After WannaCry began infecting computers powered by Microsoft's Windows via the internet on May 12, users had 72 hours to pay $300 in bitcoin, or pay twice as much.
Paying didn't unlock their computers, Bossert wrote in the Wall Street Journal on Monday.
"It was cowardly, costly and careless," he wrote. "The attack was widespread and cost billions, and North Korea is directly responsible."
While calling the public attribution an initial step in holding North Korea accountable, Bossert said President Donald Trump had already exhausted many of the tools available for punishing the regime in Pyongyang as he seeks to halt its nuclear weapons and ballistic missile programmes.
"North Korea has done everything wrong as an actor on the global stage that a country can do," he said. "President Trump has used just about every lever that you can use short of starving the people of North Korea to death to change their behaviour. And so we don't have a lot of room left here to apply pressure to change their behaviour."
Bossert called on governments and companies around the world to cooperate to mitigate cyber risk, and said the US would lead the effort. Microsoft, Facebook and other companies worked to disrupt the attack and moved last week to disable North Korean accounts being used for cyberattacks, Bossert said.
Assistant secretary of homeland security for cybersecurity and communication Jeanette Manfra said that the companies should take additional steps to collaborate with the government to defend against cyberattacks.
"We make it way too easy for attackers by operating independently," she said. "Our adversaries are not distinguishing between public and private, so neither should we. Government and industry must work together, now more than ever, if we are serious about improving our collective defence."
North Korea has been developing cyber capabilities as trade sanctions and a debilitated domestic economy make it difficult to invest in conventional military capabilities, said Tom Uren, a visiting fellow at the Australian Strategic Policy Institute's (Aspi) International Cyber Policy Centre.
"Having a formal report gives more weight to negotiations when the US approaches China, or Russia or anywhere else that might be providing North Korea with internet services," Uren said. "It gives them something else to bring to the table."
The UK government in October blamed North Korea for the attack on the NHS. Kim Jong Un's regime denied any connection. Until now, the US hadn't publicly named Pyongyang as being behind the attack. Australia, Canada and Japan also agree with the US analysis, Bossert said.
North Korea allows internet access to only a small portion of its population, but it began to train its techno soldiers in the early 1990s, according to South Korea's Defence Security Command. The country probably employs 1700 state-sponsored hackers, backed by more than 5000 support staff, according to Aspi.
North Korea has grown increasingly adept at breaking into computer systems around the world for financial gain and strategic benefit. This year, the regime's cyber warriors have been linked to stolen US-South Korean military plans and the alleged theft of $60 million from a Taiwan bank.
The hackers drew international headlines in 2014 when they allegedly broke into Sony's movie business as it was preparing to release The Interview, a Seth Rogen and James Franco comedy about meeting the North Korean leader.
