Table of Contents

In recent years, state authorities and corporations increasingly have publicly attributed cyber incidents to states or other entities.1 Yet the fact that cyber attacks continue to occur suggests that public attribution is not stopping them. Moreover, public attribution itself causes disputes and tension among major powers, including the United States and China. This chapter seeks to identify approaches that will reduce the risk of escalating confrontation between accusatory state and accused states.

Although there may be many possible intentions and drivers of public attribution, this chapter assumes that the ultimate purpose of attributing states is to stop and prevent cyber incidents. On the basis of this assumption, the chapter aims to explore available options to ameliorate the negative effects of public attribution from the perspectives of technology, politics, and international governance. Specifically, this chapter aims to answer three questions by providing diversified options for decisionmakers to respond to cyber incidents:

  1. Technically, how can cyber incidents be responded to effectively?
  2. Politically, how can public attributions of cyber incidents be prevented from escalating confrontation?
  3. How can the international community jointly combat malicious cyber activities?

The Technical Perspective: Effective Responses Beyond Public Attribution

For research on governmental public attribution as an element of security policy, one can split the public attribution process into two phases: mechanisms that lead to public attribution and what happens after an incident is publicly attributed.2 Attribution of malicious cyber activity can be focused on a machine, on a specific person pressing the keys that initiate that activity, or on a party that is deemed ultimately responsible for that activity.3 Herbert Lin argues that which type of attribution is relevant depends on the goals of the decisionmakers involved.

Xu Manshu
Xu Manshu is a senior fellow at the Research Center for Global Cyberspace Governance at SIIS.

Generally speaking, the machine that initiated the cyber attacks is likely to be identified as technical forensics are relatively accurate. However, some technical indicators themselves are likely to be altered or manipulated by attackers who want to deflect responsibility onto someone else. It is more difficult to trace the activity back to a specific person or party. This demands more technical means and intelligence resources, which are usually not disclosed by the attributer. Reasons for nondisclosure may include preventing the exposure and consumption of intelligence resources (which are often mentioned in statements of public attribution) or covert technical methods in the name of public security and national security (including the use of back doors and vulnerabilities, which may incur international criticism and scrutiny).

It is worth noting that while victims frequently assign responsibility for a cyber attack to one country, the deductive logic of attributing responsibility for cyber attacks to one country has become more complicated. Cyber attacks have changed a great deal and taken on new features.

First, cyber attackers can use the domestic infrastructure of their target country to carry out the attack. For example, in the SolarWinds cyber incidents, the attackers used a cybersecurity management software provider—a U.S. federal contractor—and local U.S. cybersecurity companies as the carrier. This exploitation of trust allowed the attackers to cover up their malicious operations in a legitimate way and enable precision attacks on government agencies and critical infrastructure in the United States.

Second, cyber attacks are more commercial than ever before; an international industry is popping up around them. Advanced persistent threat actors are increasingly making use of widely available commercial tools such as virtual private networks.4 Many organizations provide ransomware services, with core developers maintaining ransomware and payment sites and recruiting affiliates carrying out attacks and disrupting victim networks. In return, any ransoms paid by victims are split between core groups and affiliates, which typically receive 70–80 percent of the total.

Third, cyber attackers have adopted new tactics. Since the first global outbreak of the NotPetya ransomware attacks in 2017, there have been many new variations of ransomware, and the tactics of ransomware attacks have changed. Some ransomware attackers are increasingly using stolen data for extortion without having a direct impact on systems or businesses. So-called double blackmail has become an important mode of extortion, which not only forces victims to pay a ransom by obtaining decryption tools but also steals data before encrypting and locking the system, thus coercing the victim to pay lest the stolen data be leaked or deleted. Cyber attackers have also recruited corporate insiders, offering high pay for help with the attack. Consequently, the diversity of malicious nonstate actors—all with differing motives—has resulted in malicious cyber activities occurring more frequently and made accurate attribution more difficult.

Ransomware attacks against the Colonial Pipeline, JBS Foods, and Kaseya in the United States revealed three realities for the target systems. First, energy, healthcare, and educational institutions have become important targets. Hackers exploit the large number of access points and inadequate protection measures on online platforms. Second, there are significant vulnerabilities in critical infrastructure. Finally, the failure to repair high-risk vulnerabilities after disclosure is also an important factor in leaked data, which are often used by ransomware organizations.

