Building International Stability and Security in Cyberspace


January 2026

Recommendations to the U.S. Government

Cover photo: Adobe Stock ID 1664551169

Princeton School of International and Public Affairs Policy Workshop Report

Master in Public Affairs Program

Faculty Advisor

Teddy Nemeroff

Authors

Nadia Avianti | Adán Chávez | Charles Clouse | Ofir Cohen | Valerie Doze | Ethan Kahn | Maddie Legemah | Ryan Sung | Stefan Tobias

Executive Summary

Cyberspace has become a defining arena for global cooperation, economic opportunity, and geopolitical competition. Yet, as the cyber domain has grown, adversarial states and criminal actors have increasingly exploited it to pursue espionage, disruption, coercion, and strategic advantage. The existing policy posture of the United States, anchored in strategic ambiguity and episodic international engagement, has not kept pace with the evolving threat landscape. The framework of responsible state behavior in cyberspace establishes a solid foundation for achieving global stability and security. However, it has failed to deter persistent, low-intensity cyber operations that occur below the threshold for armed conflict but collectively amount to strategic harm. The United States must reaffirm its commitment to the framework and restore credibility in deterrence efforts, by adopting a more proactive, structured, and enforceable approach. Doing so in alignment with allies, partners, and like-minded nations is critical, given the interconnected and borderless nature of the cyber domain.

To operationalize this shift, this report puts forward three mutually reinforcing sets of recommendations: redefining U.S. leadership, establishing a Partnership for International Cyber Stability (PICS), and achieving alignment with partners. It envisions renewed U.S. leadership through the adoption of a more assertive U.S. policy posture, including a declaratory commitment to red lines and consequences; authorizing private sector active cyber defense against non-state actors; institutionalizing private sector collaboration for international engagement; and mobilizing seized crypto. Establishing PICS provides a pathway for other nations to demonstrate their commitment to responsible behavior in the form of responsible technology, infrastructure, declaratory red lines, improved attribution, and consequence imposition. Lastly, it recommends that alignment with partners be protected through enhanced cyber capacity strengthening assistance, information sharing, instant response support, and privileged vendor access. Collectively, these recommendations offer a practical pathway to transform the framework of responsible state behavior from a voluntary standard into a more enforceable system, laying the foundation for a more secure and stable cyberspace.

Tallinn Skyline (photo by Ryan Sung)

1 | Introduction

The internet was built under American leadership as a global, free, open, and interoperable network. It is an ecosystem that has democratized access to information, connected disparate populations, and expanded economic opportunity on a global scale. With technological advancement, this ecosystem has given way to cyberspace, a virtual theater for nations and societies to interact, cooperate, and compete. Today, however, malign actors seek to fragment and destabilize cyberspace.

The United States faces growing national security risks as adversarial states and sophisticated criminal groups exploit cyberspace for espionage, disruption, coercion, and economic gain. These actors threaten public safety and national resilience through pre-positioning malware, information and communications technology (ICT) backdoors, intellectual property (IP) theft, and critical infrastructure disruption. At the same time, cybercrime has endangered economic stability and public trust. From AI-enabled influence campaigns conducted by China in Southeast Asia and persistent Russian attacks on Ukrainian telecommunications networks, to North Korean cryptocurrency theft and Iranian-backed actors disrupting Albanian government networks, malign actors exploit cyberspace to weaken social cohesion, distort information environments, and drain the resources of democratic governments worldwide.

This report examines these challenges against the context of an increasingly polarized international environment and offers concrete recommendations for strengthening U.S. strategy. It recommends making the UN framework of responsible state behavior in cyberspace enforceable through the adoption of a more assertive U.S. policy posture and encouraging allies to follow suit. It further proposes a pathway for nations at different levels of capacity and political alignment to move toward a shared vision by demonstrating their commitment to responsible behavior. These recommendations form an ambitious, mutually reinforcing system, aligning national self-interest with global stability.

Prepared in the Fall of 2025 by nine policy students at Princeton’s School of Public and International Affairs, this report is the product of the workshop Building International Stability and Security in Cyberspace. The findings reflect the group’s collective conclusions and not necessarily the individual views of each author. As part of the workshop, students engaged with more than 40 cybersecurity experts (full list on pp. 44–45) across the public, private, and non-governmental sectors, including during a week-long trip to Estonia to study its whole-of-society approach to cybersecurity. Additionally, one student traveled to New York to meet with practitioners working on U.S.-Israel cyber cooperation.

In an era of accelerated digitization and rapid AI adoption, the group assessed whether the UN framework of responsible state behavior in cyberspace remains a viable foundation for international stability. The United States played a central role in shaping and advancing the framework, which has helped prevent cyber operations from escalating to the threshold of armed conflict. Yet below that threshold, the absence of clear and credible enforcement mechanisms has allowed adversaries to persistently test and violate the eleven norms articulated by the United Nations Group of Governmental Experts on Information Security (UNGGE). Similarly, the lack of consensus on the applicability of international law to cyberspace has constrained its effectiveness. The group considered alternatives – such as a formal treaty and a more aggressive offense-led strategy – but concluded that the framework remains valuable in advancing U.S. strategic interests. Fostering an environment where states continue to meaningfully uphold these norms therefore necessitates a reassessment of U.S. strategy and a more active, institutionalized approach to engaging partners. This strategy will help states move toward a more stable equilibrium rooted in adherence to these norms, supported by strong accountability mechanisms that credibly signal when violations invite proportional and commensurate consequences. The resulting resilience will deliver a conducive environment for technological innovation, economic advancement, and free flow of information.

To that end, the report is organized as follows. Section II articulates a vision for cyberspace that the United States and like-minded nations should pursue to engender greater stability and security. Section III traces the evolution of cyberattacks since the 2007 Estonia incident and the subsequent emergence of international cyber diplomacy over the past two decades. Section IV analyzes the challenges that undermine the effectiveness of the current U.S. cyber strategy and impede more proactive global engagement. Section V offers concrete recommendations, including a renewed commitment to red lines and consequences, leveraging private sector capabilities and seized cryptoassets, and creating an ambitious framework to encourage international adherence to responsible behavior. The report concludes by reaffirming the imperative for the United States to strengthen global cyber resilience in support of economic prosperity and democratic stability.

Policy Workshop Team with Michele Markoff (Senior Advisor, Bureau of Cyberspace and Digital Policy) at the U.S. Department of State

2 | Vision for a Secure and Stable Cyberspace

Our vision for cyberspace is an ecosystem that is secure and stable, safeguarded in cooperation with trusted partners, and generative of economic prosperity. This vision does not imply the absence of conflict in the cyber realm, but rather the presence of mechanisms that foster partnership, prevent escalation, contain disruption, and ensure that malicious behavior bears credible costs.

Security in cyberspace means preventing adversaries from exploiting digital connectivity to undermine democratic norms, as well as the economic and strategic interests of the United States and its allies. In a domain where adversaries can generate economic, technological, and military advantage without crossing borders and can target civilian infrastructure with relative impunity, security is achieved through the enforcement of clear behavioral thresholds that deny adversaries the ability to operate without consequence. China, Russia, North Korea, Iran, cybercriminals, and other malicious actors continue to exploit vulnerabilities in the global digital ecosystem to gain strategic advantage. To date, the United States has relied on a de facto doctrine of strategic ambiguity, intended to preserve operational flexibility and inject uncertainty into adversaries’ calculations. Yet this approach has resulted in a permissive environment, enabling adversaries to continually push the limits of acceptability, thereby compromising U.S. security and strategic interests.

Stability in cyberspace entails a trusted global ecosystem, governed by shared rules, predictability in conduct, and partnership between nations. Cooperation in cyberspace is not a zero-sum game; it can deliver prosperity for all. The complex web of digital infrastructure facilitates trillions of dollars of trade every day, enables seamless global communications, and places American technology at the heart of daily life. Rules are required to impose order on this complex web, however. The framework of responsible state behavior in cyberspace, coupled with international law, forms the basis of a trusted global order that stands in sharp contrast to the restricted and surveilled cyber domain pursued by malign states.

The United States is joined by allies, partners, and like-minded nations who are committed to this vision for an interoperable global ecosystem and responsible state behavior in cyberspace. Building on this consensus requires inviting nations to share in the prosperity that a credible, norms-based order can deliver, provided they demonstrate a credible commitment to protecting it.

3 | Global Cyber Security and Governance Landscape

The United Nations Institute for Disarmament Research (UNIDIR) defines cyberspace as the interconnected environment of computers, networks, and information-distribution technologies that together form the multi-layered technological substrate of modern societies and enable the creation, storage, modification, exchange, and exploitation of information through interdependent ICT systems.1 This characterization extends to the cables, satellites, and telecommunications systems that enable global interconnectedness. Cyberspace is not merely a technical environment but rather a critical layer of economic activity, governance, and national security.

States, however, differ fundamentally in how they conceive of this domain. The United States and its allies view cyberspace as an open, interoperable, and multistakeholder arena. China and Russia instead promote a state-centric vision anchored in cyber sovereignty, prioritizing strong governmental control over information flows to protect regime stability and limit foreign influence.2 Russia goes further, conceptualizing information security as extending beyond digital networks to safeguard the cognitive integrity of society.3 These fundamentally divergent ideas challenge the efficacy of international governance mechanisms for cyberspace. This section explores the security threats posed by state and non-state actors to citizens, governments, and the private sector that emerge from these opposing conceptions. It then reviews the collective steps the international community has taken to counter these challenges.

Cybersecurity: Threats and Challenges

Increasing digitization, while unlocking new avenues for economic growth, innovation, and connectivity, has made societies more vulnerable to disruption. This reality came into sharp focus nearly two decades ago in Eastern Europe. Beginning in April 2007, Estonia faced a wave of unprecedented cyberattacks following the relocation of a Soviet-era war memorial. Large-scale distributed denial-of-service (DDoS) assaults crippled government, banking, and media websites for more than twenty days.4 The attacks originated from Russian IP addresses and were accompanied by Russian-language instructions, leading Estonian officials to suspect Kremlin involvement, although definitive state attribution was never declared.5 The incident marked a turning point, demonstrating how low-cost, low-risk cyber operations can upend essential services and generate civil instability. For the first time, digital tools were used to disrupt democratic peace and foment geopolitical tensions.

Cyberattacks have since grown significantly in scale and sophistication, both by state and non-state perpetrators. This evolution is illustrated by North Korea’s crippling attack on Sony Pictures Entertainment in 2014, which marked the first direct targeting of a multinational corporation on American soil by a foreign government. The operation destroyed data, leaked confidential emails, held the company to ransom, and disrupted a major film release, revealing both the disruptive power of cyber tools and the vulnerable position of multinational corporations.6 The Sony attack also shattered a long-held assumption: that the government would shield private industry from state-affiliated threats.

As more critical infrastructure and essential services move online, the vulnerability of governments, businesses, and citizens to cyberattacks has grown. The 2017 WannaCry ransomware campaign, attributed to North Korean actors, disrupted the U.K.’s National Health Service and underscored how cyber incidents risk directly harming patient safety and healthcare delivery.7 Additionally, Russia’s 2017 NotPetya attacks crippled global supply chains and caused billions of dollars in economic damage.8 Together, these incidents illustrate the profound economic and social costs that modern cyber operations pose. A 2018 White House report estimated malicious cyber activity costs the U.S. economy between $57 and $109 billion annually.9

State-backed cyber actors are increasingly leveraging pre-positioning tactics. These strategies create access points during peacetime within critical infrastructure that may be exploited during a later crisis. Such activities compromise national security, risk triggering widespread instability, and may be perceived as violations of sovereignty. This pattern is most clearly seen in the case of Volt Typhoon, a China-sponsored operation that quietly infiltrated U.S. critical infrastructure networks, including energy, water, and telecommunications systems.10 U.S. agencies assessed that the operation’s objective was to pre-position access inside these networks for potential disruptive or destructive attacks in the event of a major crisis or conflict between the United States and China. Simultaneously, another China-backed advanced persistent threat, Salt Typhoon, conducted extensive espionage across more than 80 countries, targeting individuals, private firms, and even the networks of the United States Army National Guard.11 Together, these campaigns reveal how adversarial states are shifting toward persistent stealth operations, an approach designed to weaken resilience over the long-term and exploit vulnerabilities that may inflict damage when it matters most.

Further heightening risks, capabilities once reserved for state actors are now widely available for purchase on the dark web, as well as from spyware companies like the NSO Group,12 enabling criminal groups to conduct increasingly sophisticated cyber operations. This blurring of lines between state and non-state actors complicates national defense, especially as nations such as Russia tolerate criminal hackers who operate within their borders.

Cyber Diplomacy: Evolution and Current State

Cyberspace is a globally interconnected environment, meaning international cooperation is imperative to address pervasive threats. To impose order on this environment, the United States and its allies leveraged the UNGGE as a forum to advance and consolidate norms of responsible state behavior in cyberspace, culminating in the 2015 consensus report.13 This document formed the basis of what many now refer to as the framework of responsible state behavior in cyberspace, consisting of three pillars: (1) recognition of the applicability of international law to state conduct in cyberspace, (2) nonbinding norms of state behavior in peacetime, and (3) cyber confidence-building measures.14 The United Nations reaffirmed its commitment to the framework and the norms in 2021, despite extensive and continuing diplomatic efforts by Russia, supported by China, to advance an alternative model of cyber sovereignty and push for a new binding international cyber treaty.15 This reaffirmation marked a significant diplomatic achievement for the United States and its partners, preserving the existing framework of voluntary norms and averting the adoption of more restrictive, state-centric approaches to governing cyberspace. In the four years since, Russia and China have continued to press for a state-centric treaty but have not built sufficient consensus to shift the position of UN member states.

