Public Attribution of Cyber-Incidents
This CSS Analysis by Florian J. Egloff and Prof. Andreas Wenger argues that cyber incidents are increasingly being publicly attributed to specific perpetrators. The public attributions issued by states and cybersecurity companies often lack both transparency and verifiability. Strengthening trust in public attributions requires institutional mechanisms at the international level as well as the engagement of the state, the corporate sector, and civil society.
Who did it? Identifying the perpetrators of cyber incidents has long been considered to be among the technically more demanding challenges. This remains true today. Owing to the structure of the internet, it is fairly easy for the attackers to achieve a degree of technical anonymity. This gives the attackers an advantage, since the affected party will often not know at first who carried out the attack. The multifaceted and usually time-consuming forensic search for the perpetrator is known as the attribution process. If the affected party believes they have identified the culprit, it must decide whether, and how, to react to the cyber incident. One possible course of action is public attribution, in which responsibility for the cyber incident is publicly assigned to a specific perpetrator.