Time
How important is the time constraint for attribution? How has the time constraint evolved? And what constitutes an appropriate time for attributing cyber attacks? Timing plays a significant role in attribution. The common assumption is that attribution is time-consuming, and warrants efforts to try to reduce the time it takes to identify instigators of cyber attacks. In the context of a national security incident, the rationale continues, this is problematic because fast reaction times are needed to ensure that any response will still be consistent with the fast-changing geopolitical context. Yet, counter-intuitively, focusing on time reduction can be misleading. In the national security context, timing matters, but not in terms of the measurable passage of time as much as in terms of external conjectures that influence the decision to attribute an act. Whether for a violent act of sabotage where the public expects a government reaction or for a less visible act of espionage, the time may not always be such that it is politically appropriate to attribute an attack. In this context, talking about reducing the time for attribution does not make much sense: such a proposal foregoes all the political elements that inform attribution, and over-emphasizes the technical aspect of attribution over the context in which an attack takes place.