{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,3]],"date-time":"2026-03-03T01:45:31Z","timestamp":1772502331405,"version":"3.50.1"},"reference-count":83,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2021,5,1]],"date-time":"2021-05-01T00:00:00Z","timestamp":1619827200000},"content-version":"vor","delay-in-days":120,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,2,16]]},"abstract":"Abstract<\/jats:title>Attribution is central to cybersecurity politics. It establishes a link between technical occurrences and political consequences by reducing the uncertainty about who is behind an intrusion and what the likely intent was, ultimately creating cybersecurity \u201ctruths\u201d with political consequences. In a critical security studies\u2019 spirit, we purport that the \u201ctruth\u201d about cyber-incidents that is established through attribution is constructed through a knowledge creation process that is neither value-free nor purely objective but built on assumptions and choices that make certain outcomes more or less likely. We conceptualize attribution as a knowledge creation process in three phases \u2013 incident creation, incident response, and public attribution \u2013 and embark on identifying who creates what kind of knowledge in this process, when they do it, and on what kind of assumptions and previous knowledge this is based on. Using assemblage theory as a backdrop, we highlight attribution as happening in complex networks that are never stable but always shifting, assembled, disassembled and reassembled in different contexts, with multiple functionalities. To illustrate, we use the intrusions at the US Office of Personnel Management (OPM) discovered in 2014 and 2015 with a focus on three factors: assumptions about threat actors, entanglement of public and private knowledge creation, and self-reflection about uncertainties. When it comes to attribution as knowledge creation processes, we critique the strong focus on existing enemy images as potentially crowding out knowledge on other threat actors, which in turn shapes the knowledge structure about security in cyberspace. One remedy, so we argue, is to bring in additional data collectors from the academic sector who can provide alternative interpretations based on independent knowledge creation processes.<\/jats:p>","DOI":"10.1093\/cybsec\/tyab002","type":"journal-article","created":{"date-parts":[[2021,5,1]],"date-time":"2021-05-01T15:54:51Z","timestamp":1619884491000},"source":"Crossref","is-referenced-by-count":23,"title":["Attribution and Knowledge Creation Assemblages in Cybersecurity Politics"],"prefix":"10.1093","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0290-667X","authenticated-orcid":false,"given":"Florian J","family":"Egloff","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3775-1284","authenticated-orcid":false,"given":"Myriam","family":"Dunn Cavelty","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2021,4,30]]},"reference":[{"key":"2021070819462572100_tyab002-B1","author":"Raiu","year":"2018"},{"key":"2021070819462572100_tyab002-B2","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1080\/01402390.2014.977382","article-title":"Attributing cyber attacks","volume":"38","author":"Rid","year":"2015","journal-title":"J Strateg Stud"},{"key":"2021070819462572100_tyab002-B3","first-page":"75","article-title":"Attribution of malicious cyber incidents: from soup to nuts","volume":"70","author":"Lin","year":"2016","journal-title":"J Int Aff"},{"key":"2021070819462572100_tyab002-B4","doi-asserted-by":"crossref","first-page":"441","DOI":"10.1017\/S0892679418000618","article-title":"Toward a human-centric approach to cybersecurity","volume":"32","author":"Deibert","year":"2018","journal-title":"Ethics Int Aff"},{"key":"2021070819462572100_tyab002-B5","doi-asserted-by":"crossref","first-page":"213","DOI":"10.1017\/aju.2019.33","article-title":"Decentralized cyberattack attribution","volume":"113","author":"Eichensehr","year":"2019","journal-title":"AJIL Unbound"},{"key":"2021070819462572100_tyab002-B6","first-page":"520","article-title":"The law & politics of cyberattack