India and Indonesia’s approach to publicly attributing cyberattacks? No naming, no shaming

Indian Prime Minister Shri Narendra Modi speaks at the ASEAN-India Summit in Jakarta, Indonesia, 7 September 2023. Photo: Ministry of External Affairs of India

In July, a public statement by Singapore’s Minister for Home Affairs and Law caught the attention of politicians and policymakers alike. The city-state tied cyber intrusions into critical infrastructure, including banking systems, energy grids, and transport networks, to a group known as UNC3886, which other sources have linked to China. While the statement stopped short of explicitly naming Beijing, it described the threat actor’s activities in great detail. A few months before, Samoa’s computer emergency response team similarly linked a number of cyber intrusions to an actor with alleged links to China known as APT 40. 

Former Australian Ambassador for Cyber Affairs Tobias Feakin recently highlighted these attributions as examples of how ‘middle powers are re-writing the rules of cyber attribution in the Indo-Pacific’. These countries have historically refrained from making such accusations. However, some regional powers are not following that trend. Two of the largest, India and Indonesia, have yet to attribute a cyberattack to any specific state or non-state actor, despite having faced a number of cyber threats to critical infrastructure, like the 2024 national data centre breach in Indonesia and the 2020 hack that caused a major power outage in Mumbai. Why have these countries displayed such restraint? And at what cost?

An attributive divide

States resort to public attribution for many reasons – to deter adversaries from resorting to attacks in the future, to improve resilience across public and private sector networks by sharing information about threat actors, to ensure compliance with cyber norms by calling out violators, or to strengthen international cooperation. 

However, until recently, cyber attribution has been a legal and geopolitical tool utilised mainly by Western countries, especially the ‘Five Eyes’ and their geopolitical allies. Developing countries, by contrast, have tended to stop short of directly attributing cyberattacks.  

That’s because the stakes differ for emerging powers. Wary of getting locked into great-power technological conflict, they have taken a more ambiguous approach, enabling them to partner with countries in all corners of the geopolitical arena while developing their own offensive and defensive cyber capabilities.

But change is afoot: in addition to Singapore and Samoa, China too has recently begun to tactically attribute attacks. In contrast, India and Indonesia have maintained a notably close-lipped approach to attribution. 

India’s public ambiguity

Take the 2022 cyberattack on AIIMS, India’s leading medical research institute and hospital. The event impacted hospital services and gave hackers access to an estimated 40 million confidential patient profiles, yet the Minister of State for Information Technology simply characterised the attack as a sophisticated ransomware attack orchestrated through a ‘conspiracy and planned by significant forces’. Conspicuously absent is any mention of who those forces might be. This is a pattern for India: acknowledge that a cyber intrusion took place, without naming the perpetrator. 

While in the AIIMS case, the government had reportedly identified the perpetrator, in other cases it isn’t clear whether the government is not attributing simply because it is unable to. For example, a 2018 report by India’s computer emergency response team (CERT-In) suggested that 35 percent of all attacks on Indian websites originated in China, followed by 17 percent from the US, 15 percent from Russia, and 8 percent from Pakistan. However, the complete report and accompanying evidence have not yet been published, leaving doubts about CERT-In’s capacity to distinguish attackers.

Still, other instances show that this reluctance to attribute is not solely the result of technical limitations. After the US cyber intelligence firm Recorded Future released a report tying the 2020 Mumbai attack to China, local authorities confirmed that malware was behind the blackout but stopped short of pointing the finger at Beijing. In a rather vague statement to reporters, the state’s Minister for Home Affairs stated that ‘The American report specifically says that it was maybe the Chinese who did it. Our finding was that some foreign companies were indulging in the malware.’ Just two days later, national authorities seemed to think even that was too far, suggesting instead that human error caused the power outage, effectively negating the earlier naming and shaming.

This contradictory sequence of events suggests that New Delhi is not comfortable attributing, even indirectly, a cyberattack to geopolitical foes like China. This stands in contrast to India’s confident attribution of cross-border terrorist attacks to adversaries like Pakistan. Public attribution has legitimised retaliatory air strikes on alleged terror infrastructure, but punitive measures in cyberspace are less feasible or strategically useful, as we discuss below.

Indonesia’s informal internal recognition

Indonesia too has historically refrained from making formal or public attributions of cyberattacks to specific state actors. Like India, it is cautious about attributing state-sponsored attacks in cyberspace and has avoided doing so out of economic and diplomatic pragmatism. Indonesia’s approach to cyber attribution therefore remains one of informal internal recognition, backed by technical assessments but without formal public attribution.

Despite their technical ability to trace intrusion vectors and cyber infrastructures, Indonesian authorities – including the National Cyber and Crypto Agency (BSSN) – generally restrict attribution to internal assessments rather than public declarations. While the BSSN’s annual threat assessments do acknowledge campaigns tied to groups known to be linked to states, such as APT41, these references remain confined to internal or semi-technical reports rather than formal public statements or press briefings. The government has never publicly attributed a cyber incident to state-sponsored actors, even when such groups are named in internal threat modelling.

The most high-profile case to test Jakarta’s approach was the 2013 revelation that Australia had spied on President Susilo Bambang Yudhoyono and other Indonesian political leaders. The affair caused diplomatic discomfort, but, rather than responding with attribution or countermeasures, Indonesia focused on strengthening its domestic cyber resilience and diplomatic channels. Since then, rather than naming external actors, Indonesia has continued to prioritise improving systems, legal frameworks, and collaboration. 

Why the sounds of silence?

India and Indonesia’s reticence to publicly attribute cyberattacks can be explained by three factors. First, the returns are unclear. A public attribution in cyberspace is unlikely to legitimise punitive action such as air strikes, which India has resorted to only when civilians have lost lives, and neither country has the technical capability, institutional architecture, or doctrinal mandate to mount punitive cyber actions. Additionally, both countries are dogmatically opposed to unilateral sanctions as a tool of foreign policy, and are thus unlikely to impose sanctions on a country suspected of being involved in a cyberattack.

Second, there are capability gaps and evidentiary hurdles. Officials with whom the authors have spoken acknowledge that reliable technical attribution is difficult. Both countries face shortages of skilled cyber-forensic personnel. For India, this is further exacerbated by cumbersome data-sharing processes, which limit information flows from the US and other international partners. Meanwhile, Indonesian specialists can trace attacks to networks or regions, but lack the human-intelligence resources to confirm state sponsorship. Premature or inaccurate attribution would damage the credibility of their cyber institutions and strain diplomatic relationships.

Finally, the reluctance to attribute may stem from the strategic culture and foreign policy frameworks of both emerging powers. Since independence, both India and Indonesia have pursued non-aligned, interest-driven diplomacy. Maintaining ambiguity preserves flexibility, allowing them to balance relations across rival power blocs and avoid unnecessary confrontation. For now, silence protects them from retaliation or diplomatic fallout while they refine their cyber strategies, especially when the benefits of attributing cyberattacks remain unclear.

Jakarta and New Delhi’s approaches to cyber attribution are unlikely to evolve in the near future even as neighbours like Singapore, which maintain more advanced digital forensic capabilities, change course in response to an ever more dangerous cyber threat environment. This hesitance could damage their geopolitical standing and embolden cyber threat actors. In the long run, as they gain technical capacity and the geopolitical situation evolves, this policy might change. For now, though, it makes sense for both emerging players to bide their time.