Even as this reaffirmation and the UN’s muted stance toward a new treaty represent a remarkable diplomatic victory for the United States and its allies, persistent limitations continue to impede the effective implementation of the framework. There remains little alignment among nations on the applicability of international law to offensive cyber operations. Countries diverge sharply on the thresholds for what constitutes a breach of international law and on the legality and proportionality of countermeasures, creating accountability gaps that adversaries readily exploit.16 While some regional groupings, such as the Association of Southeast Asian Nations (ASEAN) and the African Union (AU), have articulated shared interpretations of how international law applies to cyberspace, many states have not.17 Their reluctance may reflect a lack of political prioritization or a preference for maintaining strategic ambiguity.

The framework of responsible state behavior has been instrumental in forging a broad international consensus and has contributed to a degree of security in cyberspace. Yet destabilizing cyber activity persists below the threshold for armed conflict. This shortfall stems from the absence of robust enforcement and incentive mechanisms to motivate compliance by states. Variation in how the norms are applied further impedes enforcement; for example, under norm (f), states agree not to conduct or support ICT activity that intentionally damages critical infrastructure, yet classifications of ‘critical’ differ across nations.18

Recent diplomatic developments present a formidable new challenge. More than 70 countries signed the UN Convention Against Cybercrime in October 2025, a process spearheaded by Russia.19 The treaty will enter into force soon, becoming effective 90 days after the fortieth country completes its domestic ratification procedure.20 Once in force, Russia could leverage the Convention to introduce additional protocols that effectively backdoor its preferred vision of a cyber treaty. Such developments risk undermining the progress the United States and its allies have made in advancing the framework of responsible state behavior, the applicability of international law, and the norms to date.

Taken together, these developments reveal a rapidly evolving threat landscape in which cyber operations have become more persistent, more strategic, and more deeply enmeshed in geopolitics. Yet the global response, in the form of diplomatic efforts, legal undertakings, and investment in new technical capabilities, has not kept pace. As the cyber ecosystem becomes less stable, there is an ever more urgent need for coordinated action by the United States and like-minded nations.

4 | Assessing U.S. Cyber Strategy: Deterrence, Ambiguity, and International Engagement

While the United States has long been at the forefront of shaping and adhering to the framework of responsible state behavior in cyberspace, the global environment remains fragmented, with norms unevenly implemented, inconsistently enforced, and frequently disregarded. Enhancing cyber resilience across military, civilian, public, and private infrastructure is an essential prerequisite for a credible international cyber strategy. This section examines the broader institutional, strategic, and global complexities that have contributed to this persistent instability.

Limitations of the Deterrence Approach

Deterrence remains a crucial component of the cyber strategy the United States and its allies follow. Deterrence strategies encompass multiple facets. Deterrence by punishment strategies typically seek to prevent hostile action through the credible threat of consequences while deterrence by denial aims to reduce the effectiveness of hostile actions so that the costs of action outweigh the perceived benefits.21 Active defense measures such as ‘hunt forward’ operations to detect and evict malicious actors should be deployed, but deterring malign activity altogether is optimal. Given the rapidly evolving speed, nature, and scale of contemporary cyber operations, existing deterrence measures have proven insufficient. While an incident rising to the level of a devastating armed attack, termed a 'Cyber Pearl Harbor', has yet to occur, the persistence of below-threshold, low-intensity cyber operations continues to pose serious and accumulating risks.22

Efforts to implement a deterrence by denial strategy have included building more resilient networks, enhancing information sharing, protecting critical infrastructure, and conducting proactive operations. There have been some isolated successes – for example, Iranian cyber operations against Albania failed to compel Tirana to expel the Mujahedeen-e-Khalq (MEK) – but these cases are the exception rather than the rule. On a day-to-day basis, the United States and its allies face a persistent onslaught of ransomware attacks, IP theft, influence operations, long-term pre-positioning in critical infrastructure, and targeted attacks on essential services.23 These operations fall below the 'use of force' threshold, but their aggregate effect undermines economic security, democratic resilience, and military readiness.24 Many analysts describe this pattern as a deterrence failure below the level of armed conflict, as adversaries now expect inaction.25

Likewise, deterrence by punishment has proven inadequate. While the United States and its partners have issued sanctions, indictments, asset seizures, public attributions, and law-enforcement actions, these measures have been episodic, inconsistently enforced, and rarely tied to definitive behavioral benchmarks. The U.S. response to the 2015 Office of Personnel Management (OPM) breach by Chinese Advanced Persistent Threat (APT) actors exemplifies this reactive, rather than proactive, approach. Perpetrators exfiltrated highly sensitive SF-86 background check data and millions of fingerprint records, resulting in a congressional investigation and the resignation of top OPM officials.26 Yet the international response remained limited, with the arrest of only a single Chinese national. China has since continued to conduct new campaigns, including Volt Typhoon and Salt Typhoon.27 Planned sanctions on China’s Ministry of State Security for the latter campaign were reportedly shelved to avoid jeopardizing broader diplomatic and trade negotiations, weakening the credibility of U.S. retaliation.28 Adversaries are therefore emboldened to operate with relative impunity because predictable or meaningful consequences are not imposed. Hence, while the current approach has been successful in preventing debilitating cyberattacks, it fails to curb persistent, low-level campaigns that cumulatively impose significant strategic harm.

Case Study | 2022 Albanian Cyber Attack

In 2022, Iran targeted Albania in an attempt to coerce the government to expel members of the MEK residing in the country.29 In the immediate aftermath of the attack, the United States moved quickly to support the Albanian government. U.S. cybersecurity experts were deployed to Tirana to coordinate incident response and restore critical systems. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a detailed advisory outlining Iranian operations, and the White House publicly condemned the attack while affirming full U.S. backing.30 The U.S. Treasury Department subsequently imposed significant sanctions on Iran’s Ministry of Intelligence and Security, including the Minister of Intelligence himself. The United States then worked with Albania, NATO Allies, and other close partners on a coordinated international response condemning Iran’s actions, after which Albania severed diplomatic relations with Tehran.31 In addition, the United States pledged more than $50 million to bolster Albania’s cybersecurity and critical infrastructure defenses. This response combined effective deterrence by punishment, through diplomatic costs and sanctions, and deterrence by denial by preventing Iran from achieving its political objective. The attack was not only ineffective but was also ultimately counterproductive to Iran’s interests.

Implications of Strategic Ambiguity

To date, a de facto doctrine of strategic ambiguity has defined U.S. cyber deterrence by punishment. The U.S. government has asserted that it may respond to malicious cyber activity with all instruments of national power, yet it has provided little clarity about which actions trigger consequences.32 Although ambiguity in cyberspace can preserve operational flexibility and introduce uncertainty into adversaries’ calculations, it has increasingly functioned as a justification for inaction. State-backed and criminal actors now routinely probe U.S. systems, confident that responses will be delayed, symbolic, or minimally costly. The result is a permissive operating environment in which cyber operations against the United States continue largely unchecked.33

The core weakness does not lie in the lack of U.S. capability but in ambiguous red lines.34 The United States has neither linked its deterrence posture to specific thresholds – whether that be violations of agreed UN norms or attacks on critical infrastructure – nor articulated the consequences that would follow if thresholds were crossed.35 When thresholds are undefined, adversaries escalate incrementally, exploiting ambiguity without fear of meaningful consequences.36 While some degree of ambiguity is necessary to preserve flexibility, including the ability to de-escalate, it can also undercut credible signaling. If deterrence is to remain effective, the United States and its partners must articulate clearer behavioral boundaries while retaining discretion over how they respond, rather than delaying action until a debilitating attack occurs.

The Underutilization of International Engagements

Cyber stability at the international level is further weakened by uneven capabilities across countries and regions. While the United States and its Five Eyes partners have strong cyber capacities, many NATO members do not.37 Attribution capabilities are also uneven, and in many developing countries are almost entirely absent, particularly in parts of the African Union and the Organization of American States (OAS). These uneven dynamics reveal a pattern of reactive engagement, fragmented coordination, and underleveraged international partnerships that undermines long-term cyber stability.

Compounding these capability gaps is the absence of predictable funding streams, shared planning mechanisms, or clearly defined roles for industry in international capability building efforts. U.S. efforts to bolster the cyber resilience of other nations have been ad hoc and reactive in nature, as well as over-dependent on voluntary private sector action. The investment of resources tends to occur in crisis-driven bursts. This strategy carries two major risks: sustainability and moral hazard. Without structured follow-up and domestic investment, partner countries often slip back into reactive postures once external support ends. At the same time, when states come to expect guaranteed backup from allies, they may underinvest in their own defenses.

The limitations of the current system were evident in the response to the 2022 Albanian cyberattacks by Iranian state-linked actors. The United States’ response was reactive, with State Department officials assembling an improvised, patchwork coalition of cross-agency support. Ultimately, the United States provided immediate incident-response support and pledged $50 million to help Albania strengthen its critical infrastructure.38 Yet this assistance, like similar responses elsewhere, was compelled only by a major crisis, underscoring the lack of a proactive strategy for incident response and sustained capacity building.

The U.S. response to the ransomware attacks in Costa Rica later that same year followed a similar pattern. Costa Rica declared a state of national emergency as its critical systems were crippled.39 The United States deployed experts to support recovery and subsequently pledged $25 million in cybersecurity assistance. Supportive, yet ad hoc, this funding sought to establish a security operations center, improve critical infrastructure defenses, enhance intrusion detection and incident response, and provide training and secure equipment.40

The Russo-Ukrainian war highlights how cyber defense support for allies has been reliant on voluntary private sector efforts.41 From the war’s onset, companies like Microsoft, Google, and Amazon Web Services stepped in of their own volition. Microsoft alone provided more than $500 million in free and discounted technical assistance,42 shifting Ukraine’s government servers to the cloud and relocating critical data to European data centers beyond missile range. These actions preserved essential public services yet occurred without a formal government framework to direct or coordinate them. In response to Ukraine’s urgent needs, the Cyber Defense Assistance Collaborative (CDAC) emerged in 2022 as a collaborative, private-sector-led effort, connecting firms with Ukrainian ministries and state-owned entities to provide operational cyber assistance. It offers a repeatable model for how states can partner with private vendors to access expertise, advanced defense tools, and threat intelligence capabilities to protect critical infrastructure.43

Private-sector support has been pivotal in defending Ukraine’s national security, but its largely voluntary nature raises questions about long-term sustainability. There are several well-grounded reasons for private firms to commit voluntary resources and significant coordinating effort to institutionalized public-private partnerships. Cyber diplomats and the IT Ukraine Association argue private organizations can significantly benefit from the threat intelligence gathered and innovations deployed in defending against Russian incursions.44 Partnering with governments unlocks a new target market for long-term investment, particularly as developing countries embrace digital infrastructure. Beyond the financials, deploying assistance to a globally recognized and lauded cause provides great marketing. Yet fatigue can damage private sector momentum over time, prompted by dwindling resources, fears of ‘forever wars’ developing, and the diversion of public attention. Public-private partnerships must become more predictable through institutionalization.

CDAC demonstrates what is possible when capable private actors mobilize, but its existence also highlights what is missing. The United States still lacks an institutional mechanism to coordinate, sustain, and strategically direct such cyber defense assistance. As a result, critical international support is being delivered through ad hoc support or voluntary assistance, rather than through a consistent structure that may better advance strategic and economic interests.

Failing to encourage public-private partnerships between trusted private sector vendors and foreign nations also constitutes a missed opportunity to promote American technology. Less-resourced nations often choose technology providers based on short-term economic benefits, creating a prime opportunity for competitors such as China to offer cyber capacity building assistance, through which they can place backdoors in ICT.45 When it comes to calling out such activity, less-resourced countries often conclude that silence and passivity are less costly than pursuing accountability against powerful malign actors, so irresponsible behavior goes unpunished. De-risking key ICT networks away from the technology developed by China and other adversaries will help secure cyberspace, but an affordable alternative must also be offered to nations.

Overall, U.S. responses to malign cyber activity remain insufficiently institutionalized and cumbersome. Capitalizing on the strength of the American private sector is essential for creating streamlined mechanisms to deploy support. With clear response frameworks, sustained investment in capacity building, and structured avenues for public-private cooperation, the United States can enhance stability and security in cyberspace. Such structures would also encourage allies to invest in their own cyber defenses, build lasting capacity, and move more consistently toward shared norms of responsible state behavior.