attribution","volume":"67","author":"Eichensehr","year":"2020","journal-title":"UCLA Law Rev"},{"key":"2021070819462572100_tyab002-B7","doi-asserted-by":"crossref","first-page":"969","DOI":"10.1093\/ejil\/chaa056","article-title":"Beyond naming and shaming: accusations and international law in cybersecurity","volume":"31","author":"Finnemore","year":"2020","journal-title":"Eur J Int Law"},{"key":"2021070819462572100_tyab002-B8","doi-asserted-by":"crossref","DOI":"10.1017\/9781108780605","volume-title":"Cyber Operations and International Law. Cambridge Studies in International and Comparative Law","author":"Delerue","year":"2020"},{"key":"2021070819462572100_tyab002-B9","doi-asserted-by":"crossref","first-page":"51","DOI":"10.4337\/cilj.2020.01.03","article-title":"Attribution of cyber operations: an international law perspective on the Park Jin Hyok Case","volume":"9","author":"Mikanagi","year":"2020","journal-title":"Camb Int Law J"},{"key":"2021070819462572100_tyab002-B10","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-662-61313-9","volume-title":"Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage","author":"Steffens","year":"2020"},{"key":"2021070819462572100_tyab002-B11","volume-title":"Is It Time to Institutionalize Cyber-Attribution?, Internet Governance Project White Paper","author":"Grindal","year":"2018"},{"key":"2021070819462572100_tyab002-B12","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/MSEC.2019.2938134","article-title":"Deconstructing cyber attribution: a proposed framework and lexicon","volume":"18","author":"Grotto","year":"2020","journal-title":"IEEE Secur Priv"},{"key":"2021070819462572100_tyab002-B13","first-page":"1","volume-title":"Virus Bulletin Conference","author":"Guerrero-Saade","year":"2018"},{"key":"2021070819462572100_tyab002-B14","first-page":"1","article-title":"Walking in your enemy's shadow: when fourth-party collection becomes attribution hell. In:","volume-title":"Virus Bulletin Conference","author":"Guerrero-Saade","year":"2017"},{"key":"2021070819462572100_tyab002-B15","first-page":"1","article-title":"Wave your false flags! deception tactics muddying attribution in targeted attacks","volume-title":"Virus Bulletin Conference","author":"Bartholomew","year":"2016"},{"key":"2021070819462572100_tyab002-B16","first-page":"1","article-title":"The ethics and perils of apt research: an unexpected transition into intelligence brokerage","volume-title":"Virus Bulletin Conference","author":"Guerrero-Saade","year":"2015"},{"key":"2021070819462572100_tyab002-B17","first-page":"53","article-title":"Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack","volume":"1","author":"Lindsay","year":"2015","journal-title":"J Cybersecur"},{"key":"2021070819462572100_tyab002-B18","first-page":"1","article-title":"Private-sector attribution of cyber incidents: benefits and risks to the U.S. Government","author":"Romanosky","year":"2020","journal-title":"Int J Intell CounterIntelligence"},{"key":"2021070819462572100_tyab002-B19","first-page":"322","article-title":"The \u201cAttribution Problem\u201d and the social construction of \u201cViolence\u201d: taking cyber deterrence literature a step forward","volume":"17","author":"Lupovici","year":"2016","journal-title":"Int Stud Perspect"},{"key":"2021070819462572100_tyab002-B20","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1093\/cybsec\/tyaa012","article-title":"Public attribution of cyber intrusions","volume":"6","author":"Egloff","year":"2020","journal-title":"J Cybersecur"},{"key":"2021070819462572100_tyab002-B21","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1080\/13523260.2019.1677324","article-title":"Contested public attributions of cyber incidents and the role of academia","volume":"41","author":"Egloff","year":"2020","journal-title":"Contemp Secur Policy"},{"key":"2021070819462572100_tyab002-B22","author":"Egloff","year":"2018"},{"key":"2021070819462572100_tyab002-B23","author":"Roth"},{"key":"2021070819462572100_tyab002-B24","first-page":"1","article-title":"Cyber campaigns and strategic outcomes","author":"Harknett","year":"2020","journal-title":"J Strateg