Introduction

The United States government has long sought to effectively deter (or stop) cyberattacks and to respond to attacks in a manner that prevents future ones. Both goals have appeared elusive as the frequency of cyberattacks, from petty to significant, have increased over time.¹ These attacks show that deterrence is difficult to achieve in cyberspace. There are nuances surrounding cyberattacks that invert previous notions of deterrence policy. Despite challenges, many regard deterrence as a necessary step to establishing order for cyberspace operations, and as a building block for future actions, and policymakers continue to pursue a strategy of deterrence for cyberspace and cyberattack. This report analyzes the strategy of deterrence in relation to cyberattacks and discusses options Congress may pursue in advancing deterrence policy.

In March 2020 the Cyberspace Solarium Commission (Commission) launched its report advocating for a "layered cyber deterrence" strategic approach for cybersecurity.² As the second anniversary of the Commission's report approaches, policymakers may seek to examine a deterrence strategy in light of recent advancements in cybersecurity policy and recently evolved cyberattacks.

While this report discusses deterrence policy strategically, it does not discuss in depth potential capabilities related to deterring cyberattack. Policies surrounding the use of instruments of national power (e.g., diplomacy, intelligence activities, armed forces, and sanctions) are not significantly discussed in this report.³ Types of attacks also are not discussed in this report, as deterrence policy is intended to apply broadly to all types of attacks.⁴

The Cyberspace Solarium Commission

The John. S. McCain National Defense Authorization Act for Fiscal Year 2019 (FY2019 NDAA, P.L. 115-232) established the Cyberspace Solarium Commission (Section 1652) to develop approaches to defend the United States against significant cyberattacks. The FY2019 NDAA expressly directed the Commission to examine policies around norms, denial, and deterrence. The statute directed the Commission:

To review and make determinations on the difficult choices present within such options, among them what norms-based regimes the United States should seek to establish, how the United States should enforce such norms, how much damage the United States should be willing to incur in a deterrence or persistent denial strategy, what attacks warrant response in a deterrence or persistent denial strategy, and how the United States can best execute these strategies.

In its final report, the Commission advocated for a strategic approach of layered cyber deterrence and promoted three ways to achieve this end state.

• Shape Behavior—working with partners to influence how parties act in cyberspace.
• Deny Benefits—securing critical networks (e.g., infrastructures and governments) and working to create systemic security and resiliency in cyberspace.
• Impose Costs—retaliating against malicious actors who use cyberspace to harm the United States.

The Commission viewed "deterrence [as] an enduring American strategy."⁵ In the Commission's view, deterrence is about imposing costs on adversaries. Within the confines of the report, the Commission saw deterrence incorporating two concepts. First, the Commission acknowledges that many of their recommendations are designed to achieve deterrence through denial—that is, improving defense so to make it more expensive for adversaries to carry out attacks. Second, the strategy promotes defending forward—that is, continually detecting, hunting, and opposing adverse behavior in cyberspace to increase their costs of operating.

Since the report's release, the Commission has published additional white papers, legislative proposals, and a progress report. The Commission recommended 109 actions in those documents that Congress and the President could take to implement this strategic approach. A list of the recommendations and their status can be found in the Appendix. Using descriptions of denial and deterrence (found in "Deterrence Factors" section) the recommendations are analyzed and arranged according to their ability to enable strategies of denial, deterrence, or both. Table 1 provides a count of the recommendations by their implementation status (i.e., some action taken by the President or Congress) and strategy categorization.

Examining the distribution and status of recommendations, the lower number of deterrence-related recommendations and their comparative lack of implementation stands out. This may be because of the relative difficulty of implementing deterrence policy, which is discussed in the "Response Options" section of this report. It may also be because denial strategies are more direct and Congress has experience addressing those types of activities.