The Escalating, Distributed Threat of Global Cybercrime

Global cybercrime imposes enormous, growing costs on citizens and businesses. Conservative estimates place the annual cost of cybercrime at more than one trillion dollars, reflecting both the growing sophistication of threat actors and the expanding number of access points to people’s sensitive data.46 Some criminal activities are conducted by private actors with purely for-profit motives, while others serve geopolitical objectives. The vast majority of cyberattacks against U.S. entities emanate from four countries: China, Iran, North Korea, and Russia.47 Most Chinese cyber operations involve traditional or economic espionage aimed at securing strategic and commercial advantages over the United States, while ransomware attacks conducted by Russian criminal gangs often occur with the tacit approval of the Russian state and protection from its security services.48

Most criminal activities in cyberspace, whether a malware attack against an insurance company or a breach of a university donor database, will, individually, have a minimal impact on national security. The U.S. government rightly deploys its law enforcement capabilities, rather than its diplomatic and military assets, to address such behavior. For example, U.S. regulators and law-enforcement agencies are intensifying efforts to curb systemic risks posed by illicit cryptocurrency transactions that enable money laundering and financing by organized cybercriminal networks. Private sector estimates place known illicit crypto transaction volumes at more than $40 billion annually, with significant additional flows occurring through unidentified wallets.49 In October 2025, U.S. authorities seized more than $15 billion in cryptocurrency from a Cambodia-based organized crime group, the largest seizure to date.50 This was followed in November 2025 by another seizure exceeding $400 million from a Southeast Asia–based syndicate, underscoring the scale and persistence of crypto-enabled illicit activity.51

However, the cumulative impact of cybercrime inflicts strategic harm on U.S. security and economic interests, necessitating a new approach. Rampant cybercrime damages democratic resilience by eroding citizens’ faith in the government’s ability to keep them safe. For example, a 2017 Pew Research survey found that half of Americans were not confident that the federal government could keep their personal information secure from unauthorized access, including more than a quarter who were ‘not confident at all’.52 A 2022 experimental study concluded that exposure to cyberattacks ‘significantly diminishes public confidence among segments of the population who are exposed to the attack’.53 Moreover, some cybercrime incidents have put people’s lives directly at risk, like the aforementioned WannaCry ransomware attack on U.K. hospitals. Finally, cybercrime acts as an economic anchor, dragging down growth and investment: the Council of Economic Advisers estimated that malicious cyber activity cost the U.S. economy about 0.5 percent of GDP in 2016,54 while other research found that cybercrime depresses investment and firms’ market value.55 U.S. adversaries correctly assess that hosting and sponsoring cybercriminals offers a strategic advantage: they can use these criminal proxies to weaken U.S. resilience, security, and growth, while preserving deniability.

Case Study | Chinese Cyber Investment in Latin America, Africa, and the Indo-Pacific

Latin America is a rapidly growing arena for China’s Digital Silk Road and a major market for Chinese 5G, cloud and surveillance infrastructure firms. Chinese companies Huawei and ZTE remain major suppliers of the region, challenging U.S. securitization efforts.62 China’s Digital Silk Road offers an opportunity for Latin American countries to develop by providing a range of high-quality equipment at prices significantly cheaper than those offered by the West.63 Chinese companies also benefit from significant state subsidies, allowing them to offer equipment and services at prices often 30-40 percent lower than Western alternatives. Chinese technology is being integrated into critical infrastructure, such as the growth of ‘Safe Cities’, where surveillance systems are being integrated into the infrastructure grids of major cities.64

A similar model is being pursued by China in Africa, where smart-city projects integrate AI-enabled surveillance networks, biometric databases, cloud platforms, and municipal management tools. Chinese-backed smart-city systems are already operating in nine African countries, enabled in part by financing from the China Development Bank and the Export-Import Bank of China. This activity is bolstered by China’s broader economic presence on the continent, where more than 10,000 Chinese firms operate and total investments exceed $300 billion.65

In the Indo-Pacific, China maintains one of its most active areas of Digital Silk Road engagement. Regional initiatives span major undersea cable routes, national data centers, cloud-computing platforms, and broader ICT infrastructure that support both public and commercial systems. China has concluded at least 24 digital cooperation agreements across Southeast Asia, South Asia, and the Pacific, reflecting a wide footprint in the region. Between 2013 and 2022, Chinese firms invested an estimated $12.8 billion in ICT-related projects, alongside expanded cybersecurity training, technical capacity building, and standards-focused cooperation.66

The private sector can no longer take for granted the ability of the government to protect it against all relevant threats.56 Existing law-enforcement tools, designed to address individual incidents of cybercrime, have failed to mitigate their collective strategic impact. Federal agencies lack the capacity to defend every vulnerable private network or impose costs on tens of thousands of diffuse criminal actors. Multilateral arrangements focused on state cyber conduct, like the framework of responsible state behavior, have not meaningfully reduced the incidence of cybercrime nor imposed costs on states that sponsor it.

The U.S. government may consider an alternative approach: leveraging private sector defense capacity against these threats. When an organization experiences a cyberattack, it may choose to deploy its own capabilities against the attacker. These operations are known as active cyber defense, or more popularly as hack-back. Active cyber defense denotes cyber operational activity used to ‘prevent or preempt attack … outside the defender’s or other friendly terrain’,57 and can enable the organization to determine the identity of the attackers, eject them from its home network, or even disrupt activity on the attackers’ network. However, private actors are prohibited from doing so under the Computer Fraud and Abuse Act (CFAA).58 Specifically, the U.S. Department of Justice has published guidance stating that any action by a victim to respond to a cyber incident by ‘accessing, modifying, or damaging a computer it does not own or operate … may violate’ the CFAA.59

Some policymakers and scholars have proposed authorizing private actors to conduct more assertive active cyber defense in limited circumstances, e.g., the never-passed Active Cyber Defense Certainty Act (ACDCA), most recently introduced in 2019.60 This strategy appropriately recognizes the potential for private actors to be a valuable force multiplier in disrupting cybercrime, assisting law enforcement investigations, and deterring future attacks.

Such an approach carries significant risks and limitations that must be mitigated. Aggressive, highly disruptive retaliatory cyber activity could spark state-level retaliation if carried out against state-backed actors. It could damage innocent, third-party systems that are often exploited as launching pads for cyberattacks, eroding trust in American technologies. It could interfere with ongoing, covert law enforcement or intelligence activities. It may be seen globally as a violation of customary international law, and American business leaders could face civil or criminal liability abroad. For example, if an American CEO were arrested by a U.S. ally in such a circumstance, the United States might be forced to expend valuable diplomatic capital to secure their release. Some firms, like Microsoft, have publicly declared opposition to legalization of such activity.61 However, these risks and limitations may be sufficiently mitigated through a combination of legal guardrails, oversight, and diplomacy, which this report’s recommendations section will address.

In view of these rising threats, it is imperative to strengthen the private sector’s capabilities to defend against systemic cybercrime. At the same time, the U.S. government could more strategically leverage a powerful but underutilized asset – the billions of dollars in cryptocurrency seized from criminal and state-linked actors – to strengthen its cyber capabilities.

5 | Policy Recommendations

A secure and stable cyberspace promises global prosperity but requires a reimagining of how to protect it. The framework of responsible state behavior in cyberspace sets out the architecture of a predictable and prosperous norms-based cyber order, but more concrete policies are needed to make it enforceable. An enforceable system is one in which violations of agreed norms reliably trigger predictable, coordinated, and proportionate consequences, even below the threshold for armed conflict.

The mounting threats faced by the United States and its allies over the past two decades necessitate a tougher and more deliberate approach. The United States must take decisive action to deter, repel, and impose costs on adversaries that seek to weaponize cyberspace. The nation possesses unique advantages to do so, including sophisticated law enforcement and intelligence tools, world-leading private sector capabilities, substantial economic resources and deep alliances. Building on these strengths, the recommendations in Redefining U.S. Leadership outline how the United States may lead by example to make the framework of responsible state behavior enforceable by narrowing the space in which persistent norm violations occur without consequence.

Cyberspace transcends territorial borders, so the United States is best protected by shaping the behavior of other nations in ways that align with our values and priorities. Broadening the tent of nations committed to responsible behavior in cyberspace best protects our vision for a secure and stable future. This approach means overcoming existing fractured global responses to emerging threats. To this end, we propose a Partnership for International Cyber Stability, which sets out policy recommendations through which foreign nations can contribute to achieving a secure and stable cyberspace. Nations may progressively realize deeper alignment by shifting policy posture and investing resources in line with the framework. The mechanisms through which the United States might encourage such behavior are put forward in Achieving Alignment with Partners. Like the networks it seeks to protect, this framework is mutually reinforcing: U.S. enforcement actions will be more impactful if coordinated with allies, economic opportunity will grow with broadened participation, and future attacks will be less disruptive if resilience measures are endemic.

Policy Recommendations: Redefining U.S. Leadership

Taking decisive action against malign actors and strengthening partnerships does not demand massive new spending or military adventurism. It requires a reorientation toward credible signaling that makes clear to adversaries that the United States will no longer tolerate malign activity through persistent probing and pre-positioning. Although the United States possesses formidable cyber capabilities across the public and private sectors, many of its assets remain underused and poorly aligned. To address this gap, the country’s exceptional private sector cyber capabilities and its substantial financial resources – in the form of seized crypto assets – must be far more effectively leveraged to build a more stable and secure global digital ecosystem.

Redefining U.S. Leadership

• Declaratory Commitment to Red Lines and Consequences

• Authorize Private-Sector Active Cyber Defense Against Non-State Actors

• Institutionalize Private Sector Collaboration for International Engagement

• Mobilize Seized Crypto

The United States must lead by example in securing the global cyber ecosystem. Adopting the policy posture outlined below would demonstrate a clear U.S. commitment to making the framework of responsible state behavior in cyberspace both enforceable and defensible internationally. To achieve this goal, the section puts forward four recommendations: declaratory commitment to red lines and consequences; authorizing private sector active cyber defense against non-state actors; institutionalizing private sector collaboration for international engagement; and mobilizing seized crypto.

U.S. Recommendation 1: Declaratory Commitment to Red Lines and Consequences

The United States should explicitly declare cyberspace red lines and impose pre-set consequences on violations of those red lines. The current U.S. posture of ambiguity in responding to hostile cyberspace activities has failed to adequately deter America’s adversaries. A more explicit and aggressive stance is needed, one that exploits the United States’ vast capabilities in order to deter adversary aggression. Less ambiguity and a firmer commitment to red lines are needed to improve the United States’ deterrence posture. Although a more explicit stance may somewhat limit policy flexibility, the deterrence benefits of pre-commitment outweigh the drawbacks.

As the first step toward building a declaratory red lines policy, the U.S. government should distinguish between incidents that should warrant a response vs. incidents that must be responded to. Low threshold incidents that the United States lacks the resources to comprehensively suppress should be responded to within available resource constraints. More damaging incidents must be responded to in order to maintain proper cyber deterrence.

The United States should publicly publish its red lines for ‘must respond’ incidents while keeping the list of ‘should respond’ incidents internal. To maintain policy flexibility, public messaging should stress that the United States reserves the right to respond to all incidents at its discretion, including those not listed in public declarations. Red lines serve as a floor, not a ceiling, for what the nation’s response will be, narrowing the range of acceptable activity in cyber competition.

The public declaration of ‘must respond’ incidents creates a political pre-commitment to action that serves to shape adversary behavior and compels policy makers to act. Explicit communication of credible commitments, paired with consistent enforcement, is among the most direct means of influencing adversary perceptions. While ambiguous messaging may be advantageous under some circumstances, the United States’ record of under-response to cyber incidents has sapped the deterrence value of strategic ambiguity. For example, when President Trump ordered attacks on Syria for chemical weapon use during his first term, the threat of further attacks successfully deterred the Syrian government from further use of chemical weapons. Enforcing public red lines would similarly improve the United States’ deterrence posture in cyberspace. Although the adoption of U.S. red lines risks encouraging adversaries to articulate their own, this approach need not be escalatory. On the contrary, credible red lines set by adversaries may expose how far their behavior already falls outside accepted bounds and further narrow the space for miscalculation.

If red lines are breached, the United States must be prepared to use its full spectrum of policy tools to impose proportionate consequences. Offensive cyber operations should constitute just one element of an integrated policy strategy to punish those who seek to harm or steal from the United States and its allies. Consequences should begin with diplomatic measures, including public attributions, démarches, expulsions of diplomats, and travel bans. More severe activity should trigger escalating penalties. At the next level, economic tools such as asset freezes, asset confiscation, and sanctions should be leveraged. For high-threshold attacks, proportionate offensive cyber operations should be used to disarm attackers, disrupt infrastructure, or block intrusions. Finally, for attacks that meet the threshold of an armed attack, proportionate kinetic consequences under the right of self-defense should be pursued.

While the declared public red lines and responses should be applicable to all adversaries, the United States should also engage in adversary-specific messaging in response to ongoing campaigns. The principle of peace through strength should guide consequence imposition, targeting specific domains where the United States possesses a strategic advantage over adversaries and is able to inflict appropriate cost at minimal expense to actors at home. This strategy may mean targeting specific individuals, industries, and political avenues. Diffuse and high-cost consequences should only be pursued if attribution is undisputed in order to avoid retaliatory spirals.

A sample list of responses tied to malign activities is provided in Table 1.