Stud"},{"key":"2021070819462572100_tyab002-B25","doi-asserted-by":"crossref","first-page":"317","DOI":"10.1177\/0022002717737138","article-title":"Invisible digital front: can cyber attacks shape battlefield events?","volume":"63","author":"Kostyuk","year":"2019","journal-title":"J Conflict Resolut"},{"key":"2021070819462572100_tyab002-B26","doi-asserted-by":"crossref","first-page":"655","DOI":"10.1177\/0162243913480049","article-title":"The raw is cooked: data in intelligence practice","volume":"38","author":"R\u00e4s\u00e4nen","year":"2013","journal-title":"Sci Technol Human Values"},{"key":"2021070819462572100_tyab002-B27","doi-asserted-by":"crossref","DOI":"10.1515\/9781474413640","volume-title":"Assemblage Theory","author":"DeLanda","year":"2016"},{"key":"2021070819462572100_tyab002-B28","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1080\/13523260.2019.1678855","article-title":"Cybersecurity meets security politics: complex technology, fragmented politics, and networked science","volume":"41","author":"Dunn Cavelty","year":"2019","journal-title":"Contemp Secur Policy"},{"key":"2021070819462572100_tyab002-B29","volume-title":"Cybersecurity and the Politics of Time","author":"Stevens","year":"2016"},{"key":"2021070819462572100_tyab002-B30","doi-asserted-by":"crossref","first-page":"176","DOI":"10.1017\/eis.2016.8","article-title":"A theory of actor-network for cyber-security","volume":"1","author":"Balzacq","year":"2016","journal-title":"Eur J Int Secur"},{"key":"2021070819462572100_tyab002-B31","doi-asserted-by":"crossref","first-page":"13","DOI":"10.17645\/pag.v6i2.1324","article-title":"Cybersecurity assemblages: a framework for understanding the dynamic and contested nature of security provision","volume":"6","author":"Collier","year":"2018","journal-title":"Politics Gov"},{"key":"2021070819462572100_tyab002-B32","doi-asserted-by":"crossref","first-page":"31","DOI":"10.17645\/pag.v6i2.1329","article-title":"Enacting expertise: ritual and risk in cybersecurity","volume":"6","author":"Shires","year":"2018","journal-title":"Politics Gov"},{"key":"2021070819462572100_tyab002-B33","doi-asserted-by":"crossref","first-page":"129","DOI":"10.1080\/13523260.2019.1675258","article-title":"Assembling cybersecurity: the politics and materiality of technical malware reports and the case of Stuxnet","volume":"41","author":"Stevens","year":"2019","journal-title":"Contemp Secur Policy"},{"key":"2021070819462572100_tyab002-B34","doi-asserted-by":"crossref","first-page":"108","DOI":"10.1080\/13523260.2019.1669336","article-title":"50 shades of hacking: how IT and cybersecurity industry actors perceive good, bad, and former hackers","volume":"41","author":"Tanczer","year":"2020","journal-title":"Contemp Secur Policy"},{"key":"2021070819462572100_tyab002-B35","doi-asserted-by":"crossref","first-page":"301","DOI":"10.1177\/0095327X15572997","article-title":"The impact of cyber conflict on international interactions","volume":"42","author":"Maness","year":"2016","journal-title":"Armed Forces Soc"},{"key":"2021070819462572100_tyab002-B36","doi-asserted-by":"crossref","first-page":"452","DOI":"10.1080\/09636412.2017.1306396","article-title":"The logic of coercion in cyberspace","volume":"26","author":"Borghard","year":"2017","journal-title":"Secur Stud"},{"key":"2021070819462572100_tyab002-B37","doi-asserted-by":"crossref","DOI":"10.2307\/j.ctt1trkjd1","volume-title":"The Virtual Weapon and International Order","author":"Kello","year":"2017"},{"key":"2021070819462572100_tyab002-B38","first-page":"69","volume-title":"Dialogues","author":"Deleuze","year":"2002"},{"key":"2021070819462572100_tyab002-B39","doi-asserted-by":"crossref","first-page":"24","DOI":"10.3368\/ss.46.1.21","article-title":"What is an assemblage?","volume":"46","author":"Nail","year":"2017","journal-title":"SubStance"},{"key":"2021070819462572100_tyab002-B40","doi-asserted-by":"crossref","DOI":"10.2307\/j.ctt32bbxc","volume-title":"Laboratory Life: The Construction of Scientific Facts","author":"Latour","year":"2013"},{"key":"2021070819462572100_tyab002-B41","doi-asserted-by":"crossref","first-page":"61","DOI":"10.1080\/23738871.2018.1467942","article-title":"Unpacking