Cybersecurity: Deterrence Policy

January 18, 2022 R47011

Cybersecurity: Deterrence Policy
January 18, 2022
Many policymakers have embraced deterrence as a driving policy position for addressing attacks
in cyberspace. However, deterring attacks remains elusive as nations disagree on acceptable
Chris Jaikaran
behavior and criminal groups proliferate. This CRS report examines the policy of deterrence,
Analyst in Cybersecurity
how it may be implemented, and options for Congress.
Policy

Deterrence policy relies on established rule of behavior, the ability to detect violations of those
rules, and capabilities to reliably employ against perpetrators. Efforts have been made to address

some of these policies, such as with establishing norms and improving attribution; however, work
remains for others.
Generally, cyberspace deterrence strategies seek to influence an adversary’s behavior, discouraging them from engaging in
unwanted activities. In contrast, denial strategies endeavor to improve a technology, process, or practice so that despite
adversarial ventures, a cyberattack might have a low rate of success. Congress and the President have a history and practice
in examining and implementing denial strategies, which may account for why many of these policy proposals have seen
progress. Conversely, deterrence strategies have been implemented at a lower rate, despite broad recommendations for their
use.
Cyberspace presents challenges for established deterrence strategy. Traditionally, deterrence relies on a few, known actors
having the resources to develop and maintain a capability (as well as the intent to use it), and a history of known
consequences being applied if norms are violated. Arguably, the inverse of these conditions exists in cyberspace. It is
relatively cheap for malicious actors to acquire the knowledge and tools necessary to conduct cyberattacks so there are many
potential adversaries, and there is ambiguity around retaliatory consequences for cyberattacks.
The Cyberspace Solarium Commission promoted a “layered cyber deterrence” strategic approach to addressing threats in
cyberspace. The concept was introduced in their final report and reiterated across subsequent white papers, where 109
recommendations for Congress and the President were made. As the second anniversary of the Commission’s final report
nears, their recommendations can be tracked by their implementation status and analyzed by how those recommendations
affect the strategic environment. Using taxonomies developed by the Department of Defense, the few recommendations that
would have a deterrence effect have not been implemented. Most of the Commission’s recommendations would deny an
adversary’s ability to conduct cyberattacks, and this may arguably create a secondary deterring effect. The deterrence
recommendations include working on norms, establishing responses to attacks, and improving government organization.
With regard to norms, two United Nations working groups have agreed to 11 norms of responsible state behaviors in
cyberspace. However, these norms are nascent and it remains to be seen how nations will adhere to and follow the norms.
The United States could lead in this space by directing agencies to actively participate in norms maturation and engage
international standards-setting bodies on information and communication technologies.
To bolster response capabilities to attacks, some have proposed declaring predictable response options. The European Union
developed a “Cyber Diplomacy Toolbox” describing the actions perpetrators may expect if they conduct cyberattacks against
member states. The United States has not publicly disclosed a menu of response options, but has used some in the past, such
as public attribution and sanctions. Policymakers may choose to direct the development of such an options list. But to be
effective as a deterrent, it would need to be consistently followed.
Lastly, to better structure federal governance of cyber deterrence, Congress and the executive branch have pursued the
creation of a bureau within the Department of State responsible for cyberspace diplomacy. Such a bureau could lead efforts
related to norms setting, foreign assistance, and confidence-building measures. However, outstanding questions for
policymakers exist, including how the bureau would coordinate with other federal agencies—many of which have significant
technical capabilities and already engage in international fora—and to what extent the bureau would be responsible for
representing the United States in multilateral and civil society fora addressing cybersecurity issues.

Congressional Research Service

Cybersecurity: Deterrence Policy

Introduction
The United States government has long sought to effectively deter (or stop) cyberattacks and to
respond to attacks in a manner that prevents future ones. Both goals have appeared elusive as the
frequency of cyberattacks, from petty to significant, have increased over time.1 These attacks
show that deterrence is difficult to achieve in cyberspace. There are nuances surrounding
cyberattacks that invert previous notions of deterrence policy. Despite chal enges, many regard
deterrence as a necessary step to establishing order for cyberspace operations, and as a building
block for future actions, and policymakers continue to pursue a strategy of deterrence for
cyberspace and cyberattack. This report analyzes the strategy of deterrence in relation to
cyberattacks and discusses options Congress may pursue in advancing deterrence policy.
In March 2020 the Cyberspace Solarium Commission (Commission) launched its report
advocating for a “layered cyber deterrence” strategic approach for cybersecurity.2 As the second
anniversary of the Commission’s report approaches, policymakers may seek to examine a
deterrence strategy in light of recent advancements in cybersecurity policy and recently evolved
cyberattacks.
While this report discusses deterrence policy strategical y, it does not discuss in depth potential
capabilities related to deterring cyberattack. Policies surrounding the use of instruments of
national power (e.g., diplomacy, intel igence activities, armed forces, and sanctions) are not
significantly discussed in this report.3 Types of attacks also are not discussed in this report, as
deterrence policy is intended to apply broadly to al types of attacks.4
The Cyberspace Solarium Commission
The John. S. McCain National Defense Authorization Act for Fiscal Year 2019 (FY2019 NDAA,
P.L. 115-232) established the Cyberspace Solarium Commission (Section 1652) to develop
approaches to defend the United States against significant cyberattacks. The FY2019 NDAA
expressly directed the Commission to examine policies around norms, denial, and deterrence. The
statute directed the Commission:
To review and make determinations on the difficult choices present within such options,
among them what norms-based regimes the United States should seek to establish, how the
United States should enforce such norms, how much damage the United States should be
willing to incur in a deterrence or persistent denial strategy, what attacks warrant response
in a deterrence or persistent denial strategy, and how the United States can best execute
these strategies.
In its final report, the Commission advocated for a strategic approach of layered cyber
deterrence and promoted three ways to achieve this end state.

1 Embroker, “2021 Must -Know Cyber Attack Statistics and T rends,” webpage, December 10, 2021, at
https://www.embroker.com/blog/cyber-attack-statistics/.
2 Cyberspace Solarium Commission, final report, March 2020, at https://drive.google.com/file/d/
1ryMCIL_dZ30QyjFqFkkf10MxIXJGT 4yv/view. Also, see CRS In Focus IF11469, The Cyberspace Solarium
Com m ission: Illum inating Options for Layered Deterrence, by Chris Jaikaran.
3 A discussion of the use of military force in cyberspace may be found in CRS In Focus IF11995, Use of Force in
Cyberspace, by Catherine A. T heohary.
4 Cyberattacks and a discussion of them may be found in CRS Report R46974, Cybersecurity: Selected Cyberattacks,
2012-2021, by Chris Jaikaran.
Congressional Research Service

1

link to page 19 link to page 6 link to page 5 link to page 12 Cybersecurity: Deterrence Policy

 Shape Behavior—working with partners to influence how parties act in
cyberspace.
 Deny Benefits—securing critical networks (e.g., infrastructures and
governments) and working to create systemic security and resiliency in
cyberspace.
 Impose Costs—retaliating against malicious actors who use cyberspace to harm
the United States.
The Commission viewed “deterrence [as] an enduring American strategy.”5 In the Commission’s
view, deterrence is about imposing costs on adversaries. Within the confines of the report, the
Commission saw deterrence incorporating two concepts. First, the Commission acknowledges
that many of their recommendations are designed to achieve deterrence through denial—that is,
improving defense so to make it more expensive for adversaries to carry out attacks. Second, the
strategy promotes defending forward—that is, continual y detecting, hunting, and opposing
adverse behavior in cyberspace to increase their costs of operating.
Since the report’s release, the Commission has published additional white papers, legislative
proposals, and a progress report. The Commission recommended 109 actions in those documents
that Congress and the President could take to implement this strategic approach. A list of the
recommendations and their status can be found in the Appendix. Using descriptions of denial and
deterrence (found in “Deterrence Factors” section) the recommendations are analyzed and
arranged according to their ability to enable strategies of denial, deterrence, or both. Table 1
provides a count of the recommendations by their implementation status (i.e., some action taken
by the President or Congress) and strategy categorization.
Table 1. Count of Cyberspace Solarium Commission Recommendations
By Recommendation Status and Strategy Categorization
Recommendation Status
Deny
Deter
Both
Implemented
11
0
10
Nearing Implementation
10
1
6
On Track
28
4
15
Delayed
8
2
0
Significant Barriers
3
0
1
TOTAL
60
7
42
Source: CRS analysis of Cyberspace Solarium Commission, “2021 Annual Report on Implementation,” report,
August 2021, at https://drive.google.com/file/d/19V7Yfc5fvEE6dGIoU_7bidLRf5OvV2__/view.
Examining the distribution and status of recommendations, the lower number of deterrence-
related recommendations and their comparative lack of implementation stands out. This may be
because of the relative difficulty of implementing deterrence policy, which is discussed in the
“Response Options” section of this report. It may also be because denial strategies are more direct
and Congress has experience addressing those types of activities.
For instance, some denial activities that have been implemented through recently enacted
legislation seek to strengthen the authorities of the Cybersecurity and Infrastructure Security

