#SorryNotSorry: Why states neither confirm nor deny responsibility for cyber operations

Joseph M. Brown, Tanisha M. Fazal

Research output: Contribution to journal, Article, peer-review


States accused of perpetrating cyber operations typically do not confirm or deny responsibility. They issue 'non-denial denials' or refuse to comment on the accusations. These ambiguous signals are prevalent, but they are largely ignored in the existing cyber literature, which tends to treat credit claiming as a binary choice. The ambiguity of non-denial denials and 'non-comments' allows states to accomplish two seemingly opposed goals: maintaining crisis stability and leaving open the possibility of their involvement in the attack. By deliberately remaining a suspect, a state can manipulate rivals' perceptions of its cyber capability and resolve. Refusing to deny responsibility can also shape rivals' perceptions of allies' capabilities, enhancing the credibility of deterrence. All of this can be accomplished without the escalatory risks that would come with an explicit admission of responsibility. Where previous research has focused on the dangers of escalation and the limitations of costly signalling with cyber, we show that non-denial denials and non-comments make cyber operations considerably more useful than the literature appreciates.

Original language: English (US)
Pages (from-to): 401-417
Number of pages: 17
Journal: European Journal of International Security
Issue number: 4
State: Published - Aug 20 2021

Bibliographical note

Publisher Copyright:
Copyright © 2021 The Author(s). Published by Cambridge University Press on behalf of the British International Studies Association.


  • Coercion
  • Cyber Conflict
  • Deterrence
  • Intelligence
  • Signalling