Table 1: Sample Response Policies

Outcome of Malicious Cyber Activity

Should be Responded To

• IP Theft

• Large-scale Economic Disruption by State-affiliated Actors or Criminal Actors (through Ransomware, DDoS attacks or other means)

• Erosion of Societal Resilience (through Information Operations)

• Critical Infrastructure Pre-Positioning

• Risk Posed to Human Life

Must be Responded To

• Disruption of Essential Services Infrastructure (e.g. water, power, sewage)

• Kinetic Damage within U.S. Territory

• Human Casualties

Menu of Response Options

Prosecution

Asset freezing

Asset seizure

Litigation

Prosecution

Démarche/Persona Non Grata (PNG)

Sanction of company

Sanction of sponsoring state

Offensive cyber

Hack-back

Asset freezing and seizure

Sanctions

Démarche/PNG

Démarche/PNG

Prosecution

Offensive cyber

Démarche/PNG

Prosecution

Offensive cyber

Sanctions

Offensive Cyber

Non-Lethal strike

Embargo

Sanctions

Offensive Cyber

Non-Lethal strike

Embargo

Sanctions

Offensive Cyber

Non-Lethal strike

Embargo

Lethal strike

U.S. Recommendation 2: Authorize Private-Sector Active Cyber Defense Against Non-State Actors

The United States should authorize certain forms of active cyber defense by private sector actors against non-state cybercriminals, while ensuring strong oversight of such activities. Doing so would harness private sector cyber capacity to deter rampant cybercrime, limit the risk that these operations destabilize cyberspace or spark state-level conflict, and enable finite U.S. government cyber resources to remain directed to the most consequential, national-security-relevant cyber operations.

This authorization should take the form of a narrowly tailored amendment to the CFAA that exempts private entities from prosecution for certain defensive actions taken in response to a qualifying cyber intrusion by a non-state actor. Rather than granting broad discretion for cyber retaliation, this amendment should enumerate permitted activities that are calibrated to impose costs without posing a high risk of collateral damage or escalation. Permitted operations, spanning commonly accepted defensive practices through more assertive measures, could include, in escalating order of assertiveness:

• Containment and disruption measures within the defender’s own systems, including ejecting attackers and disabling their access or tooling on the defender’s network

• Cyber beacons that track the attacker’s location and collect other basic forensic evidence67

• Dye pack mechanisms that automatically encrypt or otherwise render useless stolen data once removed from the authorized environment, without affecting unrelated data on the same system68

• Reversible defensive locking tools (often analogized to white-hat ransomware) that temporarily restrict access to stolen data on attacker-controlled infrastructure to incentivize data recovery and prevent further harm69

• Narrowly scoped operations to delete or render inaccessible stolen data or other clearly identified stolen property on attacker-controlled infrastructure where there is a clear, imminent risk of serious harm, and no less intrusive means are available

In the short term, the Department of Justice should announce that it is deprioritizing legal enforcement against specified categories of good-faith active cyber defense, consistent with the activities listed above, through the issuance of a DOJ guidance memo stating that certain private sector active cyber defense would not be prioritized for prosecution under the CFAA. Furthermore, DOJ should revise its existing guidance discouraging private response measures.70

The risks of private sector active cyber defense are real, including destabilization, escalation, and disruption of innocent networks, but they may be mitigated with robust oversight mechanisms. First, private sector entities should be required to provide prompt and full reporting to the FBI National Cyber Investigative Joint Task Force and DOJ of any active cyber defense activities that involve access outside the defender’s own networks. They should also be permitted to notify the FBI in advance under a consultation program, through which the FBI and partner agencies could assess the legality of the proposed activity and its anticipated impact on ongoing law enforcement operations. Such information sharing already has a legal foundation: the Cybersecurity Information Sharing Act authorizes nonfederal entities to voluntarily share ‘cyber threat indicators’ and ‘defensive measures’ with law enforcement for a cybersecurity purpose.71 Second, to mitigate risks of misattribution and engagement with state actors, the FBI should develop a certification program to qualify private sector organizations as possessing sufficient attribution capacity to distinguish, with an acceptable degree of confidence, between state and non-state actors.72 Third, the CFAA amendment should clarify that any U.S. entity targeted by such activities would still be able to seek civil remedy for damages.

The United States should mitigate risks to relations with allies through legal and diplomatic measures. The CFAA amendment should prohibit active defense operations that are reasonably likely to affect innocent systems in allied jurisdictions, absent express consent from the host state. In parallel, the United States should seek to establish diplomatic understandings on active cyber defense with allies and partners. The parties to these arrangements would declare their intention to respond to incidents of inadvertent harm to third parties caused by active cyber defense through diplomatic notification, consultation, and compensation mechanisms, rather than by bringing criminal charges.

These risk mitigation measures would intentionally limit the number of firms that choose to engage in active cyber defense. Large multinational companies that prioritize preserving market access and minimizing legal liability may decide that the residual risks outweigh the benefits. Their inaction is not a great loss; the marginal benefit of active cyber defense for such firms is generally lower, as they can devote more resources to traditional cybersecurity capabilities. They also serve as key drivers of U.S. economic growth and the diffusion of American technology abroad, so it would be counterproductive to U.S. interests for them to risk their market access. In contrast, smaller, more domestically focused businesses are more likely to engage in, and benefit from, active cyber defense; they would be able to choose defense measures with varying degrees of assertiveness in line with their individual risk tolerance.

Even without comprehensive private sector participation in active cyber defense, the approach advances the strategic goal of deterring rampant cybercrime. Deterrence does not demand that each and every incident be met with a retaliatory operation. Rather, by authorizing limited active cyber defense, the United States can significantly increase how often cybercriminals face meaningful costs, such that they doubt the utility of future attacks.

U.S. Recommendation 3: Institutionalizing Private Sector Collaboration for International Engagement

The United States should institutionalize private–public collaboration for international cyber engagement by formalizing procurement and cooperation mechanisms between U.S. technology firms and values-aligned partner nations. Private sector firms build, maintain, and protect most digital infrastructure worldwide, yet public-private collaboration on cyber initiatives remains largely ad hoc, as illustrated by the 2014 Sony hack and 2022 Iran-sponsored cyberattacks on Albania. This reactive model delays deployment, strains voluntary private sector engagement, and limits scalability.

The United States should facilitate the creation of a private-sector-led coalition so that private capabilities are organized, pre-vetted, and accessible before crises occur, rather than assembled in response to them. As highlighted by the Atlantic Council, there is a need to develop a service taxonomy and interoperable registries of the technical capabilities available globally.73 This would allow states to seamlessly adopt secure digital tools during peacetime, and access trusted support in the case of conflict. Coordinated assistance would also help educate policymakers as to what defense capabilities are available across industry.

Existing models offer useful points of reference. Mechanisms such as the Tallinn Mechanism, the EU Cyber Solidarity Act, and the CDAC demonstrate how pre-established pools of trusted providers can be mobilized quickly and matched to recipient needs. The EU-led Tallinn Mechanism is primarily focused on the state-led transfer of funds for cyber defense capabilities in Ukraine; the EU Cyber Solidarity Act provides a reserve of providers to support member states in responding to large-scale cyberattacks, while CDAC was deployed by private actors to facilitate the deployment of technology and expertise. While these mechanisms vary in structure, they share an emphasis on standing arrangements rather than crisis-driven deployment. A U.S.-supported coalition should build on these, enabling recipient governments to draw from a pool of reliable, certified providers as needs arise.

Sustaining such a coalition will require more predictable modes of participation. Regular convenings among U.S. agencies, allied governments and leading technology firms involved in cyber resilience efforts should be used to maintain capability registries, update technical standards, and align expectations for deployment. From such coordination, the United States should encourage the development of a coordinated capabilities taxonomy. Direct funding channeled through these mechanisms may also help offset fatigue associated with voluntary private sector assistance and help compel long-term private sector engagement in times of crisis. To be effective, these mechanisms are best established in advance of the next major incident, rather than in response to it. Over the next 12 to 24 months the United States should move to formalize standing private sector coordination, capability registries, and procurement pathways, capitalizing on the partnership momentum established during assistance to Ukraine. This scheme would signify a key step in sustaining private sector engagement, by formalizing and standardizing how capabilities are catalogued, requested, and integrated.

As a critical source of digital R&D, trusted private firms should also work in close collaboration with governments to accelerate innovation. Trusted firms should work alongside governments to prototype and scale cybersecurity solutions with international applicability, drawing on models such as the Defense Innovation Unit’s (DIU) approach. DIU partners with organizations across the Department of War to rapidly prototype and field dual-use capabilities that solve operational challenges at speed and scale. The United States should look to prioritize cyber capabilities within DIU and work alongside allies to scale these innovations. Long-term, we should consider establishing a multilateral Cyber Innovation Unit tasked with prototyping and fielding commercial cybersecurity solutions on a global scale.

Certifying eligible U.S. businesses as partners for foreign cyber capacity building provides business opportunities to U.S. tech businesses abroad. It also provides an opportunity for U.S. companies to help build the basic technological and security infrastructure of countries worldwide, boxing out companies like Huawei and ZTE that have been expanding their reach with the help of lavish state assistance.

U.S. Recommendation 4: Mobilize Seized Crypto

The United States should move to seize cryptocurrency involved in illicit transactions and mobilize these funds for cyber capacity strengthening efforts. The estimated $40+ billion per year in illicit crypto transaction volumes represent a significant potential asset pool. Targeting this money would deter criminal activity and unlock a new revenue stream for government security initiatives and victim compensation. Of course, seized money should be returned to victims where possible, but many victims will be unidentifiable or fail to come forward, leaving the question of what to do with the substantial pile of seized assets. These assets, if strategically allocated, could augment cyber resilience and fund security initiatives.

Funneling seized assets toward cyber stability justly redistributes criminal assets to protect against future harms. The value of seized cryptocurrency already in the U.S. government’s possession is large relative to existing cyber capacity building efforts and would accommodate a reasonably sized expansion. For comparison, the entire yearly budget of CISA is around $3 billion, while the U.S. government seized $15 billion in October 2025 from a Cambodia-based crime group.74 Cryptocurrency seizure has the dual virtue of punishing cyber criminals by depriving them of their ill-gotten gains, and of providing a large source of funds that can be turned to cyber hardening and capacity-building efforts without impacting the budget. Cybercrime is unlikely to dissipate in the near term, so substantial future seizures are likely to be available. By using adversaries’ resources, the United States can supercharge cyberspace security efforts at minimal cost.

Policy Recommendations: Establishing a Partnership for International Cyber Stability

Our allies and partners across the world share in the vision that cyberspace offers endless opportunities for global growth and prosperity. If a broader tent of nations participates in this global ecosystem, these opportunities will only multiply. Yet in this connected ecosystem, the policy posture and resilience of other states is consequential for the national security of the United States and our allies. With the framework of responsible state behavior acting as the foundation, we must work in parallel to demonstrate credible commitment to our shared vision for cyberspace. This set of policy recommendations offers a structure for states to emulate the behavior that will deliver a secure and stable cyber ecosystem worldwide, while maintaining policy flexibility. It amounts to a Partnership for International Cyber Stability (PICS) organized along four pillars: Responsible Technology Infrastructure, Red lines, Attribution, and Consequences.

We recognize that nations who share our vision are not homogeneous; they face varied stages of technological maturity, differing regional allegiances, and differing domestic conditions. Each PICS Pillar of Participation therefore contains tiers. Nations are free to align with as many or few tiers as are feasible. Ascending tiers reflect increasing alignment with recommended U.S. conduct in cyberspace: the higher the tier, the closer the alignment. In return for deeper demonstrated alignment, nations may earn enhanced access through cooperation mechanisms. These cooperation mechanisms include Cyber Capability Strengthening (CCS) support, incident response support, and privileged private vendor access.

The advantages of American partnerships, technology, and resources mean the United States is best placed to initiate this coordinated effort, but we should look to allies in sharing the burden of leadership. There are security and economic gains to be had from moving in lockstep with close allies. Our Five Eyes intelligence partners, leaders in cyber diplomacy like the European Union, and digital innovators like Singapore and Estonia, should be invited to co-lead PICS. Bringing regional anchor countries deemed more politically neutral into the leadership fold will help broaden the tent of countries we cooperate with. Developing nations or those on the precipice of partnering with other powers should be welcomed in. Given this broad membership, accountability under PICS is enforced through conditional participation. Access to coordination mechanisms is contingent on demonstrated adherence, and countries that renege on commitments will lose the support, standing, and benefits of an extensive international partnership.

[Figure labels: Partnership; Cyber Stability; Implementation; Framework of Responsible State Behavior in Cyberspace]

Pillar 1: Responsible Technology Infrastructure

A globally interconnected cyberspace will not only accelerate economic growth and innovation but will also invite incursions. Safeguarding the global system requires each individual part to be well defended. Therefore, each nation has a responsibility to secure their own infrastructure on behalf of the global ecosystem. PICS-aligned nations should be encouraged to deploy technology infrastructure that ensures long-term societal resilience.

Tier 1: Introduction of Minimum-Security Standards

Most digital infrastructure is owned and operated by private vendors, including that which may pose a risk to human life if disrupted, such as public utilities, healthcare facilities, and telecommunications. To ensure operators invest sufficiently in cyber defenses, sector specific regulation should be introduced outlining the steps private firms should take to protect data, networks, and systems. This regulation may be legally mandated or voluntary. The EU's cybersecurity certification framework of information and communication technology provides a model here, whereby a unified, voluntary risk-based certification scheme for ICT products has been established.75

Tier 2: Domestic Investment in Securing Cyber Systems

PICS-aligned nations should be encouraged to demonstrate their commitment to fostering a secure and stable cyberspace by allocating a share of their national budget to build their domestic cyber capacity. Building capacity should be viewed as a long-term partnership, rather than a one-off investment in skills or technology. At the minimum, nations should invest in training personnel and securing digital infrastructure. Nations may demonstrate greater commitment by scaling domestic investments to include more sophisticated capabilities like intrusion detection, data embassies, behavioral biometrics, and R&D. International

Nations with nascent digital infrastructure should look to regional anchor countries for investment advice. For example, CyberNet, led by Estonia’s Information System Authority, deploys experts to support partners worldwide. Similarly, Singapore’s ASEAN-Singapore Cybersecurity Centre of Excellence and Japan’s Indo-Pacific cyber initiatives can provide technical advice.

