Abstract

This thesis asks: how can small states deter cyberattacks that sit in the grey zone between peace and war? It argues that small states cannot deter through scale or offence but by layering four mechanisms – punishment, denial, norms and entanglement – in ways that fit their strategic cultures. Using a comparative case study of Estonia and Singapore, the project assesses how each state combines denial, calibrated punishment, and norm- and interdependence-based strategies to raise costs, reduce gains, and narrow the payoff surface for hostile operations. The analysis adopts a realistic benchmark: deterrence is evidenced not by zero incidents, but by adversary restraint from large-scale, destructive, or politically significant attacks, and by rapid containment and recovery when incidents occur. Findings show denial-as-resilience is the foundation; norms and entanglement amplify its effects by widening coalitions and reputational costs; and punishment works best when proportionate, coalition-minded, and signalled clearly. Estonia demonstrates agenda-setting power through CCDCOE, the Tallinn Manual process, EU/NATO tools, and public attribution; Singapore emphasises institutional resilience, legal-regulatory instruments, economic entanglement, and diplomatic convening. The result is a tailored, layered cyber deterrence posture that small states can afford, sustain, and credibly signal.

Abbreviations and Acronyms

The detailed abbreviations and definitions used in the paper are listed in Table 1.

Chapter 1: Introduction

1.1 Background

Over the past two decades, cyberspace has become both a critical enabler of prosperity and an arena of contestation. The Internet and digital connectivity underpin global finance, communications, critical infrastructure, and national security. Yet the same interdependence generates great vulnerability. States and non-state actors exploit the digital domain to pursue political goals through operations below the threshold of armed attack. These grey zone (GZ) activities deliberately calibrate coercion, exploiting legal and political ambiguity to erode state capacity and will.¹

For small states, this environment poses acute challenges. Lacking the scale, offensive capacity, and redundancy of major powers, small states are disproportionately exposed to cyber threats.² Estonia’s 2007 distributed denial-of-service campaign highlighted this vulnerability, when attacks linked to Russia significantly disrupted government, banking, and media networks.³ In Southeast Asia, Singapore has been a sustained target of advanced persistent threats (APTs).⁴ These cases illustrate that cyber coercion is no longer a theoretical risk but an everyday feature of international competition.

Classical deterrence theory, rooted in nuclear strategy, offers only partial guidance. Whereas nuclear deterrence sought total prevention through credible threats of retaliation, cyber deterrence is less absolute. Attribution difficulties, low barriers to entry, and the sheer frequency of malicious cyber activity complicate the translation of Cold War concepts to the digital age. As Joseph Nye argues, cyber deterrence should be conceived flexibly: raising costs and reducing gains through punishment, denial, entanglement, and norms.⁵ This layered approach is particularly relevant for small states, which cannot rely on scale or offence but can shape adversary behaviour through resilience, signalling, and multilateral posture.

1.2 Puzzle Statement and Research Question

The core puzzle that animates this thesis is straightforward: how can small states deter cyberattacks in the GZ despite their structural disadvantages?

On the one hand, sceptics argue that deterrence in cyberspace is impossible, pointing to the persistent volume of intrusions and the limits of attribution.⁶ From this perspective, small states remain vulnerable, reliant on external security guarantees and unable to impose costs on adversaries. On the other hand, others suggest that deterrence in cyberspace can work – but in more modest and behavioural terms.⁷ Since 2007 Estonia has not again suffered a nationwide disruption, despite repeated Russian-linked campaigns.⁸ Similarly, Singapore has thus far avoided large-scale, destructive cyber incidents that undermined its national security.⁹ These outcomes raise an important question: if zero incidents are an unrealistic benchmark, what constitutes effective deterrence for small states?

This thesis contends that cyber deterrence should be assessed not by absence of all intrusions, but by whether adversaries refrain from large-scale, destructive, or politically decisive operations; and whether, when intrusions occur, the state can absorb, contain, and recover quickly. By this behavioural benchmark, deterrence in cyberspace is less about total prevention than about shaping adversary expectations and denying easy success.

