Stanford CIS

Decentralized Cyberattack Attribution

By Kristen Eichensehr

Abstract

Attribution of state-sponsored cyberattacks can be difficult, but the significant uptick in public attributions in recent years has proven that attribution is far from impossible. After several years of only sporadic attributions, Western governments in 2017 began publicly attributing cyberattacks to other governments more frequently and in a more coordinated fashion. But more consistent over the past several years have been public attributions by non-governmental actors, including companies, a non-profit, and an academic institute.

Although not without risks, these non-governmental attributions have an important role to play in the cybersecurity ecosystem. They are often faster and more detailed than governmental attributions, and they sometimes fill gaps, bringing clarity about cyberattacks that governments, for various reasons, may choose not to attribute.

Companies and think tanks have recently proposed centralizing attribution of state-sponsored cyberattacks in a new international entity. But the current system of public-private attributions, decentralized and messy though it is, has some underappreciated virtues — ones that counsel in favor of preserving a multiplicity of attributors even alongside a possible future attribution entity.

Download the full paper at SSRN.