Public attribution in the US government: implications for diplomacy and norms in cyberspace

Abstract

In recent years, states have publicly assigned responsibility for cyber incidents to state adversaries with increasing frequency. While emerging scholarship provides insight into the strategic rationale for public cyber attribution, the literature lacks a rigorous understanding of when and under what circumstances states publicly attribute cyber incidents in practice. This paper seeks to address this gap by providing an empirical study of public cyber attribution by the US government from 2010–2020. Based on an original dataset, I find that US government actors publicly attribute cyber incidents through four distinct “channels”–criminal, technical, official policy, and unofficial policy. The purpose, timing, and state subject of attribution appear to vary consistently by channel, while organizational interests and channel-specific factors shape the context in which public attribution takes place. The lack of a unified approach creates challenges for US diplomacy—as adversaries may misperceive attributions as reflecting a whole-of-government agenda—and informs the normative environment of cyber operations in ways potentially unanticipated by individual agencies.