Public Cyber Attribution in the Global South: Indo-Pacific

Western governments have been at the forefront of conducting public cyber attribution. Over the past decade, the UK, US and Australia, among others, have developed frameworks to ‘name and shame’ other states for conducting, harbouring and/or enabling malicious cyber activity both individually and collectively. Public cyber attribution is intended to ascribe responsibility to a state (or state-affiliated actor) for malicious cyber activity, signal internationally what is considered as ‘unacceptable’ or ‘irresponsible’ behaviour, and (whenever possible) support broader efforts to deter adversaries. Collective attribution amplifies the likely effect: in theory, the more states call out an actor, the clearer is the collective understanding of shared red lines. Yet it is widely accepted that efforts to bring Global South countries into these coalitions have largely faltered. Efforts are hindered by factors ranging from insufficient information sharing by Western governments to substantiate attribution claims, to competing policy priorities from Global South countries.

However, in recent years, countries including China, Samoa, Azerbaijan, Venezuela, Singapore and Ethiopia have begun making their own cyber attributions.1.  Early attributions from countries in the South, particularly those attributing a malicious cyber activity to the US – such as Venezuela – might have been dismissed, but China’s increasingly frequent and assertive use of naming and shaming of the US in the past few years has now started to raise pressing questions that might not have been considered previously: What are the motivations, processes, contexts and circumstances for countries in the Global South to conduct cyber attributions? Are Western governments ready to engage with more non-Western cyber attributions?

As geopolitical tensions rise across the Indo-Pacific and wider regions, understanding evolving state approaches to publicly calling out malicious cyber operations, and the instances where such attributions are avoided, becomes vital to ongoing diplomatic efforts.

In response to these questions, RUSI’s Cyber and Tech research group launched the Global South Cyber Attribution Taskforce, as part of the Global Partnership for Responsible Cyber Behaviour. In December 2025, the taskforce began its work by bringing together cyber security experts for two workshops to discuss motivations, challenges and case studies around cyber attribution in the Global South. The workshops brought together participants with regional expertise in national administrations, domestic and international policymaking, ex-cyber operators, private sector threat intelligence and academia. Primary focus was given to the Indo-Pacific, with discussions focusing on China, India, Vietnam, Singapore, Indonesia and Pakistan. As the Taskforce evolves, it will investigate other regional and inter-regional dynamics. 

The workshops were designed based on the understanding of public cyber attribution as a spectrum between no-attribution or official government communication to what we refer as ‘full’ attribution – that is, an official government communication naming and shaming a malicious state-linked threat actor.

This Insights Paper summarises points made during the two workshops and draws from a list of cases of cyber attributions conducted by countries in the Global South that had been mapped prior to and refined after the discussions. Unless otherwise indicated, statements in this paper reflect points raised during the workshops. None of the statements are attributable to any specific individual or organisation.

The paper is divided into five parts. First, it sets out the background to the practice of public cyber attributions and outlines the objectives of the taskforce. Second, it presents insights on how countries in the Global South perceive and practise cyber attributions. Third, it outlines the domestic motivations and concerns from Global South countries in attributing. Fourth, it presents a ‘spectrum of attribution’ framework used to explore three case studies in the Indo-Pacific region assessed during the workshops. Fifth, it outlines key areas for future dialogue and research. 

Four important caveats and clarifications apply to this paper. First, the term Global South here refers to the list of G77 countries. Second, the term Global South should not be understood as one that is, by default, in direct contrast to ‘Global North’ or ‘West’. Countries in the ‘Global South’ might, at times, have similar or contrasting approaches that do not neatly reflect a binary between North and South or East and West. Their motivations and approaches might sometimes align with Western governments and might sometimes diverge. Third, the case studies in this paper employ the term as a means of introducing more context and cultural understanding of the motivations and additional variables that need to be considered for a clearer assessment of cyber attribution. That is why the paper reflects on case studies within the Indo-Pacific region discussed during the workshops. Finally, the ‘Global South’ is broad, diverse and far from existing in clear contrast with the ‘North’ or ‘West’, but there are regional and cultural particularities that go unnoticed or unexplored. The use of the term ‘Global South’ provides us with a term to engage beyond the ‘West’ and the ‘North’. This Insights Paper is not intended to be exhaustive but aims to inform the policy and research community about the cultural nuances of cyber attribution beyond Western approaches. 

Background 

State-sponsored offensive cyber operations or cyber-espionage campaigns are covert by their nature, to ensure operational success and to achieve the desired outcomes. Cyber attribution is a prominent tool of statecraft to openly name a foreign state responsible for conducting a cyber operation. It can serve at least four objectives:

1. To set or clarify norms of expected behaviour in cyberspace.2.
2. To support coercive action – that is, attempts to deter or compel (for example, through sanctions or offensive cyber operations).
3. To create friction by exposing adversaries.
4. To be accountable to domestic audiences.

