Can Stronger Accountability Measures Deter Cyber-Attacks?
This question was the focus of a workshop recently convened in Brussels by the EU Institute for Security Studies/EU Cyber Direct and co-facilitated by the Stimson Center’s Cyber Program.
The scale of cyber operations today has reached unprecedented levels, with state-sponsored actors, criminal syndicates, and independent hackers launching increasingly sophisticated attacks against critical infrastructure, financial systems, and government networks worldwide. These operations can compromise sensitive data affecting millions of individuals, disrupt essential services, and even potentially manipulate democratic processes or disable military capabilities. A strong deterrent response has become necessary because traditional defensive measures alone are insufficient against persistent and evolving threats.
Yet there is a long-running debate in the cybersecurity and cyber policy communities about the wisdom and practicality of attempting to apply traditional concepts of deterrence to the cyber domain. While this was initially a popular approach, especially among academic and policy experts, over time it has become clear that several prevalent characteristics of cyber operations and capabilities—such as deniability and challenges of attribution, persistence of threats, and the rapid pace of technological development and tactical adaptation among threat actors—have all seemingly conspired to make traditional approaches to deterrence more difficult, insufficient, or irrelevant. Nonetheless, it is increasingly understood by public and private actors alike that the sheer volume and severity of cyber threats necessitate greater action to prevent them.
With this objective in mind, the Stimson Center’s Cyber Program has launched a new project focusing specifically on “cyber deterrence,” building on its previous project on Advancing Accountability in Cyberspace: Models, Mechanisms, and Multistakeholder Approaches (Stimson 2024). The continuity across these two projects speaks to the deep interlinkages between the concepts of accountability and deterrence, which is also why these two concepts are part of a unified “Accountability and Deterrence Workstream” for the European Cyber Agora planned for the fall of 2025.
As a part of that workstream, Stimson’s Cyber Program has partnered with Microsoft and collaborated with EU Cyber Direct for a series of two multi-stakeholder workshops to discuss more effective approaches to discouraging and deterring the irresponsible use of cyber capabilities, and forging a more nuanced understanding across the cyber policy community of what makes for an effective deterrence policy.
Global and Actor-Specific Perspectives on Cyber Accountability and Deterrence Workshop
The first workshop took place in Brussels on March 26, 2025, and included participants from the European Union, its member states, industry, academia, and civil society. Some of the major takeaways and themes from the workshop included:
- “Global and Actor-Specific Perspectives on Accountability and Deterrence,” with expert presentations and comments on regional perspectives about cyber accountability in Latin America and the Indo-Pacific, as well as Europe. Context matters – cyber accountability is shaped by historical experiences, economic development, and differentiated threat perceptions.
- Deterrence and accountability must be understood through an actor-specific lens because of the different threats faced by different parties, and/or due to differences in how threats are perceived.
- Different threat actors may require starkly different approaches to deterrence, depending on their unique values, goals, and tactics, techniques, and procedures (TTPs).
- Different types of actors may be more or less receptive to different approaches, from security-centric tools and approaches, including military action on the higher end of the threat spectrum, to legal regulations and other financial and market incentives for industry actors, to informal or semiformal normative commitments, for example, agreement to industry best practices, on the softer end of the spectrum.
- There is a need to look at trends and patterns of behavior in cyberspace rather than over-fixating on individual incidents. Cyber threats are most often part of concerted, longer-running campaigns designed to create and exploit vulnerabilities over time and can thus have quite severe cumulative effects even if individual incidents or attacks are relatively marginal in terms of their immediate effects.
- Greater cohesion across national approaches to accountability and deterrence can facilitate greater collective action to deter unwanted and irresponsible behavior. A major challenge for accountability and deterrence is the lack of consistent or compatible understandings and interpretations of legal concepts and terms, as well as different standards of evidence and procedure for how that evidence can be presented in court or shared across jurisdictions. For example, if a threat-actor is found to be operating from the territory of another state, the victim must be able to present an acceptable form of technical attribution, including the requisite evidence, in order to pursue legal recourse. This is further impeded by the absence of clear agreement on standards of evidence and procedure across different jurisdictions.
- It was stressed by some that public attributions should be made based on common definitions and legal or normative frameworks and to clearly and consistently call out the specific violations of rules and norms in order to lend greater deterrence potential to those rules and norms. It would also be of benefit to attribute patterns of behavior, rather than only specific incidents, and to impose some form of consequences for proscribed behaviors.
- The ‘toolbox’ of political, legal, and technical consequences or costs was discussed. This could, for example, include countermeasures in the cyber domain; however, a more comprehensive approach to deterrence, including diplomatic and economic sanctions and even military action, may be necessary. Measures taken to impose costs should fulfill all relevant obligations to international law and norms of responsible behavior.
Both sessions in the workshop were moderated by Stimson’s Allison Pytlak. Stimson’s James Siebens provided opening remarks for the second session, which focused on “strengthening deterrence.”
