Despite international agreement on norms for responsible state behavior in cyberspace, malicious cyber activity by state actors shows little sign of abating, raising urgent questions about accountability and whether law and norms carry any deterrent weight.  

An interactive workshop convened by the Stimson Center and the Cyber Policy Group as part of Geneva Cyber Week 2026 took up this challenge directly, examining the role that attribution plays in translating agreed law and norms into accountability mechanisms. The event was facilitated by Cyber Program Director Allison Pytlak (Stimson) and Christopher Painter (Cyber Policy Group). 

An opening panel featuring Gordon McCraken (Foreign, Commonwealth & Development Office – United Kingdom), Heli Tirma-Klaar (Cyber Policy Group, former Estonian Cyber Ambassador), and John Hering (Microsoft) outlined national, collective, and private sector approaches and perspectives on attribution. All stressed the central role of attribution in “turning on the lights” about who is responsible for a major cyber operation, but that it should not be viewed as an end in itself. Panelists variously noted that attribution can support deterrence against further attacks, improve transparency and accountability, inform response options, and reinforce the Framework for Responsible State Behavior in Cyberspace.  

Political attribution activities are calibrated, exist along a spectrum, and can take quieter or less overt forms than public “naming and shaming” statements, depending on the severity of the incident, scale of impact, and how it balances with other geopolitical factors or foreign policy goals. It was also noted that public statements are important for demonstrating accountability to the public, to victims, and to domestic constituencies — but the impact on behavioral change is not clear, and potentially waning. In that context, there was discussion about sanctions and other punitive tools.  

It is not uncommon to see public attribution statements published by groupings of states, rather than unilaterally, and the panel provided insights about the practicalities of such cooperation. Discussion also briefly noted the “free style” approaches taken by a small handful of states in making public political attribution despite not having formal national processes for doing so. Capacity-building that is inclusive of the technical, legal, and political dimensions of attribution are needed.  

Workshop participants then broke into small groups to discuss a case study in which several major metropolitan areas in a country experience sustained distributed denial-of-service (DDoS) attacks targeting public service and information portals over a period of several weeks. The disruptions affect access to transportation schedules, municipal payments, and health appointment systems, resulting in local frustration and disinformation narratives circulating online. 

A first round of discussion questions explored the “how” of attribution: what constitutes sufficient confidence for attribution in politically sensitive cyber incidents (both technically and politically) and whether any particular standard guides that judgment, as well as how private sector intelligence and actions factor into government decision-making and whether the severity of an incident or its direct impact on national territory shapes willingness to make or join a public attribution statement. 

A second round of discussion questions explored moving from attribution to accountability: Is a public or private approach more effective? Will public attribution meaningfully shape or change adversary behavior? What tools and actions beyond the attribution statement itself are available to states seeking to hold malicious actors to greater account? 

Key points of discussion included:  

• The potential role of public discontent and pressure, including possible media pressure, stemming from severity and impact of the incident.  
• Working with other relevant actors whether in government or the private sector to ascertain technical confidence and develop clarity about respective roles and responsibilities. 
• The feasibility and potential utility of “common evidentiary standards” or, in lieu of such standards, guidance.
• If public political attribution potentially undermines security or other objectives by giving credibility to the threat actor responsible.  
• The potential impact and value of retaliation through responsive cyber activity (i.e. “hack backs,” technical disruption, or similar), and what protocols exist for doing so at the national level, as well as related risks. 
• The importance of patching and incident response occurring alongside attribution efforts. 

During Geneva Cyber Week, Stimson also hosted an event promoting its 2025 report, Beyond Denial: Toward a Credible Cyber Deterrence Strategy. Report co-author Allison Pytlak presented arguments from the report, namely that stronger accountability mechanisms can act as a deterrent and identified strategies and considerations for moving in that direction. Cyber deterrence has a long and somewhat tortured history in cyber policymaking and academic research, because the primary characteristics of cyber operations and capabilities have rendered traditional approaches to deterrence inadequate or inapplicable.

The roundtable included opening remarks from three experts. John Hering (Microsoft) spoke about the realities of the cyber threat landscape and need for approaches that go beyond resilience. Christopher Painter (Cyber Policy Group) reflected on the U.S. context and evolution of deterrence strategies. Marius Houwen (EU Institute for Security Studies – EU Cyber Direct) provided considerations stemming from the EUISS’s project on accountability and deterrence and perspectives from Europe. The panel and ensuing discussion also reinforced that resilience remains important, as does diplomacy, even if other measures are needed to deter malicious activity. While “offensive” cyber operations seem to be a trending topic again amid a hardened geopolitical landscape, it is vital that such activities are undertaken responsibly and in conformity with international law and other standards.

Header image: Stimson Senior Fellow and Cyber Program Director Allison Pytlak speaking on a panel during Geneva Cyber Week. By Eliise Klaar