Even if cyber attacks could be accurately attributed, it is remarkably difficult to change the behavior of an attacker. Considering the limited resources and time, therefore, it is more practical and effective to prioritize strengthening one’s own cyber defense capabilities. Based on the United States’ experience, improving cybersecurity defense capabilities and modernization levels may reduce the number of ransomware attacks that seriously affect critical infrastructure businesses.

This chapter, therefore, argues that strengthening cyber defenses may be a more proactive and effective approach than public attribution. To name just a few, the following measures are more practical and efficient steps to take after a cyber attack than public attribution:

  1. Find out the attack mode from the logs of the target system. The top priorities should be identifying the way that attackers entered the target, the scope of the target being attacked, the computer code used in the attack, and the consequences of the attack—all of which can be collected by the victim’s side.
  2. Cut the fund chain. For example, in 2021, the U.S. Treasury Department announced the first-ever sanctions against a cryptocurrency exchange—the Russian-linked Suex—for facilitating ransom transactions for ransomware gangs and helping them evade sanctions. Suex is registered in the Czech Republic but has no physical presence there. Instead, it operates out of branch offices in Moscow and Saint Petersburg, with other Russian and Middle Eastern locations.5 The action is aimed at disrupting the ransomware group's main channel for collecting ransoms from victims.
  3. Strengthen legislation and guidelines to improve cyber defense. It is extremely important to take compulsory measures to report cyber incidents and patch vulnerabilities in order to respond quickly and prevent similar attacks from happening again. For example, after the ransomware attacks in 2021, the Chinese government took new measures to defend against cyber incidents. National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) issued its “Guide for Preventing Ransomware Attacks,”6 and the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security issued the “Regulations on the Management of Security Vulnerabilities in Network Products” (网络产品安全漏洞管理规定),7 and the State Council issued the “Regulations on the Protection of Critical Infrastructure” (关键信息基础设施安全保护条例).8
  4. More fundamentally, improve cybersecurity capabilities by deploying advanced security technologies. For example, the White House Office of Management and Budget issued its “Zero Trust Cybersecurity Principles.” The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released the “Zero Trust Maturity Model” and “Cloud Security Technology Reference Architecture.” Together, these documents form a cybersecurity architecture road map for federal agencies at all levels, setting benchmark performance goals for critical infrastructure owners and operators, and implementing the zero-trust security concept of “never trust, always verify” through maturity models as agencies’ systems and businesses migrate to the cloud.

These steps are the right way to boost cybersecurity. In addition, the enhancement of cyber defense will increase the difficulty of carrying out cyber attacks, which can stop cyber attackers—to a certain extent.

The Political Perspective: Preventing Public Attribution From Escalating Confrontation Between States

The second step of public attribution—information dissemination—is actually a process of political decisionmaking. Public attribution is a political choice made by the victim state based on its own national interests. But if the public attribution seriously affects the interests of the accused state, it will also likely lead to retaliation. So can cyber attacks actually be stopped by blaming another country? Obviously, the answer is no.

Understanding the internal rationale of waging a cyber attack is critical here. From a technical point of view, two facts emerge. The first is that the interconnectedness of the internet has enabled remote operation of the physical world through cyberspace. The second is that vulnerabilities or back doors in the code of information and communication technology (ICT) products, services, mechanisms, and protocols have become a necessary condition for remote control. Until the security of ICT products and services is improved, cyber attacks by states as well as criminal organizations will never stop. Neither of these technical truths can be eliminated by blaming a single country for a cyber attack. It is the poor quality of ICT products that has created opportunities for cyber attackers of various motivations.

From the perspective of politics and diplomacy, confrontation in cyberspace not only reflects structural contradictions between countries but also increases the intensity. The emergence of cyberspace has given states new tools that are covert, flexible, and relatively low cost and high yield. Cyber intelligence collection, critical infrastructure attacks, information influence operations, have become primary ways for states to confront each other in cyberspace.

Consider, for example, the ongoing cyber conflict between the United States and Russia. In June 2019, Washington announced that it was deploying offensive malware against Russia’s power grid to prevent Russia from implementing selective blackouts in key U.S. states during the 2020 U.S. elections. In late 2020, however, the United States discovered that Russian hackers had developed the ability to hit critical U.S. infrastructure—including power, energy, water, and communications—through the SolarWinds cyber attack. According to FireEye CEO Kevin Mandia’s testimony at a congressional hearing in February 2021, the attackers conducted a “dry run” of the attack in October 2019, before the actual attack occurred between March and June 2020.9 The chronology of the two incidents, as reported by the media, has prompted outside observers to infer that the SolarWinds cyber attack may have been Russia’s response to the U.S. Cyber Command’s strategic practice of so-called persistent engagement.

