
Blame Game: Why Public Cyber Attribution Carries Risks

Source: Dark Reading. Archived Mar 25, 2026.

Publicly accusing an entity of a cyberattack could have negative consequences that organizations should consider before taking the plunge.


Alexander Culafi, Senior News Writer, Dark Reading
March 25, 2026

RSAC 2026 CONFERENCE – San Francisco – Questions about threat actor attribution, including how to do it and why you might want to hold off, are not as straightforward as they may first seem.

Attribution is a wide-ranging topic that mostly boils down to "Whodunnit?" for cyberattacks. Depending on the attack and various circumstances, you may read somewhere that a bespoke threat group, such as a ransomware gang, compromised an organization's network. Sometimes it's a "cluster," designed to connect a pattern of activity without strictly connecting a threat actor or nation to that activity with complete certainty.

Often, a cybersecurity vendor will use their own custom naming taxonomy to track threat groups, like Salt Typhoon or Sandworm, even though the threat actors themselves would never use those names. This gets more complicated when those names are used both as an internal signifier to describe a pattern of activity and as a vendor marketing tool to share research or present a threat.

A panel at RSAC 2026 Conference, titled "We Think It Was Them: The Perils of Attribution in Public Statements," dug into some of the questions of attribution that are not always asked: How often is attribution a sure thing? Should you always publicly attribute? What are the risks of attempting to attribute a threat actor?

Axios reporter Sam Sabin hosted the panel, which featured FTI Consulting senior advisor Brett Callow, Institute for Security and Technology chief strategy officer Megan Stifel, and Cooley LLP partner Mike Egan.

Misconceptions Surrounding Threat Actor Attribution

Callow said that when it comes to attribution, a common misconception is that the process is definitive rather than probabilistic. He said it is almost always a case of it being "more likely than not that a particular entity was responsible, but that nuance doesn't always get carried out."

Egan agreed, saying it's rarely 100% clear an attacker conducted an attack unless the attacker wants their involvement known. That's without even considering the propensity for entities like ransomware groups to lie and take credit for attacks they might not be responsible for — another complicating factor in attribution.

He added that for some of his legal clients, a recurring misconception has been that attribution may divert responsibility from the defender and improve the narrative surrounding an attack because it gives the impression that there was no way to avoid something so sophisticated.

"We've had instances of that in the past where the FBI has come out and told the company, 'Listen, 99% of companies wouldn't be able to withstand this attack. This is a pure nation-state attack.' I get the attraction behind that, but it changes the narrative a bit and then can make some people a little bit more concerned," Egan explained. "Now all of a sudden, we're not talking about just a personal data breach and something bigger, and that story sticks around longer."

Attribution and Risk

While firmly attributing an attack can seem appealing, the panelists said there are consequences to consider. Callow said that, on the whole, definitive attribution is "extremely risky" because it means bringing third parties into the discussion.

"That could be a nation or it could be a for-profit criminal enterprise. In either case, whatever you say to them can attract considerable blowback and invite comments," he said.

Attribution may also impact things like cyber insurance coverage, the panelists said. For example, some insurance claims from victims of the NotPetya ransomware attacks in 2017 were initially denied because the providers argued that the policies didn't cover acts of war. The ransomware attacks were initially directed at Ukraine before spreading to other countries and were attributed to Russian nation-state actors, specifically the notorious Sandworm threat group.

However, there can also be risks to not attributing an attack. Stifel, who was previously an attorney in the National Security Division at the U.S. Department of Justice (DOJ), pointed out that, depending on the attack, if an organization declines to make an attribution case, that could signal acceptance of or even assent to the behavior.

Sabin asked about situations where an entity (like a government, company, or a victim organization) isn't ready to make a concrete attribution but reality gets in the way; for example, if a reporter gets a scoop that an attack took place, it could put pressure on the victim organization. There are obvious risks to prematurely attributing an attack, even though victims may not want someone else to set a narrative for them.

All three panelists approached the question from a different angle. Stifel said that one option is to simply say "no comment" or acknowledge that the party is aware of reports or that an incident has occurred, and that the investigation is ongoing.

Egan, speaking from a legal perspective, advocated for keeping clients on the "no comment" line and letting the investigation play out. "Oftentimes the best answer is no answer. We're concentrating on the investigation."

Callow disagreed, at least in part.

"I don't think 'no comment' is ever a good response. If you don't fill that gap, somebody else will," he said. "You don't necessarily have to attribute the attack, but you should, for example, say the investigation is ongoing."