Tier 3: CERT and National Cybersecurity Strategy in Place

PICS-aligned nations should establish an effective computer emergency response team (CERT) to coordinate defenses against and respond to cyber-attacks. Currently, 139 countries have an active national CERT, and 132 have adopted national cybersecurity strategies, leaving over 60 countries without either capability.76 The widest gaps are found among developing countries in Sub-Saharan Africa, Central Asia, and small island and Caribbean states. Even among countries with established CERTs, capacity varies widely; some operate only as advisory or reporting units rather than full-scale response centers. Effective CERTs should have the capacity to analyze and reduce cyber threats and vulnerabilities, disseminate cyber threat warning information, and coordinate incident response activities with allied nations. To demonstrate commitment, domestic resources should be deployed to strategic priorities.

Tier 4: Incorporation of Incident Response Playbook into National Policy

Disruptive cyber incidents are unavoidable in the near term, but their impact can be mitigated if nations follow consistent, effective, and well-communicated responses. PICS-aligned nations should demonstrate they have incorporated a response playbook into national policy. Doing so will help overcome ad hoc incident response on behalf of domestic actors and international partners looking to assist. CISA’s Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in Federal Civilian Executive Branch (FCEB) Information Systems provides a blueprint. While designed for FCEB Information Systems, these incident response and vulnerability playbooks provide critical guidance on how to standardize identification, coordination, remediation, recovery, and tracking procedures.77

Tier 5: Pursuit of Technology Cyber De-risking

The United States should encourage PICS-aligned nations to progressively reduce reliance on high-risk information and communications technologies embedded in critical infrastructure where legal, governance, or ownership structures create unacceptable security exposure. Technologies subject to opaque state influence, coercive legal obligations, or limited avenues for independent oversight should be replaced with trusted vendors. Given many states have already increased their exposure to high-risk technologies through accepting cyber capacity building assistance from China, implementation may vary by national context and necessitate phased diversification or targeted replacement in critical sectors only. At higher levels of commitment, nations should pursue accelerated transition toward trusted vendors with clear governance, legal transparency, and accountability mechanisms.

This approach mirrors emerging practice across the European Union, G7, and allied economies, where the objective is not technological isolation, but reducing systemic vulnerabilities. Cyber de-risking also serves strategic technology competition by promoting the trusted products of American and allied technology firms.

U.S. Cyber Command (photo by Josef Cole)

Pillar 2: Red Lines

In line with the recommendation that the United States move toward a declaratory posture advocating enforceable red lines, PICS members should pursue similarly proactive public messaging to declare clear red lines. These red lines need not precisely mirror the United States position but should be grounded in a collective pledge to act responsibly and publicly affirm international legal principles that govern state behavior in cyberspace. The declaration of red lines allows PICS-aligned nations to navigate political realities by distinguishing incidents that demand solidarity and decisive action from those that demand solidarity.

Tier 1: Declaration on the Interpretation of International Law as it Applies to Cyberspace

Publicly declaring how countries interpret international law in cyberspace is essential for states to reduce ambiguity about what behaviors they consider lawful, unacceptable, or escalatory. This transparency narrows the space for miscalculation, builds predictability into state interactions, and creates a shared vocabulary for accountability when norms are violated. Clear national positions also help align regional and global expectations, making collective responses to malicious activity more credible. Bodies like the African Union and NATO Cyber Defence Centre of Excellence Tallinn Manuals provide examples here.

Tier 2: Declaration of Red Lines

PICS-aligned nations should declare clear red lines that constitute a necessary pre-commitment to deterring malign cyber activity. Where politically feasible, these red lines should be aligned with U.S. posture. Policymakers should articulate what infliction of damage warrants a response. Nations may also define within their own security apparatus a set of lower-threshold cases that should trigger consequences if violated where resources permit. When such violations occur, they should trigger an automatic response from PICS-aligned nations. These incidents include:

● Cyber incidents that result in IP theft

● Cyber incidents that create significant economic disruption

● Cyber incidents that weaken societal resilience

● Cyber incidents that pre-position a malign actor within critical sectors

● Cyber incidents that disrupt essential services (i.e. power, water, sewage)

● Cyber incidents that inflict kinetic damage within sovereign territory

● Cyber incidents that pose risk to or result in the loss of human life

Tier 3: Commitment to Review Procedure

Given the quickly evolving nature of cyber capabilities, nations committed to maximizing the effectiveness of red line declaratory posture should pursue a policy review of cyber red lines at regular intervals. Doing so will provide an avenue to assess emerging cyber threats and domestic societal resilience, as well as the opportunity to adjust red lines accordingly. Proceduralizing the active review of red line posture may also act to deter escalatory methods of malign actors.

Pillar 3: Attribution

Attribution has become a central requirement for deterrence, accountability, and norm enforcement, and PICS should advocate for a structured approach to guide when and how members publicly identify malicious cyber activity. As cyberattacks grow more sophisticated and frequent, the technical and political challenges of determining responsibility risk delaying or undermining PICS’s ability to impose timely and credible costs on adversaries. Attributing a cyber incident to specific actors remains challenging for reasons of legality, technical capability, and political will, allowing many operations to occur with high deniability and below traditional response thresholds. Coordinated, coalition-based attribution is a growing area of strength among EU and NATO countries; their experience should be leveraged to lead efforts while expanding the number of participating states. Joint attributions by PICS-aligned nations will become particularly valuable for enhancing legitimacy and distributing political risk.

Tier 1: Public Commentary on Incidents of Concern

PICS-aligned nations should engage in routine public commentary on incidents of concern. Doing so enables nations to signal vigilance, raise awareness of emerging tactics, and reduce risks of misperception or misattribution while maintaining deniability in naming a perpetrator. This first tier functions as a low-risk confidence-building measure.

Tier 2: Supporting Attribution Made by Fellow PICS-aligned Nations

Joint-attribution mechanisms should be encouraged to amplify the legitimacy of attributions made by allies and partners. Multilateral coordinated attributions are already common practice, with the EU developing advanced mechanisms for collective responses to malicious cyber activity. Endorsing a fellow PICS-aligned nation’s attribution announcement further strengthens the coalition’s collective credibility and protects against hostile actors driving wedges between members. When one member leads a technically and legally grounded attribution, rapid public support from others amplifies legitimacy and reduces the political burden on any single state.

Tier 3: Leading Attribution Efforts

PICS-aligned nations with superior visibility, intelligence access, and technical capability may demonstrate commitment to responsible state behavior by leading attribution efforts. The joint issuance by the CISA and FBI of a detailed advisory on Iranian operations against the Albanian government exemplifies this tactic. Leadership at this tier requires significant technical, financial, and legal capabilities along with the capacity to bear the consequences of any retaliatory cyber activity. Leading attribution efforts are therefore likely to be pursued by only a handful of nations, although the Estonian-led attribution that named Unit 29155 of Russia’s military intelligence as responsible for the 2020 cyberattacks against its country demonstrates that smaller states may also assume this role.78

Pillar 4: Consequences

In line with the recommendation that the United States explicitly declare cyberspace red lines and impose pre-set consequences on violations of those red lines, PICS-aligned nations should follow suit. Harsher consequences should impose costs sufficiently high to deter malign actors. By moving away from ambiguity and toward enforceable cost implications, PICS-aligned nations may build a credible deterrent posture. Nations should first publicly commit to a menu of consequences and follow through on the implementation at the first incident occurrence to demonstrate commitment.

Tier 1: Implementation of Diplomatic Consequences

PICS-aligned nations should embrace a clearer declaratory posture by committing to a defined set of diplomatic steps that follow violations of red lines. These measures should include joint attributions tied to a PICS red line, coordinated démarches in the responsible state’s capital, recalling of ambassadors or lowering of diplomatic representation, pausing the offending state’s participation in cyber or digital-economy dialogues, and coordinated naming-and-shaming in multilateral bodies. Establishing this floor of diplomatic responses strengthens deterrence by making clear that malign activity will invite automatic political costs from a coalition rather than a single state.

Tier 2: Implementation of Economic Consequences

When violations become more serious or recur over time, PICS-aligned nations should escalate to a defined menu of economic and regulatory consequences. Measures may include targeted sanctions on individuals, agencies, or companies responsible for the activity; coordinated export controls on sensitive technologies such as chips, cloud services, security tools, or dual-use hardware; limits on market access, including procurement or critical-infrastructure tenders; heightened scrutiny of implicated financial institutions or sectors; and suspension or renegotiation of data-sharing, cloud, or ICT arrangements that could be exploited. By articulating these steps in advance, PICS-aligned nations reinforce the credibility of their deterrent posture and signal that escalating behavior will trigger proportionately escalating consequences.

Tier 3: Implementation of Military Consequences

PICS-aligned nations should announce a declaratory position that cyber operations crossing the threshold into an armed attack should be met with military consequences. Dependent on the extent of the disruption or destruction caused, non-kinetic or kinetic military consequences may be pursued. These may include offensive cyber response operations to disrupt infrastructure, block intrusions, or degrade attacker tools. In the case of high-threshold attacks, a proportionate kinetic response under the right of self-defense should be pursued. Such commitment demonstrates that high-threshold intrusions can trigger a coordinated state response.

Tier 4: International Harmonization of Legal Systems

To keep the system functioning over time and ensure the enforcement of international law as it pertains to cybercrime is most effective across territories, PICS-aligned nations should initiate long-term efforts to align legal frameworks. Such efforts should aim to achieve shared technical and evidentiary standards for attribution in national courts, streamline mutual legal assistance and extradition, and coordinate sanctions and export-control authorities so the enforcement of consequences can move quickly. While politically and administratively intensive, establishing such an environment would mean PICS-aligned nations may rely on coordinated legal systems and not only political will to enforce cyber stability across borders.

Policy Workshop Team with Mart Laanemäe (Adviser, Department of Digital and Cyber Diplomacy) and Helen Popp (Ambassador-at-Large for Cyber Diplomacy) at the Estonian Ministry of Foreign Affairs in Tallinn

Policy Recommendations: Achieving Alignment with Partners

To achieve stability and security in cyberspace, interactions between nations must be predictable and harmonious. In recent years, however, mechanisms for cooperation and threat response have been globally fractured. The Pillars of Participation under the proposed Partnership for International Cyber Stability offer recommendations for how states may align their policy positions, but this strategy must be complemented by tangible coalition mechanisms. These mechanisms do not necessitate the formation of a new institution, but rather the consolidation of existing activities under renewed and more explicit commitments.

These mechanisms serve a dual purpose. First, as countries invest in them, they signal deeper commitment to responsible state behavior. Second, they offer avenues for the United States and allies to incentivize or reward deeper alignment. Such joint responsibility helps overcome the moral hazard issue of nations underinvesting in their cyber capabilities, and the sustainability issue of nations failing to invest in defense measures until it is too late. For example, a state that has progressed through the PICS tiers by investing in responsible infrastructure and formally adopting an incident response playbook can reasonably expect more timely and robust support in the event of an attack.

Engagement in these mechanisms and a nation’s decision to progressively realize deeper PICS-alignment is not without cost. Countries will have to invest their own resources, change policy posture, and spend political capital to do so. Participation in coordinating mechanisms may also be rewarded by the United States and our allies, whereby ascension through the PICS Pillars of Participation facilitates foreign assistance in the form of information sharing, capacity strengthening, incident response support, and private vendor access. These activities could be financed by the United States by combining the existing cyber assistance budgets with new revenue streams such as crypto seizure. Partner nations would be expected to contribute financing, raised through their own means.


Cooperation Mechanism 1: Cyber Capacity Strengthening Assistance

All nations looking to share in the prosperity an open, interoperable cyberspace provides should pursue responsible Cyber Capacity Strengthening (CCS). Well-coordinated CCS offers a pathway to durable, long-term cyber capacity. Effective CCS coordination efforts will help more countries reach a baseline level of cyber capability where they can prevent, detect, and respond to incidents without depending on crisis-driven external support, reduce long-term reliance on high-risk technologies, and facilitate participation in regional and global cyber cooperation mechanisms.

To demonstrate commitment to PICS, nations should engage in domestically funded CCS efforts with the guidance and support of other PICS-aligned governments. Many developing nations require assistance in overcoming structural challenges in building cyber capacity: small workforces, limited technical expertise, and fragmented external support that arrives through short-term project cycles that undermine sustainability. The United States and its allies operate a wide range of CCS programs today, but these efforts lack cohesion across agencies, implementers, and regions. Today, U.S. assistance spans regulatory reform, legal and policy capacity building, technical training, national strategy development, CERT establishment, and operational readiness exercises across programs such as Digital Connectivity and Cybersecurity Partnership (DCCP) and CISA-led trainings.79 The EU also runs parallel cyber-capacity programs, including the EU CyberNet’s global training and advisory work and regional initiatives like the LAC4 center and Western Balkans support programs.80 While these investments matter, they operate without a shared framework that sets priorities or ensures that partners build stable and interoperable institutions. Greater coordination is required to move CCS beyond digital solidarity toward a more strategic effort to reinforce a trusted global digital ecosystem.

