudiable, certified messages are useful building blocks for accountable systems. They also facilitate richer trust management schemes through transitive delegation and endorsement of authority by signed security assertions (e.g., SAML). But we have only just begun to understand how to use these ideas to (re-)engineer distributed systems for accountability. The primary challenges concern not the security mechanisms themselves, but how to incorporate them into the workflow and actor states of networked systems. In particular, they go well beyond current practice for service structure to the ways that services interact, the service's role in enabling interaction among its clients, and the client's use of those services.