5 Cyberspace Solarium Commission, “Report,” webpage, February 12, 2021, at https://www.solarium.gov/report.
Congressional Research Service

2

Cybersecurity: Deterrence Policy

Agency (CISA)6 and address a perceived gap in national cybersecurity resiliency by improving
kindergarten to high school cybersecurity capabilities.7 In addition, the Fiscal Year 2022 National
Defense Authorization Act included provisions pertaining to vulnerability identification (Section
1544) and information sharing (Section 1548).8 In these examples, Congress passed legislation
implementing one or more of the Commission’s recommendations, and in both sets of examples
the recommendations affected domestic actors for which legislation or executive action is directly
effective.
Some recommendations—such as those related to exercises—may enable both strategies.
Exercises may promote denial (i.e., hindering or preventing an adversary from launching
successful attacks) by building partner confidence in capabilities and use of those capabilities so
that further coordinated actions are possible. Exercises may also promote deterrence (i.e.,
influencing adversaries’ behaviors) by showing cyber operation capabilities in an effort to
highlight that the capabilities wil outmatch an opponent’s.9
Deterrence Factors
While Congress and the President have pursued policies of deterrence in cyberspace, their actions
to date have primarily focused on denying adversarial actions. At times, this focus is intentional;
the Department of Defense’s (DOD) strategy of “persistent engagement” seeks to occupy
adversaries and deny them the time and resources to carry out attacks.10 At times, it is
consequential, such as pursuing strategies to impose costs on adversaries, thus denying gains of
attacks or resources for future attacks. Because of this historical prominence of implementing
denial strategies, it may be helpful to consider deterrence policy contrasted against denial policy
for context and comparison.
Denial and deterrence cybersecurity strategies are different approaches to achieve the same goal:
a safer digital environment. These strategies are not mutual y exclusive. As seen by the
Commission’s recommendations, particular activities can serve both strategies, and combining
activities can have a multiplier effect on the actions.
General y, for cybersecurity, denial strategies seek to improve technology, processes, and
practices over something in one’s own control so that despite an adversary’s efforts, their success
rate is low. Deterrence strategies seek to affect the behavior of other individuals or entities—
stopping them from engaging in an unwanted activity. The DOD developed descriptions of
“denial” and “deterrence,” which are used in this report in the context of cybersecurity to
categorize activities and provide a framework for discussing policy options.

6 P.L. 116-283, §1716.
7 P.L. 117-47.
8 P.L. 117-81.
9 An example of an information sharing-related recommendation is 3.3.4 on expanding coordinated cyber exercises. For
further information on the utility of cyber exercises, see National Security Archive, “ BALT IC GHOST : Supporting
NAT O in Cyberspace,” webpage, December 6, 2021, at https://nsarchive.gwu.edu/briefing-book/cyber-vault/2021-12-
06/baltic-ghost -supporting-nato-cyberspace.
10 Department of Defense, “Summary, Department of Defense Cyber Strategy,” 2018, at https://media.defense.gov/
2018/Sep/18/2002041658/-1/-1/1/CYBER_ST RAT EGY_SUMMARY_FINAL.PDF.
Congressional Research Service

3

Cybersecurity: Deterrence Policy

Glossary
Denial
A denial measure is an action to hinder or deny the enemy the use of territory, personn el, or
facilities. It may include destruction, removal, contamination, or erection of obstructions.11
Deterrence
Deterrence prevents adversary action through the presentation of a credible threat of
unacceptable counteraction and belief that the cost of the action outweighs the perceived
benefits.12
The definition of denial can be interpreted as stopping the adversary from using something. For
this interpretation, many potential cybersecurity activities satisfy the definition. For example,
disrupting an adversary’s internet infrastructure (e.g., a botnet13) inhibits their malicious use of
cyberspace as a domain, and proper configuration and maintenance of one’s own information and
communications technology (ICT) denies an adversary the opportunity to exploit it. Unique to
this interpretation is the focus not on the adversaries themselves, but instead on the things they
seek to exploit (e.g., unpatched ICT).
The definition of deterrence can be interpreted as influencing the adversary in such a way as to
prevent their engaging in malicious behavior. In this model, deterrence relies on norms and
demonstrated capabilities. Nations wil need to understand what other nations consider acceptable
versus unacceptable (violating) behaviors, a government wil need capabilities to influence the
behavior of other governments as wel as non-state actors, other nations wil need to believe that
the capabilities wil be used, and the government’s intentions wil need to be messaged to
potential adversaries. It is arguable that for cyberspace, these conditions are nascent or do not
exist.
Conventional deterrence policy relies on a few conditions: there is a high cost to develop,
maintain, and use certain offensive capabilities; there are a limited set of actors with those
capabilities; if actors choose to use the capabilities, then they wil incur known consequences; and
there is a history of norms compliance upon which to rely.14
Cyberspace arguable is characterized by the inverse of those conditions: the cost of entry for
potential malicious actors is low; there are many potential malicious actors to address (both state
and non-state); the retaliatory consequences for successful cyberattacks are ambiguous or
unknown; and there is not a long history of norms compliance.
It is for this reason that some suggest that deterrence in cyberspace is not a viable strategy.15 The
Commission recognized that Cold War-era analogies of deterrence are likely not applicable in
cyberspace, yet considered that some form of deterrence may be achievable, especial y through
improved security measures and behavior shaping.16

11 Joint Chiefs of Staff, Joint Operations, Joint Publication 3-0, October 22, 2018, at https://www.jcs.mil/Portals/36/
Documents/Doctrine/pubs/jp3_0ch1.pdf.
12 Joint Chiefs of Staff, Barriers, Obstacles, and Mine Warfare for Joint Operations, Joint Publication 3-15,
Washington, DC, March 5, 2018, pp. II-7, https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_15.pdf.
13 “T he word ‘botnet’ is formed from the words ‘robot’ and ‘network.’ Cyber criminals use special T rojan viruses to
breach the security of several users’ computers, take control of each computer, and organize all the infected machines
into a network of “bots” that the criminal can remotely manage.” National Institute of Standards and T echnology,
“Botnet” glossary entry, at https://csrc.nist.gov/glossary/term/botnet.
14 Director of National Intelligence, Global Trends 2040: A More Contested World, March 2021, at
https://www.dni.gov/files/ODNI/documents/assessments/GlobalT rends_2040.pdf.
15 Michael Fischerkeller and Richard Harknett, “Deterrence Is Not a Credible Strategy for Cyberspace,” Foreign Policy
Research Institute, Summer 2017, pp. 381-393.
16 “T he Process of the U.S. Cyberspace Solarium Commission—CyCon 2021,” NAT O Cooperative Cyber Defence
Congressional Research Service

