Over the last ten years, U.S. government officials have publicly attributed dozens of cyber operations to foreign state-affiliated actors.1 These public attributions have come in various forms, including formal statements, remarks by U.S. leaders and officials, indictments by the Department of Justice, sanctions announcements by the Department of the Treasury, and press leaks by anonymous government officials. These many public attributions have named multiple states and exposed cyber activities ranging from targeted espionage to indiscriminate destructive attacks. The pace of U.S. government public attributions has generally increased over time.
What is the purpose behind these public attributions? There is probably not a single, overarching goal that explains them all. Rather, the U.S. government appears to have multiple objectives that often (though not always) overlap with and reinforce each other. The importance of each objective likely varies based on specific circumstances and the views and priorities of U.S. leaders and officials serving at the time. Further complicating the picture, U.S. officials and outside experts have used a range of varying, evolving, and sometimes ambiguous terms and categories to describe these policy objectives.
This chapter seeks to clarify U.S. objectives by providing a single framework that synthesizes what can be learned from U.S. official statements and explanations—as well as expert analysis—of public attribution.2 The chapter specifically focuses on what might be called “government-to-government attribution,” meaning public U.S. government accusations that name a foreign government as responsible for a certain cyber operation.3 Thus, it does not address attributions published by U.S. private companies or the media (unless these cite U.S. government sources), nor does it address U.S. government attributions of foreign individuals or organizations that stop short of directly implicating a state. This chapter mainly focuses on why U.S. leaders use public attribution, rather than how public attribution occurs (such as who makes the statement, what communication channel is used, and how much evidence is released). Finally, the chapter does not express an opinion on whether U.S. public attributions are effective in achieving their goals; rather, it briefly describes American policy debates and common expert views on this question.
Cyber “Deterrence,” Disruption, and Defense
U.S. officials almost always invoke the language of deterrence, cost-imposition, and accountability to explain their use of public attribution. While specific terms and ideas vary, the common thread is that public attribution can help punish foreign states for unacceptable cyber operations and thereby shape their future behavior. For example, under the administration of former U.S. president Donald Trump, the National Cyber Strategy stated that public attribution can help impose “consequences for irresponsible behavior that harms the United States and our partners.”4 Sasha Romanosky and Benjamin Boudreaux surveyed fifteen senior American career technology, government, or policy professionals about public attribution and found that “promot[ing] deterrence in cyberspace” was their most commonly given explanation for U.S. government public attribution.5
However, “deterrence” can mean many different things. Below, deterrence and related objectives are divided into three subcategories, some of which could be alternatively characterized as disruption or defense.
Influencing Foreign States’ National Cyber Policy
First, public attribution can aim to dissuade the accused state (and other states) from carrying out certain types of cyber operations. For example, then Federal Bureau of Investigation director James Comey said in 2016 that “by calling out the individuals and nations who use cyber attacks to threaten American enterprise . . . we will change behavior.”6 Kristen Eichensehr called this objective “macro-level deterrence,” because the goal is to achieve significant changes in foreign states’ national-level cyber operations policy—that is, to dissuade them from conducting entire categories of cyber operations.7
The logic—or hope—is that publicly accusing a specific government of a malicious cyber operation will embarrass that government or subject it to international (or domestic) criticism, potentially motivating that government to stop such operations. This is sometimes called naming and shaming. In 2020, following the U.S. public attribution to Russia of cyber attacks against Georgia, then secretary of defense Mark Esper said, “when it might make sense, to name and shame, to call groups out—either groups or governments—we should do that.”8
Most U.S. cyber experts believe that significant macro-level deterrence cannot be achieved by naming and shaming alone. The reputational costs to the accused state are simply not as great as the gains received from conducting cyber operations. Recognizing this, the U.S. government often pairs its public attribution statements with more tangible actions, such as sanctions and indictments. (In fact, U.S. law requires the government to publicly name the targets of its sanctions and prosecutions. Public attribution, then, is not always done solely for its own sake but is sometimes intended to enable these other U.S. responses.)
