This paper critically examines a new U.S. policy called layered cyber deterrence and its proposed implementation under international law. The policy is introduced in an extensive report prepared by the Cyberspace Solarium Commission, a group of key U.S. academics, policymakers, cybersecurity experts, and others. It is billed as a more cohesive, extensively developed, and aggressive U.S. cyber policy than earlier strategies like persistent engagement and defend forward. It also is the first time the United States has articulated a whole-of-nation approach to defending itself against cyberattacks both below and above the use of force threshold. It is not, however, without its shortcomings. This paper supports the Solarium Commission’s observation that the United States must become more aggressive in responding to harmful cyberattacks. It argues, however, that the layered cyber deterrence strategy has yet to be accompanied by more aggressive action to back it up. Moreover, the strategy contains weaknesses that ultimately undermine its effectiveness and, in fact, may put the U.S. at increased risk of violating international law.

     Part I briefly describes the Cyberspace Solarium Commission and the work leading up to its report. Part II begins an analysis of several issues that can arise under the layered cyber deterrence strategy. They include a public-private partnership that may cause a reduction of government control over the strategy, attribution, and due diligence problems that can lead to U.S. accountability for private misconduct, law of war concerns that make civilians and civilian objects potential military targets, and an overreliance on an ineffective deterrence by denial strategy. Part III discusses the need for greater U.S. deterrence by punishment and considerations related to threats and uses of force under layered cyber deterrence. Parts IV and V address circumstances in which the United States may violate State sovereignty and the nonintervention principle respectively under layered cyber deterrence. Part VI considers defenses available to the United States should it violate international law in the implementation of the strategy. It further advocates for the U.S. to lead by example in establishing sound precedents in cyberspace where international law is silent or unclear. Part VII offers some overarching conclusions for consideration. Finally, because layered cyber deterrence was only recently introduced, earlier cyber incidents are interspersed throughout the paper for helpful insights into the lawfulness of U.S. conduct under the strategy.