Guided by this puzzle, the thesis asks: How can small states deter GZ cyberattacks, and what lessons can be drawn from the cases of Estonia and Singapore? This question has both theoretical and practical significance. Theoretically, it contributes to ongoing debates about the applicability of deterrence to cyberspace, in particular, for small states. Practically, it offers insights for policymakers in small states, who must craft strategies of survival and influence in a domain where asymmetry is acute.

1.3 Scope

This thesis examines how small states deter politically motivated GZ cyberattacks – specifically, computer network attack (CNA) and computer network exploitation (CNE).¹⁰ CNA aims to disrupt or destroy computer systems, networks, information or programmes, while CNE involves the covert exfiltration of confidential information.¹¹ Propaganda and disinformation campaigns are recognised as part of the broader threat in cyberspace, but lie outside the scope for this thesis. Purely profit-motivated crime is also excluded, unless directed, tolerated, or instrumentalised by state actors. Accordingly, it is limited to cyber operations with strategic intent or national-security implications. This delimitation reflects analytical tractability and the distinct legal-strategic challenges of GZ state activity.

1.4 Methodology and Case Selection

This thesis employs a comparative case study method. Case studies allow in-depth analysis of how theoretical concepts are applied in practice, and comparison between cases provides the basis for drawing more generalisable lessons. Estonia and Singapore are selected for three reasons.

First, both are small states: with populations under ten million, they fit the UN Forum of Small States’ definition.¹² Both are highly digitalised, with economies and governance systems dependent on secure networks, making them especially exposed to cyber threats.

Second, both have been early movers in shaping cyber policy. Estonia’s 2007 crisis catalysed the development of whole-of-society resilience, international legal works such as the Tallinn Manuals, and institution-building including NATO’s Cooperative Cyber Defence Centre of Excellence.¹³ Singapore has invested in a centralised Cyber Security Agency, a statutory framework through the Cybersecurity Act, and regional and UN cyber diplomacy.¹⁴

Third, the cases offer variation in strategic culture and geopolitical context. Estonia is a member of the North Atlantic Treaty Organisation (NATO) and the European Union (EU) confronting persistent pressure from Russia, and anchors deterrence in collective defence and norm entrepreneurship.¹⁵ Singapore, by contrast, is a non-aligned, trade dependent hub in a multipolar Asia, balancing major powers.¹⁶ This variation allows assessment of how small states adapt cyber deterrence strategies to distinct environments.

The empirical material for this study draws on a wide range of primary and secondary sources: government strategies, laws, and speeches; reports from NATO, Association of Southeast Asia Nations (ASEAN), and the UN; scholarly analyses; and policy documents. Given the sensitivity of cyber incidents, open-source data are partial, but sufficient to trace patterns of state practice and outcomes.

Case-Selection Caveat

Both Estonia and Singapore are relatively wealthy,¹⁷ institutionally capable small states with high levels of digitalisation and governance capacity,¹⁸ and strong defensive cyber capabilities.¹⁹ This selection enables in-depth analysis of advanced small-state approaches to cyber deterrence, but it also constrains generalisability. The lessons are most directly applicable to small states with comparable resources and institutional strength and will require adaptation for poorer, fragile, or conflict-affected contexts.

1.5 Structure of the Thesis

The thesis proceeds in six chapters. Chapter 2 lays out key definitions and the theoretical framework. Chapters 3 and 4 present the case studies of Estonia and Singapore respectively, examining their deterrence posture and assessing their efficacy. Chapter 5 then compares the two cases, identifying common strategies and divergences. Chapter 6 synthesises findings, evaluates the viability of the layered deterrence framework for small states, and sets out limitations and generalisability, outlines implications for policy, practice, and future research.

