Deterrence [is] the historical cornerstone of defense, and attribution — the identification of the perpetrator as well as method of attack — forms the foundation upon which deterrence rests.
Deterrence consists of essentially two basic components: first, the expressed intention to defend a certain interest; secondly, the demonstrated capability actually to achieve the defense of the interest in question, or to inflict such a cost on the attacker that, even if he should be able to gain his end, it would not seem worth the effort to him.
Deterrence operates by affecting the calculations of an adversary, specifically by convincing the adversary that the expected costs of a potential act (a type of attack or costly cyber intrusion) outweigh the expected benefits.
deterrence by denial (the ability to frustrate the attacks) and deterrence by punishment (the threat of retaliation).
"Deterrence relies on the idea that inducing a would-be intruder to refrain from acting in a hostile manner is as good as successfully defending against or recovering from a hostile cyber operation. Deterrence through the threat of retaliation is based on imposing negative consequences on adversaries for attempting a hostile operation."
Deterrence is partially a function of perception. It works by convincing a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States, and by decreasing the likelihood that a potential adversary's attack will succeed. The United States must be able to declare or display effective response capabilities to deter an adversary from initiating an attack; develop effective defensive capabilities to deny a potential attack from succeeding; and strengthen the overall resilience of U.S. systems to withstand a potential attack if it penetrates the United States' defenses.