Aegis Paper Series

Attribution of Malicious Cyber Incidents: From Soup to Nuts

By Herb Lin
Tuesday, September 20, 2016, 7:30 AM

Attribution of malicious cyber activities is a deep issue, about which confusion and disquiet can be found in abundance. Attribution has many aspects, and a variety of well-researched and well-executed papers cover one or more of these aspects; these papers are referenced in the body of the paper and are called out again in the Acknowledgments section. This paper tries to synthesize the best aspects of these works with some original thoughts of the author’s own into a coherent picture of how attribution works, why it is both important and difficult, and how the entire process relates to policymaking.

The primary takeaway messages of this paper are that (1) attribution has a different meaning depending on what a relevant decision-maker wants to do (i.e., attribution of malicious cyber activity can be to a machine, to a specific human being pressing the keys that initiate that activity, and to a party that is deemed ultimately responsible for that activity); (2) attribution is a multidimensional issue that draws on all sources of information available, including technical forensics, human intelligence, signals intelligence, history, and geopolitics, among others; (3) all attribution judgments are necessarily accompanied by some measure of uncertainty; and (4) an adversary cannot be fully confident of its ability to conceal its identity from the victim.