Private Sector Attribution of Cyber Incidents

Benefits and Risks to the U.S. Government

by Sasha Romanosky, Benjamin Boudreaux


Over the past decade, private sector cybersecurity companies have developed advanced capabilities that enable them to attribute malicious cyber activity to nation-states or state-sponsored actors. These capabilities may even rival those of some government intelligence agencies and present new challenges because, historically, in the U.S. only the federal government had the ability to link hostile actions with foreign actors. It is therefore unclear whether this growing trend of private sector attribution of cyber incidents represents a benefit or a liability for the U.S. Government (USG) and its cybersecurity and diplomatic efforts. In this Article, we address four related questions. First, what is the purpose of attribution, both for private sector companies and for the USG? Second, what benefits and risks does private sector attribution bring to the USG? Third, what are the relative capabilities of each stakeholder? And fourth, how should the USG collaborate with the private sector going forward? In order to answer these questions, we begin with a brief overview of cyber attribution. We then examine attribution reports from the private sector, the USG, and a dataset of publicly known state-sponsored cyber activity. Finally, we present the results of qualitative research in which we interviewed 15 senior subject matter experts from the intelligence community, law enforcement, the National Security Council staff, academics, and private sector threat intelligence companies. We conclude with insights from this analysis.

This research was conducted by the RAND National Security Research Division.

This report is part of the RAND Corporation working paper series. RAND working papers are intended to share researchers' latest findings and to solicit informal peer review. They have been approved for circulation by RAND but may not have been formally edited or peer reviewed.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.