4

Cybersecurity: Deterrence Policy

For deterrence activities, it is important to consider non-cyberspace-based responses to
cyberspace-based incidents. Cybersecurity experts can help identify and frame issues to consider
when examining deterrence strategies, but the range of activities available to government
agencies to influence adversaries is far greater than those within the cybersecurity field. Experts
across fields wil be necessary to provide multidisciplinary solutions for effective deterrence
strategies. Experts to consider consulting when drafting deterrence actions include those for
specific countries (e.g., Russia, China, North Korea and Iran)17 and experts in the capabilities
policymakers are seeking to employ (e.g., diplomatic, intel igence, military, or economic). This
position is reinforced by cybersecurity experts who view cyberattacks as a chal enge for the
computer science community, but for which solutions cannot be purely technical.18
It has long been the policy of the United States government that responses to cyberattacks wil be
proportional, but may not be limited to cyberspace operations only.19 Experts believe that the U.S.
government has not fully embraced this posture, but doing so may be necessary to deter future
cyberattacks.20
Limits Related to Cyber-Only Responses to Cyberattacks
Some Members of Congress have expressed frustration with the lack of public discourse
surrounding cyberattacks and the U.S. government’s response capabilities.21 Such discussions are
frequently held in classified venues, thereby excluding public scrutiny. While this practice may
limit debate, offensive cyber response capabilities are a fragile resource, and publicizing them
may reduce their effectiveness.
For a government, it takes research and operational security to discover, develop, and deploy
offensive cyber capabilities in a manner that al ows for repeated use and covert or clandestine
action. This is especial y true for attacks on systems that have regimented security procedures,
such as those of a foreign government agency.
The moment an attack is discovered, access to the breached systems may start to disappear,
evidence may be collected that attributes the attack to those behind it, and additional operations
they have may become vulnerable, especial y if they shared operational infrastructure or
techniques, tactics or procedures. In the event that the United States were to have its capabilities
disclosed as part of public discourse, it too may lose the ability to use those capabilities.
For the public debate on capabilities, it is also important to consider the difference between
conventional weapons and offensive cyber capabilities. Conventional weapons are developed for

Center of Excellence, May 25-28, 2021, at https://www.youtube.com/watch?v=OBUy7aGNiCQ.
17 For more information on attacks from these countries, see CRS Report R46974, Cybersecurity: Selected
Cyberattacks, 2012-2021, by Chris Jaikaran.
18 Dmitri Alperovitch, “The Case for Cyber-Realism: Geopolitical Problems Don’t Have T echnical Solutions,” Foreign
Affairs, January/February 2022, at https://www.foreignaffairs.com/articles/united-states/2021-12-14/case-cyber-
realism.
19 Intelligence Matters Podcast, “National Cyber Director Chris Inglis on Deterring Cyber T hreats,” CBS News,
November 24, 2021, at https://www.cbsnews.com/news/national-cyber-director-chris-inglis-cyber-threats-intelligence-
matters-podcast/.
20 Sue Gordon and Eric Rosenbach, “America’s Cyber-Reckoning: How to Fix a Failing Strategy,” Foreign Affairs,
January/February 2022, at https://www.foreignaffairs.com/articles/united-states/2021-12-14/americas-cyber-reckoning.
21 For an example, see U.S. Congress, House Committee on Oversight and Reform, Cracking Down on Ransomware:
Strategies for Disrupting Crim inal Hackers and Building Resilience Against Cyber Thre ats, 117th Cong., 1st sess.,
November 16, 2021.
Congressional Research Service

5

link to page 10 Cybersecurity: Deterrence Policy

use in a domain. Defending against those weapons may also use some other tool applied in that
domain. For example, a bal istic missile may be intercepted by an anti-bal istic missile system in
the air before it hits the intended target.22 However, an offensive cyber capability usual y exploits
a weakness against the domain—or a weakness against a system or network itself in cyberspace.
Thus, defending against a cyberattack may include the development and use of a new tool, or
patching an existing system to mitigate the effect of an offensive cyber tool.
Norms
“Norms,” some experts assert, “can be understood as rules for behaving that forbid or encourage
certain activities.”23 A chal enge to normative behavior in cyberspace is that cyberspace is a
domain where behaviors occur, and cyberspace operations are tools of national power that nations
may choose to employ. As Congress examines cyberattacks and responses to them, it may be
helpful to consider the duality that cyberspace is both a domain and a capability. For example,
cyberattacks can occur within cyberspace (e.g., data and identity theft attacks) and can occur
against cyberspace itself (e.g., attacks against cloud service providers). In both types of attacks
information and communications technology (ICT) is used and harmed, and it is that harm that
nations may seek to curtail with norms.
The development of norms in the context of deterring cyberattacks is further complicated by the
fact that cyber operations can occur across the entire spectrum of conflict ranging from localized,
non-violent incidents to far more consequential events with potential y national consequences. As
shown in Figure 1, the Office of the Director of National Intel igence sees cyber operations as
spanning the full range of such incidents.

22 For information on ballistic missile defense, see CRS In Focus IF10541, Defense Primer: Ballistic Missile Defense,
by Stephen M. McCall.
23 Dr. Martin C. Libicki, “Norms and Normalization,” The Cyber Defense Review, Summer 2020, at
https://cyberdefensereview.army.mil/Portals/6/CDR%20V5N1%20-%2004_Libicki_WEB.pdf.
Congressional Research Service

6

Cybersecurity: Deterrence Policy

Figure 1. Spectrum of Conflict

Source: Adapted from Director of National Intel igence, Global Trends 2040: A More Contested World, March
2021, at https://www.dni.gov/files/ODNI/documents/assessments/GlobalTrends_2040.pdf.
Notes: WMD=Weapons of Mass Destruction.
Aggressive nations may explore the use of limited cyberspace operations as an alternative to other
types of attacks and opt to use cyberattacks as a tool to reduce other forms of conflict. Cyberspace
operations may be adopted by adversarial nations if they believe that victim nations wil adhere to
a norm that responses to aggression be proportional. If aggressive nations pursue this strategy, it
is likely that cyberattacks wil increase in frequency as a tool in the lower spectrum of attacks.24
This strategy would seek to force proportional (i.e., cyber) response from victim nations and seek
to inhibit the use of other instruments of national power.
For example, it is not normative for military capabilities to be used in response to criminal
activity. However, repeated cyberattacks have led policymakers to explore novel uses of
capabilities as adversaries have escalated attacks and the impacts of those attacks have become
more severe. One such case is the combatting of ransomware, which has the effect of degrading
U.S. infrastructure in a way that may result in the endangerment of civilian populations (e.g., a
ransomware attack against a hospital).25 In response, decisionmakers have employed military
capabilities to learn about ransomware gangs and move against them.26

24 Director of National Intelligence, Global Trends 2040: A More Contested World, March 2021, at
https://www.dni.gov/files/ODNI/documents/assessments/GlobalT rends_2040.pdf.
25 Ransomware-as-a-Service (Raas) operators are able to replicate and deploy potentially destructive attacks across a
variety of potential victims, many times over, without regard for the business or services that the victims provide.
26 Julian E. Barnes, “U.S. Military Has Acted Against Ransomware Group, General Acknowledges,” New York Times,
December 5, 2021, at https://www.nytimes.com/2021/12/05/us/politics/us-military-ransomware-cyber-command.html.
Congressional Research Service

7

Cybersecurity: Deterrence Policy

Cyberattacks may increase because nations view cyberspace as a novel operational domain
without established rules of engagement. In such a lax environment, opportunities to test
techniques, tactics, and procedures are plentiful both for attacks and responses. The National
Intel igence Council assessed the outlook for international norms.27 That assessment placed
norms on a spectrum:
 Norms least likely to be contested are those that are broadly accepted by nations
and for which violations are widely condemned (e.g., national sovereignty).
 Norms likely to experience regional variations are those where their acceptance
is not broad (e.g., environmental protections).
 Norms at risk of weakening are those for which a major national power has
already breached it or for which implementation has been curtailed (e.g., open
commerce).
 Norms in early development are those not fully agreed to, not widely accepted, or
for which a future is unclear (e.g., cybersecurity).28
Concurrently, two United Nations working groups have developed a common set of norms for
responsible state behavior in cyberspace. The first is the Group of Governmental Experts on the
Developments in the Field of Information and Telecommunications in the Context of
International Security (GGE). It is the older and smal er of the two with 25 member nations. The
second group is the Open-Ended Working Group (OEWG), which is newer and larger and
includes any interested nation. Russia was an original sponsor of this group, despite the existence
of the GGE. The United States was an original supporter of the GGE and participated in the
OEWG discussions.
In 2015, the GGE published a note where the group agreed to 11 norms.29 In 2021, the OEWG
released their final substantive report reinforcing those same 11 norms.30 These norms for
responsible state behavior in cyberspace are:
1. Nations agree to cooperate;
2. Nations wil consider al source information when making claims of attribution;
3. Nations wil not knowingly al ow their territory to be used to conduct
cyberattacks;
4. Nations wil share information;
5. Nations wil respect human rights and secure ICTs to do so;
6. Nations wil not knowingly use ICT to damage critical infrastructure;
7. Nations wil appropriately protect their own critical infrastructure;
8. Nations wil respond to requests for assistance from other nations;
9. Nations wil take steps to secure supply chains;