That said, sanctions and indictments have been criticized on much the same grounds as public attribution: their practical impact is too small to achieve much macro-level deterrence.9 Sanctions are often applied to individuals without significant ties to the U.S. banking system, and U.S. indictments rarely lead to the arrest or extradition of foreign actors charged with conducting state-sponsored cyber operations.10 U.S. officials sometimes acknowledge these actions as limited, albeit necessary, steps toward achieving international accountability and shaping state behavior. In 2019, then assistant attorney general for national security John Demers called cyber indictments “just a piece of the puzzle.”11
In search of stronger deterrence, the U.S. government may also combine its public responses with actions taken in private. In his 2020 remarks, Esper said that public attribution should be “on a case-by-case situation, but clearly we have to do more than just play defense and we have to play more of an offensive game.” He then referred to Trump’s decision to give the military more authority to conduct cyber operations, implying that Washington might undertake cyber counterstrikes against the countries it publicly accuses.12
With cyber counterstrikes, unlike sanctions and indictments, U.S. law does not require the government to make any public accusations. Still, all these tools are fundamentally related to public attribution because the U.S. government believes that macro-level deterrence requires their combined, synchronized, and repeated use over time (ideally, in concert with allies). For example, when announcing the public attribution of the Microsoft Exchange hack and other cyber activities to China, a senior U.S. government official twice emphasized that “no one action can change China’s behavior in cyberspace.”13
Public attribution may also aim to achieve macro-level deterrence of other actors beyond the accused state. After all, the public exposure of one state’s cyber activities can provide a general global signal of U.S. attribution capabilities and intentions. In 2015, then director of national intelligence James Clapper testified that “most [cyber actors] can no longer assume that their activities will remain undetected. Nor can they assume that if detected, they will be able to conceal their identities. Governmental and private sector security professionals have made significant advances in detecting and attributing cyber intrusions.”14 By comparison, discreetly sharing a U.S. attribution privately with the accused state would not send this broader deterrent signal to other countries and actors.
The effectiveness of public attribution for macro-level deterrence is debated in Washington. Critics observe that U.S. public attribution—even combined with indictments, sanctions, cyber counterstrikes, and other actions—has failed to inflict significant costs on the exposed states. These critics note that state-sponsored cyber operations against U.S. entities have grown in number and severity over time. Thus, public attribution and related actions have obviously not achieved a large amount of macro-level deterrence.15
On the other hand, the United States has not yet suffered a truly catastrophic cyber attack. This suggests that some degree of macro-level deterrence does exist; perhaps sustaining such deterrence depends, in part, on repeated public demonstrations of Washington’s ability to attribute cyber operations. Furthermore, complete macro-level deterrence is too high a bar for public attribution or indeed any U.S. policy tool to achieve, given the powerful incentives that foreign states have to conduct cyber operations. More realistically, Washington can aim for public attribution to make modest but tangible contributions to macro-level deterrence.
An oft-cited example is the 2015 U.S.-China cyber agreement, which established mechanisms for bilateral dialogue and committed both states not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”16 Many U.S. analysts believe that a combination of public attribution, indictments, and threatened sanctions helped then U.S. president Barack Obama secure this deal. Moreover, U.S. officials and private cybersecurity firms both reported an overall reduction in Chinese cyber espionage against U.S. targets following the deal.17 That said, the same types of analysis showed that China eventually resumed its previous level of activity.18 Some U.S. analysts believe that Washington’s actions never adequately deterred Chinese cyber espionage, while others believe the nonbinding political agreement fell apart due to a broader breakdown in bilateral relations.
Influencing Foreign Cyber Actors, Officials, and Organizations
Second, public attribution can aim to deter or disrupt the individual cyber actors, mid-level government officials, and units or companies responsible for conducting cyber operations. Eichensehr calls this “micro-level deterrence,” because it targets a foreign government’s subordinate personnel and organizations rather than its national leadership.19 For example, then associate deputy attorney general Sujit Raman said in 2019 that “the prospect of criminal indictment can help deter some cyber actors from engaging in such conduct in the first place.”20 The viability of micro-level deterrence—and the manner in which it might work—will depend in part on the structures and incentives that exist within foreign states’ offensive cyber programs.
For some individual cyber actors, public attribution can bring a frightening level of international notoriety and foreclose future opportunities in the legitimate cybersecurity industry. Further, indictments and sanctions can limit travel or financial opportunities. These possibilities may dissuade some individuals from working for their government or accepting certain sensitive taskings. (Other cyber actors, however, may wear these punishments as badges of honor.) And for some mid-level government cyber officials, public attribution indicates their failure to ensure adequate operational security and oversight, which could cause internal embarrassment and draw criticism from superiors. (This assumes the cyber operation was not intended to be discovered.)
The exposed cyber organizations may need to conduct temporary operational stand-downs, internal reviews, or counterintelligence investigations. They may choose to cut ties with publicly named individual cyber actors, viewing them as compromised. Cyber organizations may decide to impose burdensome new oversight measures and make costly changes in tactics or infrastructure to avoid future public attributions. All this creates friction and distrust within a state’s offensive cyber ecosystem. Such costs would be too small to achieve macro-level deterrence. But, according to Raman, they “can make it more difficult for states to recruit the manpower and resources for cyber-attacks, and raise the cost of engaging in malicious cyber activity.”21 In other words, public attribution can cause modest, occasional disruptions and inefficiencies for the exposed state.