cyber norms: private companies as norm entrepreneurs","volume":"3","author":"Hurel","year":"2018","journal-title":"J Cyber Policy"},{"key":"2021070819462572100_tyab002-B42","author":"Gorwa"},{"key":"2021070819462572100_tyab002-B43","first-page":"1","volume-title":"CSS Analyses in Security Policy No. 244","author":"Egloff","year":"2019"},{"key":"2021070819462572100_tyab002-B44","author":"Solomon","year":"2018"},{"key":"2021070819462572100_tyab002-B45","first-page":"107","article-title":"Cyber attribution: can a new institution achieve transnational credibility?","volume":"4","author":"Mueller","year":"2019","journal-title":"Cyber Defense Rev"},{"key":"2021070819462572100_tyab002-B46","doi-asserted-by":"crossref","first-page":"197","DOI":"10.1017\/CBO9781107281837.012","volume-title":"The Return of the Public in Global Governance","author":"Leander","year":"2014"},{"key":"2021070819462572100_tyab002-B47","doi-asserted-by":"crossref","first-page":"487","DOI":"10.1080\/08850600802046939","article-title":"The active management of uncertainty","volume":"21","author":"Canton","year":"2008","journal-title":"Int J Intell CounterIntelligence"},{"key":"2021070819462572100_tyab002-B48","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1177\/0162243919901159","article-title":"Governing uncertainty or uncertain governance? information security and the challenge of cutting ties","volume":"46","author":"Slayton","year":"2021","journal-title":"Sci Technol Human Values"},{"key":"2021070819462572100_tyab002-B49","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1080\/02684527.2012.661646","article-title":"Intelligence failures: what are they really and what do we do about them?","volume":"27","author":"Jensen","year":"2017","journal-title":"Intell Natl Secur"},{"key":"2021070819462572100_tyab002-B50","author":"Kent","year":"1964"},{"key":"2021070819462572100_tyab002-B51","author":"Joyce","year":"2016"},{"key":"2021070819462572100_tyab002-B52","first-page":"153","volume-title":"A Sociology of Monsters: Essays on Power, Technology and Domination, Sociological Review Monograph","author":"Callon","year":"1991"},{"key":"2021070819462572100_tyab002-B53","volume-title":"Pandora's Hope: Essays on the Reality of Science Studies","author":"Latour","year":"1999"},{"key":"2021070819462572100_tyab002-B54","doi-asserted-by":"crossref","first-page":"346","DOI":"10.1111\/ips.12026_1","article-title":"\u201cActor-Network Theory\u201d and international relationality: lost (and found) in translation: introduction","volume":"7","author":"Best","year":"2013","journal-title":"Int Politic Sociol"},{"key":"2021070819462572100_tyab002-B55","author":"FOR508. Advanced Incident Response, Threat Hunting, and Digital Forensics"},{"key":"2021070819462572100_tyab002-B56","author":"FOR572. Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response"},{"key":"2021070819462572100_tyab002-B57","author":"FOR578. Cyber Threat Intelligence"},{"key":"2021070819462572100_tyab002-B58","doi-asserted-by":"crossref","first-page":"278","DOI":"10.1080\/08850607.2019.1690877","article-title":"Evaluating commercial cyber intelligence activity","volume":"33","author":"Work","year":"2020","journal-title":"Int J Intell CounterIntelligence"},{"key":"2021070819462572100_tyab002-B59","first-page":"433","volume-title":"Proceedings of the 29th USENIX Security Symposium","author":"Bouwman","year":"2020"},{"key":"2021070819462572100_tyab002-B60","volume-title":"ISO\/IEC 27000:2018","author":"ISO","year":"2018"},{"key":"2021070819462572100_tyab002-B61","author":"Exemplary, see Security and Exchange Commission"},{"key":"2021070819462572100_tyab002-B62","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/MSP.2011.67","article-title":"Stuxnet: dissecting a cyberwarfare weapon","volume":"9","author":"Langner","year":"2011","journal-title":"IEEE Secur Privacy"},{"key":"2021070819462572100_tyab002-B63","doi-asserted-by":"crossref","first-page":"365","DOI":"10.1080\/09636412.2013.816122","article-title":"Stuxnet and the limits of cyber warfare","volume":"22","author":"Lindsay","year":"2013","journal-title":"Secur