27 Director of National Intelligence, Global Trends 2040: A More Contested World, March 2021, at
https://www.dni.gov/files/ODNI/documents/assessments/GlobalT rends_2040.pdf.
28 Ibid.
29 Note by the Secretary General, “Report of the Group of Governmental Experts on Developments in the Field of
Information and T elecommunications in the Context of International Security,” A/70/174, July 22, 2015, at
https://undocs.org/pdf?symbol=en/A/70/174.
30 Open-Ended Working Group on Developments in the Field of Information and T elecommunication s in the Context
of International Security, “Final Substantive Report,” A/AC.290/2021/CRP.2, March 10, 2021, at https://front.un-
arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf.
Congressional Research Service

8

Cybersecurity: Deterrence Policy

10. Nations wil support the reporting of vulnerabilities; and
11. Nations wil not attack computer emergency response teams.
Relative to other international norms—such as those related to national sovereignty and
defense—cybersecurity norms are in early development and adoption. It remains to be seen how
nations wil operate within those norms.31
The U.S. government has already taken overt actions in support of some of these norms. For
example, the U.S. Intel igence Community published a white paper on attributing cyberattacks
that takes into consideration open-source information.32 Federal agencies have launched efforts
for supply chain security and vulnerability disclosure.33 Congress has directed federal agencies to
engage partner nations for cybersecurity and increase information sharing activities.34
The U.N.’s ICT security efforts have been following a dual path of security fields. The first field
addresses demilitarization, de-escalation, and prevention as they relate to nation-state actors. That
is the field under which these 11 norms were developed. The second field is on cybercrime and
non-state actors. Russia proposed a U.N. resolution to establish an ad-hoc group to address
cybercrime and state sovereignty, which was agreed to by the General Assembly.35 Some
observers believe this is an effort to replace the existing order on international cybercrime and
internet freedoms.36
Regardless of a nation’s intentions behind engaging in norms-setting activities, many nations
agree that norms development is a worthy pursuit. While development is occurring, it is important
to consider that these efforts are the beginning of a lengthy process. It takes time for norms to be
developed and agreed to. It takes even more time for states to change their behavior and the
norms to become common practice. Despite the far-off potential for return on investment, experts
believe that norms are a vital pursuit, necessary for peaceful operations in cyberspace.37
Response Options
Certainly, having the ability to determine perpetrators is a key element to deterrence. If
perpetrators believed that they would never be identified, then they would not have to fear
retaliatory action. Historical y, barriers to effective response have included the difficulty in
adequately attributing cyberattacks, the time it takes to do so, and the availability of information
for public discussion related to attribution. However, the U.S. government has recently released

31 Director of National Intelligence, Global Trends 2040: A More Contested World, March 2021, at
https://www.dni.gov/files/ODNI/documents/assessments/GlobalT rends_2040.pdf.
32 Office of the Director of National Intelligence, “A Guide to Cyber Attribution,” memo, September 14, 2018, at
https://www.dni.gov/files/CT IIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf.
33 Cybersecurity & Infrastructure Security Agency, “Information and Communications T echnology (ICT ) Supply Chain
Risk Management (SCRM) T ask Force,” website, at https://www.cisa.gov/ict-scrm-task-force. Cybersecurity &
Infrastructure Security Agency, “Develop and Publish a Vulnerability Disclosure Policy,” Binding Operational
Directive 20-01, September 2, 2020, at https://cyber.dhs.gov/bod/20-01/.
34 United States-Israel Advanced Research Partnership Act of 2016 (P.L. 114-304).
35 United Nations, “ General Assembly Adopts Resolution Outlining T erms for Negotiating Cybercrime T reaty amid
Concerns over ‘Rushed’ Vote at Expense of Further Consultations,” press release, May 26, 2021, at
https://www.un.org/press/en/2021/ga12328.doc.htm.
36 Joyce Hakmeh and Allison Peters, “ A New UN Cybercrime T reaty? T he Way Forward for Supporters of an Open,
Free, and Secure Internet ,” Council on Foreign Relations Blog, January 13, 2020, at https://www.cfr.org/blog/new-un-
cybercrime-treaty-way-forward-supporters-open-free-and-secure-internet.
37 Joseph S. Nye, Jr., “T he End of Cyber-Anarchy? How to Build a New Digital Order,” Foreign Affairs,
January/February 2022, at https://www.foreignaffairs.com/articles/world/2021-12-14/end-cyber-anarchy.
Congressional Research Service

9

Cybersecurity: Deterrence Policy

information on a slew of cyberattacks, attributing them not just to nations or criminal
organizations, but to individuals. The government has decreased the time it takes to make these
attributions and has also made public the information agencies used to determine potential y
guilty parties. A further discussion of attribution can be found in CRS Report R46974,
Cybersecurity: Selected Cyberattacks, 2012-2021, by Chris Jaikaran. While work remains to
improve confidence in attribution and decrease the time it takes to attribute attacks, it appears that
attribution is no longer the barrier it used to be.
Having a level of attribution is a key step in responding to cyberattacks. But once a nation has
confidence in potential perpetrators, the nation wil need to decide if tools wil be employed
against those perpetrators, which tools against which perpetrators, and for how long.
Identifying a slate of options that nations intend to use in response to cyberattacks serves two
potential purposes: (1) it signals to adversaries the actions victim nations are prepared to engage
in to retaliate for attacks; and (2) it publicizes the options for its citizens so that they may debate
with their elected leaders the appropriateness and suitability of those options. A long standing
criticism of cyberattack response in the United States is that the federal government has not
revealed its menu of options. This is despite both congressional38 and executive39 direction to the
U.S. Department of State to report on cyberspace policy.
The State Department has issued papers discussing elements of the policies but has general y not
discussed specific retaliatory options publicly.40 Some have argued that limiting public
information about exact plans al ows the United States to remain agile in its response.41 While
discussing specific and technical responses to cyberattacks with offensive cyber capabilities may
be chal enging, a general discussion of tools available to the U.S. government and conditions
under which certain tools may be deployed is not. The National Cyber Director, Chris Inglis,
acknowledged the importance of al instruments of national power when bringing accountability
to cyberspace, as wel as the utility of the National Security Council in coordinating those tools:42
The role of the national security council, which outside of cyberspace is accountable to use
all the instruments of power that this nation can bring to bear—diplomacy, intelligence,
military resources, financial resources, sanctions that might be applied—to bring about the
proper conditions in all domains, not least of which [is] cyberspace.
Other governments have general y shown a wil ingness to more openly discuss options to respond
to cyberattacks. The European Union (EU) developed the “Cyber Diplomacy Toolbox” to list and
describe actions the EU may take in response to cyberattacks, depending on the level of
confidence in attribution a victim member state has in the perpetrator, and the level of

38 P.L. 114-113, Division N, §402.
39 Executive Office of the President, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,”
82 Federal Register 22391-22397, May 11, 2017.
40 For examples, see the following: Department of State, “Department of State International Cyberspace Policy
Strategy,” March 2016, at https://2009-2017.state.gov/documents/organization/255732.pdf; Department of State,
“Recommendations to the President on Deterring Adversaries and Better Protecting the American People from Cyber
T hreats,” May 31, 2018, at https://www.state.gov/wp-content/uploads/2019/04/Recommendations-to-the-President-on-
Deterring-Adversaries-and-Better-Protecting-the-American-People-From-Cyber-Threats.pdf; and Department of State,
Recommendations to the President on Protecting American Cyber Interests through International Engagement,” May
31, 2018, at https://www.state.gov/wp-content/uploads/2019/04/Recommendations-to-the-President -on-Protecting-
American-Cyber-Interests-Through-International-Engagement.pdf.
41 CSIS, “Discussing the UN OEWG with the Mother of Norms,” Inside Cyber Diplomacy podcast, March 26, 2021, at
https://www.csis.org/podcasts/inside-cyber-diplomacy.
42 U.S. Congress, House Committee on Oversight and Reform, Cracking Down on Ransomware: Strategies for
Disrupting Crim inal Hackers and Building Resilience Against Cyber Threats, 117th Cong., 1st sess., November 16,
2021.
Congressional Research Service