As with macro-level deterrence, micro-level deterrence could extend to individuals and organizations beyond those exposed in a public attribution, including cyber actors in other states. To this end, U.S. public attribution statements often highlight the United States’ “capability to remove the Internet’s cloak of anonymity” and the intention to hold state-sponsored hackers accountable “no matter who they are, where they are, or what country’s uniform they wear.”22 In theory, then, the public attribution of a North Korean cyber operation could help convince an Iranian not to join a state-sponsored hacking organization.
On the other hand, many U.S. experts believe that micro-level deterrence and its disruption effects have generally fallen over time. As public attribution has become a more routine event, some foreign state-sponsored cyber actors and units may have come to accept and adapt to the risk of public exposure.
Informing Cyber Defenders
Finally, public attribution can provide information that enables and motivates potential victims and the cybersecurity community to better defend themselves. For example, the White House statement on the Microsoft Exchange hack stated that “by exposing the PRC’s [People’s Republic of China’s] malicious activity, we are continuing the Administration’s efforts to inform and empower system owners and operators to act.”23 Some U.S. experts call this “deterrence-by-denial,” because better defense can prevent foreign cyber operations from achieving their goals and thus potentially reduce the motivation to conduct them. Even if deterrence-by-denial is not achieved, public attribution can still aim to improve cyber defenses.
The most direct way to “inform and empower” cyber defenders is for the U.S. government to share detailed technical information about malicious cyber operations and actors—for example, malware samples, indicators of compromise, and other tactical signatures. These technical information releases do not inherently require public attribution; however, public attribution can enhance their impact in several ways. Eichensehr notes that “understanding who the attacker is can shed light on intruders’ likely targets and goals,” helping cyber defenders anticipate and prepare for cyber actors’ moves.24 Public attribution can also illuminate the stakes: potential victims may choose to invest more resources to prevent compromise by a named adversary state. Finally, public attribution can help to capture media coverage and thereby get more cyber defenders to pay attention to a technical release.
The effectiveness of public attribution in achieving deterrent, disruptive, and defensive goals is difficult to assess. An accurate evaluation would require access to detailed intelligence about foreign states’ and cyber actors’ evolving intentions and reactions to U.S. public attributions. This information, if it exists, is not publicly available. In its absence, independent analysts can use indirect data to assess the efficacy of public attribution. For example, they can examine publicly reported trends in state-sponsored cyber operations to see if public attribution appears to have a demonstrable effect. But public disclosures of cyber operations by private companies and governments provide a very limited, fragmentary view of true trends. Moreover, it is hard to isolate the impact of public attribution from many other causal factors. In sum, the deterrent value of public attribution remains an open question.
International Signaling, Partnerships, Norms, and Laws
Deterrence is not the only goal the United States has for its public attributions. Many experts have highlighted how public attribution can also be used to shape international views, norms, laws, and expectations about the so-called rules of the game in cyberspace. Again, this broad idea can be divided into three sub-objectives. U.S. officials have embraced each to some degree, although government statements and actions leave some room for interpretation about how Washington understands and prioritizes these different objectives in specific cases.
Signaling to Adversaries
First, public attribution can help communicate to adversaries what kinds of cyber operations the United States considers unacceptable. Given the dearth of clear, strong global norms and laws governing cyber behavior, this sort of signaling is a way to clarify expectations directly among key states, hopefully reducing the likelihood of misunderstanding or conflict. For example, the 2015 Department of Defense Cyber Strategy stated that “the United States used verifiable and attributable data to engage China about the risks posed by its economic espionage. The attribution of this data allowed the United States to express concerns regarding the impact of Chinese intellectual property theft on U.S. economic competitiveness, and the potential risks posed to strategic stability by Chinese activity.”25
Such signaling does not necessarily require public attribution; discreetly sharing attribution via bilateral diplomatic channels could serve the same function. However, a public attribution broadcasts the message to the entire international community, including other adversaries. For example, the U.S. public attribution of a Chinese cyber operation may also help the Russian government understand what the United States considers unacceptable behavior in cyberspace. Also, public attribution might be taken as a more serious signal than discreet bilaterally shared attribution, because the former is more costly for both the accusing state (it can risk intelligence sources and methods) and for the accused state (it can cause reputational harm).
