Public attribution of cyber incidents to nation-state actors is increasing. It is a challenging and important accountability function that is often performed by threat intelligence firms or other private actors, and less frequently by states. But is it time to institutionalize cyber attribution? The cybersecurity community has sporadically reflected on the idea. Several calls have been made for domestic or international attribution organization(s) to provide credible processes that go beyond technical measures. The feasibility of these ideas is only beginning to be examined in depth, and there is no systematic plan to evaluate them and then either discard them or find ways to implement them.
In this new white paper by the IGP, we explore the attribution challenge, review proposed models for new institutions, and sketch an agenda for future research. IGP’s expertise in the development of transnational institutions in the domain name space has direct policy relevance to this case. A new Transnational Attribution Institution (TAI) may be needed to align actor incentives and serve as a neutral global platform for performing authoritative public cyber-attributions that could hold offensive actors responsible and deter future cyber attacks.