For instance, some denial activities that have been implemented through recently enacted legislation seek to strengthen the authorities of the Cybersecurity and Infrastructure Security Agency (CISA)⁶ and address a perceived gap in national cybersecurity resiliency by improving kindergarten to high school cybersecurity capabilities.⁷ In addition, the Fiscal Year 2022 National Defense Authorization Act included provisions pertaining to vulnerability identification (Section 1544) and information sharing (Section 1548).⁸ In these examples, Congress passed legislation implementing one or more of the Commission's recommendations, and in both sets of examples the recommendations affected domestic actors for which legislation or executive action is directly effective.

Some recommendations—such as those related to exercises—may enable both strategies. Exercises may promote denial (i.e., hindering or preventing an adversary from launching successful attacks) by building partner confidence in capabilities and use of those capabilities so that further coordinated actions are possible. Exercises may also promote deterrence (i.e., influencing adversaries' behaviors) by showing cyber operation capabilities in an effort to highlight that the capabilities will outmatch an opponent's.⁹

Deterrence Factors

While Congress and the President have pursued policies of deterrence in cyberspace, their actions to date have primarily focused on denying adversarial actions. At times, this focus is intentional; the Department of Defense's (DOD) strategy of "persistent engagement" seeks to occupy adversaries and deny them the time and resources to carry out attacks.¹⁰ At times, it is consequential, such as pursuing strategies to impose costs on adversaries, thus denying gains of attacks or resources for future attacks. Because of this historical prominence of implementing denial strategies, it may be helpful to consider deterrence policy contrasted against denial policy for context and comparison.

Denial and deterrence cybersecurity strategies are different approaches to achieve the same goal: a safer digital environment. These strategies are not mutually exclusive. As seen by the Commission's recommendations, particular activities can serve both strategies, and combining activities can have a multiplier effect on the actions.

Generally, for cybersecurity, denial strategies seek to improve technology, processes, and practices over something in one's own control so that despite an adversary's efforts, their success rate is low. Deterrence strategies seek to affect the behavior of other individuals or entities—stopping them from engaging in an unwanted activity. The DOD developed descriptions of "denial" and "deterrence," which are used in this report in the context of cybersecurity to categorize activities and provide a framework for discussing policy options.

The definition of denial can be interpreted as stopping the adversary from using something. For this interpretation, many potential cybersecurity activities satisfy the definition. For example, disrupting an adversary's internet infrastructure (e.g., a botnet¹³) inhibits their malicious use of cyberspace as a domain, and proper configuration and maintenance of one's own information and communications technology (ICT) denies an adversary the opportunity to exploit it. Unique to this interpretation is the focus not on the adversaries themselves, but instead on the things they seek to exploit (e.g., unpatched ICT).

The definition of deterrence can be interpreted as influencing the adversary in such a way as to prevent their engaging in malicious behavior. In this model, deterrence relies on norms and demonstrated capabilities. Nations will need to understand what other nations consider acceptable versus unacceptable (violating) behaviors, a government will need capabilities to influence the behavior of other governments as well as non-state actors, other nations will need to believe that the capabilities will be used, and the government's intentions will need to be messaged to potential adversaries. It is arguable that for cyberspace, these conditions are nascent or do not exist.

Conventional deterrence policy relies on a few conditions: there is a high cost to develop, maintain, and use certain offensive capabilities; there are a limited set of actors with those capabilities; if actors choose to use the capabilities, then they will incur known consequences; and there is a history of norms compliance upon which to rely.¹⁴

Cyberspace arguable is characterized by the inverse of those conditions: the cost of entry for potential malicious actors is low; there are many potential malicious actors to address (both state and non-state); the retaliatory consequences for successful cyberattacks are ambiguous or unknown; and there is not a long history of norms compliance.