The United States currently expends approximately $140 million annually through the Bureau of Cyberspace and Digital Policy (CDP) for technology-related foreign assistance, $30 million of which is dedicated to cyber capacity strengthening efforts. Over time, this can be supplemented by directing forfeited digital assets into a dedicated cyber-stability fund. Allies also maintain significant cyber assistance budgets. The European Union alone has allocated around $450 million for its Digital Europe Work Programmes for 2025–2027,81 adding another significant stream of cyber and digital capacity funding. PICS can assist in prioritizing these efforts, providing a progressive model for attainment, allowing the United States and allies to reduce fragmented CCS planning and make financing efforts more cohesive. With the end state goal of technological de-risking (Tier 4 of the Responsible Tech Infrastructure Pillar) and improved public-private partnership opportunities, this approach opens up investment opportunities for the United States and trusted vendors to support governments abroad in building resilient ICT architecture.

Cooperation Mechanism 2: Information Sharing

Nations should look to embrace, strengthen, and extend information sharing arrangements. Information sharing is essential to strengthening both U.S. and global cyber stability but exists along a spectrum. Conditional on the level of integration with PICS, avenues and types of information sharing will differ across nations, but the goal of increasing alignment over time is shared.

Several existing channels should be strengthened to support threat intelligence sharing, which gives network defenders the tools to protect themselves. Domestically, the Cybersecurity Information Sharing Act of 2015 created real-time channels for federal agencies and companies to exchange threat indicators and protected participants through liability and antitrust safeguards.82 Other countries have built similar architectures. Australia’s 2023–2030 Cybersecurity Strategy aims to build a whole-of-economy threat intelligence network,83 while Thailand’s Anti-Tech Crime Center links banks, telecom operators, regulators, and law enforcement for real-time coordination.84 Internationally, governments should turn to trusted channels for confidential reporting, such as the EU CyberNet program, which is expanding cross-sector information exchange through regional hubs and expert networks.85

Nations should reinforce and integrate these models to enable seamless threat intelligence sharing across borders. Emerging tools further strengthen this incentive. Companies such as IBM now use AI to detect anomalies and automate incident summaries at significantly higher speeds, increasing the volume and quality of information that can be shared. Integrating such tools would provide PICS-aligned nations with a practical advantage: faster insight, better defenses, and a trusted environment for cooperation.86

Information sharing to serve attribution efforts requires a higher standard of alignment but should be a goal of PICS participation. Those nations with superior visibility, intelligence access, and technical capability should look to share intelligence leads and discovery tools with nations who have demonstrated commitment to responsible state behavior. Doing so under safe-harbor provisions, confidential lines of disclosure, and clear protections would permit nations to respond rapidly to emerging threats.

Cooperation Mechanism 3: Incident Response Support

In the unfortunate instance of cyberattacks inflicting damage to PICS-aligned countries, incident response support should be deployed to assist nations in their recovery. Incident response is often a defining test of cyber cooperation. A well-contained crisis can do more than restore systems; it can bolster alliances and reinforce the importance of responsible state behavior. In turn, this response reinforces deterrence by denial, making attacks harder to carry out through enhanced resilience. Incident response assistance should be prioritized for nations who have demonstrated sustained commitment to PICS principles.

The United States already operates rapid-response capabilities, which can serve as a model. The United States Foreign Assistance Leveraged for Cybersecurity Operational Needs (FALCON) mechanism, first deployed to the Costa Rican oil refinery cyberattack,87 enabled U.S. teams to assist partners in containing incidents, stabilizing critical services, and assessing the scope of compromise. Existing federal incident response playbooks emphasize early containment, coordinated communication, and partner-led response operations. Under PICS, these principles should be embraced by other nations who possess the resources to deploy technical expertise and financial assistance in times of need.

Effective incident responses can also create momentum for long-term cyber capacity strengthening. Crisis deployments often reveal structural gaps in governance, workforce capability, and technical readiness, and post-incident collaboration can accelerate broader reforms. Activities such as after-action reviews, improved interagency coordination, and updates to national strategies help partners transition from recovery to long-term resilience. PICS pillars can help formalize this progression by guiding states toward policy that strengthens national systems and reduces dependence on external support over time.

Cooperation Mechanism 4: Privileged Vendor Access

Nations looking to gain deeper alignment with the United States and its allies in the digital realm should look to embed trusted private sector technology into critical infrastructure. The vast majority of cyberspace is built on the infrastructure, networks, and ingenuity of the private sector, yet many developing nations and smaller economies face challenges in accessing or financing their products and so are excluded from these gains.

The United States operates with a unique advantage, hosting the headquarters of tech giants like Microsoft, Google, Oracle, Starlink, and Anthropic. Our closest allies enjoy similar advantages, with tech innovators like Japan’s Sony, South Korea’s Samsung, Germany’s SAP, and Estonia’s Cybernetica. These firms play a key role in enabling technology-driven growth and securing both civilian and government digital infrastructure against malicious activity. In an increasingly competitive global technology environment, many developing companies are turning to Chinese firms like Huawei instead; however, PICS-aligned nations should demonstrate their commitment to responsible state behavior by embracing trusted technology.

To encourage this uptake, the United States and its allies should move to provide structured, privileged access to trusted vendors and favored pricing. Access to firms would also be facilitated in the form of invite-only meetings and procurement mechanisms. The institutionalization of access points would provide predictability to all parties and deepen long-term engagement. Permitting access to a catalogue of private sector capabilities and vendors that nations can access in times of crisis would streamline the procurement of best-in-class capabilities just when government-capacity is most tested and overstretched. Such arrangements lower market-entry barriers, reduce commercial uncertainty, and enable firms to offer more competitive and sustainable pricing to PICS-aligned nations. Foreign assistance financing should also be leveraged to subsidize costs and offer preferred pricing to nations demonstrating responsible behavior.

Corporations have strong incentives to participate in this system. Privileged vendor frameworks expand their market access, establish early relationships with emerging digital economies, and position them as trusted partners in a growing global cybersecurity ecosystem. Formalizing these channels also reduces commercial uncertainty, offering companies predictable procurement pathways and opportunities to shape standards and infrastructure in alignment with their technologies.

6 | Conclusion

Cyberspace has become a defining arena of economic opportunity and global cooperation, as well as one of geopolitical competition and systemic vulnerability. Over the past two decades, the United States and its partners have worked toward shared expectations of responsible state behavior in cyberspace, yet the gap between this framework and conduct in practice has widened. Malign actors continue to exploit ambiguity and inconsistent international response to pursue strategic advantage at low cost and low risk. As long as this environment persists, the United States will face accumulating threats to national security, economic prosperity, and democratic stability.

Incremental adjustments to the status quo are no longer sufficient. The United States must adopt a more deliberate, structured, and proactive strategy, one that redefines U.S. leadership, strengthens international alignment, and transforms the framework of responsible state behavior in cyberspace into an enforceable system. Doing so does not require the creation of new global institutions or massive new spending. Rather, it requires mobilizing the advantages the United States already possesses and the framework of responsible state behavior that remains the most viable foundation for global stability.

Recommitment to responsible state behavior in cyberspace begins at home. Clearer U.S. declaratory red lines, more predictably costly consequences for violations, and better integration of diplomatic, economic, and defensive cyber tools would restore credibility to U.S. deterrence. Systematizing public-private cooperation and responsibly enabling active cyber defense against non-state actors would better align national capabilities with the reality that most digital infrastructure is privately owned and operated. Redirecting seized cryptocurrency assets toward cyber stability would allow the United States to scale its efforts without drawing on already strained federal budgets.

Yet leadership cannot be exercised unilaterally. A stable and secure global cyberspace requires a broad coalition of states that are willing and able to uphold shared rules. The Partnership for International Cyber Stability proposed here offers a pathway for states at different levels of capacity and political alignment to demonstrate commitment to responsible behavior. Its tiered pillars recognize that not all partners can move at the same pace, yet all can move in the same direction. In return, deeper alignment with the framework unlocks long-term cyber capacity strengthening, privileged vendor access, threat-intelligence sharing, and incident-response support. These mutually reinforcing incentives align national self-interest with global stability.

Achieving stability and security in cyberspace is about realizing the full promise of a connected world: an interoperable, open, and trusted cyber ecosystem that expands economic opportunity, supports democratic resilience, and enhances collective security. Achieving that future requires sustained commitment, credible deterrence, and coordinated action across governments, industry, and like-minded nations. If we lead with clarity, invest with our allies, and hold malign actors to account, the United States can help move the global community toward a more secure, predictable, and prosperous digital order.

Supporting Materials

Acronyms

AI — Artificial Intelligence

APT — Advanced Persistent Threat

ASEAN — Association of Southeast Asian Nations

AU — African Union

AWS — Amazon Web Services

CDAC — Cyber Defense Assistance Collaborative

CDP — Bureau of Cyberspace and Digital Policy

CERT/CIRT — Computer Emergency Response Team / Computer Incident Response Team

CFAA — Computer Fraud and Abuse Act

CISA — Cybersecurity and Infrastructure Security Agency

CNE — Computer Network Exploitation

CNI — Critical National Infrastructure

CSA — Cybersecurity Advisory

DDoS — Distributed Denial-of-Service

DHS — U.S. Department of Homeland Security

DIU — Defense Innovation Unit

DOJ — U.S. Department of Justice

EU — European Union

FALCON — Foreign Assistance Leveraged for Cybersecurity Operational Needs

FCEB — Federal Civilian Executive Branch

PICS — Partnership for International Cyber Stability

ICT — Information and Communications Technology

IOC — Indicator of Compromise

IP — Intellectual Property

LLM — Large Language Model

MEK — Mujahedeen-e-Khalq

MLAT — Mutual Legal Assistance Treaty

NASA — National Aeronautics and Space Administration

NATO — North Atlantic Treaty Organization

NSA — National Security Agency

NSC — National Security Council

OAS — Organization of American States

OEWG — UN Open-Ended Working Group

OPM — Office of Personnel Management

PNG — Persona Non Grata

PRC — People’s Republic of China

PW — Policy Workshop (the class)

SIGINT — Signals Intelligence

SOC — Summary of Conclusions

UN — United Nations

UNIDIR — United Nations Institute for Disarmament Research

UNGA — United Nations General Assembly

UNGGE — United Nations Group of Governmental Experts on Information Security

USCYBERCOM — United States Cyber Command

Glossary of Terms

Ambiguity (Strategic Ambiguity)

A deterrence posture in which the United States keeps unclear what specific cyber actions would trigger a response. In practice, this ambiguity has reduced deterrence by allowing adversaries to operate below the threshold of major retaliation.

Attribution

The technical, legal, and political process of determining who is responsible for a cyber operation. Joint or multilateral attribution increases legitimacy and reduces political risk for any one state.

Capacity Building (Cyber Capacity Strengthening)

Activities that help partner states build cyber resilience, including legislation, workforce development, CERT establishment, and operational readiness.

Consequences Framework

A structured ‘if–then’ model specifying what responses will follow certain cyber incidents. Includes diplomatic, economic, non-kinetic military, and, in extreme cases, kinetic tools.

Critical Infrastructure

Systems essential to national security and societal functioning, including energy, water, health, transportation, and communications. Increasingly targeted by state-backed actors.

Cyber De-risking

Reducing reliance on high-risk technologies — particularly ICT products tied to potential foreign influence. Often refers to reducing dependence on Chinese-origin infrastructure.

Cyber Diplomacy

Using foreign policy tools to shape cyber norms, manage escalation, and coordinate international responses to cyber threats.

Deterrence (By Denial / By Punishment)

Two core elements of cyber strategy:

● Denial: making attacks harder to carry out through resilience and defense.

● Punishment: imposing costs on adversaries after an attack.

Hunt Forward Operations

Proactive U.S. deployments into partner networks to detect and evict malicious actors before damage occurs.

Malicious Cyber Activity (Below Threshold)

State-backed or criminal activity that falls short of an armed attack — including ransomware, espionage, IP theft, influence operations, and pre-positioning.

Norms (UN Cyber Norms)

Eleven voluntary norms endorsed at the United Nations that outline responsible state behavior in cyberspace, forming the foundation for global cyber stability.

Persistent Engagement

A U.S. doctrine focused on continuous operations to disrupt adversaries ‘left of boom,’ rather than waiting for major incidents.

Pre-Positioning

Planting covert access inside networks for potential future use in crises or conflicts.

Public-Private Partnership

Operational collaboration between governments and major technology companies. Much of modern cyber defense relies on private-sector capabilities and infrastructure.

Red Lines

Clear thresholds that distinguish between incidents where states may respond and incidents where they must respond.

Standing Response Panel (SRP)

A proposed body that categorizes incidents, reviews attribution, and recommends appropriate responses from the pre-agreed consequences menu.

Strategic Stability (Cyber Stability)

A predictable environment where states operate under shared rules, clear expectations, and coordinated responses—reducing risks of escalation.

Volt Typhoon / Salt Typhoon

Major PRC-linked cyber campaigns:

● Volt Typhoon: long-term pre-positioning in U.S. critical infrastructure.

● Salt Typhoon: large-scale telecom espionage across dozens of countries.