For a country to detect and publicly attribute cyber activities to a foreign government, it requires both advanced intelligence capabilities and a clear understanding of the risks of misattribution. There are only a few Western states that have the resources and political will to use such tools to shape behaviours within an increasingly contested cyberspace. However, as illustrated in this paper, this barrier is not insurmountable for countries in other regions, including the Indo-Pacific. The key challenge is how these countries can conduct public cyber attribution credibly, consistently and in a responsible manner that is compatible with their individual financial, social and institutional context.

Various attribution channels exist as a signalling mechanism. These range from intelligence and diplomatic channels to unofficial statements in the media by uncited officials to nationally co-ordinated official public attributions. Countries continuously face the choice of which route to pursue, as well as determine how and when to communicate. Within this context, national administrations are faced with the constant task of balancing the risk calculus of escalation, domestic political pressures, intelligence exposure, and, if an attribution is incorrect, geopolitical blowback and international humiliation.

Rapidly accelerating digital societies, heightening geopolitical tensions and the increased operational tempo of cyber operations are changing national approaches to public cyber attribution. China, which has often been reluctant to publicly attribute, started conducting public attributions to the US and Taiwan and has also begun to develop its counter-attribution strategies. Cautious Singapore conducted its first cyber attribution against China-linked threat actor UNC3886 in 2025, and security tensions between India and Pakistan have led to some cyber attributions – albeit focussed on threat actors rather than making an explicit link to the country where the threat originates from. However, national approaches largely remain cautious when conducting attributions publicly. In addition, in many Global South countries, competing geopolitical, economic and political conditions frequently take precedence over concerns about malicious cyber activity.

Public cyber attribution has been mostly institutionalised and conducted in the West and as such, there are currently significant knowledge, policy and cultural gaps in research and policy debates on cyber attribution in the Global South. Meanwhile, concentration of cyber threat intelligence and research into a specific set of non-Western countries (China, Iran, Russia and North Korea), while important, has often meant that other relevant and less conclusive attribution cases in the Global South end up being neglected.

Taskforce Objectives

Western approaches to public attributions have been met with contestation and challenge from other regions. Questions on the usefulness of public attributions in isolation, or even when followed up with actionable consequences such as sanctions regimes, continue to be debated.

The Global South Cyber Attributions Taskforce has been set up to focus on: 

• Identifying patterns, trends and defining characteristics of attribution and non-attribution practices.
• Understanding why certain incidents cross the threshold for public attribution while others do not.
• Developing recommendations for how Global South cyber attribution should be studied, including implications for Western governments engaging with, or observing, these practices.

Through a series of research workshops, the taskforce will consider the relevance of attributions across the Global South, exploring the cultural and motivational nuances between countries in the region, and in comparison to Western countries.

Measured Scepticism: Global South Perceptions of Cyber Attributions

Cyber Attribution is Viewed as One Tool Among Many

Western approaches to public cyber attribution have been framed as increasing transparency, as imposing accountability for global norms, and as a display of intelligence capability to both peers and adversaries. However, discussions at the workshops showed that despite the recent cases of cyber attributions from countries in the Global South, attribution is often seen with some reluctance and as a non-decisive tool to apply pressure on other states – that is, that it does not stop malicious cyber activity nor does it change an adversary’s behaviour. They see attribution as mostly a declaratory tool, a means of showcasing domestic capacity to monitor and defend, or a vehicle through which they can achieve a political objective rather than one which effectively deters or puts pressure on adversaries. Participants noted that in order for cyber attributions to be effective in imposing costs on an adversary, they should be accompanied by and/or clearly linked to other more retaliatory measures, such as indictments and/or sanctions, but these are not yet part of the tradecraft of these countries.

There are Different Degrees of Attribution

Participants characterised cyber attribution as more of a spectrum than a binary, when deciding whether to call out malicious cyber activity. Discussions covered empirical case studies illustrating cyber attributions from India, Pakistan, China, Singapore and other small island states in Southeast Asia and in the Pacific. These cases were addressed in three breakout groups covering three different parts of the spectrum:

• Full public cyber attribution – when a state decides to publicly call out another state.
   
• Partial attribution – when a state refers indirectly to another state but does not explicitly call it out.
   
• No attribution – or when a state, despite being in a geopolitically contentious position (and at times, a military clash) with another state still decides not to attribute, and attributions remain either done by isolated government entities such as the police or fully conducted by third parties and not acknowledged by the central government.