On March 8, 2021, White House Press Secretary Jen Psaki said the U.S. government was prepared to take “a mix of actions seen and unseen” in response to Russian cyber attacks, but said the White House would not “publicly discuss certain aspects of our response.”10 On May 7, 2021, the Colonial Pipeline Company, the largest fuel pipeline in the United States, proactively shut down its pipeline system in response to a ransomware attack.11 On May 10, 2021, the Federal Bureau of Investigation confirmed that “the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks.”12 President Joe Biden explained that “so far there is no evidence based on, from our intelligence people, that Russia is involved, though there is evidence that the actors, ransomware, is in Russia. They have some responsibility to deal with this.”13 So it might as well be assumed that if the United States military did carry out cyber attacks on Russian military and intelligence systems, the subsequent series of ransomware attacks on the United States could be logically undestood as retaliation by Russia.

Cyber interactions between North Korea and the United States offer another illuminating example. In the wake of the Sony hack, the United States disrupted North Korea’s networks and then U.S. president Barack Obama issued an executive order imposing sanctions on ten North Korean individuals and three entities linked to the North Korean government.14 North Korea did not immediately respond. But by October 2017, FireEye reported that North Korean hackers had successfully used phishing emails to infiltrate the networks of several U.S. electric companies for early-stage reconnaissance and “North Korea linked actors are bold . . . and have little concern for potential discovery and attribution of their operations.”15 In 2020, the U.S. government said North Korean hackers had manipulated the systems of financial institutions in nearly forty countries. The U.S. Departments of State, the Treasury, Homeland Security, and Justice issued a joint statement noting that North Korea is targeting banks in several countries to make fraudulent international transfers.16

In these cases, publicly attributing cyber attacks did not change the behavior of the accused states. Rather, public attribution made it more difficult to reach a compromise with the opposing sides and more likely for the adversary to seek revenge. Regardless of the gap between different nations’ cyber capabilities, cyber attacks are often the most attractive choice for a state. If a cyber dispute between two countries falls into a cycle of attack and retaliation, political negotiations are a necessary step toward deescalation. These negotiations must go beyond the subject of the cyber attacks themselves and take into account a broad spectrum of national concerns and interests.

For instance, direct mediation between the Chinese and U.S. heads of state helped settle the 2013–2015 cyber espionage dispute between the two countries.17 U.S.-Chinese relations were strained on the eve of President Xi Jinping’s visit to the United States in 2015 due to the combined effects of the Mandiant report, the Edward Snowden disclosures, the U.S. judicial prosecution of five Chinese military officers, and the U.S. Office of Personnel Management data breach. Under the direct instructions of the two heads of state, the envoys of the two countries conducted urgent visits. Then U.S. national security adviser Susan Rice visited China on August 30, during which the two sides discussed a range of sensitive issues, including cybersecurity. Although the two countries have differences over cyber attacks, official press statements did not mention them.18 On September 9, 2015, Meng Jianzhu—Xi Jinping’s special envoy and a member of the Political Bureau of the Chinese Communist Party (CCP) Central Committee and secretary of the CCP’s Central Political and Legal Commission—visited the United States. Two days later, on September 11, the two sides said that they had reached an “important consensus” on prominent issues of cybersecurity.19 Finally, on September 25, Xi and Obama held a joint press conference to announce a landmark agreement on cybersecurity.20 Although China had previously rejected the distinction between acceptable national security spying and unacceptable economic espionage,21 the two sides agreed that “states should not conduct or knowingly support misappropriation of intellectual property” and “ICT cyber security regulations should be consistent with WTO agreements.”

The U.S.-Russia summit in June 2021 can also be seen as an important factor in the reduction of blackmail attacks. During talks in Geneva, U.S. President Joe Biden gave Russian President Vladimir Putin a list of sixteen key infrastructure areas, from energy to water, that should be off-limits for malicious cyber activity. The two heads of state also agreed to have cybersecurity experts from both governments “work on specific understandings about what’s off-limits and to follow up on specific cases that originate in . . . either of our countries.”22 According to Kommersant’s Russian sources, in a few months Moscow and Washington managed to resume cooperation in areas that had been frozen for many years. As a result, the Evil Corp., TrickBot, and REvil cyber groups were hit.23

Once the leaders reach a consensus, states can discuss implementation. This requires flexibility. New mechanisms can be established, old approaches can be revived, and cyber issues can be added to traditional security dialogue and consultation mechanisms. If there are cyber attacks involving national security and intelligence, they should be discussed at a very high level through strategic dialogue channels. If cyber attacks involve critical infrastructure protection or the financial sector, they could be addressed through cooperation and consultation mechanisms to combat cyber crimes.