Rallying Allies and Partners
In recent years, the United States has increasingly sought to undertake public attribution jointly with other states (so-called collective attribution).26 For example, in 2018, seven nations including the United States publicly attributed the NotPetya cyber attack to Russia.27 By acting collectively alongside other nations, the United States seeks to magnify the deterrent impacts of its public attributions. Beyond deterrence, joint attributions can provide Washington with a vehicle for building and strengthening international partnerships on cyber issues.
In 2021, the U.S. public attribution of cyber activities by China’s Ministry of State Security (MSS) was joined by what the U.S. government called “an unprecedented group of allies and partners — including the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan, and NATO.”28 A senior U.S. administration official suggested that this collective attribution helped to build support among these partners “to enhance and increase information sharing, including cyber threat intel and network defense information with public and private stakeholders, and expand diplomatic engagement to strengthen our collective cyber resilience and security cooperation.” Likewise, the official emphasized that “it’s the first time NATO has condemned PRC cyber activities,” while also noting that “NATO [was also] adopting a new cyber defense policy for the first time in seven years.” As this example shows, joint public attribution can help international partners build a shared understanding of cyber threats and provide a rallying point to motivate and organize more concrete collective cyber efforts.
Shaping International Norms and Laws
Scholars frequently argue that public attribution can be used to help develop and reinforce international norms and laws. By exposing otherwise secret cyber operations, public attributions help the international community to “foster agreement on factual reality of what states are doing.”29 And by condemning the exposed cyber activity, the accusing state can express and promote its views on what should be considered irresponsible behavior. For example, John Demers stated in 2020 that “in the past three months alone, the department [of Justice] has charged computer intrusions or taken legal action related to the activities of China, Iran, and North Korea. Each of these cases charged significant and malicious conduct that we have called out in part to reinforce norms of responsible nation state behavior in cyberspace.”30 Over long periods of time, such norms (if expressed in legal terms) might conceivably help to shape customary international law. Conversely, states’ failure to publicly expose, attribute, and condemn major categories of cyber operations might result in such operations becoming seen as normatively acceptable and lawful.
On a few occasions, U.S. public attributions have alleged specific violations of international cyber norms, laws, or commitments. U.S. President Joe Biden, in off-the-cuff remarks in July 2021, accused Russia of seeking to influence the 2022 U.S. elections and called it “a pure violation of our sovereignty.”31 That same month, the White House pointed to a newly unsealed indictment of MSS cyber actors, and noted that “much of the MSS activity alleged . . . stands in stark contrast to the PRC’s bilateral and multilateral commitments to refrain from engaging in cyber-enabled theft of intellectual property for commercial advantage.”32
However, those instances are relatively rare. More frequently, U.S. public attribution statements make general condemnations of cyber operations, using terms such as “irresponsible” and “destabilizing,” without explicitly claiming that a specific international norm or law was violated. For example, the White House statement on NotPetya called it “reckless” but did not comment on its legality or compatibility with international cyber norms.33 In such cases, the United States seems unwilling to stake a clear claim about the application of international law and norms to the cyber operation at hand. Instead it offers a more general objection to or criticism of the cyber operation, while preserving room to further develop precise U.S. legal and diplomatic positions over time.34 Among other reasons, Washington may not yet be ready to constrain itself from conducting similar cyber operations of its own.
In still other cases, U.S. public attribution statements have acknowledged, or at least implied, that the relevant cyber operations did not violate any international norms or laws. When James Clapper called China the “leading suspect” for the Office of Personnel Management hack in 2015, he famously added that “you have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”35 Though his off-the-cuff remarks attracted controversy in the United States for accepting the Chinese hack as legitimate state behavior, Clapper later affirmed in his memoir that “China had hurt us dearly, but that it hadn’t done anything outside the bounds of what nation-states do when conducting espionage.”36 More recently, the 2021 White House statement attributing the SolarWinds breach to Russia called it “malicious,” “harmful,” and “a national security and public safety concern” but stopped short of alleging any violations of international principles.37 The United States has so far been reluctant to embrace normative restrictions on national security espionage in cyberspace, although more U.S. experts have begun advocating for such norms.38
Domestic Politics and Public Education
Finally, U.S. public attribution may serve domestic purposes. This is an inevitable part of policymaking in democracies (and, to a lesser extent, in non-democracies). While domestic politics can sometimes encourage poor policymaking by U.S. leaders, it can also help to channel the legitimate needs of U.S. constituencies and encourage valuable public discourse.
