By NHI Mgmt Group Editorial Team. Published 2026-04-22. Domain: General NHI. Source: 1Password

TL;DR: Security leaders misread cyber conflict when they treat attacks as isolated technical events; attribution, intent, and campaign context change how defenders prioritise response and forecast what comes next, according to 1Password’s Chasing Entropy episode with Allie Mellen. The practical shift is that identity, authority, and delegated action now matter as much as malware indicators when interpreting operations.


At a glance

What this is: This is a podcast-based analysis of how history, doctrine, and political intent shape cyber conflict, with the key finding that attribution and campaign context are now central to defender decision-making.

Why it matters: It matters to IAM practitioners because the same attribution problem is emerging across human, NHI, and autonomous systems, where authority chains and delegated action increasingly determine how incidents should be interpreted.



Context

Cyber conflict is easiest to misread when defenders strip it from the political and identity context that drives it. The primary issue here is not a new attack technique, but the governance gap that appears when teams focus on malware and ignore who acted, under whose authority, and for what strategic purpose.

For identity programmes, that shift matters across human IAM, NHI governance, and autonomous system oversight. Once operations are delegated through tools, services, and AI systems, attribution becomes an identity question as much as a threat-intelligence question.

The article frames this through history and doctrine rather than a single incident, which is a typical starting point for this kind of strategic analysis. That makes it a useful prompt for security teams that need to connect identity governance to threat interpretation, not just access control.


Key questions

Q: How should security teams use attribution in incident response?

A: Security teams should use attribution to determine likely motive, target selection, and next actions, not just to name an attacker. That changes prioritisation, escalation, and containment decisions. When identity and delegation are involved, attribution also helps reconstruct who acted under what authority, which is essential for judging whether the event was human-driven, NHI-driven, or automation-assisted.

Q: Why does AI make cyber attribution harder?

A: AI makes deception cheaper because it lowers the cost of generating plausible noise, false flags, and rapid changes in tooling or infrastructure. That increases uncertainty about who initiated an action and why. For defenders, the result is more pressure on identity evidence, delegation records, and campaign context to avoid misclassifying the operation.

Q: What should organisations do when cyber activity may be part of a larger campaign?

A: Organisations should stop treating incidents as isolated technical artefacts and start correlating them with possible strategic objectives. That means comparing the event with prior activity, likely state or criminal patterns, and the authority chain behind the action. The goal is to determine whether the event is disruption, collection, or influence before response paths harden.

Q: How can identity teams support better cyber threat interpretation?

A: Identity teams can support interpretation by preserving delegation evidence, access history, and actor context across humans, NHIs, and automated systems. That evidence helps analysts explain who had the ability to act, what changed, and whether the action fits a broader campaign pattern. It turns identity telemetry into decision support for security operations.


Technical breakdown

Attribution is a control input, not a post-incident label

Attribution is the act of tying technical activity to a likely actor, motive, and campaign objective. In practice, that means defenders use context to distinguish disruption from intelligence collection or influence activity, then adjust prioritisation accordingly. This matters because the same malware or infrastructure can support different strategic goals. When identity, authority, and delegation are part of the environment, attribution is no longer only about IPs or signatures. It becomes a way to understand who was acting inside a chain of custody and why the activity mattered at the time.

Practical implication: build attribution into triage so response paths reflect intent, authority, and likely next moves, not just the observed payload.

Cyber strategy reflects doctrine, history, and organisational habit

The episode argues that states do not behave as blank slates in cyberspace. Their cyber operations reflect older power habits, military doctrine, and national history, which shape how teams organise, select targets, and apply pressure. That framing is useful for defenders because it shifts analysis from isolated events to repeatable behaviour patterns. For identity teams, the same logic applies when reviewing delegated access and operational authority: structure influences action. If the governance model assumes all actors behave the same way, it will miss the differences that doctrine or operating model creates.

Practical implication: add adversary-behaviour context to access and threat models so response assumptions reflect the actor, not just the technique.

AI lowers deception costs and raises attribution friction

The article’s most operational point is that AI makes false flags cheaper and attribution harder. That does not mean identity disappears from the problem. It means more activity can be obscured by automation, delegation, and rapid tool use, making it harder to determine whether a human operator, a service account, or an AI system drove the action. The analyst’s warning is less about detection volume and more about interpretive uncertainty. As a result, the defender’s challenge shifts from spotting an event to understanding the authority chain behind it.

Practical implication: track delegated actions and authority chains more carefully because AI-assisted deception can hide the real executor behind the observable event.




NHI Mgmt Group analysis

Attribution is becoming an identity governance problem, not just a threat-intelligence problem. The article makes clear that defenders need to know who is behind an operation, what authority they had, and what objective they were serving. That is the same governance logic IAM teams apply to humans and NHIs when they trace delegated access and responsibility. Practitioners should treat attribution as part of identity control, not as an afterthought once the incident is already understood.

Cyber campaigns succeed when authority chains are legible to the attacker but opaque to the defender. States, criminal groups, and AI-enabled operators all exploit the same weakness: defenders often see activity without seeing the decision chain that produced it. This aligns with the OWASP Non-Human Identity Top 10 and NIST Zero Trust (SP 800-207) thinking, where visibility and trust boundaries matter more than the raw presence of a credential or tool. Practitioners should re-evaluate whether their control model captures who can act, who can delegate, and who can obscure responsibility.

Identity programmes still overfit to the actor they were originally built for. Human IAM, NHI governance, and autonomous oversight often sit in separate operational lanes, yet the article shows that strategic behaviour cuts across them. A state actor may use a human operator, a service account, or automated tooling in the same campaign, which makes narrow governance models brittle. Practitioners should unify identity interpretation across actor types so campaign analysis is not fragmented by programme silo.

Deception pressure is now a permanent condition of modern cyber conflict. The article’s AI discussion shows that false flags, proxy activity, and attribution friction will keep increasing. That changes the burden on governance teams, which must preserve trustworthy identity evidence even when the attack surface is partly automated. Practitioners should assume interpretation will remain contested and design identity telemetry accordingly.

Campaign context is the named concept security teams should adopt. Cyber activity cannot be evaluated correctly when stripped from the larger political or operational campaign that contains it. That premise holds across human, NHI, and autonomous actors because the same action can mean disruption, intelligence collection, or influence depending on context. Practitioners should evaluate incidents in campaign terms, not as standalone technical events.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap reinforces why teams should examine attribution, delegation, and identity evidence together, as explored in 52 NHI Breaches Analysis.

What this signals

Campaign context: identity programmes need to account for the fact that one event can now be initiated, delegated, or obscured across multiple actor types. The practical response is to unify identity telemetry so investigations can trace authority chains across humans, NHIs, and autonomous systems without switching tools or assumptions.

The governance signal is that attribution quality will increasingly depend on evidence discipline, not just detection coverage. Teams that retain delegation metadata, access history, and execution context will be able to separate operational intent from technical noise more reliably than teams that only collect alerts.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, according to The State of Non-Human Identity Security, the market is already moving toward identity evidence as a core control surface. Security leaders should prepare for attribution to sit inside IAM and NHI governance, not beside it.


For practitioners

  • Map authority chains for high-risk operations: Document who can initiate, delegate, and obscure actions across humans, service accounts, and AI-supported workflows. Correlate those chains with logs so investigations can reconstruct who acted under whose authority.
  • Add attribution context to incident triage: Classify events by likely objective, not just by malware or infrastructure indicators. Separate disruption, intelligence gathering, and influence activity so response playbooks match the probable campaign goal.
  • Unify identity telemetry across actor types: Bring human, NHI, and autonomous activity into one evidence model so campaign analysis is not split across separate tools or teams. Prioritise timestamped delegation records and tool-use traces.
  • Preserve evidence that supports post-incident attribution: Retain logs, access records, and delegation metadata long enough to analyse who had authority, when it changed, and what was possible at each step. Without that evidence, attribution becomes speculation.
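The first and last items above describe reconstructing an authority chain from preserved delegation records. The following is an added illustration (not code from the page, 1Password, or NHI Mgmt Group) of that reconstruction: the record format, identity names, and timestamps are constructed assumptions. Given the delegation evidence valid at the moment of an observed action, it walks back from the acting identity to the human principal(s) that authority can be traced to, and flags actions whose authority is ambiguous (several possible principals) or unexplained (no valid grant leads to a human).

```python
from datetime import datetime

# Constructed delegation evidence (assumed record format): who granted authority
# to whom, and the window in which that grant was valid.
DELEGATIONS = [
    {"grantor": "alice@corp", "grantee": "svc-deploy",
     "granted": "2026-04-01T08:00:00", "revoked": None},
    {"grantor": "svc-deploy", "grantee": "agent-ci",
     "granted": "2026-04-10T09:00:00", "revoked": "2026-04-15T00:00:00"},
    {"grantor": "bob@corp", "grantee": "agent-ci",
     "granted": "2026-04-14T12:00:00", "revoked": None},
]
HUMANS = {"alice@corp", "bob@corp"}  # principals whose authority is self-originating


def active_grants(records, grantee, at):
    """Grants to `grantee` that were valid at instant `at` (revocation is exclusive)."""
    return [r for r in records if r["grantee"] == grantee
            and datetime.fromisoformat(r["granted"]) <= at
            and (r["revoked"] is None or at < datetime.fromisoformat(r["revoked"]))]


def authority_chains(records, actor, at, _seen=()):
    """All delegation paths root -> ... -> actor using only grants valid at `at`.
    An identity with no active grant is treated as the root of its chain."""
    if actor in _seen:                      # guard against delegation cycles
        return []
    grants = active_grants(records, actor, at)
    if not grants:
        return [[actor]]
    chains = []
    for g in grants:
        for upstream in authority_chains(records, g["grantor"], at, _seen + (actor,)):
            chains.append(upstream + [actor])
    return chains


def attribute(records, actor, when, humans=HUMANS):
    """Classify the authority behind an observed action by `actor` at time `when`."""
    chains = authority_chains(records, actor, datetime.fromisoformat(when))
    roots = sorted({c[0] for c in chains})
    if not chains or not all(r in humans for r in roots):
        status = "unexplained"      # evidence gap: no valid grant leads back to a human
    elif len(roots) > 1:
        status = "ambiguous"        # several principals could have authorised the action
    else:
        status = "traceable"
    return {"status": status, "roots": roots, "chains": chains}


if __name__ == "__main__":
    for t in ("2026-04-12T10:00:00", "2026-04-14T13:00:00", "2026-04-16T00:00:00"):
        print(t, attribute(DELEGATIONS, "agent-ci", t))
```

The same action by `agent-ci` resolves to one human before the second grant exists, to two candidates while both grants overlap, and to the other human once the first grant is revoked, which is why timestamped delegation records, not just the acting identity, decide the attribution.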

Key takeaways

  • Cyber conflict becomes harder to defend when teams ignore the attribution and authority chain behind an event.
  • The same technical activity can represent disruption, intelligence collection, or influence, depending on campaign context.
  • Identity telemetry that preserves delegation evidence will matter more as AI-assisted deception raises attribution friction.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-07 | Attribution depends on knowing which non-human identities acted and with what authority.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust relies on continuous verification of identity and authority across delegated access paths.
NIST CSF 2.0 | DE.CM-7 | Continuous monitoring is needed to preserve evidence for attribution and campaign analysis.

Inventory NHI actors and preserve execution context so incident attribution can trace actions to the right identity.


Key terms

  • Attribution: Attribution is the process of linking observed cyber activity to a likely actor, motive, and campaign objective. In identity terms, it also means reconstructing which human, NHI, or automated identity had authority to act, delegate, or conceal the action at the time.
  • Authority chain: An authority chain is the path of permissions and delegation that explains how an action became possible. It includes the original identity, any service accounts or tokens involved, and any handoffs that changed who could act next.
  • Campaign context: Campaign context is the broader operational or strategic setting that gives an incident its meaning. It helps defenders decide whether an event is disruption, collection, or influence, and it prevents isolated technical signals from being misread as the whole story.
  • Delegation evidence: Delegation evidence is the record of who granted access, when it changed, and what execution paths were available. It is essential for identity investigations because it shows how activity moved across humans, NHIs, and autonomous systems.

Deepen your knowledge

Attribution, delegation, and identity evidence are central topics in the NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to connect campaign analysis with identity governance, it is worth exploring.

This post draws on content published by 1Password: Chasing Entropy with Dave Lewis and Allie Mellen on cyber conflict, attribution, and AI. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org