In the last few years there has been an increase in public attribution of cyber incidents, where a government utilises a combination of technical evidence and intelligence assessments to publicly link those incidents to another state or to a state-sponsored actor. In 2025, at least seven states – including China, the Czech Republic, France and Singapore – have issued their first public attributions or made accusatory statements that were more explicit than before. In 2024, five states made public attributions for the first time, including Estonia, Palau and the Philippines. Since 2020, IISS research has identified 188 instances in which 47 states, along with the European Union and NATO, have sought to publicly attribute cyber incidents to other states. There is significant variation in how specifically states identify the actor responsible and in the amount of evidence they choose to present. When highlighting the malicious activity, states may choose to present only a limited amount of the evidence they possess, relying on their political credibility to support their claims. To demonstrate links between identified threat actors and state sponsors – and to highlight their own investigative capabilities – they often present intelligence assessments. To trigger sanctions or criminal indictments, attributions need to be backed by substantive evidence.
Reframing cyber attribution (Virpratap Vikram Singh – IISS)
Related articles