Chapter 2: Theoretical Framework

2.1 Introduction

This chapter establishes the theoretical foundation for the thesis. It does three things. First, it sets a clear definitional baseline for “small states” and outlines recurrent behavioural traits associated with smallness (Section 2.2).²⁰ Second, it explains why cyberspace is a privileged arena for GZ competition and why classical deterrence logic maps only partially onto this domain (Sections 2.3–2.5). Third, it introduces Joseph Nye’s four mechanisms—punishment, denial, norms and entanglement—as the organising framework for cyber deterrence and shows how they apply to small states (Section 2.6).

Throughout, the chapter advances the thesis argument: small states deter by layering mechanisms in ways consistent with their strategic cultures – anchoring deterrence in resilience (denial), clear signalling (including proportionate punishment and attribution), and a multilateral posture (norms and entanglement). This framework sets the criteria and vocabulary used in the Estonia and Singapore case studies.

2.2 Defining Small States and Behavioural Traits

There is no consensus definition of a “small state”. Different authors deploy varying measures – population size, territory, GDP, or power.²¹ Even one of the most common measures – population size – is operationalised at different cut-offs.²² Further, relative size also matters, since smallness is frequently understood as relational.²³ For definitional clarity in this thesis, however, we adopt a pragmatic baseline: the UN Forum of Small States (FOSS) convention defining small states as those with a population under 10 million.²⁴ This places both Estonia and Singapore within scope while preserving comparability.

Beyond size, small states tend to exhibit recurring behavioural traits shaped by external exposure: adaptiveness and niche specialisation; a propensity to seek influence through membership in international organisations; selective alliance participation for hard-security guarantees; a strong preference for a rules-based order and legalism;²⁵ coalition-building and network diplomacy; and heightened attention to reputation and signalling.²⁶ In cyberspace specifically, these patterns translate into emphasis on public–private cooperation, capacity-building with partners, advocacy for international norms, and participation in regional or functional arrangements that enable information-sharing and collective response.²⁷

2.3 Grey Zone and Cyberspace

The GZ describes the ambiguous space between peace and war, where actors pursue strategic objectives through coercive or disruptive means without crossing thresholds that would trigger conventional military responses. GZ threats span a wide spectrum, including disinformation campaigns, economic coercion, cyberattacks, and political interference.²⁸ In this sense, the concept can be seen as a modern evolution of George Kennan’s 1948 notion of political warfare: “the use of all the means at a nation’s command, short of war, to achieve its national objectives,”²⁹ albeit manifesting in a more interconnected and technologically advanced world.

Cyberspace has become an especially potent arena of GZ competition. Its inherent attributes – speed, global reach, anonymity and low cost of entry – make it an attractive environment for state actors to conduct GZ operations covertly and with plausible deniability. In cyberspace, GZ threats span a continuum to impose costs and shape behaviour. These include: (1) low-end nuisance activity: website defacements, phishing, and distributed denial-of-service (DDoS); (2) mid-range coercion: stealthy espionage and supply-chain compromises; and (3) high-end disruptive or destructive operations: pre-positioning in critical infrastructure, data-wiping campaigns, and cyber-physical attacks on industrial control systems.

The 2020 SolarWinds cyber-espionage campaign illustrates the GZ dynamics. Exploiting a trusted supply-chain, a Russian state-linked group compromised the update mechanism of a widely used IT management platform, gaining access to U.S. government and private-sector networks. For months, the operation remained undetected and yielded significant intelligence benefits. Because the exploit caused no physical damage, it remained below the legal and political threshold of armed conflict, enabling the perpetrators to extract strategic gains while avoiding escalation.³⁰

2.4 Classical Deterrence Theory

Deterrence aims to prevent hostile action by convincing an adversary that the costs of acting will outweigh any possible benefits. Though the idea is ancient, it was most fully developed during the Cold War in the context of nuclear strategy. Thomas Schelling described deterrence as “to prevent from action by fear of consequences,”³¹ while Glenn Snyder conceptualised it as an adversary’s cost-gain calculation.³² The logic of deterrence is fundamentally psychological: it seeks to shape the perceptions of adversaries rather than their capabilities alone.

