According to U.S. officials, Russia is the likely perpetrator of the SolarWinds cyber compromise of federal agencies, private sector firms, NGOs and academic institutions. The scale and impact brought accusations of a reckless and indiscriminate operation. Some politicians labeled this an act of war, while other commentators dismissed the SolarWinds compromise as espionage. Calls for retribution were widespread.

We know few details about the breadth, depth and impact of the SolarWinds cyber operation, though the scale was clearly massive with over 18,000 SolarWinds customers uploading malware-laden tools. But we do not know which companies and agencies have been affected, what information was compromised or whether damage occurred to any information systems. This lack of public disclosure likely represents caution in revealing what is known and not known, but also signals the difficulty of assessing just how bad we’ve been had.

So how should the U.S. respond?

A natural inclination will be to strike back in order to modify future Russian behavior and to introduce stronger cyber deterrence for other potential actors. Responses might include declaring Russian intelligence personnel persona non grata, indictment of perpetrators, targeted sanctions and execution of similar operations against select Russian systems. The aim would not just be punishment, but to change the risk-gain calculation for Russia, and others, when considering new cyber operations.

In a recent Russia Matters article, Paul Kolbe argues that the United States should respond to the SolarWinds breach by focusing on improving defenses, rather than on conducting a retaliatory response such as some government officials have been advocating. Kolbe claims that prior U.S. responses to Russian cyber behavior—which have involved imposing sanctions, issuing indictments or conducting cyber operations—have failed to deter Russian operations or meaningfully change Moscow’s calculus.

Kolbe is right that, when it comes to SolarWinds, it is unlikely that retaliatory measures aiming to impose costs against Russia (inside or outside of cyberspace) will work to shift the Russian government’s risk-benefit assessment—but he’s right for the wrong reasons. It is also important to note that Russia continues to deny responsibility for the SolarWinds incident. Regardless, a punitive response to SolarWinds is unwise because the available evidence indicates that the objective of the operation was national security espionage. However, this does not mean that the pursuit of deterrence strategies to address other types of malicious behavior in cyberspace, beyond espionage, is a fool’s errand. Deterrence is not a one-size-fits-all concept in cyberspace—or in any other domain.

Paul Kolbe is entirely correct in reminding us that there is a great deal we still do not know about the SolarWinds hack. Russian official responsibility does seem probable, but it is not absolutely proven. The strongest statement that the U.S. agencies concerned have come up with is that the hack was “likely Russian in origin.”

Kolbe’s article and Erica Borghard’s response are also very valuable for their warning of the need to distinguish between cyber espionage and cyber sabotage or terrorism, as this crucial distinction has been blurred by the loose and lazy term “cyber attack,” as well as by the hysterical response to the SolarWinds hack by some U.S. politicians, with their very dangerous talk of an “act of war” (on which I have written previously here and here).

I would however like to point out in response to Borghard that Russia’s denial of responsibility is absolutely normal in espionage operations, even when these have been unquestionably revealed. In 2006, the British government denied Russian allegations of a British spying operation in Moscow using a device hidden in a fake rock, though after a few years a former British official admitted that the story was entirely true. The difference in the case of cyber operations is that (with all due allowance for freelances and double agents) conventional espionage has been the monopoly of states. On the internet, there are vastly more opportunities for independent actors, seeking personal gain or mere amusement. Most teenage hackers in the U.S. are not working for the CIA.

The United States has unveiled its overt response to Russia’s SolarWinds cyber operation—the expulsion of 10 Russian Embassy personnel from Washington, along with new sanctions on Russian sovereign debt and on Russian IT firms that support Moscow’s cyber intelligence operations. A “unseen” response promised by national security adviser Jake Sullivan, presumably cyber operations against Russian intelligence networks, has yet to publicly manifest. In response, Russia has denounced the “illegal” sanctions and predictably expelled 10 U.S. diplomats from Moscow.

Amid the flurry of accusation and counteraccusation, the question remains: Will the U.S. response to the SolarWinds compromise deter future Russian cyber activity? Based on what we’ve seen so far, I believe the costs on Russia imposed by the U.S. response will have little effect on future Russian cyber operations against U.S. government and private sector targets.

We do not know what the U.S. may undertake as part of the “unseen” response, but past experience would suggest cyber operations to signal displeasure are unlikely to change Russia’s behavior. A measured and proportional response will be shrugged off as the cost of business, and a cyber “shock and awe” campaign would risk escalation beyond U.S. intent.