Domestic Political Motivations
In the wake of a significant cyber incident, U.S. leaders often face domestic political pressure to do something—and, in particular, to take strong action against the perpetrators. If they fail to do so, U.S. leaders may be criticized as weak by the political opposition. In some cases, this pressure may come from the victims themselves. Tim Maurer and Garrett Hinck note that “the March 2016 indictment against a cadre of Iranian hackers was largely in response to demands from big banks for the U.S. to take some kind of public action in response” to Iranian distributed denial-of-service (DDoS) attacks.39 Additionally, public attribution can help focus domestic political attention on the wrongdoing of an adversary rather than on U.S. cybersecurity failures.
When considering domestic political incentives, it is worth noting that U.S. leaders do not have total control over whether or when such attributions come to light. Private sector attributions or unauthorized leaks by government officials or members of Congress may preempt the U.S. administration. For example, a U.S. senator, not an executive branch official, was the first to openly blame Iran for its DDoS attacks on the financial sector.40 Mandiant’s 2013 “APT 1” report on Unit 61398 of the People’s Liberation Army was published more than a year before the Department of Justice unsealed charges against members of that unit.41 And during the 2020 presidential election, a series of leaks by U.S. officials attributed influence activities to Russia, despite reticence by top Trump administration leaders to publicly acknowledge this attribution.42 Cases like these may encourage U.S. leaders to quickly publicize cyber attributions because they could be criticized for acting slowly or withholding information from the public if an attribution is later revealed by someone else.
Educating and Galvanizing the Public
Additionally, public attribution can help the U.S. government build domestic political support for many different cyber policies, from greater investments in cybersecurity to more assertive diplomatic action. For the last decade, many senior U.S. national security officials have expressed concern that the American people do not fully appreciate the extent of cyber risks facing the country, and they have sought various ways to raise public awareness.43 Cumulatively, public attributions create a factual record of cyber threats to U.S. interests. This can help to educate the American people about the breadth, severity, and diversity of cyber threats facing the United States—and, in turn, motivate members of Congress and other political and private sector actors to support policies to address these threats.44
Reasons Not to Publicly Attribute
U.S. administrations of both parties have gradually increased their use of public attribution over time. Independent U.S. cyber experts have generally favored this policy, even while they raise questions about its effectiveness in achieving U.S. goals. Still, commentators have identified some potential ways that certain public attributions can be counterproductive or harmful to U.S. interests. These are summarized below, in very rough order of importance.
- The U.S. government does not always have enough confidence in an attribution to justify publicly revealing it.
- Intelligence sources and methods may be compromised or lost. This could spoil opportunities to monitor, defend against, deceive, or disrupt the cyber actor (or other cyber actors).
- Cyber actors, once exposed, may learn from their mistakes and become stealthier.
- Public attribution may create domestic political pressure for a stronger U.S. retaliatory response than the government wants to—or can—undertake.
- Public attribution can cause unwarranted domestic alarm, which may even help adversaries achieve their goals—for example, by sowing doubt about election security.
- Washington may want to avoid bilateral friction during a sensitive period, such as while negotiating with the accused country on a more important topic.
- The accused country may retaliate.
- Quiet diplomacy with the accused state may be more effective in addressing the objectionable cyber behavior.
- U.S. allies and partners may not agree with Washington’s decision to publicly attribute a cyber operation.
- If the underlying evidence remains secret, public attribution may fail to convince some audiences.
- Public attribution establishes a precedent that other countries may eventually use to publicly name (and potentially take action against) U.S. government cyber operators.
- Publicly attributing some cyber operations could imply tacit approval of others.
Most of these concerns relate to the merits of public attribution in specific cases, its proper timing, or mechanics. There is little advocacy in the United States for stopping or dramatically reducing the number of public attributions across the board. In fact, the most frequent American criticism of public attribution is that it is insufficient to achieve deterrence and therefore must be accompanied by far stronger cost-imposition measures.
Foreign governments like China that object to U.S. public attribution should take account of U.S. objectives and incentives. Understanding what U.S. leaders and officials seek to accomplish and why can help reduce the risks of misinterpretation, promote cyber stability, and potentially facilitate diplomacy. There are several major takeaways:
- Public attribution is a well-established U.S. policy tool. Although each U.S. administration chooses to publicly attribute some cyber operations and not others, there is a clear trend toward greater public attribution over time. The U.S. government has multiple, overlapping objectives that often reinforce each other and make public attribution all but inevitable for some major cyber operations.
U.S. debates about the efficacy of public attribution mostly focus on whether Washington should seek to impose even stronger costs on foreign state sponsors of cyber operations—not whether the U.S. government should restrain the use of tools such as public attribution. Arguments against public attribution tend to be about the specific circumstances and timing; there is little advocacy for abandoning the tool. In the words of Florian Egloff, “The use of public attribution as a means of statecraft in national security policy is here to stay.”45 Indeed, more U.S. allies and partners (and other states, such as Iran) have also increased their use of public attribution in recent years, suggesting a growing international appreciation of its utility.
