Attribution: Vital For Offense; Irrelevant For Defense

Traditional models of deterrence require that an attacker knows that there is a price to pay for engaging in a hostile act against another party. For this model to work, attribution is critical. Unfortunately, attribution is very hard to achieve when it comes to cyber attacks. When we speak about taking offensive action against another nation state, attribution correctly applied is VITAL. Correct attribution makes the attack justified. False attribution makes the attacking state an international pariah.

When we speak about how to defend our valuable assets from cyber attacks, we don't need to know attribution because the best defensive strategies don't rely upon knowing who your attacker is or even stopping the attack at the perimeter. The very best strategy today is one that is data-centric, not network-centric. When we consult with companies that have been victims of a breach, we do our best to identify who may have been responsible but we stress that regardless of who did it, the company should re-design its security framework to be data-centric, not network-centric. Then it won't matter who attacks you because regardless of who it is they most likely won't be leaving with what they came for.

So is attribution necessary? Yes and No. If you want to strike back, yes. If you want to stop an attack from being successful, no.