The World Mind

American University's Undergraduate Foreign Policy Magazine

Proxies and Power: Addressing the Attribution Problem in Cyberspace

Mya Zemlock

In the world of international relations theory, anarchy plays a large role in the way states interact with one another. Theorists have spent decades theorizing the best way to prevent security dilemmas, encourage cooperation, and promote intercultural understanding on the world stage. Similar to the international stage, cyberspace has its own defining problem that influences its actors: the attribution problem. There are three main elements contributing to the attribution problem that, if left unaddressed by the international community, will result in the deterioration of the cybersecurity environment. These include the increasing number of actors within cyberspace, the introduction and usage of cyber proxies, and the reluctance of major cyber powers to address the attribution problem. As long as the attribution problem remains unsolved and cyberspace remains ungoverned, the cybersecurity environment grows ever closer to unmitigated anarchy.

The attribution problem is well-known, as it has plagued the cybersecurity community for years. Cyber operations are fundamentally low-risk due to their covert nature; it’s difficult to accurately locate the source of a cyber attack in time to stop the attack and identify the perpetrator. This means that actors are more willing to use cyber attacks against other actors for their own personal gain because the chances of their actions being accurately attributed to them are low. Although attributing cyberattacks is possible, it is very labor- and resource-intensive. Thus, only major cyber powers have the capability to identify the source of cyberattacks. Furthermore, these major cyber powers will only out the perpetrator of an attack if it lies within their interests. This inability--or unwillingness--to create accountability in cyberspace is the core element of the attribution problem.

Every actor within cyberspace uses the attribution problem, whether intentionally or not. This becomes problematic as more and more actors access cyberspace and begin using cyber operations to gain power and influence. For actors, the low-cost, low-risk nature of cyber operations makes them an attractive alternative to investing in traditional defense systems. As more actors without strong conventional militaries develop cyber capabilities, their power and presence within cyberspace grow. This power allows them to conduct cyber operations and, using the attribution problem, avoid consequences for any actions that are considered to lie outside of international norms. As more cyber operations remain anonymous, more actors grasp for power and the cybersecurity environment deteriorates.

Experts also posit that the increasing number of actors gaining power within cyberspace will decrease the imbalance of power in cyberspace. The hierarchy of the international world order was established after World War II and was reinforced by the United Nations Security Council to govern the international community and ensure accountability. The hierarchical placement of actors within cyberspace isn’t based upon the hierarchy of the international world order; it’s based on the capabilities of different actors. This allows the hierarchy to flatten as more actors achieve the same level of capability as others, evening the playing field and allowing actors without traditional means of projecting power to gain influence on the world stage. With the hierarchy flattened, cyberspace becomes harder to govern as actors use the attribution problem to conduct operations without consequence. This effect can be seen as actors with a small--or nonexistent--traditional defense system become major powers within cyberspace, such as Estonia and the Ukrainian hacktivist network, the Cyber Alliance.

The only way to reinforce the hierarchy is for the major cyber powers to create norms that would hold actors accountable within cyberspace. The traditional leaders of the international community, China, Russia, and the United States, are also considered the greatest cyber powers. They could, rather easily, create norms that would hold actors accountable for their actions within cyberspace and mitigate the effects of anarchy and the attribution problem. They are, however, highly unlikely to do so. Major cyber powers are not only the most influential states in the world but are also the states most likely to benefit from anarchy and the attribution problem within cyberspace. If cyber powers advocated for constraining norms within cyberspace, they’d be restricting their own capabilities, which is naturally against their interests. This dilemma is similar to the one faced by the international community during the creation of the liberal world order after World War II; however, the usage of cyber proxies has introduced a new aspect to this familiar problem.

The unwillingness of cyber powers to pursue attribution is best observed through the existence and usage of cyber proxies. Cyber proxies are individuals or groups of people who are contracted by cyber powers to conduct technical operations, such as data-mining and network infiltration, within cyberspace. Using cyber proxies to conduct operations is not only cost-effective, but it also complicates attribution. If a cyber power wants to conduct a cyber operation that they feel could have great consequences should a competitor choose to pursue attribution, they can outsource the operations to cyber proxies and redirect blame and attention. Russia has done this in multiple cases, including the 2014 annexation of Crimea and the 2016 DNC hacks, by claiming that all of the information warfare operations were simply conducted by “patriotic hackers” who had no connections to the Russian government. Although the U.S. Intelligence Community strongly suspects that Russia's intelligence agency contracted these hackers to conduct their cyber operations, it is far too difficult to find the connection between the government and the hackers to create a case against them. By using the attribution problem to their advantage, cyber powers can conduct operations with few consequences and cyber proxies gain access to power and influence within cyberspace.

As non-state actors, cyber proxies are not subject to the same limitations as states. They can pursue their interests without justification and, more importantly, have no agency in the eyes of the international courts. Agency, or legal standing in the international justice system, is primarily afforded to states according to their relation to the United Nations. UN member states have agency, as do the organizations housed by and affiliated with the UN. Even if the international community were able to overcome the attribution problem and accuse a cyber proxy of conducting illicit cyber operations, actors without legal standing cannot be held to the same standards as states that do have legal standing, and they cannot be tried in an international court. International organizations such as the United Nations could attempt to create international laws that would govern cyberspace, but they wouldn’t be effective as they wouldn’t be applicable to non-state actors. Instead, the international community should focus on creating norms that would mitigate the effects of the attribution problem and promote accountability within cyberspace.

So far, governance of cyberspace has been a largely “bottom-up” endeavor, with individual actors within cyberspace using their power and influence to set guidelines of what actions are and are not acceptable. These guidelines, however, are different for every actor and only followed by the actors who set the rules themselves. Actors with less advanced cyber capabilities don’t have the same limitations as major cyber powers. However, major cyber powers have the ability to employ cyber proxies to overcome these limitations. Additionally, cyber proxies can avoid consequences altogether, as private actors can’t be held to the same standards as states and international organizations. Each different type of actor within cyberspace uses the attribution problem to further their own personal interests, to the detriment of the cybersecurity environment. Without a comprehensive and all-encompassing set of norms that forces all actors to be confined to the same rules, anarchy and the attribution problem will continue to define cyberspace.