- Public attributions do not always have the same objectives. Although Washington’s overall use of public attribution is settled policy, the objectives for each instance seem fluid. Public attributions are considered on a case-by-case basis, and U.S. officials offer varying descriptions of their specific purposes and meanings. Sometimes these messages are ambiguous, suggesting that American policymakers are still working to refine their practices and resolve possible tensions between different policy objectives.
For example, the U.S. government hopes that public attribution can affirm international norms of responsible behavior in cyberspace. But it also publicly attributes certain cyber operations that do not violate international norms, on the grounds that these operations are still hostile and must therefore be deterred. Because U.S. objectives can vary from case to case, observers should carefully parse U.S. government statements and actions for clues about what message Washington is trying to communicate with a specific public attribution.
- Public attribution is usually part of an integrated U.S. response to cyber operations. It has become rare for the U.S. government to publicly attribute a cyber operation while taking no other responsive action. American leaders understand that public attribution alone—like other individual U.S. policy tools used in isolation—cannot achieve objectives such as deterrence. That is why Washington generally uses public attribution in concert with other responses, such as sanctions, indictments, technical releases, intelligence sharing, coordinated defense among international partners, and cyber counterstrikes.
In other words, public attribution is not fully discrete from the rest of U.S. cyber response policy. Rather, public attribution should be understood as supporting, and being supported by, other U.S. actions. The United States aims to achieve its objectives by combining multiple policy tools together, sustaining their use over time, and acting in concert with allies and international partners whenever possible.
- Public attributions accurately reflect U.S. government assessments. Research for this paper did not identify any U.S. government public attributions that were later proven wrong, let alone any that were deliberately concocted or falsified. In all of the instances examined, the U.S. intelligence community, federal law enforcement, and other agencies appear to have sought in good faith to assess and report who was responsible for cyber operations.46
U.S. leaders choose whether, when, and how to publicize agencies’ internal attributions. In the overwhelming majority of cases examined, U.S. leaders’ public statements seem to have accurately described U.S. intelligence assessments. To definitively confirm this would require access to classified information. That said, the possibility of leaks, whistleblowing, or contradictory reports by private companies helps to serve as a check on any attempts by U.S. government officials to inaccurately convey cyber attributions.
The Trump administration, as in many other areas, provided some partial exceptions to this general pattern of truthful cyber attributions. Trump administration officials publicly denied that Russia was supporting the president’s reelection, even though U.S. intelligence analysts had assessed the opposite. Additionally, the Trump administration publicly implied that China’s rhetorical opposition to U.S. policies was intended to undermine the president’s reelection prospects, even though intelligence analysts had assessed otherwise. Neither of these cases involved falsely attributing actions that the accused government did not in fact do; rather, the Russia case involved falsely denying an attribution, and the China case involved mischaracterizing publicly visible behavior. In both cases, public signs of the distorted intelligence quickly emerged, and the issues were eventually addressed by internal investigators, reported to Congress and the public, and corrected by the Biden administration.47
1 Sasha Romanosky and Benjamin Boudreaux, “Private-Sector Attribution of Cyber Incidents,” International Journal of Intelligence and CounterIntelligence (Fall 2020): 463–93, https://www.rand.org/pubs/external_publications/EP68257.html. Romanosky and Boudreaux’s figures are confirmed by unpublished data compiled by June Lee, Carnegie Endowment for International Peace.
2 The taxonomy and examples in this paper are heavily indebted to the following sources, among others cited: Martha Finnemore and Duncan B. Hollis, “Beyond Naming and Shaming: Accusations and International Law in Cybersecurity,” European Journal of International Law 31, no. 3 (August 2020), 10.2139/ssrn.3347958; Florian J. Egloff, “Public Attribution of Cyber Intrusions,” Journal of Cybersecurity 6, no. 1 (2020), 10.1093/cybsec/tyaa012; Kristen Eichensehr, “The Law & Politics of Cyberattack Attribution,” U.C.L.A. Law Review 67, no. 520 (2020), https://papers.ssrn.com/abstract=3453804; Romanosky and Boudreaux, “Private-Sector Attribution of Cyber Incidents”; Garrett Hinck and Tim Maurer, “Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity,” Journal of National Security Law and Policy 3, no. 10 (Winter 2020), https://jnslp.com/wp-content/uploads/2020/05/Criminal-Charges-as-a-Response-to-Nation-State-Malicious-Cyber-Activity.pdf; and June Lee, “Strategic Publicity?: Understanding US Government Cyber Attribution,” Stanford University, 2021.
