Private-Sector Attribution of Cyber Incidents

Benefits and Risks to the U.S. Government

Published in: International Journal of Intelligence and CounterIntelligence (2020). doi: 10.1080/08850607.2020.1783877

Posted on RAND.org on September 01, 2020

by Sasha Romanosky, Benjamin Boudreaux

Read More

Access further information on this document at Taylor & Francis Online

This article was published outside of RAND. The full text of the article can be found at the link above.

Over the past decade, private sector cyber security companies have developed advanced capabilities that enable them to attribute malicious cyber activity to nation-states or state-sponsored actors. These capabilities present new challenges because historically in the U.S. only the Federal government had the ability to link hostile actions with foreign actors. It is therefore unclear whether this growing trend of private sector attribution of cyber incidents represents a benefit or a liability for the U.S. Government (USG) and its cybersecurity and diplomatic efforts. In this Article, we address four related questions. First, what is the purpose of attribution, both for private sector companies, and the USG? Second, what benefits and risks does private sector attribution bring to the USG? Third, what are the relative capabilities of each stakeholder? And fourth, how should the USG collaborate with the private sector going forward?

This report is part of the RAND Corporation External publication series. Many RAND studies are published in peer-reviewed scholarly journals, as chapters in commercial books, or as documents published by other organizations.

Our mission to help improve policy and decisionmaking through research and analysis is enabled through our core values of quality and objectivity and our unwavering commitment to the highest level of integrity and ethical behavior. To help ensure our research and analysis are rigorous, objective, and nonpartisan, we subject our research publications to a robust and exacting quality-assurance process; avoid both the appearance and reality of financial and other conflicts of interest through staff training, project screening, and a policy of mandatory disclosure; and pursue transparency in our research engagements through our commitment to the open publication of our research findings and recommendations, disclosure of the source of funding of published research, and policies to ensure intellectual independence. For more information, visit www.rand.org/about/principles.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.