Two primary mechanisms underpin classical deterrence. The first is punishment, which threatens severe consequences after aggression to raise the perceived costs. The second is denial, which reduces the likelihood of an attack’s success, thereby lowering the perceived benefits. Over time, scholars distilled effective deterrence into the “three Cs”: capability, credibility, and communication. First, the deterring state must possess the capability to punish or deny. Second, this capability must be credible, meaning that the adversary believes the state has the willingness to act. Third, the threat must be communicated clearly and unambiguously.³³ A failure in any of these dimensions undermines deterrence as a whole.³⁴

2.5 Challenges of Classical Deterrence in Cyberspace

Classical deterrence, developed in the context of nuclear strategy, struggles to map neatly onto the dynamics of cyberspace, where both punishment and denial face particular difficulties. The very features that make cyberspace attractive for GZ activity – speed, anonymity, and the limited visibility of effects – also undermine the applicability of classical deterrence logic.

Challenges in Punishment

Deterrence by punishment is especially constrained in cyberspace because of two interrelated problems.

Attribution. Cyberattacks are often routed through multiple jurisdictions, using proxy servers, botnets, or compromised infrastructure to conceal their origin. Even when attribution is technically feasible, forensic investigation is time-consuming,³⁵ and political leaders may hesitate to assign blame publicly without near-certainty – both to avoid escalation due to flawed evidence and to protect sensitive intelligence sources.³⁶ This uncertainty undermines the credibility of punishment, since retaliation requires confidence in identifying the responsible actor.

Proportionality. Cyber operations such as espionage, data theft, or service disruption often lack the visibility or immediacy of conventional attacks. Their impacts are diffuse and incremental, raising doubts about whether they warrant a forceful response. Retaliation with military force would often appear disproportionate, while the use of offensive cyber capabilities is further constrained by their one-use nature, as such tools lose value once exposed.³⁷ This dynamic further undermines the credibility of punishment.

Challenges in Denial

Denial strategies also confront distinctive obstacles in cyberspace:

Accessibility of cyberattack tools. Unlike nuclear deterrence, where possession of a second-strike capability offers a credible deterrent effect, no defensive posture in cyberspace can ensure a zero-incident environment. The accessibility of cyberattack tools and the array of exploitation methods – such as phishing, insider threats, and supply-chain compromises – within a highly networked environment make perfect prevention impossible.³⁸

As these challenges demonstrate, the two central pillars of classical deterrence – punishment and denial – are difficult to apply effectively in cyberspace.

2.6 Cyber Deterrence and Small States

Given the above limitations, a zero-incident standard for cyber deterrence is both unrealistic and unhelpful. Scholars and practitioners argue that deterrence can still operate in cyberspace, but it cannot be measured by the mere absence of hostile activity. A more realistic benchmark is whether adversaries refrain from conducting large-scale, destructive, or politically significant cyberattacks. In this sense, cyber deterrence is less about preventing every intrusion than about shaping adversary behaviour: raising perceived costs, reducing likely gains, and denying easy success.³⁹

Applied to small states, three scope conditions shape the choice and weight of mechanisms: limited unilateral punishment capacity; priority on denial and whole-of-society resilience; and leverage through norms and entanglement.

Joseph Nye provides a particularly useful framework for cyber deterrence, identifying four mechanisms to influence adversary decision-making by raising costs and reducing benefits through punishment, denial, entanglement, and norms. Each represents a distinct way of influencing adversary decision-making, and together they capture the range of options available to mount deterrence in cyberspace – particularly useful for deterring GZ threats in cyberspace.⁴⁰ This thesis adopts Nye’s framework for GZ threats in cyberspace and applies it to small states.

For small states the relevance and applicability of these mechanisms vary. Limited military and economic power constrain their ability to wield punishment credibly. The salience of denial and resilience is further heightened for those with high digital dependence. Norms and entanglement, meanwhile, offer pathways for small states to leverage interdependence and legitimacy to offset material weakness by raising reputational and collateral costs.

The following subsections examine each of these mechanisms in turn. For each, the discussion first outlines the general logic of deterrence and then considers its specific implications for small states.