10

link to page 14

Cybersecurity: Deterrence Policy

coordination necessary to effectively implement the action. Figure 2 list the actions in the Cyber
Diplomacy Toolbox. The policy is stil relatively new and how the EU chooses to adhere to it in
the future remains to be seen. Key elements to response certainty include having stated
consequences to cyberattacks and reliably executing the actions that deliver those consequences.
Figure 2. European Union Cyber Diplomacy Toolbox Actions
By Attribution Confidence

Source: Erica Moret and Patryk Pawlak, “The EU Cyber Diplomacy Toolbox: Towards a Cyber Sanctions
Regime?” European Union Institute for Security Studies, July 2017, at https://www.iss.europa.eu/sites/default/files/
EUISSFiles/Brief%2024%20Cyber%20sanctions.pdf.
Notes: European Union (EU). High Representative for the Union for Foreign Affairs and Security Policy
(HR/VP).
Congressional Research Service

11

link to page 6 Cybersecurity: Deterrence Policy

The existence of potential response options a nation may employ against cyberattack perpetrators
need not bind that nation only to those options. As a deterrence tool, stated options can create
potential fear of reprisal on the part of the attacker. Discussions on which tools may be publicly
disclosed as possible responses presents an opportunity to engage the international community in
norms-setting activities and developing normative behavior. Both may provide paths for increased
stability in cyberspace.43
Options for Congress
Over the past two years, the number of denial recommendations made by the Commission and
acted upon by Congress or the President has outpaced those for dedicated deterrence activities. As
discussed in “Deterrence Factors,” Congress and the President have a history of pursuing and
implementing strategies of denial to achieve cybersecurity.
Outstanding policy recommendations related to deterrence include:
 Creating a bureau in the U.S. Department of State (nearing implementation);
 Strengthening norms of responsible state behavior in cyberspace (on track);
 Engaging in international standards setting fora (on track);
 Improving capability building and foreign assistance financing (on track);
 Developing confidence building measures (delayed);
 Leveraging sanctions and trade enforcement actions (on track); and
 Improving attribution (delayed).
These recommendations are further discussed below. Policymakers may choose to examine
options to deter cyberattacks by creating government agencies to specifical y address deterrence
policy with al ies and adversaries, advocating for the development and adoption of international
norms and standards, and maturing certainty of response options.
New State Bureau
The Commission identified a chal enge with addressing cyberattacks in the U.S. government;
namely, that government activities are federated.44 That is to say that agencies are independently
authorized and it is at the Executive Office of the President where agency activities are regularly
coordinated. The Commission recommended the creation of a National Cyber Director within the
Executive Office of the President to oversee interagency activities related to national
cybersecurity, which was enacted through the Wil iam M. (Mac) Thornberry National Defense
Authorization Act for Fiscal Year 2021.45
Another Commission recommendation relates to the creation of a bureau within the State
Department to address cyberspace issues. Such a bureau was initiated during the Trump

43 International Security Advisory Board, “A Framework for International Cyber Stability,” report, July 2, 2014, at
https://2009-2017.state.gov/documents/organization/229235.pdf.
44 For examples, see the following: U.S. Government Accountability Office, Cybersecurity: Clarity of Leadership
Urgently Needed to Fully Im plem ent the National Strategy, GAO-20-629, September 22, 2020, pp. 42-56,
https://www.gao.gov/assets/gao-20-629.pdf; and Cyberspace Solarium Commission, Final Report, Washington, DC,
March 2020, pp. 142-143.
45 P.L. 116-283, §1752. 6 U.S.C. §1500.
Congressional Research Service

12

Cybersecurity: Deterrence Policy

Administration—the Cyberspace Security and Emerging Technologies Bureau46—to lead U.S.
government diplomatic efforts on cybersecurity. The Government Accountability Office (GAO)
found that its establishment was hasty and its responsibilities and relationships were il -defined.47
The Biden Administration halted progress on the bureau until October 2021. Secretary Blinken
has since announced the creation of two new positions at the State Department to address cyber
and digital concerns.48 The first would be an ambassador-at-large heading the Bureau of
Cyberspace and Digital Policy, and would focus on cybersecurity deterrence, policy, and
negotiations. The second would be a Special Envoy for Critical and Emerging Technology, and
would be responsible for coordinating policy with partner nations on artificial intel igence,
quantum computing, and other technology-related fields. These developments came after the
House of Representatives passed the Cyber Diplomacy Act of 2021 (H.R. 1251) authorizing a
Bureau of International Cyberspace Policy.49
As Congress and the Administration advance plans to create a unit within the State Department
focused on cyber issues, there remain outstanding concerns that policymakers may choose to
address and conduct oversight on. GAO found that the State Department did not coordinate with
other federal agencies during their first effort to create a bureau, and recommended it do so going
forward.50 Other agencies play a substantial role in international discussions on cyber norms and
standards, engage in operations with partner nations, and house expertise on technical matters
related to cyberspace. Should the State Department proceed with independently forming and
empowering a bureau, the potential for policy fragmentation and duplication of efforts may
compound.51
Largely unaddressed in previous efforts to create a new bureau in State is how it would engage
with partner nations (e.g., EU member states), multinational bodies researching cybersecurity
(e.g., NATO’s Cooperative Cyber Defence Centre of Excel ence),52 or civil society efforts related
to cybersecurity norm building (e.g., the Paris Cal ).53 Engaging in these types of international
fora provides opportunities for the United States to lead policy development and model desirable
behaviors for cyberspace engagement and operations.

46 U.S. Department of State, “Secretary Pompeo Approves New Cyberspace Security and Emerging T echnologies
Bureau,” press release, January 7, 2021, at https://2017-2021.state.gov/secretary-pompeo-approves-new-cyberspace-
security-and-emerging-technologies-bureau/index.html.
47 U.S. Government Accountability Office, Cyber Diplomacy; State Should Use Data and Evidence to Justify Its
Proposal for a New Bureau of Cyberspace Security and Em erging Technologies, GAO-21-266R, January 28, 2021,
https://www.gao.gov/products/gao-21-266r.
48 Dustin Volz, “State Department to Form New Cyber Office to Face Proliferat ing Global Challenges,” Wall Street
Journal, October 25, 2021, at https://www.wsj.com/articles/state-department -to-form-new-cyber-office-to-face-
proliferating-global-challenges-11635176700.
49 Passed the U.S. House of Representatives on April 20, 2021.
50 CRS In Focus IF10541, Defense Primer: Ballistic Missile Defense, by Stephen M. McCall; U.S. Government
Accountability Office, Priority Open Recom m endations: Departm ent of State, GAO-21-457pr, May 19, 2021, pp. 3-4,
https://www.gao.gov/assets/gao-21-457pr.pdf.
51 Ibid.
52 North Atlantic T reaty Organization, “The NAT O Cooperative Cyber Defence Centre of Excellence Is a Multinational
and Interdisciplinary Hub of Cyber Defence Expertise,” webpage, at https://ccdoe.org.
53 Paris Call for T rust and Security in Cyberspace, “Paris Call” webpage, at https://pariscall.international/en.
Congressional Research Service

