Blame Game: Why Public Cyber Attribution Carries Risks

At RSAC 2026, a panel talked about the pros and cons of threat actor attribution. The panelists said that it's not always clear who did an attack unless the attacker wants people to know they were involved. The panelists also said that attribution could affect things like cyber insurance coverage.

Mike Egan, a partner at Cooley LLP in San Francisco, said, "It changes the story a little and then can make some people a little more worried." "Anything you say to them can cause a lot of backlash and get people talking," said Brett Callow, a senior advisor at FTI Consulting. "We Believe It Was Them: Axios will give a talk called "The Perils of Attribution in Public Statements" on Thursday at the RSAC conference in San Francisco.

Visit www.RSAC2026.com for more information, and click here for the panel's agenda. There are clear risks to blaming an attack too soon, even if the victims don't want anyone else to tell their story. One option is to just say "no comment" or to admit that the party knows about the reports or that something has happened.

Egan, speaking from a legal point of view, said that clients should stay on the "no comment" line and let the investigation run its course. "I don't think saying nothing is ever a good answer. Callow said, "If you don't fill that gap, someone else will." Stifel added, "You don't have to say who did the attack, but you should say that the investigation is still going on."

"Sometimes the best answer is no answer. Egan said, "We're focusing on the investigation." Callow said, "If you're a victim organization, you should be able to say that you know about the incident and that an investigation is going on."