Over the past decade, private sector cyber security companies have developed advanced capabilities that enable them to attribute malicious cyber activity to nation-states or state-sponsored actors. These capabilities may even rival those of some government intelligence agencies, and present new challenges because historically in the U.S. only the Federal government had the ability to link hostile actions with foreign actors. It is therefore unclear whether this growing trend of private sector attribution of cyber incidents represents a benefit or a liability for the U.S. Government (USG) and its cybersecurity and diplomatic efforts. In this Article, we address four related questions. First, what is the purpose of attribution, both for private sector companies, and the USG? Second, what benefits and risks does private sector attribution bring to the USG? Third, what are the relative capabilities of each stakeholder? And fourth, how should the USG collaborate with the private sector going forward? In order to answer these questions, we begin with a brief overview of cyber attribution. We then examine attribution reports from the private sector, the USG, and a dataset of publicly known state-sponsored cyber activity. Finally, we present the results of qualitative research in which we interviewed 15 senior subject matter experts from the intelligence community, law enforcement, the National Security Council staff, academics, and private sector threat intelligence companies. We conclude with insights from this analysis.