Cyber deterrence has become a buzzword in national security, but in my opinion, it is a concept that still lacks teeth in most ways. The idea is simple: stop an adversary from launching cyber attacks through a combination of denial and punishment or better still, make it costly enough that they think twice before trying. But despite all the talk, state-sponsored cyber attacks have only become more frequent, more sophisticated, and more disruptive. That tells us something important: what we call “cyber deterrence” today isn’t actually working.
I’ve spent a lot of time thinking about why, and have come to a momentary conclusion that we’re trying to apply an old-world concept to a battlefield that doesn’t play by the same rules. I’d even argue that we still don’t fully understand the role of cyber warfare in the broader landscape of modern conflict. Traditional deterrence like the kind we saw in the Cold War was built on nuclear threats, military might, and visible consequences. In cyberspace, the rules are different. There’s no clear attribution most of the time, there’s no instant retaliation because cyber attacks are often discovered months after they’ve done their damage, and worst of all, there’s no universally accepted red line that forces a response.
Take Russia’s cyber operations against the West. Moscow isn’t just hacking out of curiosity. It is using cyber attacks as a tool of political warfare, economic disruption, and military strategy. The SolarWinds attack, where Russian intelligence compromised major U.S. government agencies, was a textbook example of cyber espionage at an unprecedented scale. Did it trigger any real retaliation? Not really. The U.S. responded with sanctions and diplomatic warnings, but that hardly deterred Russia from further cyber aggression. Why? Because these kinds of attacks are low-risk and high-reward for an adversary like Russia.
China plays the game differently. Instead of blunt-force cyber attacks, China focuses on long-term espionage and economic theft. The Volt Typhoon campaign, for instance, as advised by CISA in Alert CodeAA24-038A has quietly infiltrated U.S. critical infrastructure, likely pre-positioning malware that could be used in future conflicts. It’s not just about stealing information, it’s about gaining strategic leverage in a potential U.S.-China showdown. If China were deterred, it wouldn’t be investing so heavily in these kinds of operations.
And then there’s Iran, which has taken cyber attacks in a more asymmetric direction, using them as part of its broader proxy conflicts. When Iranian networks were hit by Stuxnet, Tehran didn’t just sit back and accept it. It adapted. Iranian-backed hackers have since targeted U.S. banks, infrastructure, and even Israeli water systems. That’s the reality of cyber deterrence: it doesn’t stop attacks; it just changes how adversaries operate.
So why is deterrence failing? One of the biggest issues is attribution. In nuclear deterrence, if a missile is launched, everyone knows exactly where it came from. In cyberspace, even if security analysts can trace an attack back to a nation-state, proving it in a way that justifies a decisive response is incredibly difficult. The ambiguity creates plausible deniability, which nation-states exploit. It’s why Russia can interfere in elections and China can steal trade secrets without facing major repercussions. Another challenge is response asymmetry. If a country suffers a major cyber attack, what should its response be? A counter-cyber operation? Economic sanctions? A military strike? Unlike traditional warfare, there’s no universally accepted way to escalate or retaliate. Some cyber attacks get met with a shrug, others with legal indictments that hardly scare anyone. Even when the U.S. takes action—like the DOJ publicly charging Chinese and Russian hackers—it’s a symbolic move, not a deterrent.
Then there’s the cost-benefit problem. For many state actors, the benefits of cyber operations outweigh the risks. If stealing blueprints for a next-generation fighter jet or infiltrating a power grid gives an adversary a strategic advantage, they will continue to do it—because the worst-case scenario for them is usually just a diplomatic protest or a few targeted sanctions. Cyber deterrence isn’t credible when there’s no real consequence that outweighs the reward.
So what’s the way forward? It starts with shifting away from an overreliance on retaliation and instead focusing on denial and resilience. If adversaries find it significantly harder to penetrate networks, manipulate supply chains, or pre-position attacks, the cost-benefit equation changes. Hardening critical infrastructure, investing in threat detection, and most importantly enforcing stronger public-private security partnerships need to be prioritized.
However, we also can’t ignore offensive deterrence. The U.S. has the capability to respond aggressively to cyber threats, but there’s still hesitation to fully integrate cyber retaliation into national defense strategy. That has to change. If a nation-state like China or Russia knows that their cyber infrastructure could be compromised in retaliation, they might think twice before escalating their operations. But for that to work, deterrence has to be credible, public, and immediate. Not just backroom diplomacy and classified warnings.
At the end of the day, cyber deterrence is only as strong as a nation’s willingness to act. Right now, I do not believe that adversaries take it seriously because they’ve seen time and again that cyber aggression doesn’t invite real consequences. Until that changes, deterrence will remain a theory. one that state-sponsored hackers will keep exploiting, while analysts like me keep debating whether it even exists.
USS Carl Vinson enters Busan Port as deterrence measure against North Korea(Photo: Reuters)