The International Governance Perspective: Combating Malicious Cyber Activities Beyond Collective Public Attribution

Another way to publicly attribute a malicious cyber activity is collectively through an alliance of actors. When a government-led public attribution fails to provide sufficient evidence of blame, the country can choose to cooperate with other governments and lean on the credibility and political influence of a coalition to prescribe responsibility for a cyber incident. In 2017, for example, the ransomware NotPetya spread around the world after attacking Ukraine, causing billions of dollars in damage by infecting companies and governments in Europe, Asia, and the Americas. The governments of the UK, the United States, Denmark, Australia, Canada, and New Zealand all issued public attribution statements within a week, unanimously blaming the Russian government for NotPetya. In general, establishing a public attribution alliance strengthens the claim of responsibility in cyber conflict (the fundamental objective of a public attribution alliance), promotes collective action by the alliance, and helps to shape international rules in cyberspace.

Collective public attribution may enhance a claim’s credibility, but it cannot change the nature of public attribution. Collective public attribution is still a strategic choice made by the states according to their political needs. In essence, they are still deriving their conclusion from the comprehensive analysis of technology and intelligence, and the content is still a new way to package the nonconfidential information such as data forensics and incident response.

Specifically, collective public attribution has not yet solved three major challenges of identifying responsibility in cyber incidents. The first is the uncertainty of cyber attribution—attackers make full use of the anonymity of cyberspace to conceal and mislead their nature. The second is how to attribute the action to personnel in the accused country, which involves the acquisition of overseas information and is thus both complicated and sensitive. The third is how to persuade the public through a confidential attribution process. As a non-legal scholar, I argue that public attribution—including collective public attribution—cannot help a government earn international legitimacy for their retaliatory actions against other countries, nor can it serve as a legitimate basis for exercising collective self-defense in cyberspace. I do hope there will be more professional discussion on this from legal experts.

Fortunately, it is in the common interest of the international community to combat malicious cyber activities. Under the multilateral framework, the international community could work together to establish an international cyber attribution mechanism to jointly combat malicious cyber activities by nonstate actors. This could act as a communication mechanism for resolving cyber disputes between competitors; it may also serve to restrain the behavior of states actors.

First, the international cyber attribution mechanism should aim to avoid misunderstandings and escalating tensions between states by promoting the peaceful settlement of cyber disputes. If the mechanism to attribute malicious cyber activities becomes an avenue for escalation into a “real shooting war,”24 as Biden has described it, or causes more conflicts than it solves, it will be doomed to failure.

Second, the priority for the international cyber attribution mechanism should be to fight against cyber attacks that disrupt a country’s vital services infrastructures. For example, to combat ransomware attacks, which have become a common threat to global cyberspace, the Biden administration has initiated a Counter-Ransomware Initiative and held virtual meetings with thirty countries to address the misuse of virtual currency, laundering ransom payments, disrupting the ransomware ecosystem, and prosecuting cyber criminals.25

Third, a technical cooperation mechanism for cyber attribution should be established. Being positioned to jointly crack down on cross-border cyber criminal organizations, the mechanism may facilitate intelligence sharing, investigation and evidence collection of cross-border cyber attacks, and assistance for technical attribution and investigation of major cyber incidents worldwide. For instance, the “Federal Government Cybersecurity Incident and Vulnerability Response Playbooks,”26 published by the U.S. Cybersecurity and Infrastructure Security Agency, is worth sharing worldwide; it provides valuable operational procedures and detailed steps for both cybersecurity incidents and vulnerability responses.

Key Takeaways

There is no doubt that finding the source of an attack is at the very core of combating malicious cyber behavior. Due to the particularities of cyberspace, attribution—especially the attribution of malicious behavior—has always been a challenging issue for the international governance of the cyber sector. Technically speaking, publicly attributing responsibility for cyber attacks to one country does not reduce uncertainty in cyberspace as there is no fundamental breakthrough in the architecture of cyberspace and the anonymity of cyberspace has not changed.

Politically, public attribution is a strategic choice made by countries according to their political needs. Some countries even define it as national sovereignty. However, assigning responsibility for malicious cyber behavior to another country will inevitably lead to hostility. Thus, public attribution is likely to increase tensions and provoke hostile interactions between states.

