Skip to main content Accessibility help

Decentralized Cyberattack Attribution

  • Kristen E. Eichensehr (a1)


Attribution of state-sponsored cyberattacks can be difficult, but the significant uptick in attributions in recent years shows that attribution is far from impossible. After several years of only sporadic attributions, Western governments in 2017 began attributing cyberattacks to other governments more frequently and in a more coordinated fashion. But nongovernment actors have more consistently attributed harmful cyber activity to state actors. Although not without risks, these nongovernmental attributions play an important role in the cybersecurity ecosystem. They are often faster and more detailed than governmental attributions, and they fill gaps where governments choose not to attribute. Companies and think tanks have recently proposed centralizing attribution of state-sponsored cyberattacks in a new international entity. Such an institution would require significant start-up time and resources to establish efficacy and credibility. In the meantime, the current system of public-private attributions, decentralized and messy though it is, has some underappreciated virtues—ones that counsel in favor of preserving some multiplicity of attributors even alongside any future attribution entity.

  • View HTML
    • Send article to Kindle

      To send this article to your Kindle, first ensure is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle. Find out more about sending to your Kindle.

      Note you can select to send to either the or variations. ‘’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

      Find out more about the Kindle Personal Document Service.

      Decentralized Cyberattack Attribution
      Available formats

      Send article to Dropbox

      To send this article to your Dropbox account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Dropbox.

      Decentralized Cyberattack Attribution
      Available formats

      Send article to Google Drive

      To send this article to your Google Drive account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Google Drive.

      Decentralized Cyberattack Attribution
      Available formats


This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (, which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.


Hide All

1 See infra notes 35–36 and accompanying text.

2 See, e.g., Jack Goldsmith, The Strange WannaCry Attribution, Lawfare (Dec. 21, 2017) (arguing that a naming-and-shaming strategy is ineffective at deterring state-sponsored cyberattacks).

3 Cf. UN Int'l Law Comm'n, Report of the International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts art. 49, UN GAOR, 53rd Sess., Supp. No. 10, UN Doc. A/56/10 (2001) (“An injured State may only take countermeasures against a State which is responsible for an internationally wrongful act.”).

4 See Kristen Eichensehr, The Private Frontline in Cybersecurity Offense and Defense, Just Security (Oct. 30, 2014).

6 See, e.g., Crowdstrike, Crowdstrike Intelligence Report: Putter Panda 5 (2014) (accusing Chinese PLA Unit 61486 of hacking, among others, “satellite and aerospace industries”); Manish Sardiwal et al., New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit, FireEye (Dec. 7, 2017) (identifying hackers “work[ing] on behalf of the Iranian government” as responsible for cyberespionage against a Middle Eastern government); Darien Huss, North Korea Bitten by Bitcoin Bug: Financially Motivated Campaigns Reveal New Dimension of the Lazarus Group, ProofPoint (2017) (attributing to North Korea a hacking campaign focused on cryptocurrency).

7 Dmitri Alperovitch, Bears in the Midst: Intrusion into the Democratic National Committee, CrowdStrike Blog (June 15, 2016).

8 See, e.g., Bill Marczak & John Scott-Railton, The Million Dollar Dissident: NSO Group's iPhone Zero-Days Used Against a UAE Human Rights Defender, Citizen Lab (Aug. 24, 2016) (accusing the United Arab Emirates of spying on a human rights advocate); Lookout & Electronic Frontier Found., Dark Caracal: Cyber-Espionage at a Global Scale (2018) (attributing to Lebanon's General Directorate of General Security espionage focused on mobile devices).

10 See, e.g., Mandiant, supra note 5, at 66–74 (providing links to appendices with technical details).

11 See, e.g., sources cited supra note 8.

12 See, e.g., In Data Breach, Reluctance To Point The Finger at China, NPR (July 2, 2015) (quoting Director of National Intelligence James Clapper stating, about the Office of Personnel Management (OPM) hack, “You have to kind of salute the Chinese for what they did … .You know, if we had the opportunity to do that, I don't think we'd hesitate for a minute.”).