Punishment

Punishment seeks to deter by threatening retaliation severe enough to outweigh the benefits of aggression. In cyberspace, while this logic continues to be constrained by attribution challenges and proportionality dilemmas, it still has a role. Where attribution is strong, states may impose costs through cyber countermeasures, economic sanctions, diplomatic expulsions, or even military signalling.⁴¹

For small states, punishment is often the least accessible deterrence mechanism. Their limited offensive cyber capabilities and modest economic or military leverage undermine the credibility of unilateral retaliation. While measures such as criminal prosecution, targeted sanctions, or diplomatic expulsions are available, they are rarely decisive on their own. Consequently, punishment tends to play a supplementary rather than central role in small-state deterrence, though its effectiveness can be enhanced through collective attribution and multilateral action with larger powers or international organisations.

Denial

Denial focuses on reducing the adversary’s likelihood of success. This includes hardening digital infrastructure, increasing redundancy, improving incident response, and raising societal awareness. Denial does not depend on retaliatory capacity. A well-prepared target that can absorb and recover swiftly from an attack raises the cost and denies the aggressor their intended outcome.⁴²

For small states, denial assumes heightened importance. Because they cannot rely on punishment to credibly deter, their primary imperative is to frustrate adversaries’ strategic objectives by reducing the effectiveness of attacks. This extends beyond technical safeguards to include political and societal resilience: the ability of state institutions and population to adapt and continue functioning despite disruption. In this sense, denial provides small states with a practical and credible foundation for deterrence, signalling that cyber operations will not yield the destabilisation or leverage that aggressors seek.

Entanglement

Entanglement deters by leveraging interdependence to complicate decision-making. When states are bound together through economic, political, or institutional linkages, an attack on one risks producing costs for the attacker as well as the victim. Interdependence can also generate caution, as leaders hold back from aggression for fear of wider repercussions. In cyberspace, the logic of entanglement is amplified because digital operations can produce cascading effects across interconnected networks, including those on which the attacker itself relies.⁴³

For small states, entanglement is both constrained and conditional. Often lacking the economic or strategic weight to generate interdependence on their own, their deterrent value from entanglement may rest more on embedding themselves in alliances, regional institutions, and global markets. By integrating into these wider networks, small states can indirectly raise the costs of aggression, since attacks risk cascading effects across systems that also affect larger stakeholders. This prospect of wider consequences can induce caution in potential adversaries, enhancing the small state’s security despite its limited independent means.

Norms

Finally, norms provide deterrence through shared expectations about responsible behaviour. Normative deterrence does not rely on direct threats, but on reputational and diplomatic costs for violators. Active participation in international forums, consistent signalling of norms, and public attribution of violations can enhance the reputational risks for aggressors, particularly those who value their global standing. Norms are not absolute constraints, but they raise the political and diplomatic price of irresponsible behaviour in cyberspace.⁴⁴

For small states, norms function as a strategic multiplier. Because they cannot rely on material power, small states can amplify their influence by positioning themselves as norm entrepreneurs or trusted participants in global cyber governance. By championing responsible behaviour, they can enhance the reputational and diplomatic costs faced by aggressors, and build coalitions that enable collective responses. While norms cannot prevent all hostile activity, they create political space that small states can leverage to reinforce deterrence and compensate for their limited hard power.

Taken together, these four mechanisms offer small states a spectrum of tools to influence adversary decision-making despite their structural vulnerabilities. While Nye introduced them as distinct logics of deterrence, subsequent scholarship has highlighted the value of layering them to create cumulative effects.⁴⁵ Building on this insight, this thesis adapts the layered posture:

1. Norms – shaping expectations of responsible behaviour to promote cyber stability;
2. Entanglement – embedding the small state within wider networks so that any attack risks broader consequences;
3. Denial – building defences and resilience to frustrate attacks and deny adversaries their intended outcomes; and
4. Punishment – imposing costs to reinforce norms and deter future violations.

(Note: In this schema, denial is primarily inward-facing; while norms, entanglement and punishment are outward-facing.)

