Deterrence is arithmetic, not theater.
In today’s hearing—“Defense through Offense: Examining U.S. Cyber Capabilities to Deter and Disrupt Malign Foreign Activity Targeting the Homeland”—Chairman Andy Ogles put it plainly: the United States must figure out how to change the cost-benefit analysis for our adversaries, because currently the math still works in their favor.1
The Internet Security Alliance (ISA) agrees. As long as malicious state and criminal actors can impose low-cost attacks that deliver outsized strategic and economic gains, they will keep coming.
But deterrence has a second side—one Washington too often treats as an afterthought because it’s less dramatic than offensive operations: we also have to change the cost-benefit calculus for the defenders. You can raise the attacker’s costs at the margins and still lose if the defender’s costs rise relentlessly, through a regulatory system that consumes scarce cyber talent without measurably reducing risk.
Here is the quiet scandal in American cyber policy: we can count compliance, but we rarely prove effectiveness. When regulation rewards documentation over demonstrated risk reduction, it doesn’t just waste money; it drains the time, attention, and capital we need to harden systems and respond to real threats.
Regulation isn’t the problem. Regulation without evidence is.
The United States is not short on cyber policy. We have frameworks, checklists, audits, reporting regimes, and an endless supply of well-intentioned requirements. What we lack is the discipline to separate what reduces risk from what merely produces paperwork, and to stop treating activity as a proxy for security.
The Government Accountability Office (GAO) captured the frustration in a sentence that should stop any policymaker cold:
“We are spending money on compliance that would better be spent on cybersecurity.”2
That isn’t anti-regulatory rhetoric. It’s an operational warning. Time spent reconciling inconsistent definitions, meeting different reporting thresholds, and feeding multiple compliance calendars is time not spent on detection engineering, segmentation, patching, incident response readiness, or hardening the systems adversaries actually target.2
And the stakes are not abstract. The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) reported $16.6 billion in losses in 2024, based on recorded complaints.3 Global information security spending continues to climb into the hundreds of billions.4 In other words, we are spending enormous sums in the name of cybersecurity while still struggling to answer the most straightforward question Congress should ask: are our cybersecurity regulations enhancing security?
Offense can punish. It can’t substitute for governance.
Chairman Ogles’ focus on offense is timely. Offensive capabilities can impose costs, disrupt campaigns, and inject uncertainty into an adversary’s planning. Those are real tools.
But offense cannot compensate for a domestic defense posture that burns resources without reliably improving resilience. A deterrence strategy that only raises the attacker’s costs, while allowing the defender’s cost base to inflate, creates a vicious loop: the attacker adapts, the defender gets stretched, and everyone congratulates themselves on “doing something” while the underlying return on attack remains stubbornly attractive.
That is why ISA’s position is the complementary half of deterrence: lower the cost of effective defense and increase the return on every dollar spent on security. Not by wishing it into existence, and not by asking for blank checks, but by applying a discipline the federal government already uses in virtually every other serious area of regulation.
The missing tool is the one Washington already knows: cost-benefit analysis.
For major federal regulations, cost-benefit analysis is the default, not the exception. The Office of Management and Budget (OMB) calls benefit-cost analysis “the primary analytical tool” for regulatory analysis and directs agencies to evaluate both quantifiable and qualitative costs and benefits.5 Congress has summarized the same expectation: identify likely costs and benefits where possible, and compare alternatives rather than treating a mandate as self-justifying.6
Cybersecurity should not be the exception.
When agencies impose cybersecurity obligations without rigorous cost-benefit analysis, three predictable things happen—each of which weakens defense.
First, we never define success clearly enough to measure it. “Compliance achieved” is not a security outcome. A binder of policies is not resilience. A reporting pipeline is not risk reduction. Without a requirement to specify benefits in defensible terms, mandates drift toward what is easiest to audit—not what is most effective to defend.
Second, we push scarce talent toward low-return work. Cybersecurity labor is finite. Every hour spent assembling attestations, mapping controls to overlapping rules, and chasing inconsistencies is an hour not spent reducing exposure or improving response.2
Third, we accumulate legacy obligations that no one can justify, but no one can unwind. Cyber threats evolve; rules calcify. Without structured retrospective review, mandates pile up, paperwork grows, and defense costs more in precisely the wrong places.
If Congress wants deterrence that lasts, it should treat cost-benefit analysis as a security instrument—not a bureaucratic nicety.
A useful proof point: cost-benefit discipline is already trusted in this Administration.
Cost-benefit analysis is not some imported ideology. The federal government has long relied on it, and this Administration has a particularly relevant connection: the National Cyber Director, Sean Cairncross, previously served as Chief Executive Officer of the Millennium Challenge Corporation (MCC).7
MCC is not a cybersecurity agency, and that’s the point. Its governing model is built around measurable returns: it uses cost-benefit analysis to evaluate investments, and it publishes economic rates of return as an accountability tool, including a hurdle rate used to decide whether projects merit investment.8
One clean conclusion is enough: if the federal government expects quantified returns before funding major development projects, it can expect quantified security returns before imposing major cyber mandates on the systems Americans depend on every day.
What cost-benefit analysis legislation would change—immediately.
ISA supports legislation that would require cost-benefit analysis for cybersecurity-related regulation, not only going forward but also for the stock of existing cyber regulatory requirements. Done correctly, that approach would deliver practical, immediate gains:
1) Force clarity. Agencies would have to define the intended security benefit of a requirement and explain why the chosen approach produces the best return relative to alternatives.
2) Reduce waste without reducing security. The point is not to relax standards; it is to stop spending disproportionately on compliance activity that does not produce measurable risk reduction.
3) Modernize the rulebook. A retrospective review would create a structured way to update, consolidate, or sunset requirements that cannot justify their costs relative to security benefits, without waiting for the next crisis to expose the problem.
Deterrence is not a slogan. It is a balance sheet. The attacker’s balance sheet matters—but so does ours. If we want adversaries to think twice, we should absolutely impose costs where we can. But we should stop imposing costs on ourselves through mandates that can’t demonstrate they improve security.
A cybersecurity rule that can’t show results isn’t neutral. In a resource-constrained environment, it becomes a security liability.
This can be cited as ISA’s official comment on the January 13 hearing before the House Homeland Cybersecurity Subcommittee.
For more information, contact Larry Clinton, President and CEO, Internet Security Alliance (lclinton@isalliance.org).