It is for this reason that some suggest that deterrence in cyberspace is not a viable strategy.¹⁵ The Commission recognized that Cold War-era analogies of deterrence are likely not applicable in cyberspace, yet considered that some form of deterrence may be achievable, especially through improved security measures and behavior shaping.¹⁶

For deterrence activities, it is important to consider non-cyberspace-based responses to cyberspace-based incidents. Cybersecurity experts can help identify and frame issues to consider when examining deterrence strategies, but the range of activities available to government agencies to influence adversaries is far greater than those within the cybersecurity field. Experts across fields will be necessary to provide multidisciplinary solutions for effective deterrence strategies. Experts to consider consulting when drafting deterrence actions include those for specific countries (e.g., Russia, China, North Korea and Iran)¹⁷ and experts in the capabilities policymakers are seeking to employ (e.g., diplomatic, intelligence, military, or economic). This position is reinforced by cybersecurity experts who view cyberattacks as a challenge for the computer science community, but for which solutions cannot be purely technical.¹⁸

It has long been the policy of the United States government that responses to cyberattacks will be proportional, but may not be limited to cyberspace operations only.¹⁹ Experts believe that the U.S. government has not fully embraced this posture, but doing so may be necessary to deter future cyberattacks.²⁰

Limits Related to Cyber-Only Responses to Cyberattacks

Some Members of Congress have expressed frustration with the lack of public discourse surrounding cyberattacks and the U.S. government's response capabilities.²¹ Such discussions are frequently held in classified venues, thereby excluding public scrutiny. While this practice may limit debate, offensive cyber response capabilities are a fragile resource, and publicizing them may reduce their effectiveness.

For a government, it takes research and operational security to discover, develop, and deploy offensive cyber capabilities in a manner that allows for repeated use and covert or clandestine action. This is especially true for attacks on systems that have regimented security procedures, such as those of a foreign government agency.

The moment an attack is discovered, access to the breached systems may start to disappear, evidence may be collected that attributes the attack to those behind it, and additional operations they have may become vulnerable, especially if they shared operational infrastructure or techniques, tactics or procedures. In the event that the United States were to have its capabilities disclosed as part of public discourse, it too may lose the ability to use those capabilities.

For the public debate on capabilities, it is also important to consider the difference between conventional weapons and offensive cyber capabilities. Conventional weapons are developed for use in a domain. Defending against those weapons may also use some other tool applied in that domain. For example, a ballistic missile may be intercepted by an anti-ballistic missile system in the air before it hits the intended target.²² However, an offensive cyber capability usually exploits a weakness against the domain—or a weakness against a system or network itself in cyberspace. Thus, defending against a cyberattack may include the development and use of a new tool, or patching an existing system to mitigate the effect of an offensive cyber tool.

Norms

"Norms," some experts assert, "can be understood as rules for behaving that forbid or encourage certain activities."²³ A challenge to normative behavior in cyberspace is that cyberspace is a domain where behaviors occur, and cyberspace operations are tools of national power that nations may choose to employ. As Congress examines cyberattacks and responses to them, it may be helpful to consider the duality that cyberspace is both a domain and a capability. For example, cyberattacks can occur within cyberspace (e.g., data and identity theft attacks) and can occur against cyberspace itself (e.g., attacks against cloud service providers). In both types of attacks information and communications technology (ICT) is used and harmed, and it is that harm that nations may seek to curtail with norms.

The development of norms in the context of deterring cyberattacks is further complicated by the fact that cyber operations can occur across the entire spectrum of conflict ranging from localized, nonviolent incidents to far more consequential events with potentially national consequences. As shown in Figure 1, the Office of the Director of National Intelligence sees cyber operations as spanning the full range of such incidents.

Figure 1. Spectrum of Conflict

Source: Adapted from Director of National Intelligence, Global Trends 2040: A More Contested World, March 2021, at https://www.dni.gov/files/ODNI/documents/assessments/GlobalTrends_2040.pdf. Notes: WMD=Weapons of Mass Destruction.

Aggressive nations may explore the use of limited cyberspace operations as an alternative to other types of attacks and opt to use cyberattacks as a tool to reduce other forms of conflict. Cyberspace operations may be adopted by adversarial nations if they believe that victim nations will adhere to a norm that responses to aggression be proportional. If aggressive nations pursue this strategy, it is likely that cyberattacks will increase in frequency as a tool in the lower spectrum of attacks.²⁴ This strategy would seek to force proportional (i.e., cyber) response from victim nations and seek to inhibit the use of other instruments of national power.

