Abstract
Attribution is central to cybersecurity politics. It establishes a link between technical occurrences and political consequences by reducing the uncertainty about who is behind an intrusion and what the likely intent was, ultimately creating cybersecurity “truths” with political consequences. In a critical security studies’ spirit, we purport that the “truth” about cyber-incidents that is established through attribution is constructed through a knowledge creation process that is neither value-free nor purely objective but built on assumptions and choices that make certain outcomes more or less likely. We conceptualize attribution as a knowledge creation process in three phases – incident creation, incident response, and public attribution – and embark on identifying who creates what kind of knowledge in this process, when they do it, and on what kind of assumptions and previous knowledge this is based on. Using assemblage theory as a backdrop, we highlight attribution as happening in complex networks that are never stable but always shifting, assembled, disassembled and reassembled in different contexts, with multiple functionalities. To illustrate, we use the intrusions at the US Office of Personnel Management (OPM) discovered in 2014 and 2015 with a focus on three factors: assumptions about threat actors, entanglement of public and private knowledge creation, and self-reflection about uncertainties. When it comes to attribution as knowledge creation processes, we critique the strong focus on existing enemy images as potentially crowding out knowledge on other threat actors, which in turn shapes the knowledge structure about security in cyberspace. One remedy, so we argue, is to bring in additional data collectors from the academic sector who can provide alternative interpretations based on independent knowledge creation processes.