SAN FRANCISCO — Businesses need to think carefully about when they publicly blame a threat actor for a cyberattack, lest they invite unwanted consequences, experts said at a panel at the RSAC 2026 Conference here on Tuesday.
“The rush to attribute is a risky one,” Megan Stifel, the chief strategy officer at the Institute for Security and Technology, a cybersecurity think tank, said during a panel discussion.
Brett Callow, a ransomware expert and senior adviser at FTI Consulting who advises cyberattack victims, called attribution “extremely risky” because “you are bringing third parties into the discussion, and those third parties may very well respond.”
That response could take the form of diplomatic retaliation, in the case of a nation-state actor, or a data leak, in the case of a cybercrime gang. In either case, Callow said, public blame “can attract considerable blowback” and even “result in your losing control of the narrative, which isn’t a good thing at all.”
The experts’ warnings about attribution come as companies weigh how to discuss security incidents — especially when doing so could help them shift the blame.
Mike Egan, a partner at the law firm Cooley LLP, said some of his clients had a “misconception” about the benefits of blaming nation-state groups for breaching them.
“They think, ‘If we can go public and say it was XYZ Government, that helps us. That shows — how could we possibly stop this from happening?’” Egan said. “And I get the attraction behind that, but [on the other hand], it sort of changes the narrative a bit.”
Blaming a foreign government, Egan said, can increase customers’ anxieties about the potential consequences of the attack. “They’re, like, ‘Wait a minute, we thought this was just a normal cyberattack, and then you’re telling me it was North Korea. What are they going to do with this data right now?’ All of a sudden, we’re not talking about just a personal data breach. It’s something bigger, and that story sticks around longer.”
Every attribution decision is different, said Stifel, a former White House and Justice Department cybersecurity staffer: “There is definitely the need to calculate, ‘What more strategic objectives can we achieve through the attribution conversation?’”
What to say about hacks, and when
Whether to attribute an attack is only the first question that companies need to answer. After that, they need to decide when to speak up and how much information to share.
Publicly traded companies face the highest stakes when speaking out, because their announcements constitute regulated statements. “If you change that [statement later], do you have an issue?” Egan said. “Do you have to go out and correct it in the market with either a press release or an 8-K or something along those lines?”
If a news article or social-media post reveals an attack’s attribution before the victim can announce it, Egan said, the company’s best course of action is usually to stay quiet.
Callow pushed back on that argument. “I don’t think ‘no comment’ is a good response,” he said. “If you don’t fill that gap, somebody else will.”
Egan acknowledged that their diverging views reflected their differing roles in the incident-response process. “This is the difference between a lawyer and [a] communications [consultant],” he quipped.
Insurance on the line
The increasing ubiquity of cyber insurance has also changed the attribution conversation, because blaming a foreign government can trigger act-of-war exclusions in policy coverage. Egan said he is currently examining the insurance implications of several clients’ cybersecurity incidents through that lens.
“This gets back to this idea of thinking holistically about the costs and benefits of attribution,” Egan said. A company that knows blaming a nation-state actor would void its insurance payout will be more reluctant to do so.