About the Authors

Nadia Avianti

Nadia specializes in urban policy in developing countries, with a focus on transportation and climate adaptation. She previously worked at J-PAL on impact evaluations of tax reform and urban transport research in Indonesia, and completed her internship at the Asian Development Bank Institute, where she worked on translating evidence into policy insights.

Adán Chávez

Adán is a public policy professional with extensive experience in civic engagement and democratic participation. He previously led state and local partnerships at Meta and served as Deputy Director of Civic Engagement at NALEO, advancing national efforts on election integrity, public safety, and community empowerment.

Charles Clouse

Charles focuses on international security and strategic competition. He previously served as a civilian analyst for the United States Army and NYPD and as a reserve military officer with operational experience in East Africa and the United States.

Ofir Cohen

Ofir specializes in social policy, labor markets, and inequality, with prior experience advising on federal economic policy in the United States Congress. He previously led public policy consulting projects for Israeli ministries and NGOs on social protection, workforce integration, and migration policy.

Valerie Doze

Valerie focuses on international relations and science, technology, environmental, and health policy. She has experience at the German Marshall Fund, Max Planck Institute, and Health Diplomacy Alliance on transatlantic policy, biochemistry research, and climate-health policy, respectively.

Ethan Kahn

Ethan specializes in defense policy and economic statecraft, with a regional focus on the Middle East and the Indo-Pacific. He is a SINSI Graduate Fellow with experience at the U.S. State Department, U.S. Department of Defense, and the U.S. Institute of Peace.

Maddie Legemah

Maddie’s expertise lies at the intersection of strategy, innovation, and international affairs. A British national, her professional experience spans the private and public sectors. Having worked at Bain & Co., the UN World Food Programme, and World Economic Forum, she focuses on food systems, public-private partnerships, and improving organizational effectiveness.

Ryan Sung

Ryan specializes in international relations with professional experience at the State Department, USIP, and the European Bank for Reconstruction and Development. A SINSI Fellow, he has worked on U.S.-China relations, cross-regional diplomacy, and Western Hemisphere policy.

Stefan Tobias

Stefan works at the intersection of technology policy, financial inclusion, and state capacity building. As a career civil servant in India, he has led national and district-level digital transformation and public-sector service-delivery initiatives.

Acknowledgements

This report was developed following extensive consultations with leading experts across government, industry, academia, and the international cyber policy community. From September to November 2026, the group engaged with 40+ practitioners, whose insights significantly enriched the analysis reflected in these pages. We are deeply grateful to the experts listed below for sharing their time and expertise. Their perspectives provided invaluable grounding for our findings. Inclusion in the acknowledgments below does not imply endorsement of this report’s conclusions or recommendations. The content of this report reflects the consensus conclusions of the students only.

Special thanks go to Teddy Nemeroff, the professor who has patiently guided us through this report-writing process. Thank you for coalescing a diverse group of student interests around such a purposeful set of topics, for your thoughtful feedback, and for your ceaseless puns.

Our profound appreciation also goes to Heli Tiirmaa-Klaar, for generously facilitating our engagements in Estonia and for her support throughout the project.

Experts Consulted

(listed alphabetically by last name)

Liina Areng — EU CyberNet Project Director, Estonian Information Systems Authority (RIA)

Joseph Bernath — Political/Economic Chief, U.S. Embassy Tallinn

Benjamin Brake — Director, Office of Cyber Affairs and Emerging Technology, Bureau of Intelligence and Research, U.S. Department of State

Nathaniel Fick — Former U.S. Ambassador-at-Large for Cyberspace and Digital Policy

Emily Goldman — Cyber Strategist, U.S. Department of War

Lauren Goldman — Former Director of Analytic Integration, Cyber Threat Intelligence Integration Center, Office of the Director of National Intelligence

Professor David Hai — Former head of the Cyber Center at the Hebrew University of Jerusalem

Oleksii Hichko — Counselor for Cyber and Digital Policy, Embassy of Ukraine in the United States

Luukas Ilves — Advisor to the Deputy Prime Minister, Ukraine Ministry of Digital Transformation

John Keefe — Former Director of Cross-Agency Strategy Integration at NASA; Special Assistant to the President and Senior Director for Cyber Policy; Senior Advisor to the Director of the National Security Agency

Steve Kelly — Chief Trust Officer, Institute for Security and Technology

Yuri Kim — U.S. Ambassador to the Republic of Albania (2020–2023)

LtCol Christoph Kühn — Deputy Director and Chief of Staff, NATO Cooperative Cyber Defence Centre of Excellence

Mart Laanemäe — Digital and Cyber Diplomacy Department, Estonian Ministry of Foreign Affairs

Manon LeBlanc — Coordinator for Cyber Issues, European External Action Service

Seungmin Helen Lee — Director of Intelligent Cyber Research, Next Peak, Cyber Defense Assistance Collaborative (CDAC)

Tarmo Luumann — Strategy Unit of the Estonian Government Office

Merle Maigre — Programme Director of Cybersecurity, Estonia e-Governance Academy

Teddy Nemeroff — Former Director of International Cyber Policy for the National Security Council

Rannar Park — Head of Business Engagement, e-Estonia Briefing Center

Taimar Peterkop — Senior Expert, Estonia e-Governance Academy

Helen Popp — Digital and Cyber Diplomacy Department, Estonian Ministry of Foreign Affairs

Kimberley Raleigh — Former U.S. Department of State & U.S. Department of Justice

Martin Sepp — Estonia National Security and Defense Coordination Unit

Keaty Siivelt — Estonia National Security and Defense Coordination Unit

Siim Sikkut — Managing Partner, Digital Nation, Former Government CIO of Estonia

Isaac Morales Tenorio — Former Mexican Foreign Ministry official; Managing Director for Cybersecurity, FTI Consulting

Heli Tiirmaa-Klaar — Chair of the Steering Group of UDCG IT Coalition, Distinguished Fellow at the German Marshall Fund of the United States

Oliver Väärtnõu — CEO, Cybernetica

Liis Vihul — Founder and CEO, Cyber Law International

Eve Vungo — Estonia National Security and Defense Coordination Unit

Seth Wyngowski — Political-Economic Officer, U.S. Embassy Tallinn

References

1 Kavanagh, C. (2017). The United Nations, cyberspace and international peace and security: Responding to complexity in the 21st century. United Nations Institute for Disarmament Research. https://unidir.org/files/ publication/pdfs/the-united-nations-cyberspace-and-international-peace-and-security-en-691.pdf

2 Pijović, N. (2021). The cyberspace “Great Game”: The Five Eyes, the Sino-Russian bloc and the growing competition to shape global cyberspace norms. In T. Jančárková, L. Lindström, G. Visky, & P. Zotz (Eds.), 13th International Conference on Cyber Conflict: Going Viral (pp. 215–231). NATO Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2021/05/CyCon_2021_Pijovic.pdf

3 Hakala, J., & Melnychuk, J. (June 2021). Russia’s strategy in cyberspace. NATO Strategic Communications Centre of Excellence. https://stratcomcoe.org/cuploads/pfiles/Nato-Cyber-Report_11-062021-4f4ce.pdf

4 Segal, A. (2016). The hacked world order: How nations fight, trade, maneuver, and manipulate in the digital age. PublicAffairs.

5 McGuinness, D. (2017, April 27). How a cyber attack transformed Estonia. BBC News. https://www. bbc.com/news/39655415

6 Buchanan, B. (2020). The hacker and the state: Cyber attacks and the new normal of geopolitics. Harvard University Press.

7 Cellan-Jones, R. (2017, October 27). NHS ‘could have prevented’ WannaCry ransomware attack. BBC News. https://www.bbc.com/news/technology-41753022

8 Wolff, J. (2021, December 1). How the NotPetya attack is reshaping cyber insurance. Brookings Institution. https://www.brookings.edu/articles/how-the-notpetya-attack-is-reshaping-cyber-insurance/

9 The Council of Economic Advisers. (2018, February). The cost of malicious cyber activity to the U.S. economy. Executive Office of the President of the United States https://trumpwhitehouse.archives.gov/wpcontent/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf

10 Lonergan, E., & Poznansky, M. (2025, February 25). A tale of two typhoons: Properly diagnosing Chinese cyber threats. War on the Rocks https://warontherocks.com/2025/02/a-tale-of-two-typhoonsproperly-diagnosing-chinese-cyber-threats/

11 Donde, M. (2025, December 9). New Report: Salt Typhoon Across the Internet. Global Cyber Alliance https://globalcyberalliance.org/new-report-salt-typhoon-across-the-internet/

12 Lopez, C. T. (2022, May 20). DOD: It’s not just state actors who pose cyber threat to U.S. U.S. Department of Defense. https://www.war.gov/News/News-Stories/Article/article/3039462/dod-its-not-juststate-actors-who-pose-cyber-threat-to-us/

13 United Nations. (2015, July 2022). Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (U.N. Doc. A/70/174). United Nations General Assembly. https://docs.un.org/en/A/70/174

14 Ruhl, C., Hollis, D. B., Hoffman, W., & Maurer, T. (2020, February 26). Cyberspace and geopolitics: Assessing global cybersecurity norm processes at a crossroads. Carnegie Endowment for International Peace. https://carnegieendowment.org/research/2020/02/cyberspace-and-geopolitics-assessing-global-cybersecuritynorm-processes-at-a-crossroads?lang=en

15 Hogeveen, B. (2022). The UN norms of responsible state behaviour in cyberspace: Guidance on implementation for Member States of ASEAN (Australian Strategic Policy Institute, International Cyber Policy Centre, in partnership with UNODA). United Nations Office for Disarmament Affairs. https://documents. unoda.org/wp-content/uploads/2022/03/The-UN-norms-of-responsible-state-behaviour-in-cyberspace.pdf

16 Segal, A., Akimenko, V., Giles, K., Pinkston, D. A., Lewis, J. A., Bartlett, B., Huang, H., & Noor, E. (2020). Roundtable: The future of cybersecurity across the Asia-Pacific. Asia Policy, 15(2), 57–114. https://www. nbr.org/wp-content/uploads/pdfs/publications/ap15-2_cyberrt_apr2020.pdf

17 Hurel, L. M., Salazar Albornoz, M., Fouad, N., Wilde, G., Pawlak, P., & Priyandita, G. (2025, March). Global compendium on responsible cyber behaviour. Royal United Services Institute for Defence and Security Studies https://static.rusi.org/global-compendium-rcb.pdf

18 CyberPeace Institute. (2023, April 26). Protecting critical infrastructure through the implementation of cyber norms. https://cyberpeaceinstitute.org/protecting-critical-infrastructure-through-cyber-norms/ HYPERLINK "https://cyberpeaceinstitute.org/protecting-critical-infrastructure-through-cyber-norms

19 United Nations Office on Drugs and Crime. (2025, October). Seventy-two nations sign first UN treaty to fight cybercrime, in milestone for digital cooperation https://www.unodc.org/unodc/frontpage/2025/ October/seventy-two-nations-sign-first-un-treaty-to-fight-cybercrime--in-milestone-for-digital-cooperation. html

20 United Nations News. (2025, October 25). Sixty-five nations sign first UN treaty to fight cybercrime, in milestone for digital cooperation. United Nations. https://news.un.org/en/story/2025/10/1166182

21 McKenzie, T. M. (2017). Is Cyber Deterrence Possible? (Perspectives on Cyber Power, CPP-4). Air Force Research Institute, Air University Press. https://media.defense.gov/2017/Nov/20/2001846608/-1/-1/0/ CPP_0004_MCKENZIE_CYBER_DETERRENCE.PDF

22 Montgomery, M., & Borghard, E. (2021). Cyber threats and vulnerabilities to conventional and strategic deterrence. Joint Force Quarterly, 102, 79–89. National Defense University Press. https://www.ndu.edu/ Portals/68/Documents/jfq/jfq-102/jfq-102_79-89_Features-Cyber_Threats.pdf

23 Office of the Director of National Intelligence. (2025, March). 2025 Annual Threat Assessment of the U.S. Intelligence Community https://www.dni.gov/files/ODNI/documents/assessments/ATA-2025Unclassified-Report.pdf

24 Daniel, M. (2021, July). Closing the gap: Expanding cyber deterrence (Cyberstability Paper Series: New conditions and constellations in cyber). The Hague Centre for Strategic Studies. https://hcss.nl/wp-content/ uploads/2021/07/Closing-the-Gap-Expanding-Cyber-Deterrence.pdf

25 Lewis, J. A. (2023, November 15). Deterrence and Cyber Strategy. Center for Strategic and International Studies. https://www.csis.org/analysis/deterrence-and-cyber-strategy

26 Bracy, J. (2015, July 10). 21.5 million breached in second OPM hack; director resigns. International Association of Privacy Professionals. https://iapp.org/news/a/21-5-million-breached-in-second-opm-hack/

27 Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China’s “Captain America”. CSO. https://www.csoonline.com/article/566509/the-opm-hack-explained-bad-securitypractices-meet-chinas-captain-america.html

28 Sevastopulo, D. (2025, December 3). US halts plans to sanction Chinese spy agency to maintain trade truce. Financial Times. https://www.ft.com/content/61016803-baf5-4be5-8350-e0cc5ca4ab26

29 Higgins, A. (2023, February 25). A NATO minnow reels from cyberattacks linked to Iran. The New York Times. https://www.nytimes.com/2023/02/25/world/europe/albania-iran-nato-cyberattacks.html