From the perspective of international governance, collective public attribution still does not solve three major challenges about determining responsibility in cyberspace. Therefore, though it may strengthen credibility, it cannot help a government obtain international legitimacy for retaliatory actions against other countries, nor can it serve as the legal basis for exercising the right of collective self-defense in cyberspace.

If the ultimate goal of public attribution is to crack down on competitors, the risk of it causing instability needs to be addressed in a broad political framework across countries. If the ultimate goal of public attribution is to combat malicious cyber activities, there are many more effective measures—whether through technical solutions or international cooperation—that can be taken without increasing political hostility.


1 Florian J. Egloff and Andreas Wenger, “Public Attribution of Cyber Incidents,” CSS Analyses in Security Policy, no. 244, Spring 2019,

2 Florian J. Egloff, “Contested Public Attributions of Cyber Incidents and the Role of Academia,” Contemporary Security Policy 41, no. 1 (Fall 2019): 55–81,

3 Herbert Lin, “Attribution of Malicious Cyber Incidents,” Hoover Institution, 2016,

4 Mariam Baksh, “NSA Cyber Chief Warns Hackers Increasingly Use Commercial Tools to Stay Hidden,” NextGov, September 29, 2021,

5 Sergiu Gatlan, “US Sanctions Cryptocurrency Exchange Used by Ransomware Gangs,” Bleeping Computer, September 21, 2021,

6 “Guide for Preventing Ransomware Attacks,” CNCERT, August 11, 2021,

7 Catalin Cimpanu, “Chinese Government Lays Out New Vulnerability Disclosure Rules,” Record, July 14, 2021,; see also

8 “Regulation to Strengthen Protection Over Critical Information Infrastructure,” State Council of China, 2021,

9 Scott Ferguson, “House SolarWinds Hearing Focuses on Updating Cyber Laws,” Data Breach Today, February 26, 2021,

10 Lauren Feiner, “U.S. Reportedly Prepares Action Against Russia After Major Cyberattack,” CNBC, March 8 2021,

11 “Colonial Pipeline Cyber Incident,” U.S. Office of Cybersecurity, Energy Security, and Emergency Response, press release, accessed March 3, 2022,

12 “FBI Statement on Compromise of Colonial Pipeline Networks,” FBI National Press Office, press release, May 10, 2021,

13 Edward Helmore and Joan E Greve, “Biden Says ‘No Evidence’ Russia Involved in US Pipeline Hack but Putin Should Act,” Guardian, May 10, 2021,

14 “Letter – Imposing Additional Sanctions With Respect to North Korea,” White House, press release, January 2, 2015,

15 “North Korean Actors Spear Phish U.S. Electric Companies,” FireEye, October 11, 2017,

16 “CISA, TREASURY, FBI And USCYBERCOM Release Cyber Alert on Latest North Korea Bank Robbing Scheme,” Cybersecurity and Infrastructure Agency, press release, February 05, 2021,

17 Manshu XU and Chuanying LU, “China–U.S. Cyber-Crisis Management, China International Strategy Review 3, (Summer 2021): 97–114,

18 Edward Wong, “National Security Adviser Meets With Chinese President Before His U.S. Visit,” New York Times, August 28, 2015,

19 “U.S., Chinese Officials Meet on Cyber Security Issues: White House,” Reuters, September 12, 2015,

20 Ministry of Foreign Affairs of China. Outcome list of President Xi Jinping’s state visit to the United States, 2015. See

21 Elizabeth Thomas, “US-China Relations in Cyberspace: The Benefits and Limits of a Realist Analysis,” E-International Relations, August 28, 2016,

22 Sean Lyngaas, “Biden Says He Gave Putin List of 16 Sectors That Should Be Off-Limits to Hacking,” Cyberscoop, June 16, 2021,

23 Elena Chernenko, “Axis Against Evil,” Newspaper, Kommersant, No. 176, September 29, 2021, p. 6,

24 Nandita Bose, “Biden: If U.S. Has ‘Real Shooting War’ It Could Be Result of Cyber Attacks,” Reuters, July 28, 2021,

25 “White House Brings 30 Nations Together for Counter-Ransomware Even,” Cisomag, October 14, 2021,; “Joint Statement of the Ministers and Representatives From the Counter Ransomware Initiative Meeting,” White House, October 14, 2021,

26 “New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks,” Cybersecurity and Infrastructure Agency, November 16, 2021,