13

Cybersecurity: Deterrence Policy

International Norms and Standard Setting
Two Commission recommendations address cybersecurity norms: one discusses advancing norms
and the other makes suggestions around engaging international bodies on ICT standards
development. These activities have the potential for the United States to model behaviors and
lead the development of international order and ICT operations.
To some extent, the United States engages in these activities today. The State Department’s Office
of the Coordinator for Cyber Issues (S/CCI)54 worked on developing the 11 norms of responsible
state behavior in cyberspace and many federal agencies participate in international standards
development activities.55
Should policymakers choose to pursue options to advance international norms and/or the
strengthening of the United States’ role in norms setting, there are both existing and new
opportunities to do so. Congress may choose to direct an agency to coordinate federal activities
on norms setting, or provide expertise to another agency to inform norms development and
advancement activities. This is commonly done for other cybersecurity activities today. For
example, the Cybersecurity Act of 2015 (P.L. 114-113, Division N)56 directed the Secretary of
Homeland Security to establish a voluntary information sharing program with the private sector,
but also directed the Secretary to work with the Attorney General on the procedures for
participating in the information sharing program.
Congress may also choose to direct an agency to engage in norms setting fora. Despite the
existence of 11 norms of responsible state behavior in cyberspace, opportunities exist to advance
these principles, advance scholarship on norms, and engage non-governmental groups on the
norms. For example, two civil society groups are working on achieving peace in cyberspace—the
Global Commission on the Stability of Cyberspace57 and the Paris Cal for Trust and Security in
Cyberspace (Paris Cal ).58 The North Atlantic Treaty Organization’s (NATO) Cooperative Cyber
Defence Centre of Excel ence,59 develops scholarship on cyberspace operations. Among private
sector stakeholders, the Microsoft Corporation has cal ed for government and the private sector to
work together to build new norms for cyber operations, akin to the Geneva Convention.60 U.S.
agency participation in these efforts provides an opportunity for the United States to drive norm-
setting activities and influence the debate.
Policymakers may also choose to have agencies engage in new activities. For example, CISA has
a strategy for engaging with national governments on securing the cyberspace.61 Congress may

54 For more information, see https://www.state.gov/bureaus-offices/secretary-of-state/office-of-the-coordinator-for-
cyber-issues/.
55 National Institute of Standards and T echnology, “NIST Summary of the Responses to the National Scienc e and
T echnology Council’s Sub-Committee on Standards Request -for-Information, issued December 8, 2010: Effectiveness
of Federal Agency Participation in Standardization in Select T echnology Sectors,” document, May 13, 2011, at
https://www.nist.gov/system/files/documents/standardsgov/RFI-Summary-5-13-final2.pdf.
56 6 U.S.C. §§1501-1510.
57 Global Commission on the Stability of Cyberspace, at https://cyberstability.org/.
58 Paris Call for T rust and Security in Cyberspace, at https://pariscall.international/en/.
59 North Atlantic T reaty Organization, “The NAT O Cooperative Cyber Defence Centre of Excellence Is a Multinational
and Interdisciplinary Hub of Cyber Defence Expertise,” webpage, at https://ccdoe.org.
60 Brad Smith, “T he Need for a Digital Geneva Convention,” blog post, February 14, 2017, at
https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.
61 Cybersecurity & Infrastructure Security Agency, “CISA Global,” document, February 17, 2021, at
https://www.cisa.gov/sites/default/files/publications/CISA_Glo bal_Print -021721_508.pdf.
Congressional Research Service

14

Cybersecurity: Deterrence Policy

choose to codify in law these activities and further direct CISA, or another agency like the
National Institute of Standards and Technology (NIST) or the National Telecommunications and
Information Administration (NTIA), to assist in ongoing norms and standards setting activities by
providing technical expertise.
Options to Mature Response Capabilities
U.S. policymakers may choose to pursue a strategy of declaratory actions to deny or deter
cyberattacks. The Commission made recommendations concerning attribution and use of
sanctions, which may be additions to a matured response. If Congress chooses to pursue a
strategy of stated and certain actions, there are existing options for activities to be outlined and
described.
Congress may request that a declaratory policy be included as part of the National Security
Strategy.62 Congress may also request this information as part of the National Cyber Strategy.63
Additional y, Congress may choose to make this request independent of existing strategy
documents and task an agency or the National Cyber Director with producing the federal
government’s list of response actions to cyberattacks. In doing so, Congress may create an
additional opportunity to conduct oversight of these activities and inquire as to how often they are
being used and how effective they are at deterring cyberattacks. Congress recently requested that
the Secretary of Defense provide a taxonomy of cyber capabilities.64 Such a taxonomy may serve
as a model for a fuller report on broader deterrence capabilities.
Conclusion
Deterring adversarial actions in cyberspace remains chal enging. There are nuances to cyberspace
that complicate the ability to apply current deterrence concepts to cyberattacks. Regardless of
these chal enges, many regard efforts to deter cyberattacks as a necessary step to achieve stable
cyberspace operations. Establishing norms, having a way to detect violations, and developing
reputable options to respond to attacks al contribute to a strategy of deterrence.

62 P.L. 99-433, §603; 50 U.S.C. §3043. T he National Security Strategy is released and sent to Congress annua lly.
63 P.L. 116-283, §1752; 6 U.S.C. §1500. Statute is silent on the frequency that the National Cyber Strategy shall be sent
to Congress, but the National Cyber Director is to report annually to Congress on the implementation of the strategy
and the nation’s cybersecurity posture.
64 S. 1605, §1501.
Congressional Research Service

15

link to page 19 Cybersecurity: Deterrence Policy

Appendix. Cyberspace Solarium Commission
Recommendations
Table A-1 contains the 109 recommendations from the Commission and their status.65 Each
recommendation in the table is categorized as either a deterrence or denial (or both) activity based
on the definitions set forth in this report. There are five options for the assessed status of a
recommendation:
 Implemented recommendations have been enacted by legislation, executive
action, or agency activity;
 Nearing Implementation recommendations are in legislation or executive action
that have a clear path to approval;
 On Track recommendations are partial y implemented or are being considered. In
many cases, the Commission has drafted an Executive Order or bil to address
these recommendations, but the recommendation has not been formal y
considered;
 Delayed recommendations have not been rejected but do not have a policy action
or vehicle for implementation; and
 Significant Barriers recommendations have received significant pushback from
policymakers or have been outright rejected.
Table A-1. Cyberspace Solarium Commission Recommendations
Ascending by Pil ar and Recommendation Identifier
Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
Reform the U.S.
1.1
Issue and Update
In Process
Nearing
Both
Government’s
National Cyber Strategy
Implementation
Structure and
Organization for
1.1.1
Develop a Multitiered
Executive Action On Track
Deny
Cyberspace
Signaling Strategy
Needed
1.1.2
Promulgate a New
Executive Action Delayed
Deny
Declaratory Policy
Needed
1.2
Create House
Faces Significant
Significant
Both
Permanent Select and
Barriers to
Barriers
Senate Select
Implementation
Committees on
Cybersecurity
1.2.1
Reestablish the Office of Appropriations
On Track
Both
Technology Assessment
Needed
1.3
Establish National Cyber Legislation
Implemented
Both
Director (NCD)
Passed in
FY2021 NDAA,
NCD
Confirmed,
Related E.O.
Issued,
Appropriated

65 Statuses are as of December 20, 2021.
Congressional Research Service

16

Cybersecurity: Deterrence Policy

Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
1.4
Strengthen the
Legislation
Implemented
Deny
Cybersecurity and
Passed in
Infrastructure Security
FY2021 NDAA,
Agency
Related E.O.
Issued
1.4.1
Codify and Strengthen
Legislation
Delayed
Both
the Cyber Threat
Proposed,
Intel igence Integration
Appropriations
Center
Needed
1.4.2
Strengthen the FBI’s
Appropriations
On Track
Both
Cyber Mission and
Needed
National Cyber
Investigative Joint Task
Force
1.5
Diversify and Strengthen Partial
On Track
Both
the Federal Cyberspace
Implementation
Workforce
via Legislation
Passed in the
FY2021 NDAA,
Further
Legislation and
Appropriations
Needed
1.5.1
Improve Cyber-
Appropriations
Implemented
Deny
Oriented Education
Needed
Strengthen
2.1
Create a Cyber Bureau
Legislation
Nearing
Deter
Norms and
and Assistant Secretary
Engrossed
Implementation
Nonmilitary
at the U.S. Department
Tools
of State
2.1.1
Strengthen Norms of
Executive
On Track
Deter
Responsible State
Actions Taken,
Behavior in Cyberspace
E.O. Proposed
2.1.2
Engage Actively and
Legislation
On Track
Deter
Effectively in Forums
Engrossed,
Setting International ICT Appropriations
Standards
Needed
2.1.3
Improve Cyber Capacity Legislation
On Track
Deter
Building and
Proposed,
Consolidate the Funding Appropriations
of Cyber Foreign
Needed
Assistance
2.1.4
Improve International
Legislation
Nearing
Both
Tools for Law
Proposed,
Implementation
Enforcement Activities
Appropriations
in Cyberspace
Needed
2.1.5
Leverage Sanctions and
Legislation
On Track
Deter
Trade Enforcement
Proposed
Actions
Congressional Research Service

