Event Recap: Payne Distinguished Lecture | Geopolitics and Deterrence in Cyberspace: Opportunities and Limits of Offensive Cyber Capabilities
Anne Neuberger delivered the 2025 Payne Distinguished Lecture, outlining how the United States must rethink cyber deterrence to defend critical infrastructure.

In an era where global conflict is increasingly shaped by cyber capabilities rather than conventional force, policymakers are grappling with a new frontier of national security. At the annual Frank E. and Arthur W. Payne Lecture hosted by the Center for International Security and Cooperation (CISAC), former deputy national security advisor for cyber and emerging technology, Anne Neuberger, laid out the urgent need to rethink how the United States approaches deterrence in the digital age, given that deterrence has failed today.
Neuberger began by outlining a chilling reality: in 2024 alone, North Korea dramatically escalated its cyber activities, while China quietly embedded malware across critical infrastructure systems in countries from the United Kingdom to the United States. These acts, she argued, are not merely espionage; they are preparation. The aim? To sow chaos, weaken military response, and deter intervention in a future conflict, such as a Chinese invasion of Taiwan. Neuberger noted that “these cyber activities are integral to China's broader strategy of ‘active defense’ and deterrence. If these activities are successful, it’s easy to imagine the PRC being able to impose enormous costs on the US to deter its intervening in a Taiwan conflict, circumscribing the US’s ability to influence events in the Pacific rim.”
“There's little to suggest these activities are espionage,” Neuberger explained. “Instead, they look like efforts to pre-position for sabotage, for cyber attacks that shut down the power or water system to impede US military mobilization in the event of a crisis or undermine support for the government in the opening phases of a conflict.”
Cyber conflict, she argued, is fundamentally different from conventional warfare. Take, for example, Israel’s cyber attack on Hezbollah’s pager system, a move that disoriented militants and played a key role in disabling the terror group whose missiles had killed at least 46 civilians, forced the evacuation of 90,000 people from Israel's north and terrorized Lebanon for two decades. It’s a textbook case of how cyber operations, when paired strategically with conventional tools, can shape the outcome of real-world conflict.
But Neuberger warned against assuming that offensive cyber capabilities alone can deter adversaries. Unlike nuclear weapons, the effects of cyber operations are often ambiguous, hard to attribute, and easier to downplay.
Drawing on the late Dr. Joseph Nye’s framework, Neuberger outlined three pillars of cyber deterrence:
- Denial, or hardening systems to make attacks less effective and to enable rapid recovery;
- Punishment, or threatening retaliation; and
- Entanglement, in which mutual dependence reduces the likelihood of conflict.
Each is critical, but none is sufficient alone.
The United States, Neuberger said, must start by asking three fundamental questions. Who do we want to deter? What actions do we want to deter? And what do we need to undertake to achieve those goals?
Espionage, Ransomware, and Sabotage
The conversation turned to the major categories of cyber threats:
- Espionage, like Chinese state hackers targeting American businesses, remains pervasive. Yet the U.S. has largely refrained from retaliating in kind, unlike its adversaries. She proposed exploring whether threatening reciprocal commercial espionage could reset expectations and restore balance.
- Ransomware, often originating from criminal groups provided safe haven in Russia, has cost billions and disrupted hospitals, pipelines, and local governments globally. Despite high-profile crackdowns, many groups simply rebrand and continue. One proposed response for further research and evaluation? Allowing carefully regulated private-sector “hack-backs”: counter-offensives launched by the companies under attack against the criminal groups targeting them, to raise the costs for the attackers.
- Sabotage, meanwhile, is the most concerning. China’s infiltration of water systems across multiple U.S. states suggests preparation for something far more destabilizing. “Chinese government hackers are already embedded in US and allied water systems, likely to disrupt them during a future crisis or conflict. Take a moment to think about what that means,” Neuberger said.
Rethinking Deterrence
The challenge for the U.S. is stark. Today, cyber deterrence isn’t working. Can we build deterrence? A rigorous cyber defense is the foundation of a more aggressive cyber offense.
Neuberger laid out three urgent priorities:
- Strengthen Cyber Defenses Through AI by Investing in Digital Twins
Neuberger emphasized the need for “digital twins,” AI-generated replicas of infrastructure systems used to model cyber vulnerabilities and rehearse defensive responses. She also called for a national cyber alert system, akin to Cold War missile defenses, capable of identifying and blocking attacks against the most critical national infrastructure in real time.
- Target What Adversaries Value
Deterrence by punishment works only if the U.S. is willing to impose costs where it matters, whether that’s actions in cyberspace or conventional military response.
- Define Clear Red Lines and Retaliation Policies
The United States, she argued, must publicly declare that attacks on critical infrastructure that would cause mass disruption, such as the power grid or air traffic control, will trigger consequences. “Cyber deterrence doesn't create certainty, but it can create enough doubt to stop the first strike.”
“We must communicate that we are resilient. We will attribute. We will retaliate,” she said. “These combined steps on denial and on retaliation, combined with deterrence messaging, could, I believe, build deterrence in cyberspace, enough deterrence to make an adversary question whether it's worth disrupting U.S. civilian infrastructure via a cyber attack in a crisis.”
A Democratic Dilemma
Throughout the talk, one tension remained unresolved: how democracies can defend infrastructure they don’t monitor, own or operate. In authoritarian countries like China, the government monitors all major systems. But in the U.S., critical infrastructure is largely private, and legal constraints prevent federal surveillance or proactive defense. That, Neuberger suggested, is the paradox of democratic cyber defense.
The talk ended with a call to action for policymakers, technologists, and scholars to develop new policies, ethical, legal, and technical, for cyber deterrence in an AI-driven world. Research areas include everything from regulating hack-backs against cyber criminals to using AI to find and close holes in critical infrastructure.
Ultimately, Neuberger warned, cyber conflict isn’t coming. It’s already here. And unless the U.S. adapts quickly, it risks falling further behind in a domain that now touches every part of modern life, from electricity and healthcare to elections and war.