The case studies that follow assess how Estonia and Singapore have operationalised these mechanisms in practice, and how a layered posture enhances cyber deterrence.

2.7 Summary

This chapter set the theoretical foundation for the thesis by (1) fixing a pragmatic definition of small states (population under 10 million) and sketching recurrent behavioural traits; (2) explaining why cyberspace intensifies grey-zone competition; and (3) showing how classical deterrence travels only partially into this domain due to attribution frictions, proportionality dilemmas, and the ubiquity of low-cost attack tools.

In response, the chapter adopted Nye’s four mechanisms – punishment, denial, norms and entanglement – as a coherent toolkit for cyber deterrence and argued for a layered posture: inward-facing resilience and rapid recovery (denial) complemented by outward-facing levers (norms, entanglement, and, where credible, punishment). For small states, layering frustrates adversaries’ objectives, raises reputational and collateral costs through institutions and partnerships, and communicates resolve without material overreach.

The next chapters apply this framework to Estonia and Singapore, tracing how each state layers mechanisms in line with strategic culture and digital dependence, and drawing comparative lessons for small states seeking to deter grey-zone threats in cyberspace.

Chapter 3: Estonia

3.1 Introduction

Estonia’s experience with cyber coercion has become emblematic of how small states can respond to and deter GZ threats in cyberspace. A pioneer in e-governance and digital innovation, Estonia was among the earliest victims of politically motivated cyber operations in 2007, when large-scale attacks targeted its critical networks.⁴⁶ Its response has shaped a distinctive deterrence posture, anchored in technical hardening and population-level digital resilience that offers valuable lessons for small states seeking to defend themselves against hostile cyber activity. This case study examines Estonia’s layered approach to cyber deterrence, applying Joseph Nye’s framework of punishment, denial, norms, and entanglement to assess its effectiveness in addressing the persistent and evolving threats it faces.

3.2 Background, Strategic Context and Threat Landscape

Following its independence from the Soviet Union in 1991, Estonia rapidly embraced digital transformation as a means to enhance public administration, reduce corruption, and project modernity. Central to this transformation was the development of a comprehensive e-governance ecosystem, including digital ID cards, e-voting, and paperless cabinet meetings, making Estonia one of the most digitised societies in the world by the early 2000s.⁴⁷ In 2004, Estonia joined NATO and the EU, anchoring its security and economic orientation firmly within the Euro-Atlantic community. These political and digital integrations, however, heightened Estonia’s visibility and vulnerability in the increasingly contested cyberspace.

In April 2007, Estonia suffered a series of coordinated DDoS attacks targeting government ministries, banks, and media outlets. The attacks, widely attributed to actors linked to Russia, were triggered by a dispute over the relocation of a Soviet-era war memorial in Tallinn. Although the attacks, which lasted over three weeks, caused no physical destruction, they severely disrupted critical services.⁴⁸ More significantly, they exposed the fragility of Estonia’s cyber infrastructure and demonstrated how cyberspace could be weaponised to achieve geopolitical goals below the threshold of armed conflict.⁴⁹

The incident marked a turning point in Estonia’s strategic outlook. Recognising that digital vulnerabilities could be exploited to exert political pressure, Estonia began building a comprehensive national cyber defence posture, integrating technological hardening, institutional preparedness, and international cooperation. The inaugural Cyber Security Strategy, the first of its kind globally, was published in 2008 and laid the foundation for a systematic and forward-looking approach to national cybersecurity.⁵⁰ Over successive updates, Estonia has refined and expanded its efforts, and today boasts one of the most mature and adaptive cybersecurity architectures among small states.⁵¹

Today, regional tensions persist and Estonia continues to face persistent threats – from phishing campaigns and espionage operations to politically motivated disruptions.⁵² That said, since the 2007 cyberattacks, no large-scale cyber incident has significantly impacted its networks – an outcome often viewed in Tallinn as evidence of an effective deterrence posture.⁵³

3.3 Normative Deterrence

The 2007 cyberattack exposed the lack of legal clarity surrounding cyberattacks and their consequences. For Estonia, this vulnerability posed an existential risk to its highly digitised society, prompting the recognition that long-term security would depend on embedding its defence within a predictable, rules-based international order.⁵⁴ In the aftermath, Estonia pursued norm-entrepreneurship to convert legal ambiguity into strategic leverage for a small state: it pre-positions coalitions for faster coordinated response, raises expected reputational costs for visible disruption, and secures agenda-setting influence disproportionate to size.

