Skip to main content

Woburn, MA – June 22, 2022 – Kaspersky researchers have partnered with policy scholars at London School of Economics (LSE) to explore the role of cyber attribution and find ways technical attribution – conducting a technical investigation to identify who is behind a cyber-incident – can be made more transparent and understood by the wider public. In a paper submitted to the UN Open-ended Working Group (OEWG), the experts explained how technical attribution takes place, why its transparency is the key to further cyber stability and propose ways in which it can be made more accessible for a wider multi-stakeholder community.

When reports of a cyberattack appear in the headlines, questions arise around who launched the attack and why. However, the reasons for an attack are often left for speculation, by the world and by the victims themselves. Understanding the source and reason for these attacks enables organizations to build appropriate defenses, patch gaps and increase their cyber resilience. Policymakers and industry leaders are often eager to obtain this knowledge. It is here that the technical aspects of an attack play a significant role.

The paper reveals that cyber attribution is a complex process where technical, legal and political discussions intertwine to produce as complete a narrative of an attack as possible. One element is technical attribution, the process used by cybersecurity researchers, including Kaspersky experts, to analyze cyber incidents from a technical standpoint. The end result of this process is intelligence about the identity of the attackers – not the specific personalities within a group, but the technical details that distinguish a particular threat actor.

The authors argue that though cyber attribution, whether public or private, remains a sovereign prerogative of states, it may have far-reaching consequences for other stakeholders too. While legal and political parts of attribution rarely reach the wider public, technical attribution does, and this stage can be made more transparent and accessible, to help the wider community improve their defenses, as well as contributing to greater credibility of the analysis through additional reviews by other stakeholders.

The authors propose paths towards enhancing transparency in the technical attribution process, focusing on norm implementation (i.e., norm 13(b) of the UN GGE report concerning cyber attribution), more clarification and building consensus across the international community. Greater cooperation between vendors, the technical community, and states can improve the technical attribution process. If researchers have more information from various transparent and accessible sources from different states, they will be better equipped to prevent and defend against these attacks.

These strategies form a key aspect of the technical attribution process: they transcend individual incidents and aim to build knowledge that can be useful within a larger context. No single entity can be successful at attribution alone. Yet the authors stipulate the existence of transparent and accessible technical attribution among the international community is currently frozen, as nation states lack the political will to tie themselves to formal legal obligations in cyberspace.

“Technical attribution is not magic, but it is a difficult process that is impossible without sharing knowledge and experience,” said Anastasiya Kazakova, senior public affairs manager at Kaspersky. “Greater dialogue between security researchers, diplomats, and academia is a must to avoid their 'worlds' existing in silos. If technical attribution remains closed and conducted only within limited circles, victims and the rest of the world will be left in the dark. And, as we know, darkness wreaks havoc, it creates escalation and instability. We must unite our efforts and knowledge – it’s the only way to build a safer world.”

“The general public, as well as policymakers, are used to receiving attribution information from the cybersecurity field, either from media articles or vendor blogposts,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “It is difficult for them to assess this information without obtaining a greater knowledge of the general attribution process and its intrinsic ambiguities and tradeoffs. With this paper, we hope to provide a clearer understanding of how we approach this delicate question and view it as the first stepping-stone towards fostering discussion in the wider community - and eventually establish common practices in the industry.”

“There is a need for greater communication, transparency, and accessibility to information on cyber activity among states, while maintaining protection over sensitive data for the sake of national and individual security,” said Julia Ryng, project and research associate at LSE IDEAS. “The challenge here is great. However, this is not the first time the international community has faced issues that require capacity building and cooperation among public and private actors. This piece unpacks the complexity of technical attribution and points to existing cross-border and cross-industry mechanisms that we can learn from.”

"Cyberspace is a relatively new domain of international relations and it is through this paper that we hope to shed some light on the topic of technical attribution in cybersecurity,” said Kenddrick Chan, deputy head of the Digital International Relations project at LSE IDEAS. “We hope that it will spur further discussions between industry professionals and policymakers and eventually having in place institutional mechanisms that will bring about a safer and more secure cyberspace."

Read the full copy of the submission on Securelist.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at

Media Contact

Sawyer Van Horn

(781) 503-1866



Kaspersky and policy scholars tackle lack of transparency in cyber attribution

Kaspersky Logo