For example, it is not normative for military capabilities to be used in response to criminal activity. However, repeated cyberattacks have led policymakers to explore novel uses of capabilities as adversaries have escalated attacks and the impacts of those attacks have become more severe. One such case is the combatting of ransomware, which has the effect of degrading U.S. infrastructure in a way that may result in the endangerment of civilian populations (e.g., a ransomware attack against a hospital).²⁵ In response, decisionmakers have employed military capabilities to learn about ransomware gangs and move against them.²⁶

Cyberattacks may increase because nations view cyberspace as a novel operational domain without established rules of engagement. In such a lax environment, opportunities to test techniques, tactics, and procedures are plentiful both for attacks and responses. The National Intelligence Council assessed the outlook for international norms.²⁷ That assessment placed norms on a spectrum:

• Norms least likely to be contested are those that are broadly accepted by nations and for which violations are widely condemned (e.g., national sovereignty).
• Norms likely to experience regional variations are those where their acceptance is not broad (e.g., environmental protections).
• Norms at risk of weakening are those for which a major national power has already breached it or for which implementation has been curtailed (e.g., open commerce).
• Norms in early development are those not fully agreed to, not widely accepted, or for which a future is unclear (e.g., cybersecurity).²⁸

Concurrently, two United Nations working groups have developed a common set of norms for responsible state behavior in cyberspace. The first is the Group of Governmental Experts on the Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). It is the older and smaller of the two with 25 member nations. The second group is the Open-Ended Working Group (OEWG), which is newer and larger and includes any interested nation. Russia was an original sponsor of this group, despite the existence of the GGE. The United States was an original supporter of the GGE and participated in the OEWG discussions.

In 2015, the GGE published a note where the group agreed to 11 norms.²⁹ In 2021, the OEWG released their final substantive report reinforcing those same 11 norms.³⁰ These norms for responsible state behavior in cyberspace are

• 1. Nations agree to cooperate;
• 2. Nations will consider all source information when making claims of attribution;
• 3. Nations will not knowingly allow their territory to be used to conduct cyberattacks;
• 4. Nations will share information;
• 5. Nations will respect human rights and secure ICTs to do so;
• 6. Nations will not knowingly use ICT to damage critical infrastructure;
• 7. Nations will appropriately protect their own critical infrastructure;
• 8. Nations will respond to requests for assistance from other nations;
• 9. Nations will take steps to secure supply chains;
• 10. Nations will support the reporting of vulnerabilities; and
• 11. Nations will not attack computer emergency response teams.

Relative to other international norms—such as those related to national sovereignty and defense—cybersecurity norms are in early development and adoption. It remains to be seen how nations will operate within those norms.³¹

The U.S. government has already taken overt actions in support of some of these norms. For example, the U.S. Intelligence Community published a white paper on attributing cyberattacks that takes into consideration open-source information.³² Federal agencies have launched efforts for supply chain security and vulnerability disclosure.³³ Congress has directed federal agencies to engage partner nations for cybersecurity and increase information sharing activities.³⁴

The U.N.'s ICT security efforts have been following a dual path of security fields. The first field addresses demilitarization, de-escalation, and prevention as they relate to nation-state actors. That is the field under which these 11 norms were developed. The second field is on cybercrime and non-state actors. Russia proposed a U.N. resolution to establish an ad-hoc group to address cybercrime and state sovereignty, which was agreed to by the General Assembly.³⁵ Some observers believe this is an effort to replace the existing order on international cybercrime and internet freedoms.³⁶

