Do you have the expertise or experience to conduct your own investigation into attribution, or to interpret the evidence of attribution you are offered?
If not, does your newsroom have reporters with the expertise to help you investigate or pull apart the data?
If not, are there researchers or other entities you can collaborate with, to help you make sense of the data?
If none of these resources are available, it’s okay to pass on the story.
When faced with evidence of an influence operation, do not automatically assume that a foreign actor is responsible. Domestic actors can and do benefit from carrying out influence operations against people in their own country. (For an example, see Thomas Rid’s examination of how the “Ukraine interfered in the 2016 US election” theory was propagated.) There are implications to accusing a state: use extreme caution.
Avoid mistaking foreign policy considerations for hard evidence of attribution. A state actor may have a geopolitical interest in launching a cyber incident or an influence operation — but that motivation alone does not mean that they are responsible. Stoking fears of foreign influence operations where there aren’t any, or misattributing operations to the wrong actor, can be damaging to the public’s trust in democratic institutions.
Fight the urge to rush the piece out. Investigations take time, and so will your story on attribution. Your story will benefit from you speaking to multiple cybersecurity experts, and (if applicable) to platforms and disinformation researchers. If your piece is going to attribute (or amplify someone else’s attribution) to a specific actor, do not fast-track the piece no matter how obvious the answer may seem.
While writing the story:
Always link to the report, study or takedown announcement you are citing. Let the public see the report and draw its own conclusions about the report’s reliability.
Clearly explain the attribution judgment. Tell readers what the report says about:
The actors that carried out the cyber incident.
The parties that directed the incident.
Where the incident occurred.
When the incident occurred.
Who the incident targeted.
Details about the threat actors’ behavior and anything unique to this operation.
State the confidence level clearly. An organization that provides an attribution judgment should, ideally, include in its report a statement of its level of confidence in its judgment: high, moderate or low. Always search the report for the confidence level; if the report does not state the confidence level, ask the party that made the attribution judgment.
But be careful about how you frame your story even if there is a “high confidence” judgment. Even with this confidence level, there is still a chance the judgment is wrong.
Be careful about describing organizations and individuals that make attributions. If the organization or individual is a political operative or an activist group, state that. Avoid using terms like “investigator” or “researcher” to describe them.
If you attempt to make your own attribution judgment, consult outside experts on the methods and tools you should use.
Always have someone “red team” your conclusions. Run your reporting by people in your newsroom who have experience with reporting on cybersecurity and cyber attribution issues. Reach out to external sources (academics and other experts in the field) and ask them to play devil’s advocate. Ask them to:
Look at the dataset.
Suggest possible alternative explanations or attributions for the cyber incident or influence operation in question.
Help you weigh the strengths and weaknesses of the attribution evidence you are citing.
Be extra diligent if you are the first to break the story. Make sure the attribution judgment you are covering (or making) is airtight. Other articles will summarize, or cite to, your story.
Scrutinize the evidence if you are expanding on existing coverage. If you are not breaking the story of an attribution judgment, closely inspect the attribution judgment in the original story. Talk to independent experts and ask for their opinion of the original story. Be cautious about amplifying stories where the attribution is not fully confirmed.