13 See, e.g., Jim Finkle, Mandiant Goes Viral After China Hacking Report, Reuters (Feb. 22, 2013).

14 See, e.g., David E. Sanger & Charlie Savage, U.S. Says Russia Directed Hacks to Influence Elections, N.Y. Times (Oct. 7, 2016).

15 See Kristen E. Eichensehr, Public-Private Cybersecurity, 95 Tex. L. Rev. 467, 529 (2017).

16 See Chris Bing, In the Opaque World of Government Hacking, Private Firms Grapple with Allegiances, CyberScoop (July 23, 2018) (reporting that Dell SecureWorks, FireEye, McAfee, Microsoft, TrendMicro, and ThreatConnect have notified the U.S. government).

17 See Shane Harris, @War 209 (2014) (reporting that the U.S. government gave Mandiant information used in the APT1 report); Shane Harris, Security Firm: China Is Behind the OPM Hack, Daily Beast (July 9, 2015) (reporting that Crowdstrike's allegation that China was responsible for the OPM hack was “based on technical information provided by the U.S. government”).

18 See Eichensehr, supra note 15, at 529 (discussing the risk of accountability confusion).

19 Kristen Eichensehr, Risky Business: When Governments Do Not Attribute State-Sponsored Cyberattacks, Net Politics (Oct. 4, 2016).

20 See, e.g., Orin S. Kerr, The Mosaic Theory of the Fourth Amendment, 111 Mich. L. Rev. 311, 349 (2012) (describing the “CSI effect”).

21 Jason Healey et al., Confidence-Building Measures in Cyberspace 10 (Atlantic Council, 2014).

24 Id.; see also Justin Collins et al., Univ. of Wash., Cyberattack Attribution: A Blueprint for Private Sector Leadership 26 (2017).

25 In an upcoming article, I explore in detail how public cyberattack attributions can help to foster stability and avoid conflict in the international system and how best to structure such attributions.

26 Alperovitch, supra note 7.

27 Ellen Nakashima, Cyber Researchers Confirm Russian Government Hack of Democratic National Committee, Wash. Post (July 20, 2016) (discussing confirmation of the attribution by Fidelis Cybersecurity and Mandiant); Matt Tait, On the Need for Official Attribution of Russia's DNC Hack, Lawfare (July 28, 2016).

29 Indictment, United States v. Netyksho et al., No. 18-cr-215, (D.D.C. July 13, 2018).

30 UK National Cybersecurity Centre, Reckless Campaign of Cyber Attacks by Russian Military Intelligence Service Exposed (Oct. 4, 2018); Prime Minister of Australia, Attribution of a Pattern of Malicious Cyber Activity to Russia (Oct. 4, 2018); New Zealand Gov't Communications Security Bureau, Malicious Cyber Activity Attributed to Russia (Oct. 4, 2018).

31 See supra notes 11–12 and accompanying text.

32 See Eichensehr, supra note 15, at 529. Private attributors have concerns, however, about preserving their own sources and methods. See Kristen Eichensehr, “Your Account May Have Been Targeted by State-Sponsored Actors”: Attribution and Evidence of State-Sponsored Cyberattacks, Just Security (Jan. 11, 2016).

33 See Charney et al., supra note 22, at 12.

34 See, e.g., id.; Davis II et al., supra note 23, at 27–29.

36 See, e.g., David E. Sanger et al., Russia Targeted Investigators Trying to Expose Its Misdeeds, Western Allies Say, N.Y. Times (Oct. 4, 2018).


Altmetric attention score

Full text views

Total number of HTML views: 0
Total number of PDF views: 0 *
Loading metrics...

Abstract views

Total abstract views: 0 *
Loading metrics...

* Views captured on Cambridge Core between <date>. This data will be updated every 24 hours.

Usage data cannot currently be displayed