the goal of justice—an intruder should not be able to cause damage with impunity, and the penalty is a form of punishment for the intruder’s misdeeds. In addition, it sets the precedent that misdeeds can and will result in a penalty for the intruder, and it seeks to instill in future would-be intruders the fear that he or she will suffer from any misdeeds they might commit, and thus to deter such action, thereby discouraging further misdeeds.
What the nature of the penalty should be and who should impose the penalty are key questions in this regard. (Note that a penalty need not take the same form as the hostile action itself.) What counts as a sufficient attribution of hostile action to a responsible party is also a threshold issue, because imposing penalties on parties not in fact responsible for a hostile action has many negative ramifications.
For deterrence to be effective, the penalty must be one that affects the adversary’s decision-making process and changes the adversary’s cost-benefit calculus. Possible penalties in principle span a broad range, including jail time, fines, or other judicially sanctioned remedies; damage to or destruction of the information technology assets used by the perpetrator to conduct a hostile cyber operation; loss of or damage to other assets that are valuable to the perpetrator; or other actions that might damage the perpetrator’s interests.
But the appropriate choice of penalty is not separate from the party imposing the penalty. For example, the prospect that the victim of a hostile operation might undertake destructive actions against a perpetrator raises the spectre of vigilantism and easily leads to questions of accountability and/or disproportionate response.
Law enforcement authorities and the judicial system rely on federal and state law to provide penalties, but they presume the existence of a process in which a misdeed is investigated, perpetrators are prosecuted, and if found guilty are subject to penalties imposed by law. As noted in Section 4.2.3, a number of laws impose penalties for the willful conduct of hostile cyber operations. Deterrence in this context is based on the idea that a high likelihood of imposing a significant penalty for violations of such laws will deter such violations.
In a national security context, when the misdeed in question affects national security, the penalty can take the form of diplomacy such as demarches and breaks in diplomatic relations, economic actions such as trade sanctions, international law enforcement such as actions taken in international courts, nonkinetic military operations such as deploying forces as visible signs of commitment and resolve, military operations such as the use of cruise missiles against valuable adversary assets, or cyber operations launched in response.
In a cyber context, the efficacy of deterrence is an open question.