For more than two decades, cyber defenders, intelligence analysts, and policymakers have struggled to determine the source of the most damaging attacks. This “attribution problem” will only become more critical as we move into a new era of cyber conflict with even more attacks ignored, encouraged, supported, or conducted by national governments according to Jason Healey, the director of the Cyber Statecraft Initiative, in a new Atlantic Council issue brief.
Analysts often fall into the trap of “attribution fixation,” the belief that they cannot assess which organization or nation was behind an attack until technical forensics discovers the identity of the attacking machines. Because the Internet enables anonymity more than security, this bottom-up process rarely succeeds.
Fortunately, there is another option.
For national security policymakers, knowing “who is to blame?” can be more important than “who did it?” Moreover, attribution becomes far more tractable when approached as a top-down policy issue with nations held responsible for major attacks originating from their territory or conducted by their citizens.
Meeting the needs of policymakers must be the end goal of attribution, not a byproduct. So, in addition to making the case for national responsibility for cyber attacks, this issue brief proposes a spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.