Government Agencies Workflow

The capabilities, access to information, motivations, interests and incentives of government agencies may look different from other entities that make attribution judgments. Government agencies may:

  • Make an attribution claim, but choose not to disclose classified information behind the claim or explain its methodology or sources.
  • Be incentivized to make a public stance of certainty, in order to head off skeptics or assure the public of its capabilities.
  • Have greater visibility in certain operations, such as influence operations, as they have access to account metadata that the public or other entities do not.
  • Avoid publicly pointing a finger at another nation-state due to foreign policy concerns.
  • Withhold public attribution to protect employees in certain countries.

How the story begins: A government agency issues a statement or gives a briefing that publicly names an actor behind a cyber incident. 

  1. Ask: Which agency issued the attribution judgment? For example, was it the State Department, or the FBI? Different agencies have different attribution capabilities and motivations. 
  1. Read the statement, or watch the full briefing. Look for:
    1. The data behind the attribution judgment.
    2. The methodology used to make the attribution judgment.
    3. The confidence level the agency expresses in the attribution judgment.
    4. The location of the named actor.
    5. The tactics that the named actor used. 
    6. The audience targeted by the activity.
  1. Ask the agency if they can provide any of the information from Step 2, if it has not been disclosed. If the agency can’t or won’t provide that information, make a note — this will be important to include in your story.  
  1. Contact cybersecurity experts and ask: 
    1. Does the government agency’s attribution judgment make sense, based on the information that has been made public? 
    2. Could there be an alternative explanation? If so, that should be included in your story. 
  1. If the attribution judgment is missing key evidence, it is OK to pass on the story. 
  1. If you decide to write the story about the statement or based on the statement, it should be clear about: 
    1. The agency’s confidence level in attribution judgment. 
    2. The methodology used to make the attribution judgment. 
    3. The information that the agency publicly disclosed in support of the attribution judgment.
    4. The information that the agency did not disclose, including:
      1. The information the agency declined to release, and why. 
      2. The information that was not disclosed because it could not be determined by the agency. 
    5. Alternative explanations for the activity, based on the evidence made public. 
  1. Your story should link to the agency statement or briefing, so readers can see the judgment and the supporting evidence provided. 
  2. Ask someone in your newsroom, or a cybersecurity expert, to “red team” your story.

For more about the motivations behind governments making or abstaining from claims on attribution, see our discussion of Andrew Grotto’s paper, “Deconstructing Cyber Attribution: A Proposed Framework and Lexicon,” on our ATTRIBUTION MODELS & FRAMEWORKS page, under UNDERSTANDING ATTRIBUTION.