TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Application Security Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit by Jai Vijayan Mar 24, 2026 5 Min Read Application Security How AI Coding Tools Crushed the Endpoint Security Fortress How AI Coding Tools Crushed the Endpoint Security Fortress by Rob Wright Mar 24, 2026 5 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America Recent in World See All Application Security Real-Time Banking Trojan Strikes Brazil's Pix Users Real-Time Banking Trojan Strikes Brazil's Pix Users by Alexander Culafi Mar 13, 2026 4 Min Read Threat Intelligence Iran's Cyber-Kinetic War Doctrine Takes Shape Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi Mar 6, 2026 4 Min Read The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Partner Perspectives Dark Reading Resource Library Cyber Risk Threat Intelligence Cybersecurity Operations Vulnerabilities & Threats News Blame Game: Why Public Cyber Attribution Carries Risks Publicly accusing an entity of a cyberattack could have negative consequences that organizations should consider before taking the plunge. Alexander Culafi , Senior News Writer , Dark Reading March 25, 2026 4 Min Read Source: designer491 via Alamy Stock Photo RSAC 2026 CONFERENCE – San Francisco – Questions about threat actor attribution, including how to do it and why you might want to hold off, are not as straightforward as they may first seem. Attribution is a wide-ranging topic that mostly boils down to "Whodunnit?" for cyberattacks. Depending on the attack and various circumstances, you may read somewhere that a bespoke threat group, such as a ransomware gang, compromised an organization's network. Sometimes it's a "cluster," designed to connect a pattern of activity without strictly connecting a threat actor or nation to that activity with complete certainty. Often, a cybersecurity vendor will use their own custom naming taxnomy to track threat groups, like Salt Typhoon or Sandworm , even though the threat actors themselves would never use those names. This gets more complicated when those names are used both as an internal signifier to describe a pattern of activity as well as a vendor marketing tool to share research or present a threat. Related: Why a 'Near Miss' Database Is Key to Improving Information Sharing A panel at RSAC 2026 Conference , titled "We Think It Was Them: The Perils of Attribution in Public Statements," dug into some of the questions of attribution that are not always asked: How often is attribution a sure thing? Should you always publicly attribute? What are the risks of attempting to attribute a threat actor? Axios reporter Sam Sabin hosted the panel, which featured FTI Consulting senior advisor Brett Callow, Institute for Security and Technology chief strategy officer Megan Stifel, and Cooley LLP partner Mike Egan. Misconceptions Surrounding Threat Actor Attribution Callow said that when it comes to attribution, a common misconception is that the process is definitive rather than probabilistic. He said it is almost always a case of it being "more likely than not that a particular entity was responsible, but that nuance doesn't always get carried out." Egan agreed, saying it's rarely 100% clear an attacker conducted an attack unless the attacker wants their involvement known. That's without even considering the propensity for entities like ransomware groups to lie and take credit for attacks they might not be responsible for — another complicating factor in attribution. He added that for some of his legal clients, a recurring misconception has been that attribution may divert responsibility from the defender and improve the narrative surrounding an attack because it gives the impression that there was no way to avoid something so sophisticated. "We've had instances of that in the past where the FBI has come out and told the company, 'Listen, 99% of companies wouldn't be able to withstand this attack. This is a pure nation-state attack.' I get the attraction behind that, but it changes the narrative a bit and then can make some people a little bit more concerned," Egan explained. "Now all of a sudden, we're not talking about just a personal data breach and something bigger, and that story sticks around longer." Related: Ex-NSA Directors Discuss 'Red Line' for Offensive Cyberattacks Attribution and Risk While firmly attributing an attack can seem appealing, the panelists said there are consequences to consider. Callow said that on the whole, definitive attribution is "extremely risky" because it means bringing third parties into the discussion. "That could be a nation or it could be a for-profit criminal enterprise. In either case, whatever you say to them can attract considerable blowback and invite comments," he said. Attribution may also impact things like cyber insurance coverage , the panelists said. For example, some insurance claims from victims of the NotPetya ransomware attacks in 2017 initially denied because the providers argued that the policies didn't cover acts of war. The ransomware attacks were initially directed at Ukraine before spreading to other countries and were attributed to Russian nation-state actors, specifically the notorious Sandworm threat group. Related: With Government's Role Uncertain, Businesses Unite to Combat Fraud However, there can also be risks to not attributing an attack. Stifel, who was previously an attorney in the National Security Division at the U.S. Department of Justice (DOJ), pointed out that, depending on the attack, if an organization declines to make an attribution case, that could signal acceptance or even assent of the behavior. Sabin asked about situations where an entity (like a government, company, or a victim organization) isn't ready to make a concrete attribution but reality gets in the way; for example, if a reporter gets a scoop that an attack took place, it could put pressure on the victim organization. There are obvious risks for prematurely attributing an attack, even though victims mayt not want someone else to set a narrative for them. All three panelists approached the question from a different angle. Stifel said that one option is to simply say "no comment" or acknowledge that the party is aware of reports or that an incident has occurred, and that investigation is ongoing. Egan, speaking from a legal perspective, advocated for keeping clients on the "no comment" line and letting the investigation play out. "Oftentimes the best answer is no answer. We're concentrating on the investigation." Callow disagreed, at least in part. "I don't think no comment is ever a good response. If you don't fill that gap, somebody else will," he said. "You don't necessarily have to attribute the attack, but you should, for example, say the investigation is ongoing." RSAC Conference Mar 23, 2026 TO Mar 26, 2026 Join thousands of your peers at RSAC™ 2026 Conference in San Francisco from March 23–26. Discover new strategies, explore bold technologies, and connect with peers who share your challenges and ambitions. Don’t just attend the Conference—be part of the community that defines what’s next. Secure Your Spot Secure Your Spot About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels. See more from Alexander Culafi Want more Dark Reading stories in your Google search results? Add Us Now More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars Editor's Choice Cybersecurity Operations Why Stryker's Outage Is a Disaster Recovery Wake-Up Call Why Stryker's Outage Is a Disaster Recovery Wake-Up Call by Jai Vijayan Mar 12, 2026 5 Min Read Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks Threat Intelligence Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats Jan 2,