Sometimes, an attribution story begins when a prominent individual or group makes a public statement speculating on who might be behind a cyber incident or influence operation, but without issuing a report or other evidence to support the claim. Below is the recommended workflow.
How the story begins: An individual or a group uses language such as “probably X,” “we think it might be X” or “it could be X” to publicly speculate on the provenance of a cyber incident or an influence operation.
- If a source is publicly speculating on the parties behind a cyber incident or influence operation, but has not formally issued a report with an attribution judgment or released a dataset, ask for the methodology and proof behind their statement.
- If they are unable to provide this, consider carefully whether this speculation is worth reporting. Avoid amplifying attribution claims that are guesses without evidence.
- If you do decide that the speculation is newsworthy — perhaps because the person providing the conjecture is a prominent figure with a large audience, such as a politician claiming their campaign has been hacked — clearly state in your story that this is speculation.
- Reach out to the sites where the cyber incident or influence operation allegedly occurred, and ask if they have seen any evidence to support the speculation.
- If so, ask whether you can see the data.
- Either way, their answer should be included in the headline (for example, “Facebook says there is no evidence…”) and high up in the body of the story.
- Reach out to cybersecurity experts (and disinformation researchers, if this story involves an influence operation) to ask whether they have seen evidence to back up the speculation, or whether they can help explain any data provided by the sites in support of the speculation. The experts’ answer should be included in the body of the story.
- Ask someone in your newsroom, or a cybersecurity expert, to “red team” your story.