17

Cybersecurity: Deterrence Policy

Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
2.1.6
Improve Attribution
E.O. Proposed
Delayed
Deter
Analysis and the
Attribution-Decision
Rubric
2.1.7
Reinvigorate Efforts to
E.O. Proposed
Delayed
Deter
Develop Cyber
Confidence-Building
Measures
Promote
3.1
Codify Sector-Specific
Legislation
Implemented
Deny
National
Agencies and Sector
Passed in the
Resilience
Risk Management
FY2021 NDAA
Agencies and Strengthen
their Ability to Manage
Critical Infrastructure
Risk
3.1.1
Establish a National Risk
E.O. Proposed,
Nearing
Deny
Management Cycle
Legislation
Implementation
Culminating in a Critical
Engrossed
Infrastructure Resilience
Strategy
3.1.2
Establish a National
Legislation
On Track
Deny
Cybersecurity
Proposed
Assistance Fund
3.2
Develop and Maintain
Legislation
Implemented
Deny
Continuity of the
Passed in the
Economy Planning
FY2021 NDAA;
Appropriations
Needed
3.3
Codify a “Cyber State of Legislation
Implemented
Deny
Distress” Tied to a
Passed in the
“Cyber Response and
IIJA
Recover Fund”
3.3.1
Designation
Faces Significant
Significant
Deny
Responsibility for
Barriers to
Barriers
Cybersecurity Services
Implementation
Under the Defense
Production Act
3.3.2
Clarify Liability for
Legislation
Delayed
Deny
Federal y Directed
Proposed
Mitigation, Response,
and Recovery Efforts
3.3.3
Improve and Expand
E.O. Proposed
On Track
Deny
Planning Capacity and
Readiness for Cyber
Incidence Response and
Recovery Efforts
3.3.4
Expand Coordinated
Appropriated
Implemented
Both
Cyber Exercises,
Gaming, and Simulation
Congressional Research Service

18

Cybersecurity: Deterrence Policy

Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
3.3.5
Establish a Biennial
Legislation
Implemented
Deny
National Cyber
Passed in the
Tabletop Exercise
FY2021 NDAA
3.3.6
Clarify the Cyber
Legislation
Implemented
Both
Capabilities and the
Passed in the
Interoperability of the
FY2021 NDAA
National Guard
3.4
Improve the Structure
Legislation
On Track
Deny
and Enhance Funding of
Engrossed
the Election Assistance
Commission
3.4.1
Modernize Campaign
Legislation
On Track
Deny
Regulations to Promote
Proposed
Cybersecurity
3.5
Build Societal Resilience
Legislation
Delayed
Deny
to Foreign Malign
Proposed
Cyber-Enabled
Information Operations
3.5.1
Reform Online Political
Legislation
On Track
Deny
Advertising to Defend
Proposed
Against Foreign
Influence in Elections
Reshape the
4.1
Establish and Fund a
Legislation
On Track
Deny
Cyber
National Cybersecurity
Proposed,
Ecosystem
Certification and
Related E.O.
Towards
Labeling Authority
Issued
Greater Security
4.1.1
Create or Design
Appropriations
On Track
Deny
Critical Technology
Needed,
Security Centers
Legislation
Proposed
4.1.2
Expand and Support
Legislation
Delayed
Deny
NIST’s Security Work
Proposed,
Appropriations
Needed
4.2
Establish Liability for
Faces Significant
Significant
Deny
Final Good Assemblers
Barriers to
Barriers
Implementation
4.2.1
Incentivize Timely Patch Appropriations
On Track
Deny
Implementation
Needed
4.3
Establish a Bureau of
Legislation
On Track
Both
Cyber Statistics
Proposed
4.4
Resource a Federal y
Partial
On Track
Deny
Funded Research and
Implementation
Development Center to via Legislation
Develop Cybersecurity
Passed in the
Insurance Certifications
FY2021 NDAA
4.4.1
Establish a Public-Private E.O. Proposed
On Track
Both
Partnership on Modeling
Cyber Risk
Congressional Research Service

19

Cybersecurity: Deterrence Policy

Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
4.4.2
Explore the Need for a
Partial
On Track
Both
Government
Implementation
Reinsurance Program to via Legislation
Cover Catastrophic
Passed in the
Cyber Events
FY2021 NDAA
4.4.3
Incentivize IT Security
Implemented via
Implemented
Deny
Through Federal
E.O.
Acquisition Regulations
and Federal Information
Security Management
Act Authorities
4.4.4
Amend the Sarbanes-
Legislation
On Track
Deny
Oxley Act to Include
Proposed
Cybersecurity Reporting
Requirements
4.5
Develop a Cloud
Executive or
On Track
Deny
Security Certification
Legislative
Action Needed
4.5.1
Incentivize the Uptake
Legislation
On Track
Deny
of Secure Cloud
Introduced
Services for SMB and
SLTT Governments
4.5.2
Develop a Strategy to
Partial y
Nearing
Deny
Secure Foundational
Implemented in
Implementation
Internet Protocols and
the FY2021
Email
NDAA
4.5.3
Strengthen the U.S.
Legislation
On Track
Both
Government’s Ability to Introduced
Take Down Botnets
4.6
Develop and Implement
In Process
Nearing
Deny
an ICT Industrial Base
Implementation
Strategy
4.6.1
Increase Support to
Partial
On Track
Both
Supply Chain Risk
Implementation
Management Efforts
4.6.2
Commit Significant and
Partial
On Track
Deny
Consistent Funding
Implementation
toward R&D in
Emerging Technologies
4.6.3
Strengthen the Capacity Appropriations
Delayed
Both
of the Committee on
Needed
Foreign Investment in
the United States
4.6.4
Invest in the National
Appropriations
On Track
Deny
Cyber Moonshot
Needed
Initiative
4.7
Pass a National Data
Faces Significant
Significant
Deny
Security and Privacy
Barriers to
Barriers
Protection Law
Implementation
Congressional Research Service

20

Cybersecurity: Deterrence Policy

Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
4.7.1
Pass a National Breach
Legislation
On Track
Both
Notification Law
Proposed
Operationalize
5.1
Codify the Concept of
Legislation
On Track
Both
Cybersecurity
“Systemical y Important
Introduced
with the Private
Critical Infrastructure”
Sector
5.1.1
Review and Update
Legislation
On Track
Deny
Intel igence Authorities
Proposed
to Increase Intel igence
Support to the Broader
Private Sector
5.1.2
Strengthen and Codify
Legislation
On Track
Deny
Processes for Identifying Proposed
Broader Private-Sector
Cybersecurity
Intel igence Needs and
Priorities
5.1.3
Empower Departments
Legislation
Implemented
Both
and Agencies to Serve
Passed in the
Administrative
FY2021 NDAA
Subpoenas in Support of
Threat and Asset
Response Activities
5.2
Establish and Fund a
Legislation
On Track
Both
Joint Col aborative
Proposed, E.O.
Environment for Sharing Issued
and Fusing Threat
Information
5.2.1
Expand and Standardize
E.O. Proposed
On Track
Deny
Voluntary Threat
Detection Programs
5.2.2
Pass a National Cyber
Legislation
Nearing
Both
Incident Reporting Law
Introduced
Implementation
5.2.3
Amend the Pen Register
Legislation
On Track
Deny
Trap and Trace Statute
Proposed
to Enable Better
Identification of
Malicious Actors
5.3
Strengthen an
Legislation
Implemented
Both
Integrated Cyber
Passed in the
Center within CISA and
FY2021 NDAA
Promote the Integration
of Federal Cyber
Centers
5.4
Establish a Joint Cyber
Legislation
Implemented
Deny
Planning Cel in CISA
Passed in the
FY2021 NDAA
5.4.1
Institutionalize
Legislation
Implemented
Both
Department of Defense
Passed in the
Participation in Public-
FY2021 NDAA
Private Cybersecurity
Initiatives
Congressional Research Service

21

Cybersecurity: Deterrence Policy

Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
5.4.2
Expand Cyber Defense
Executive Action On Track
Deny
Col aboration with ICT
Required
Enablers
Preserve and
6.1
Direct DOD to
Legislation
Implemented
Both
Employ Military
Conduct a Force
Passed in the
Instruments of
Structure Assessment of FY2021 NDAA
Power
the Cyber Mission
Force
6.1.1
Direct DOD to Create
Partial y
Nearing
Both
a Major Force Program
Implemented via
Implementation
Funding Category for
FY2021 NDAA
U.S. Cyber Command
6.1.2
Expand Current
Executive Action Delayed
Deny
Malware Inoculation
Required
Initiatives
6.1.3
Review Delegation of
Legislation
Implemented
Both
Authorities for Cyber
Passed in the
Operations
FY2021 NDAA
6.1.4
Reassess and Amend
E.O. Proposed
Delayed
Both
Standing Rules of
Engagement and
Standing Rules for Use
of Force for U.S. Forces
6.1.5
Cooperate with Al ies
E.O. Proposed
Nearing
Both
and Partners to Defend
Implementation
Forward
6.1.6
Require DOD to Define
Legislation
On Track
Deny
Reporting Metrics
Required
6.1.7
Assess the
Legislation
Implemented
Both
Establishment of a
Passed in the
Military Cyber Reserve
FY2021 NDAA
6.1.8
Establish Title 10
Executive Action Delayed
Both
Professors in Cyber
or Legislation
Security and Information Required
Operations
6.2
Conduct Cybersecurity
Legislation
Implemented
Deny
Vulnerability
Passed in the
Assessment of Al
FY2021 NDAA
Segments of the NC3
and NLCC Systems and
Continual y Assess
Weapon Systems’
Cyber Vulnerabilities
6.2.1
Require DIB
Partial y
Nearing
Deny
Participation in a Threat
Implemented via
Implementation
Intel igence Sharing
FY2021 NDAA
Program
6.2.2
Require Threat Hunting
Partial y
Nearing
Deny
on DIB Networks
Implemented via
Implementation
FY2021 NDAA
Congressional Research Service

22

Cybersecurity: Deterrence Policy

Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
6.2.3
Designate a Threat-
Executive Action Delayed
Deny
Hunting Capability
Required
Across the DODIN
6.2.4
Assess and Address the
Legislation
Implemented
Deny
Risk to National
Passed in the
Security Systems Posed
FY2021 NDAA
by Quantum Computing
Cybersecurity
PAN1.1
Provide SLTT
Partial y
Nearing
Deny
Lessons from the
Government and SMB
Implemented in
Implementation
Pandemic
IT Modernization
the IIJA
Grants
PAN1.2
Pass an Internet of
Partial y
On Track
Deny
Things Security Law
Implemented in
the FY2021
NDAA
PAN1.3
Support Nonprofits that Legislation
Delayed
Deny
Assist Law
Proposed
Enforcement’s
Cybercrime and Victim
Support Efforts
PAN1.4
Increase NGO Capacity
Legislation
Delayed
Both
to Identify and Counter
Proposed
Foreign Disinformation
and Influence Campaigns
PAN1.4.1
Establish the Social
Authorized
Nearing
Both
Media Data and Threat
Implementation
Analysis Center
National Cyber
NCD1
Establish and National
Legislation
Implemented
Both
Director
Cyber Director
Passed in the
FY2021 NDAA
Growing a
WF1
Establish Leadership and E.O. Proposed
Delayed
Both
Stronger Federal
Coordination Structures
Cyber
Workforce
WF2
Properly Identify and
E.O. Proposed
Delayed
Both
Utilize Cyber-Specific
Occupational
Classifications
WF3
Develop
Legislation
On Track
Both
Apprenticeships
Introduced
WF4
Improve Cybersecurity
Legislation
Implemented
Deny
for K-12 Schools
Passed
WF5
Provide Work-Based
E.O. Proposed
Delayed
Deny
Learning via Volunteer
Clinics
WF6
Improve Pay
E.O. Proposed
Delayed
Both
Flexibility/Hiring
Authority
WF7
Incentivize Cyber
Legislation
On Track
Both
Workforce Research
Proposed
Congressional Research Service

23

Cybersecurity: Deterrence Policy

Deter or
Pillar
Rec. #
Recommendation
Status
Assessment
Deny
WF8
Mitigate Retention
Legislation
Delayed
Both
Barriers and Invest in
Proposed
DEI in Recruiting
Congressional Research Service

24

Cybersecurity: Deterrence Policy

Building a
SC1
Develop and Implement
In Process
Nearing
Deny
Trusted ICT
an ICT Industrial Base
Implementation
Supply Chain
Strategy
SC2
Identify Key ICT
In Process
Nearing
Deny
technologies and
Implementation
materials
SC3
Conduct a Study on the
Legislation
Nearing
Deny
Viability of and
Engrossed
Implementation
Designate Critical
Technology Clusters
SC3.1
Provide R&D Funding
Appropriations
On Track
Deny
for Critical
Needed
Technologies
SC3.2
Incentivize the
Legislation
On Track
Both
Movement of Critical
Proposed
Chip and Technology
Manufacturing out of
China
SC3.3
Conduct a Study on a
Legislation
On Track
Deny
National Security
Proposed
Investment Corporation
SC4
Designate a Lead
In Process
Nearing
Deny
Agency for ICT Supply
Implementation
Chain Risk
SC4.1
Establish a National
Legislation
On Track
Both
Supply Chain
Proposed
Intel igence Center
SC4.2
Fund Critical
Legislation
On Track
Deny
Technology Security
Proposed
Centers
SC5
Incentivize Open and
Executive Action Delayed
Both
Interoperable Standards
Needed
and Release More Mid-
Band Spectrum
SC5.1
Develop a Digital Risk
Executive Action On Track
Deny
Impact Assessment for
Needed
International Partners
for Telecommunications
Infrastructure Projects
SC5.2
Ensure That the EXIM,
Legislation
On Track
Deny
DFC, and USTDA Can
Proposed
Compete with Chinese
State-Owned and State-
Backed Enterprises
SC5.3
Develop a List of
Legislation
On Track
Deny
Contractors and
Proposed
Vendors Prohibited
from Implementing
Development Projects
Source: CRS analysis of Cyberspace Solarium Commission, “2021 Annual Report on Implementation,” report,
August 2021, at https://drive.google.com/file/d/19V7Yfc5fvEE6dGIoU_7bidLRf5OvV2__/view.
Congressional Research Service
R47011 · VERSION 1 · NEW
25

Cybersecurity: Deterrence Policy

Notes: The fol owing abbreviations are used in the table: National Cyber Director (NCD); Fiscal Year (FY);
National Defense Authorization Act (NDAA); Executive Order (E.O.); Infrastructure Investment and Jobs Act
(IIJA, P.L. 117-58); National Institute of Standards and Technology (NIST); Information Technology (IT); Smal
and Medium-Sized Businesses (SMB); State, Local, Tribal, and Territorial (SLTT); Information and
Communications Technology (ICT); Research and Development (R&D); Cybersecurity and Infrastructure
Security Agency (CISA); Department of Defense (DOD); Nuclear Command, Control, and Communications
(NC3); National Leadership Command Capabilities (NLCC); Defense Industrial Base (DIB); DOD Information
Network (DODIN); Nongovernmental Organization (NGO); Diversity, Equity, and Inclusion (DEI); Export-
Import Bank of the United States (EXIM); U.S. International Development Finance Corporation (DFC); and
United States Trade and Development Agency (USTDA).

Author Information

Chris Jaikaran

Analyst in Cybersecurity Policy

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should n ot be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material.

Congressional Research Service
R47011 · VERSION 1 · NEW
26

Download PDF

Download EPUB

Revision History

Jan. 18, 2022

HTML · PDF

Metadata

Topic areas

Foreign Affairs

Intelligence and National Security

National Defense

Report Type: CRS Report

Source: CRSReports.Congress.gov

Raw Metadata: JSON