TL;DR: Security leaders misread cyber conflict when they treat attacks as isolated technical events; attribution, intent, and campaign context change how defenders prioritise response and forecast what comes next, according to 1Password’s Chasing Entropy episode with Allie Mellen. The practical shift is that identity, authority, and delegated action now matter as much as malware indicators when interpreting operations.
NHIMG editorial — based on content published by 1Password: Chasing Entropy with Dave Lewis and Allie Mellen on cyber conflict, attribution, and AI
Questions worth separating out
Q: How should security teams use attribution in incident response?
A: Security teams should use attribution to determine likely motive, target selection, and next actions, not just to name an attacker.
Q: Why does AI make cyber attribution harder?
A: AI makes deception cheaper because it lowers the cost of generating plausible noise, false flags, and rapid changes in tooling or infrastructure.
Q: What should organisations do when cyber activity may be part of a larger campaign?
A: Organisations should stop treating incidents as isolated technical artefacts and start correlating them with possible strategic objectives.
Practitioner guidance
- Map authority chains for high-risk operations: Document who can initiate, delegate, and obscure actions across humans, service accounts, and AI-supported workflows.
- Add attribution context to incident triage: Classify events by likely objective, not just by malware or infrastructure indicators.
- Unify identity telemetry across actor types: Bring human, NHI, and autonomous activity into one evidence model so campaign analysis is not split across separate tools or teams.
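
The three guidance items above, combined in an added example that is not from 1Password or the episode: delegation is resolved back to a root authority, and human, NHI, and autonomous events are grouped by objective in one evidence model. The event fields, actor names, analyst-assigned objective labels, and the `DELEGATED_BY` map are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events from three separate telemetry sources (not real logs).
# "objective" is an analyst-assigned triage label, assumed for this example.
EVENTS = [
    {"src": "sso", "actor": "alice", "type": "human",
     "action": "grant_role", "target": "svc-backup", "objective": "access"},
    {"src": "cloud", "actor": "svc-backup", "type": "nhi",
     "action": "read_bucket", "target": "finance-archive", "objective": "collection"},
    {"src": "agent", "actor": "agent-42", "type": "autonomous",
     "action": "export_data", "target": "finance-archive", "objective": "collection"},
    {"src": "cloud", "actor": "svc-ci", "type": "nhi",
     "action": "deploy", "target": "web", "objective": "routine"},
]

# Hypothetical authority map: each actor and the identity that delegated to it.
DELEGATED_BY = {"svc-backup": "alice", "agent-42": "svc-backup", "svc-ci": "bob"}

def authority_chain(actor, delegated_by=DELEGATED_BY):
    """Walk delegation edges back to the root authority; mark and stop on cycles."""
    chain, seen = [actor], {actor}
    while chain[-1] in delegated_by:
        parent = delegated_by[chain[-1]]
        if parent in seen:
            chain.append(parent + " (cycle)")
            break
        chain.append(parent)
        seen.add(parent)
    return chain

def correlate(events, delegated_by=DELEGATED_BY):
    """Group events by (root authority, objective), whatever the actor type."""
    groups = defaultdict(list)
    for e in events:
        chain = authority_chain(e["actor"], delegated_by)
        groups[(chain[-1], e["objective"])].append({**e, "chain": chain})
    return groups

def candidate_campaigns(events, delegated_by=DELEGATED_BY):
    """Return groups where one root authority and objective span several actor types."""
    out = {}
    for key, evs in correlate(events, delegated_by).items():
        types = sorted({e["type"] for e in evs})
        if len(types) > 1:
            out[key] = types
    return out
```

Viewed per tool, the service account read and the agent export look unrelated; keyed on root authority and objective they fall into one group for review.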
What's in the full article
1Password's full podcast discussion covers the strategic context this post intentionally leaves at a higher level:
- The historical examples behind US, China, and Russia cyber doctrine and why they still shape operational behaviour.
- The episode’s discussion of how public narratives like WarGames influenced security thinking in the 1980s.
- The detailed argument for why attribution changes defensive prioritisation and response sequencing.
- The closing commentary on how AI changes deception, false flags, and interpretation in live operations.