Why attribution is a means to an end


The U.S. strategy of penalizing norm-busting behavior in cyberspace centers around attribution of individuals and the nations sponsoring attacks. This approach raises concerns that foreign governments will retaliate by outing U.S. intelligence and cyber operators and generates skepticism that the culprits will ever see the inside of a U.S. courtroom.

Officials often talk about attribution as the necessary first step on the road to deterring malicious foreign cyber activity.

"Investigations and intelligence … are a step toward identifying who is responsible and holding them accountable. That could be through indictments, but it also informs a whole host of whole-of-government actions: sanctions, diplomatic actions, maybe military or other operational activity," said Tonya Ugoretz, deputy assistant director of the FBI's Cyber Division, at a May 29 Aspen Institute event.

"I think you see international partners, like-minded countries coalescing around this approach, and we can't have those norms or means of deterrence if we don't have that underlying attribution," Ugoretz said.

The U.S. has imposed penalties over the past three years in response to cyberattacks, including indictments against Russian trolls and hackers for 2016 election interference, Treasury sanctions on companies for facilitating the 2017 NotPetya ransomware, indictments and sanctions against two Iranians for the 2018 SamSam campaign and charges against a North Korean programmer for the 2017 WannaCry attacks and Bank of Bangladesh heist.

More recently, the Trump administration indicted Chinese hackers and imposed restrictions on companies that the U.S. says are stealing intellectual property from American companies. In nearly all cases, U.S. officials have taken pains to demonstrate how they know these groups are responsible, sometimes going well beyond the level of detail needed to meet necessary legal thresholds.

Threat intelligence firms have become increasingly active in cyber attribution, with groups like FireEye, Crowdstrike and Cisco Talos sometimes putting out research that U.S. agencies use to justify taking action on emerging threats. While these companies all employ former intelligence officials, none have the resources or capabilities of the U.S. intelligence community or the Department of Justice. Often, the two sectors feed off each other's findings to discover new actors or unconnected dots in the threat landscape.

At an American Bar Association conference earlier this month, Associate Deputy Attorney General Sujit Raman said the U.S. does not view the current Wild West atmosphere in cyberspace as "legitimate statecraft" but rather as "crimes without justification in international relations."

Raman said that without attribution, "there will be no consequences, and thus no deterrence," adding that "attribution through the criminal justice system escalates the stakes for state-sponsored activity in a way that a press release or a public statement alone will not."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.