Spectrum of State Responsibility for Cyberattacks

Attribution of cyberattacks is the process of identifying the party responsible for them. Often, cyberattacks are defined as either state-sponsored (conducted by a government) or not (sometimes called commodity cybercrime). However, this binary is too simplistic. In reality, governments can have varying degrees of involvement in, or resistance to, cyber operations that occur within their borders. The Spectrum of State Responsibility provides labels that describe this range more realistically, and can be useful for cyber threat intelligence analysts.


3 parties are described in The Spectrum of State Responsibility:

The categories describe the roles of the first 2 parties. In the first 2 categories, the government is trying to stop attacks within its borders; in the remaining categories, the government is ignoring, aiding, or directly conducting the attack.

In terms of responsibility, the government in the first 2 categories has only very passive responsibility. In the remaining categories, the government bears responsibility in increasing degrees.

Cyber threat intelligence analysts and others involved in attribution and communication about cyberattacks should use language that represents this spectrum. It isn’t necessary to use these particular terms (they’re not standardized); the important thing is to recognize the range.

Also, realize that the different categories present different risks. Ensure your analysis and communication reflect that.

Additional Resources

Beyond Attribution: Seeking National Responsibility for Cyber Attacks (PDF)



Chad Warner

Seeking a cyber threat intelligence (CTI) or OSINT job. I'm a CTI, OSINT, & cybersecurity enthusiast; bookworm; and fan of Tolkien & LEGO.