Why attribution is a means to an end


The U.S. strategy of penalizing norm-busting behavior in cyberspace centers on attributing attacks to individuals and the nations sponsoring them. This approach raises concerns that foreign governments will retaliate by outing U.S. intelligence and cyber operators, and it generates skepticism that the culprits will ever see the inside of a U.S. courtroom.

Officials often talk about attribution as the necessary first step on the road to deterring malicious foreign cyber activity.

"Investigations and intelligence … are a step toward identifying who is responsible and holding them accountable. That could be through indictments, but it also informs a whole host of whole-of-government actions: sanctions, diplomatic actions, maybe military or other operational activity," said Tonya Ugoretz, deputy assistant director of the FBI's Cyber Division, at a May 29 Aspen Institute event.

"I think you see international partners, like-minded countries coalescing around this approach, and we can't have those norms or means of deterrence if we don't have that underlying attribution," Ugoretz said.

The U.S. has imposed penalties over the past three years in response to cyberattacks, including indictments against Russian trolls and hackers for 2016 election interference; Treasury sanctions on companies for facilitating the 2017 NotPetya ransomware; indictments and sanctions against two Iranians for the 2018 SamSam campaign; and charges against a North Korean programmer for the 2017 WannaCry attacks and Bank of Bangladesh heist.

More recently, the Trump administration indicted Chinese hackers and imposed restrictions on companies that the U.S. says are stealing intellectual property from American companies. In nearly all cases, U.S. officials have taken pains to demonstrate how they know these groups are responsible, sometimes going well beyond the level of detail needed to meet necessary legal thresholds.

Threat intelligence firms have become increasingly active in cyber attribution, with groups like FireEye, CrowdStrike and Cisco Talos sometimes putting out research that U.S. agencies use to justify taking action on emerging threats. While these companies all employ former intelligence officials, none have the resources or capabilities of the U.S. intelligence community or the Department of Justice. Often, the two sectors feed off each other's findings to discover new actors or unconnected dots in the threat landscape.

At an American Bar Association conference earlier this month, Associate Deputy Attorney General Sujit Raman said the U.S. does not view the current Wild West atmosphere in cyberspace as "legitimate statecraft" but rather as "crimes without justification in international relations."

Raman said that without attribution, "there will be no consequences, and thus no deterrence," adding that "attribution through the criminal justice system escalates the stakes for state-sponsored activity in a way that a press release or a public statement alone will not."

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