Regardless of a nation's intentions behind engaging in norms-setting activities, many nations agree that norms development is a worthy pursuit. While development is occurring, it is important to consider that these efforts are the beginning of a lengthy process. It takes time for norms to be developed and agreed to. It takes even more time for states to change their behavior and the norms to become common practice. Despite the far-off potential for return on investment, experts believe that norms are a vital pursuit, necessary for peaceful operations in cyberspace.³⁷

Response Options

Certainly, having the ability to determine perpetrators is a key element to deterrence. If perpetrators believed that they would never be identified, then they would not have to fear retaliatory action. Historically, barriers to effective response have included the difficulty in adequately attributing cyberattacks, the time it takes to do so, and the availability of information for public discussion related to attribution. However, the U.S. government has recently released information on a slew of cyberattacks, attributing them not just to nations or criminal organizations, but to individuals. The government has decreased the time it takes to make these attributions and has also made public the information agencies used to determine potentially guilty parties. A further discussion of attribution can be found in CRS Report R46974, Cybersecurity: Selected Cyberattacks, 2012-2021, by Chris Jaikaran. While work remains to improve confidence in attribution and decrease the time it takes to attribute attacks, it appears that attribution is no longer the barrier it used to be.

Having a level of attribution is a key step in responding to cyberattacks. But once a nation has confidence in potential perpetrators, the nation will need to decide if tools will be employed against those perpetrators, which tools against which perpetrators, and for how long.

Identifying a slate of options that nations intend to use in response to cyberattacks serves two potential purposes: (1) it signals to adversaries the actions victim nations are prepared to engage in to retaliate for attacks; and (2) it publicizes the options for its citizens so that they may debate with their elected leaders the appropriateness and suitability of those options. A long-standing criticism of cyberattack response in the United States is that the federal government has not revealed its menu of options. This is despite both congressional³⁸ and executive³⁹ direction to the U.S. Department of State to report on cyberspace policy.

The State Department has issued papers discussing elements of the policies but has generally not discussed specific retaliatory options publicly.⁴⁰ Some have argued that limiting public information about exact plans allows the United States to remain agile in its response.⁴¹ While discussing specific and technical responses to cyberattacks with offensive cyber capabilities may be challenging, a general discussion of tools available to the U.S. government and conditions under which certain tools may be deployed is not. The National Cyber Director, Chris Inglis, acknowledged the importance of all instruments of national power when bringing accountability to cyberspace, as well as the utility of the National Security Council in coordinating those tools:⁴²

The role of the national security council, which outside of cyberspace is accountable to use all the instruments of power that this nation can bring to bear—diplomacy, intelligence, military resources, financial resources, sanctions that might be applied—to bring about the proper conditions in all domains, not least of which [is] cyberspace.

Other governments have generally shown a willingness to more openly discuss options to respond to cyberattacks. The European Union (EU) developed the "Cyber Diplomacy Toolbox" to list and describe actions the EU may take in response to cyberattacks, depending on the level of confidence in attribution a victim member state has in the perpetrator, and the level of coordination necessary to effectively implement the action. Figure 2 list the actions in the Cyber Diplomacy Toolbox. The policy is still relatively new and how the EU chooses to adhere to it in the future remains to be seen. Key elements to response certainty include having stated consequences to cyberattacks and reliably executing the actions that deliver those consequences.

Figure 2. European Union Cyber Diplomacy Toolbox Actions By Attribution Confidence

Source: Erica Moret and Patryk Pawlak, "The EU Cyber Diplomacy Toolbox: Towards a Cyber Sanctions Regime?" European Union Institute for Security Studies, July 2017, at https://www.iss.europa.eu/sites/default/files/EUISSFiles/Brief%2024%20Cyber%20sanctions.pdf. Notes: European Union (EU). High Representative for the Union for Foreign Affairs and Security Policy (HR/VP).