3 This paper focuses specifically on U.S. government public attributions to state-affiliated actors. It does not consider, for example, attributions to non-state-affiliated cyber criminals.
4 “National Cyber Strategy of the United States of America,” White House, September 2018, https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.
5 Romanosky and Boudreaux, “Private-Sector Attribution of Cyber Incidents.”
6 “Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector,” Department of Justice, news release, March 24, 2016, https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged.
7 Kristen Eichensehr, “The Law & Politics of Cyberattack Attribution.”
8 Mark Esper, “Remarks by Secretary Esper in a Media Availability, U.S. Strategic Command,” U.S. Department of Defense, speech transcript, February 20, 2020, https://www.defense.gov/News/Transcripts/Transcript/Article/2090285/remarks-by-secretary-esper-in-a-media-availability-us-strategic-command/.
9 Tim Maurer and Garrett Hinck, “Persistent Enforcement.”
11 Derek B. Johnson, “DOJ Official Says ‘Name and Shame’ is One Piece of the Puzzle,” Business of Federal Technology, January 18, 2019, https://fcw.com/articles/2019/01/18/demers-doj-cyber-shame.aspx.
12 Mark Pomerleau, “After Tug-of-War, White House Shows Cyber Memo to Congress,” Fifth Domain, March 13, 2020, https://www.fifthdomain.com/congress/2020/03/13/after-tug-of-war-white-house-shows-cyber-memo-to-congress/.
13 “Background Press Call by Senior Administration Officials on Malicious Cyber Activity Attributable to the People’s Republic of China,” White House, July 19, 2021, https://www.whitehouse.gov/briefing-room/press-briefings/2021/07/19/background-press-call-by-senior-administration-officials-on-malicious-cyber-activity-attributable-to-the-peoples-republic-of-china/.
14 James R. Clapper, “Worldwide Threat Assessment of the US Intelligence Community,” February 26, 2015, https://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf.
15 Jack Goldsmith and Robert D. Williams, “The Failure of the United States’ Chinese-Hacking Indictment Strategy,” Lawfare, December 28, 2018, https://www.lawfareblog.com/failure-united-states-chinese-hacking-indictment-strategy.
16 “Fact Sheet: President Xi Jinping’s State Visit to the United States,” White House, fact sheet, September 25, 2015, https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-State-visit-united-States.
17 “Update 1- U.S. Accuses China of Violating Bilateral Anti-Hacking Deal,” Reuters, November 9, 2018, https://www.reuters.com/article/usa-china-cyber-idUKL2N1XK06K. In 2018, senior NSA official Rob Joyce stated that the quantity of Chinese cyber espionage operations had dropped “dramatically” since the 2015 agreement, though he also said that Chinese hacking went “well beyond the bounds today of the agreement.”
18 David E. Sanger and Steven Lee Myers, “After a Hiatus, China Accelerates Cyberspying Efforts to Obtain U.S. Technology,” New York Times, November 29, 2018, https://www.nytimes.com/2018/11/29/us/politics/china-trump-cyberespionage.html.
19 Eichensehr, “The Law & Politics of Cyberattack Attribution.”
20 Sujit Raman, “The Rule of Law in the Age of Great Power Competition in Cyberspace,” U.S. Department of Justice, prepared remarks, May 21, 2019, https://www.justice.gov/opa/speech/associate-deputy-attorney-general-sujit-raman-delivers-remarks-aba-rule-law-initiative.
22 “Chinese Military Personnel Charged With Computer Fraud, Economic Espionage and Wire Fraud for Hacking Into Credit Reporting Agency Equifax,” U.S. Department of Justice, press release, February 10, 2020, https://www.justice.gov/opa/pr/chinese-military-personnel-charged-computer-fraud-economic-espionage-and-wire-fraud-hacking.
23 “The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China,” White House, July 19, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/.
24 Eichensehr, “The Law & Politics of Cyberattack Attribution.”
25 “The DoD Cyber Strategy,” U.S. Department of Defense, 2015, https://www.jcs.mil/Portals/36/Documents/Doctrine/Other_Pubs/dod_cyber_2015.pdf.
26 Erica Lonergan, “What Makes This Attribution of Chinese Hacking Different,” Carnegie Endowment for International Peace, July 22, 2021, https://carnegieendowment.org/2021/07/22/what-makes-this-attribution-of-chinese-hacking-different-pub-85023.
