Cyberattacks against critical infrastructure—from water systems and pipelines to hospitals and power grids—have increased substantially around the world, disrupting services to millions of people. Cyber criminals based in Russia have disabled hospitals in multiple countries, forcing hundreds of health care facilities to divert ambulances, delay procedures, and manage emergency care without full access to patients’ medical details. Iran conducted a cyberattack against Albania’s government systems, disabling online government services, and China continues to pre-position malware on critical infrastructure in the United States and elsewhere for potential cyberattacks in crisis or conflict.
Boundaries in cyberspace are easily crossed—attackers in one country can use infrastructure in other countries to attack a set of victims. Can nations create deterrence in cyberspace? What are its limits? And how do we maintain cyber deterrence in a dynamic international environment?
Cyber deterrence can mean using a nation’s cyber capabilities to deter an adversary’s military operations, for example via signaling, or to deter its operations in cyberspace. In this article, we focus on the latter. Deterrence in cyberspace is different from nuclear or conventional deterrence. First, cyber deterrence involves a broader range of actors—including states, criminals, and politically motivated hackers—who carry out a range of actions, some that approach the use-of-force threshold and others that fall below it. Second, identifying the attacker(s) responsible can take months or years and often requires unique threat intelligence or forensic capabilities. Third, actors in cyberspace rely on residency in, and travel between, safe-haven jurisdictions to act with impunity in pursuit of shifting objectives and in collaboration with changing compatriots. For these and other reasons, maintaining deterrence in cyberspace is not a static endeavor; it requires constant and consistent action—identifying and communicating activities of concern, maintaining and deploying credible attribution and response capabilities, and ensuring unity with allies and partners—all with the goal of convincing bad actors that the costs of malicious activity will outweigh the benefits.
Nations declare their deterrence posture through joint statements, such as NATO’s declaration that one or more cyberattacks could meet the Article 5 threshold established for a kinetic attack; negotiated norms, such as those of the United Nations’ Open-ended Working Group, whose final report in 2021 achieved consensus; and direct warnings to adversaries. Deterrence posture outlines thresholds for unacceptable behavior. To be meaningful, those thresholds must then be reinforced by consequences when they are breached.
Establishing consequences has been one of the most challenging areas for deterrence in cyberspace. Adversaries understand that the United States will respond to cyberattacks that cause physical impacts just as we would respond to a kinetic attack. But calibrating responses to cyberattacks and other cyber operations below that threshold is difficult. The response must have adequate impact to change an adversary’s calculus but avoid causing greater disruptive impacts on critical infrastructure or a spiral into conflict. The exact impact of a cyber operation also is not always known or finely tunable in advance. Hence, the consequences that countries have imposed in response to cyberattacks against critical infrastructure have often been limited to indictments and/or sanctions against the individual attackers. Perhaps as a result, countries have increasingly tested the limits of U.S. deterrence posture. This absence of accountability was itself escalatory.
The Biden-Harris administration has introduced new approaches to generate cyber deterrence, both in cyberspace and beyond. For example, following President Joe Biden’s meeting with President Vladimir Putin in mid-2021, the United States shared details of ransomware actors with Russian law enforcement, leading to arrests of those actors, though this approach is now overshadowed by Russia’s invasion of Ukraine. The Biden-Harris administration has also been able to disrupt ransomware infrastructure, such as by releasing decryptors for the prolific Hive ransomware and coordinating a takedown of LockBit’s website and servers around the world.
Ramping up cybersecurity, as the Biden-Harris administration has done, is core to deterrence by denial. That includes shoring up defenses in key sectors by requiring adherence to minimum cybersecurity requirements and accelerating the intelligence community’s sharing of information with partners around the world.
As a warning and a first step to imposing consequences, the Biden-Harris administration has built coalitions to attribute cyberattacks on critical infrastructure, such as the first joint U.S./EU attribution to Russia. More work is needed to implement coordinated consequences, including addressing differing national authorities and approaches to attribution across allies and partners.
Deterrence has proved particularly challenging in two areas of rising cyber threats: addressing non-state actors—such as ransomware groups and politically motivated hackers operating from safe-haven jurisdictions—and addressing the pre-positioning of cyberattacks on critical infrastructure that supports public health, safety, and security.
Regarding non-state actors, in accordance with their obligations under the U.N. Charter, U.N. member states have committed to respect international law in cyberspace and have endorsed norms of responsible state behavior, including to exercise “due diligence” on attacks emanating from digital infrastructure or actors in their country. However, further work is needed to define those “due diligence” standards and hold countries accountable for implementing them.
As for pre-positioning, while highly destabilizing, it technically skirts existing norms that focus on the actual disruption of critical infrastructure services to the public. To deter such activity, the Biden-Harris administration has worked to expose China’s cyber pre-positioning on critical pipelines, water systems, and energy systems. In public statements and private briefings to allies, the U.S. has shared technical details and advice to defend against Chinese pre-positioning in their critical infrastructure networks. Such exposures have also been accompanied by private messaging to the Chinese government that this activity is destabilizing.
As outlined above, establishing and maintaining deterrence in cyberspace has unique complexities. Further strengthening deterrence could include building shared approaches with more countries on attribution standards, identifying a menu of response actions consistent with international law and agreed norms, and credibly signaling or informing adversaries of the potential consequences, both publicly and privately. A collective approach is essential if efforts to stabilize and create accountability in cyberspace are to succeed.
Anne Neuberger is the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technologies in the White House. Previously, she served at the National Security Agency (NSA) for over ten years in senior intelligence and cybersecurity roles. Most recently, she served as director of NSA’s Cybersecurity organization and deputy director of NSA’s intelligence operations, leading an organization of over 20,000 people globally. Prior to NSA, she served as the Department of the Navy’s Deputy Chief Management Officer and as a White House Fellow. Prior to entering government, Ms. Neuberger led technology and operations for a financial services firm. She has been awarded a Presidential Rank Award and the Department of Defense’s and NSA’s highest civilian awards.