The existence of potential response options a nation may employ against cyberattack perpetrators need not bind that nation only to those options. As a deterrence tool, stated options can create potential fear of reprisal on the part of the attacker. Discussions on which tools may be publicly disclosed as possible responses presents an opportunity to engage the international community in norms-setting activities and developing normative behavior. Both may provide paths for increased stability in cyberspace.⁴³

Options for Congress

Over the past two years, the number of denial recommendations made by the Commission and acted upon by Congress or the President has outpaced those for dedicated deterrence activities. As discussed in "Deterrence Factors," Congress and the President have a history of pursuing and implementing strategies of denial to achieve cybersecurity.

Outstanding policy recommendations related to deterrence include

• Creating a bureau in the U.S. Department of State (nearing implementation);
• Strengthening norms of responsible state behavior in cyberspace (on track);
• Engaging in international standards setting fora (on track);
• Improving capability building and foreign assistance financing (on track);
• Developing confidence building measures (delayed);
• Leveraging sanctions and trade enforcement actions (on track); and
• Improving attribution (delayed).

These recommendations are further discussed below. Policymakers may choose to examine options to deter cyberattacks by creating government agencies to specifically address deterrence policy with allies and adversaries, advocating for the development and adoption of international norms and standards, and maturing certainty of response options.

New State Bureau

The Commission identified a challenge with addressing cyberattacks in the U.S. government; namely, that government activities are federated.⁴⁴ That is to say that agencies are independently authorized and it is at the Executive Office of the President where agency activities are regularly coordinated. The Commission recommended the creation of a National Cyber Director within the Executive Office of the President to oversee interagency activities related to national cybersecurity, which was enacted through the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021.⁴⁵

Another Commission recommendation relates to the creation of a bureau within the State Department to address cyberspace issues. Such a bureau was initiated during the Trump Administration—the Cyberspace Security and Emerging Technologies Bureau⁴⁶—to lead U.S. government diplomatic efforts on cybersecurity. The Government Accountability Office (GAO) found that its establishment was hasty and its responsibilities and relationships were ill-defined.⁴⁷ The Biden Administration halted progress on the bureau until October 2021. Secretary Blinken has since announced the creation of two new positions at the State Department to address cyber and digital concerns.⁴⁸ The first would be an ambassador-at-large heading the Bureau of Cyberspace and Digital Policy, and would focus on cybersecurity deterrence, policy, and negotiations. The second would be a Special Envoy for Critical and Emerging Technology, and would be responsible for coordinating policy with partner nations on artificial intelligence, quantum computing, and other technology-related fields. These developments came after the House of Representatives passed the Cyber Diplomacy Act of 2021 (H.R. 1251) authorizing a Bureau of International Cyberspace Policy.⁴⁹

As Congress and the Administration advance plans to create a unit within the State Department focused on cyber issues, there remain outstanding concerns that policymakers may choose to address and conduct oversight on. GAO found that the State Department did not coordinate with other federal agencies during their first effort to create a bureau, and recommended it do so going forward.⁵⁰ Other agencies play a substantial role in international discussions on cyber norms and standards, engage in operations with partner nations, and house expertise on technical matters related to cyberspace. Should the State Department proceed with independently forming and empowering a bureau, the potential for policy fragmentation and duplication of efforts may compound.⁵¹

Largely unaddressed in previous efforts to create a new bureau in State is how it would engage with partner nations (e.g., EU member states), multinational bodies researching cybersecurity (e.g., NATO's Cooperative Cyber Defence Centre of Excellence),⁵² or civil society efforts related to cybersecurity norm building (e.g., the Paris Call).⁵³ Engaging in these types of international fora provides opportunities for the United States to lead policy development and model desirable behaviors for cyberspace engagement and operations.

International Norms and Standard Setting

Two Commission recommendations address cybersecurity norms: one discusses advancing norms and the other makes suggestions around engaging international bodies on ICT standards development. These activities have the potential for the United States to model behaviors and lead the development of international order and ICT operations.

