Private-Sector Attribution of Cyber Incidents
Benefits and Risks to the U.S. Government
Published in: International Journal of Intelligence and CounterIntelligence (2020). doi: 10.1080/08850607.2020.1783877
Posted on RAND.org on September 01, 2020
Over the past decade, private sector cyber security companies have developed advanced capabilities that enable them to attribute malicious cyber activity to nation-states or state-sponsored actors. These capabilities present new challenges because historically in the U.S. only the Federal government had the ability to link hostile actions with foreign actors. It is therefore unclear whether this growing trend of private sector attribution of cyber incidents represents a benefit or a liability for the U.S. Government (USG) and its cybersecurity and diplomatic efforts. In this Article, we address four related questions. First, what is the purpose of attribution, both for private sector companies, and the USG? Second, what benefits and risks does private sector attribution bring to the USG? Third, what are the relative capabilities of each stakeholder? And fourth, how should the USG collaborate with the private sector going forward?