30 Cybersecurity and Infrastructure Security Agency. (2022, September 23). Iranian cyber actors conduct malicious cyber activity (AA22-264A). U.S. Department of Homeland Security. https://www.cisa.gov/newsevents/cybersecurity-advisories/aa22-264a

31 U.S. Embassy in Albania. (2023, February 7). Remarks by U.S. Ambassador Yuri Kim at the “Cyber Security Challenges in Albania” Conference https://al.usembassy.gov/remarks-by-u-s-ambassador-yuri-kim-atthe-cyber-security-challenges-in-albania-conference/

32 The White House. (2023, March 1). National Cybersecurity Strategy 2023 https://bidenwhitehouse. archives.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

33 Harding, E., Pusztaszeri, A., & Dickson, J. (2025, September 4). Playbook for winning the cyber war, Part 5: Evaluating U.S. cyber strategy. Center for Strategic and International Studies. https://www.csis.org/ analysis/playbook-winning-cyber-war-part-5-evaluating-us-cyber-strategy

34 Pham, T. N. (2022, May 11). In cyberspace, no one can hear you bluff. Center for International Maritime Security (CIMSEC). https://cimsec.org/in-cyberspace-no-one-can-hear-you-bluff/

35 Siebens, J. A., Pytlak, A., & Scoggin, K. (2025). Beyond Denial: Toward a Credible Cyber Deterrence Strategy. The Stimson Center. https://www.stimson.org/2025/beyond-denial-toward-a-credible-cyberdeterrence-strategy/

36 Brake, B. (2015, May). Strategic risks of ambiguity in cyberspace (Contingency Planning Memorandum No. 24). Council on Foreign Relations. https://www.cfr.org/report/strategic-risks-ambiguity-cyberspace

37 Lété, B., & Pernik, P. (2017, December 15). EU–NATO cybersecurity and defense cooperation: From common threats to common solutions. German Marshall Fund of the United States. https://www.gmfus.org/ news/eu-nato-cybersecurity-and-defense-cooperation-common-threats-common-solutions

38 U.S. Department of State. (2024, February 14). The United States and Albania: NATO Allies and Close Friends [Fact sheet]. https://2021-2025.state.gov/the-united-states-and-albania-nato-allies-and-close-friends/

39 The White House. (2023, March 31). Statement by National Security Council spokesperson Adrienne Watson on U.S. Cybersecurity Support to Costa Rica https://bidenwhitehouse.archives.gov/briefing-room/ statements-releases/2023/03/31/statement-by-nsc-spokesperson-adrienne-watson-on-u-s-cybersecuritysupport-to-costa-rica/

40 Newman, L. H. (2023, March 29). The U.S. is sending money to countries devastated by cyberattacks WIRED. https://www.wired.com/story/white-house-costa-rica-albania-ransomware-aid/

41 Rattray, G., & Lee, S. (2025, April). Cyber defense assistance and Ukraine: Lessons and moving forward Aspen Institute. https://www.aspendigital.org/report/cyber-defense-assistance-ukraine/

42 Smith, B. (2025, April). Microsoft announces new European digital commitments. Microsoft Blogs. https://blogs.microsoft.com/

43 Cyber Defense Assistance Coalition. (2024, June). Cyber defense assistance evaluation framework https://cyberdefenseassistance.org/

44 Digital State Ukraine. (2025, February). Ukraine leading in cybersecurity resilience https://digitalstate. gov.ua/news/tech/ukraine-leading-in-cybersecurity-resilience

45 Article 19. (2025). Cybersecurity with Chinese characteristics: Digital governance in the Indo-Pacific and the Taiwanese alternative. ARTICLE 19. https://www.article19.org/wp-content/uploads/2025/02/cybersecuritywith-chinese-characteristics.pdf

46 Miliefsky, G. (2025, March). The true cost of cybercrime: Why global damages could reach $1.2–$1.5 trillion by end of year 2025. Cyber Defense Magazine.

47 Council on Foreign Relations. (2025). Cyber Operations Tracker https://www.cfr.org/cyber-operations/

48 Office of the Director of National Intelligence. (2025, March). 2025 Annual Threat Assessment of the U.S. Intelligence Community https://www.dni.gov/files/ODNI/documents/assessments/ATA-2025Unclassified-Report.pdf

49 Chainalysis. (2025, January 15). 2025 Crypto Crime Trends: Illicit Volumes Portend Record year as On-Chain Crime Becomes Increasingly Diverse and Professionalized https://www.chainalysis.com/blog/2025crypto-crime-report-introduction/

50 Cunningham, M. (2025, October 15). Feds seize $15 billion in bitcoin after busting alleged global crypto scam. CBS News. https://www.cbsnews.com/news/bitcoin-seizure-chen-zhi-pam-bondi-cambodia/

51 U.S. Secret Service. (2025, November 12). New Scam Center Strike Force battles Southeast Asian crypto investment fraud targeting Americans. U.S. Secret Service. https://www.secretservice.gov/newsroom/ releases/2025/11/new-scam-center-strike-force-battles-southeast-asian-crypto-investment

52 Olmstead, K., & Smith, A. (2017). Americans and cybersecurity. Pew Research Center. https://www. pewresearch.org/internet/2017/01/26/1-americans-experiences-with-data-security/

53 Shandler, R., & Gomez, M. A. (2023). The hidden threat of cyber-attacks: Undermining public confidence in government Journal of Information Technology & Politics, 20(4), 359–373. https://doi.org/10.1080 /19331681.2022.2112796

54 The Council of Economic Advisers. (2018). The cost of malicious cyber activity to the United States economy https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-CyberActivity-to-the-U.S.-Economy.pdf

55 Kamiya, S., Kang, J.-K., Kim, J., Milidonis, A., & Stulz, R. M. (2018). What is the impact of successful

cyberattacks on target firms? (NBER Working Paper No. 24409). National Bureau of Economic Research. https://www.nber.org/system/files/working_papers/w24409/w24409.pdf

56 Kello, L. (2017). Private sector active defense: An adequate response to the sovereignty gap? In The virtual weapon and international order (p. 229). Yale University Press.

57 Kello, L. (2017). Private sector active defense: An adequate response to the sovereignty gap? In The virtual weapon and international order (p. 229). Yale University Press.

58 18 U.S.C. § 1030 (2018). Fraud and related activity in connection with computers. 8 USC 1030: Title 18-CRIMES AND CRIMINAL PROCEDURE PART I-CRIMES CHAPTER 47-FRAUD AND FALSE STATEMENTS https://uscode.house.gov/view.xhtml?req=(title:18%20section:1030%20edition:prelim)

59 U.S. Department of Justice, Computer Crime and Intellectual Property Section. (2018). Best practices for victim response and reporting of cyber incidents (Version 2.0) https://www.justice.gov/criminal/criminalccips/cybersecurity-unit

60 U.S. Congress. (2019). Active Cyber Defense Certainty Act (H.R. 3270, 116th Congress). https://www. congress.gov/bill/116th-congress/house-bill/3270

61 Cybersecurity Tech Accord. (2020, November 12). Advancing cyber hygiene and speaking out on hack backs: Recognizing the 2nd anniversary of the Paris Call for trust and security in cyberspace with action. https://cybertechaccord.org/advancing-cyber-hygiene-and-speaking-out-on-hack-backs-recognizing-the-2ndanniversary-of-the-paris-call-for-trust-and-security-in-cyberspace-with-action/

62 de Sousa, A. T. L. M., Schutte, G. R., Abrão, R. A. F., & Ribeiro, V. L. (2023). China in Latin America: To BRI or not to BRI. In P. A. B. Duarte, E. M. Galán, & F. J. B. S. Leandro (Eds.), The Palgrave Handbook of Globalization with Chinese Characteristics: The Case of the Belt and Road Initiative (pp. 495–514). Palgrave Macmillan.

63 Arsentyeva, I. I. (2024). China’s Digital Silk Road: Challenges and opportunities for Latin America and the Caribbean. Vestnik RUDN. International Relations, 24(1), 51–64. https://doi.org/10.22363/2313-0660-202424-1-51-64

64 Reuters. (2019, July 5). “Safe like China”—In Argentina, ZTE finds eager buyer for surveillance tech https://www.reuters.com/article/world/safe-like-china-in-argentina-zte-findseager-buyer-for-surveillance-techidUSKCN1U00Z7

65 Warner, J., & Ajibade, T. (2024, November 18). China’s smart cities in Africa: Should the United States be concerned? Center for Strategic and International Studies. https://www.csis.org/analysis/chinas-smart-citiesafrica-should-united-states-be-concerned

66 Patil, S., & Gupta, P. (2024, January 3). The digital Silk Road in the Indo-Pacific: Mapping China’s vision for global tech expansion. Observer Research Foundation. https://www.orfonline.org/research/thedigital-silk-road-in-the-indo-pacific-mapping-china-s-vision-for-global-tech-expansion

67 Winstead, N. (2020, July 26). Hack-back: Toward a legal framework for cyber self-defense. American University, Center for Security, Innovation, and New Technology. https://www.american.edu/sis/centers/ security-technology/hack-back-toward-a-legal-framework-for-cyber-self-defense.cfm

68 Winstead, N. (2020, July 26). Hack-back: Toward a legal framework for cyber self-defense. American University, Center for Security, Innovation, and New Technology. https://www.american.edu/sis/centers/ security-technology/hack-back-toward-a-legal-framework-for-cyber-self-defense.cfm

69 Broeders, D. (2021). Private active cyber defense and (international) cybersecurity—Pushing the line? Journal of Cybersecurity, 7(1), tyab010. https://doi.org/10.1093/cybsec/tyab010

70 U.S. Department of Justice, Computer Crime and Intellectual Property Section. (2018, September). Best practices for victim response and reporting of cyber incidents (Version 2.0). https://www.justice.gov/ criminal/criminal-ccips/cybersecurity-uni

71 U.S. Department of Justice, Computer Crime and Intellectual Property Section. (2018, September). Best practices for victim response and reporting of cyber incidents (Version 2.0). https://www.justice.gov/ criminal/criminal-ccips/cybersecurity-uni

72 Pearl, M., & Klimburg, A. (2025, April 24). Back & forth 4: Should the United States adopt a “hack-

back” cyber strategy? Center for Strategic and International Studies. https://www.csis.org/analysis/back-forth4-should-united-states-adopt-hack-back-cyber-strategy

73 Sherman, J. (2025, May 20). Unpacking Russia’s cyber nesting doll. Atlantic Council. https://www. atlanticcouncil.org/content-series/russia-tomorrow/unpacking-russias-cyber-nesting-doll/

74 Department of Homeland Security. (2024). Cybersecurity and Infrastructure Security Agency Budget Overview: Fiscal year 2025 Congressional justification

75 European Union Agency for Cybersecurity (ENISA). (n.d.). EUCC Certification Scheme. EU Cybersecurity Certification Library. https://certification.enisa.europa.eu/certification-library/eucc-certificationscheme_en

76 International Telecommunication Union. (2024). Global cybersecurity index 2024 (5th ed.). https://www.itu.int/epublications/publication/global-cybersecurity-index-2024

77 Cybersecurity and Infrastructure Security Agency. (2021, November). Cybersecurity incident & vulnerability response playbooks. https://www.cisa.gov/sites/default/files/2024-08/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf

78 Estonia Ministry of Foreign Affairs. (2024, September 5). Estonia names Russia’s military intelligence in a first-ever attribution of cyberattacks. https://vm.ee/en/news/estonia-names-russias-military-intelligencefirst-ever-attribution-cyberattacks

79 Department of State. (2024, May 6). United States International Cyberspace & Digital Policy Strategy: Towards an innovative, secure, and rights-respecting digital future. https://2021-2025.state.gov/united-statesinternational-cyberspace-and-digital-policy-strategy/

80 Service for Foreign Policy Instruments. (2025, September 15). EU CyberNet enters second phase to strengthen global cyber resilience. European Commission. https://fpi.ec.europa.eu/news/eu-cybernet-enterssecond-phase-strengthen-global-cyber-resilience-2025-09-15_en?prefLang=da

81 O’Grady, L. (2025, April 15). EU releases Digital Europe work programmes for 2025–2027. Center for Cybersecurity Policy and Law. https://www.centerforcybersecuritypolicy.org/insights-and-research/eu-releasesdigital-europe-work-programmes-for-2025-2027

82 U.S. Congress. (2015). Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong. https://www.congress.gov/bill/114th-congress/senate-bill/754/text

83 Australian Government Department of Home Affairs. (2023). 2023–2030 Australian cyber security strategy. https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030australian-cyber-security-strategy

84 Siam Legal. (n.d.). What is Thailand’s Anti-Online Scam Operation Center? Thailand Law Library. https://library.siam-legal.com/what-is-thailands-anti-online-scam-operation-center/

85 EU CyberNet. (n.d.). EU CyberNet: The bridge to cybersecurity expertise in the European Union. https://www.eucybernet.eu/

86 IBM. (n.d.). AI cybersecurity solutions. https://www.ibm.com/solutions/ai-cybersecurity

87 Matishak, M. (2025, January 17). U.S. deploys FALCON cyber response team to help Costa Rica’s stateowned fuel company recover from cyberattack. The Record by Recorded Future. https://therecord.media/statedepartment-falcon-cyber-response-costa-rica-recope
