Title: Analytic framework for the United States cyber deterrence strategy. Final draft, 2nd submission (20 May 2015]

If the United States (U.S.) government allows cyberattacks to continue on their current trajectory of increased frequency and effect, the bonds holding our society together will be jeopardized, potentially impacting the survival of our society as we know it. Actions must be taken not only to defend against, but also to deter future cyberattacks. To achieve a credible and actionable U.S. Cyber Deterrence Strategy, the following three lines of effort are recommended for implementation by the White House: 1. Add a sixth priority to the Obama Administration's current cyberspace priorities to state: "Advance our cyber response policies and capabilities to further protect the country's national interests by deterring attacks within cyberspace." 2. Adopt the proposed Cyber Deterrence Analytic Framework as a guide for policy makers to use when determining the appropriate response to a cyberattack. 3. Implement the proposed Presidential Policy Directive outlining the United States' deterrence policy for cyber. These recommendations for establishing a U.S. Cyber Deterrence Strategy address the following key findings: As the U.S. private sector owns and operates over 90% of all of the networks and infrastructure of cyberspace, an effective policy must be communicated clearly across the government, business enterprise, and most importantly, to the people; More so than any time in our nation's history, individuals, companies, and organizations depend on cyberspace for uses ranging from social interactions to sustaining democracy; Threats existing within the cyber domain have grown both in attack vector complexity and societal impact; and, The current Presidential Executive Orders and Policy Directives related to cyber deterrence do not include a strategy for deterring attacks. The concepts presented in this paper were derived from interviews with experts in subjects ranging from deterrence philosophy, nuclear weapons implementation, U.S. cyber operations, and U.S. cyber policy. In addition, theories on deterrence strategies are explored, ranging from the 1960s to present to develop a deterrence strategy unique to cyber. Lastly, recent examples of cyberattacks are examined to provide evidence for the need to establish consequences for those individuals or countries that continue to behave nefariously within cyberspace. To form a strong foundation for a U.S. Cyber Deterrence Strategy, the U.S. must establish and clearly articulate the consequences for nations or individuals if they choose to initiate a cyberattack on the U.S. or its national interests.