Stud"},{"key":"2021070819462572100_tyab002-B64","doi-asserted-by":"crossref","first-page":"72","DOI":"10.1162\/ISEC_a_00267","article-title":"What is the cyber offense-defense balance? Conceptions, causes, and assessment","volume":"41","author":"Slayton","year":"2017","journal-title":"Int Secur"},{"key":"2021070819462572100_tyab002-B65","author":"U.S. Cyber Command","year":"2018"},{"key":"2021070819462572100_tyab002-B66","author":"Libicki"},{"key":"2021070819462572100_tyab002-B67","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1080\/00396338.2018.1542804","article-title":"The demilitarisation of cyber conflict","volume":"60","author":"Boeke","year":"2018","journal-title":"Survival"},{"key":"2021070819462572100_tyab002-B68","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1080\/13523260.2019.1677389","article-title":"The unexpected norm-setters: intelligence agencies in cyberspace","volume":"41","author":"Georgieva","year":"2020","journal-title":"Contemp Secur Policy"},{"key":"2021070819462572100_tyab002-B69","volume-title":"International Studies Review","author":"Egloff","year":"2020"},{"key":"2021070819462572100_tyab002-B70","volume-title":"Texas National Security Review","author":"Chesney","year":"2020"},{"key":"2021070819462572100_tyab002-B71","first-page":"1","article-title":"Cyber conflict vs. cyber command: hidden dangers in the american military solution to a large-scale intelligence problem","volume":"36","author":"Lindsay","year":"2020","journal-title":"Intell Natl Secur"},{"key":"2021070819462572100_tyab002-B72","volume-title":"The OPM Data Breach: How the Government Jeopardized Our National Security for More Than a Generation","author":"U.S. Congress, House of Representatives, Committee on Oversight and Government Reform","year":"2016"},{"key":"2021070819462572100_tyab002-B73","author":"Written testimony of Dr. Andy Ozment, Assistant Secretary for Cybersecurity and Communications, U.S. Department of Homeland Security"},{"key":"2021070819462572100_tyab002-B74","author":"H. Comm. On Oversight and Gov\u2019t Reform"},{"key":"2021070819462572100_tyab002-B75","author":"AAR Timeline\u2014Unknown SSL Certificate"},{"key":"2021070819462572100_tyab002-B76","author":"Chinese hackers go after U.S. workers\u2019 personal data"},{"key":"2021070819462572100_tyab002-B77","author":"The Anthem Hack: All Roads Lead to China"},{"key":"2021070819462572100_tyab002-B78","author":"Chinese breach data of 4 million federal workers"},{"key":"2021070819462572100_tyab002-B79","volume-title":"Facts and Fears: Hard Truths from a Life in Intelligence","author":"Clapper","year":"2018"},{"key":"2021070819462572100_tyab002-B80","first-page":"231","volume-title":"Understanding Cyberconflict: Fourteen Analogies","author":"Egloff","year":"2017"},{"key":"2021070819462572100_tyab002-B81","first-page":"1","article-title":"A tale of two cybers\u2014how threat reporting by cybersecurity firms systematically underrepresents threats to civil society","volume":"18","author":"Maschmeyer","year":"2020","journal-title":"J Inf Technol Polit"},{"key":"2021070819462572100_tyab002-B82","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1080\/10572252.2015.1044122","article-title":"The US intelligence community's mathematical ideology of technical communication","volume":"24","author":"Kreuter","year":"2015","journal-title":"Tech Commun Q"},{"key":"2021070819462572100_tyab002-B83","author":"Grierson"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab002\/37754859\/tyab002.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab002\/37754859\/tyab002.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,26]],"date-time":"2022-12-26T05:05:35Z","timestamp":1672031135000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyab002\/6261798"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,1]]},"references-count":83,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,2,16]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyab002","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2021,1,1]]},"published":{"date-parts":[[2021,1,1]]},"article-number":"tyab002"}}