To some extent, the United States engages in these activities today. The State Department's Office of the Coordinator for Cyber Issues (S/CCI)⁵⁴ worked on developing the 11 norms of responsible state behavior in cyberspace and many federal agencies participate in international standards development activities.⁵⁵

Should policymakers choose to pursue options to advance international norms and/or the strengthening of the United States' role in norms setting, there are both existing and new opportunities to do so. Congress may choose to direct an agency to coordinate federal activities on norms setting, or provide expertise to another agency to inform norms development and advancement activities. This is commonly done for other cybersecurity activities today. For example, the Cybersecurity Act of 2015 (P.L. 114-113, Division N)⁵⁶ directed the Secretary of Homeland Security to establish a voluntary information sharing program with the private sector, but also directed the Secretary to work with the Attorney General on the procedures for participating in the information sharing program.

Congress may also choose to direct an agency to engage in norms setting fora. Despite the existence of 11 norms of responsible state behavior in cyberspace, opportunities exist to advance these principles, advance scholarship on norms, and engage nongovernmental groups on the norms. For example, two civil society groups are working on achieving peace in cyberspace—the Global Commission on the Stability of Cyberspace⁵⁷ and the Paris Call for Trust and Security in Cyberspace (Paris Call).⁵⁸ The North Atlantic Treaty Organization's (NATO) Cooperative Cyber Defence Centre of Excellence,⁵⁹ develops scholarship on cyberspace operations. Among private sector stakeholders, the Microsoft Corporation has called for government and the private sector to work together to build new norms for cyber operations, akin to the Geneva Convention.⁶⁰ U.S. agency participation in these efforts provides an opportunity for the United States to drive norm-setting activities and influence the debate.

Policymakers may also choose to have agencies engage in new activities. For example, CISA has a strategy for engaging with national governments on securing the cyberspace.⁶¹ Congress may choose to codify in law these activities and further direct CISA, or another agency like the National Institute of Standards and Technology (NIST) or the National Telecommunications and Information Administration (NTIA), to assist in ongoing norms and standards setting activities by providing technical expertise.

Options to Mature Response Capabilities

U.S. policymakers may choose to pursue a strategy of declaratory actions to deny or deter cyberattacks. The Commission made recommendations concerning attribution and use of sanctions, which may be additions to a matured response. If Congress chooses to pursue a strategy of stated and certain actions, there are existing options for activities to be outlined and described.

Congress may request that a declaratory policy be included as part of the National Security Strategy.⁶² Congress may also request this information as part of the National Cyber Strategy.⁶³ Additionally, Congress may choose to make this request independent of existing strategy documents and task an agency or the National Cyber Director with producing the federal government's list of response actions to cyberattacks. In doing so, Congress may create an additional opportunity to conduct oversight of these activities and inquire as to how often they are being used and how effective they are at deterring cyberattacks. Congress recently requested that the Secretary of Defense provide a taxonomy of cyber capabilities.⁶⁴ Such a taxonomy may serve as a model for a fuller report on broader deterrence capabilities.

Conclusion

Deterring adversarial actions in cyberspace remains challenging. There are nuances to cyberspace that complicate the ability to apply current deterrence concepts to cyberattacks. Regardless of these challenges, many regard efforts to deter cyberattacks as a necessary step to achieve stable cyberspace operations. Establishing norms, having a way to detect violations, and developing reputable options to respond to attacks all contribute to a strategy of deterrence.

Appendix. Cyberspace Solarium Commission Recommendations

Table A-1 contains the 109 recommendations from the Commission and their status.⁶⁵ Each recommendation in the table is categorized as either a deterrence or denial (or both) activity based on the definitions set forth in this report. There are five options for the assessed status of a recommendation:

• Implemented recommendations have been enacted by legislation, executive action, or agency activity;
• Nearing Implementation recommendations are in legislation or executive action that have a clear path to approval;
• On Track recommendations are partially implemented or are being considered. In many cases, the Commission has drafted an Executive Order or bill to address these recommendations, but the recommendation has not been formally considered;
• Delayed recommendations have not been rejected but do not have a policy action or vehicle for implementation; and
• Significant Barriers recommendations have received significant pushback from policymakers or have been outright rejected.