27 Stilgherrian, “Blaming Russia for NotPetya was Coordinated Diplomatic Action,” ZDNet, April 11, 2018, https://www.zdnet.com/article/blaming-russia-for-notpetya-was-coordinated-diplomatic-action/.
28 “Background Press Call by Senior Administration Officials on Malicious Cyber Activity Attributable to the People’s Republic of China,” White House.
29 Eichensehr, “The Law & Politics of Cyberattack Attribution.”
30 “DOJ Press Conference Transcript October 19: Charges Against Russian Officers,” Rev.com, October 19, 2020, https://www.rev.com/blog/transcripts/doj-press-conference-transcript-october-19-charges-against-russian-officers.
31 Joe Biden, “Remarks by President Biden at the Office of the Director of National Intelligence,” White House, July 27, 2021, https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/07/27/remarks-by-president-biden-at-the-office-of-the-director-of-national-intelligence/.
32 “The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China,” White House, July 19, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/.
33 “Statement From the Press Secretary,” White House, February 15, 2018, https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/.
34 Nick Beecroft, “To Condemn Chinese Hacks, Hate the Game Not Just the Players,” Carnegie Endowment for International Peace, July 23, 2021, https://carnegieendowment.org/2021/07/23/to-condemn-chinese-hacks-hate-game-not-just-players-pub-85025.
35 Julianne Pepitone, “China Is ‘Leading Suspect’ in OPM Hacks, Says Intelligence Chief James Clapper,” NBC News, June 25, 2015, https://www.nbcnews.com/tech/security/clapper-china-leading-suspect-opm-hack-n381881.
36 Florian J. Egloff, “Public Attribution of Cyber Intrusions.”
37 “Fact Sheet: Imposing Costs for Harmful Foreign Activities by the Russian Government,” White House, April 15, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/.
38 Perri Adams, Dave Aitel, George Perkovich, and JD Work, “Responsible Cyber Offense,” Lawfare, August 2, 2021, https://www.lawfareblog.com/responsible-cyber-offense.
39 Maurer and Hinck, “Persistent Enforcement.”
40 Ellen Nakashima, “Iran Blamed for Cyberattacks on U.S. Banks and Companies,” Washington Post, September 21, 2012, https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html.
41 William Wan and Ellen Nakashima, “Report Ties Cyberattacks on U.S. Computers to Chinese Military,” Washington Post, February 19, 2013, https://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html?wprss&google_editors_picks=true.
42 Jon Bateman, “American Voters Deserve Facts on Outside Influence on This Election,” Hill, July 26, 2020, https://thehill.com/opinion/national-security/509099-american-voters-deserve-facts-on-outside-influence-on-this-election.
43 Adam Stone, “How Leon Panetta’s ‘Cyber Pearl Harbor’ Warning Shaped Cyber Command,” Fifth Domain, https://www.fifthdomain.com/opinion/2019/07/30/how-leon-panettas-cyber-pearl-harbor-warning-shaped-cyber-command/; Aaron Boyd, “DNI Clapper: Cyber Bigger Threat Than Terrorism,” Federal Times, February 4, 2016, https://www.federaltimes.com/management/2016/02/04/dni-clapper-cyber-bigger-threat-than-terrorism/; Brian Fung, “Cyberattacks Are the Number-One Threat to the Global Financial System, Fed Chair Says,” CNN, April 12, 2021, https://www.cnn.com/2021/04/12/business/jerome-powell-cyberattacks-global-threat/index.html; and Aruna Viswanatha and Dustin Volz, “FBI Director Compared Ransomware Challenge to 9/11,” Wall Street Journal, June 4, 2021, https://www.wsj.com/articles/fbi-director-compares-ransomware-challenge-to-9-11-11622799003.
44 D. Howard Kass, “CISA Needs More Money, Lawmakers Tell House Appropriations Committee,” MSSPAlert, May 3, 2021, https://www.msspalert.com/cybersecurity-markets/americas/cisa-budget-needs/.
45 Florian J. Egloff, “Public Attribution of Cyber Intrusions.”
46 “A Guide to Cyber Attribution,” Office of the Director of National Intelligence, September 14, 2018, https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf.
47 Ellen Nakashima, “Political Appointees, Career Analysts Clashed Over Assessments of Russian, Chinese Interference in 2020 Election,” Washington Post, January 8, 2021, https://www.washingtonpost.com/national-security/russia-china-election-interference-intelligence-assessment/2021/01/08/7dc844ce-5172-11eb-83e3-322644d82356_story.html; and National Intelligence Council, “Foreign Threats to the 2020 US Federal Elections,” March 10, 2021, https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf.