State Responsibility and Cyber Deterrence
Identifying state strategies designed to deter sub-threshold malicious cyber behaviour, focusing on protecting Critical National Infrastructure from cyber threats.
Western governments have increasingly strengthened cyber deterrence strategies to counter malicious cyber activities from both state and non-state actors. These measures include the EU’s cyber diplomacy toolbox, national attribution frameworks, joint public attributions, sanctions against state-sponsored individuals, and cross-jurisdictional cyber cooperation. However, doubts remain about their effectiveness.
Despite efforts, cyber deterrence strategies have largely fallen short. The Volt Typhoon case highlights how adversaries continue to infiltrate critical infrastructure networks. Sanctions on state-affiliated individuals and groups remain insufficient due to outdated legal frameworks and overly individualised consequences. Moreover, only a few states have publicly articulated their cyber deterrence strategies.
To strengthen cyber deterrence, states must close existing gaps and uphold their UN commitments to responsible state behaviour. Fresh policy thinking is needed to enhance accountability and effectiveness. While Western states aim for harmonisation, a broader international consensus remains elusive, weakening overall deterrence efforts.
Project sponsor
This project is sponsored by Microsoft
Aims and objectives
The project explores how states can deter malicious state-sponsored or affiliated cyber activity targeting critical infrastructure. The research focuses on up to four NATO member states and allies, using a three-step approach:
- Assessing Effectiveness Identifying which state-led deterrence measures have been most successful in countering malicious cyber behaviour.
 - Learning from Other Regimes Examining how lessons from other deterrence frameworks can be integrated into cyber policy.
 - Providing Policy Recommendations – Offering actionable insights to policymakers on enhancing cyber deterrence strategies.
Emphasising critical infrastructure is essential considering the growing risk posed by adversaries establishing a presence in key sectors. This approach promotes a comprehensive understanding of cyber deterrence that encompasses both physical and informational dimensions.
Rather than treating cyber deterrence in isolation, this research project integrates it with broader statecraft tools. Additionally, it explores how lessons from other deterrence regimes can shape future research and policy responses.
Primary objectives
- Strengthen the evidence base and foster debate on cyber deterrence.
- Inform policymakers about the effectiveness of current and potential deterrence mechanisms.
- Examine public and private sector perspectives on imposing costs for cyber activities below the armed conflict threshold.