We’ve provided a glossary of definitions and tips for checking your information, but what is cyber attribution, really? How and why is it made?
Cyber attribution is rooted in a long history. Many cybersecurity scholars date the birth of the field to the “Cuckoo’s Egg,” an incident from the mid-1980s. Clifford Stoll, a scientist at Lawrence Berkeley National Laboratory, traced a discrepancy in the lab’s finances — a total of 75 cents — to hackers handing off files from the lab’s network to the KGB, and later wrote about his process. Since these early days of cyber attribution, new forms of attacks employed by new actors have opened the door for new methods, models and workflows to uncover their provenance and achieve attribution. At the same time, as Andrew Grotto writes in his recent paper on attribution, though there is overlap between these models, “they also reflect subtle but important biases about the means and ends of attribution as well as different evidentiary standards, target audiences, and models of communication for attribution claims.”
With this in mind, it is important for journalists to know the differences in how attribution is made, and the motivations and capabilities of the entities making the judgment, in order to weigh attribution claims in context. This page provides a brief overview of the different components of attribution: first, the types of operations, such as traditional cyber operations and cyber-enabled influence operations; and second, the frameworks analysts use to make an attribution, along with the different attribution lexicons and models. Finally, it presents three case studies under “Assigning Attributions” that apply the frameworks to different operations.