Strategically, Estonia seeks to shape the rulebook because rules shape others’ choices. It supported the Tallinn Manual process – an independent academic project hosted by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn. The project explores how existing principles of international law, such as sovereignty, non-intervention, and the use of force can apply in cyberspace. Although non-binding, the Tallinn Manual has been widely cited in international legal and policy discourse, providing reference points for states and organisations responding to GZ cyberattacks.⁵⁵ Anchoring the project at CCDCOE places Estonia at the centre of doctrinal debate and gives allies a shared interpretive baseline – lowering coordination costs when responses are considered and increasing the plausibility of collective action.⁵⁶

Estonia pursues normative activism multilaterally to translate legal argument into political practice, creating a shared understanding of rules, thresholds, and consequences in cyberspace. At the UN level, Estonia has participated actively in the GGE and OEWG processes to embed the view that existing international law applies online.⁵⁷ In June 2021, while serving as the UNSC’s rotating president, Estonia chaired the first-ever formal UNSC open debate on cybersecurity, socialising major powers to the applicability of International Humanitarian Law (IHL) in cyberspace and expectations of responsible-state behaviour.⁵⁸ At the EU level, Estonia helped to develop the Cyber Diplomacy Toolbox in 2017, institutionalising a framework for coordinated responses to malicious cyber activity.⁵⁹ Estonia has also been active in pushing for a coherent EU cyber diplomacy posture – to treat cyber stability as a foreign policy priority.⁶⁰

The shared understanding of norms enables public attribution – a mechanism that imposes diplomatic and reputational costs on offenders and creates focal points for coordinated response. In turn, Estonia uses public attribution as a norm-building tool, socialising expectations and clarifying thresholds — signalling that irresponsible cyber behaviour will be publicly identified and censured.⁶¹ Estonia employs attribution on a spectrum, ranging from cautious references to “pro-“actors (e.g., pro-Russian groups) to explicit identification of responsible states or entities. It also engages in collective attribution to amplify the normative signals while sharing political risks. For instance, in 2018, Estonia joined the U.K., U.S., and Australia in attributing the NotPetya cyberattacks to Russian state-linked actors.⁶² In 2019, Estonia established its public attribution guidelines,⁶³ and in 2024, made its first unilateral public attribution, naming Russia’s GRU for the 2020 cyber espionage campaign targeting Estonian ministries.⁶⁴

Net effect: shared norms enable public attribution and coordinated signalling that raise reputational costs and reduce the friction of collective responses. The limits of norms are clear: norms are non-binding and consensus-dependent; major-power convergence on the applicability of IHL in cyberspace remains contested;⁶⁵ and naming-and-shaming exerts little leverage, especially over reputation-insensitive states (e.g., North Korea).⁶⁶ Hence, Estonia treats norms as a force-multiplier that is most effective when layered with denial (to blunt operational gains) and entanglement (to raise political risk). In 3Cs terms, norms contribute communication and credibility by socialising expectations and enabling coalition signalling.

3.4 Deterrence by Entanglement

Estonia’s most consequential entanglement is politico-security. This is manifested in its membership in NATO and EU. As a member of NATO and the EU, Estonia is embedded within their decision frameworks, and this raises the expected costs and risks of coercive cyber operations: an attacker must consider not only Estonia’s response but also how the collective entities will react. With NATO, under Article 5 of the North Atlantic Treaty, a cyberattack judged to be sufficiently grave could trigger collective defence response from the Alliance.⁶⁷ With the EU, the Cyber Diplomacy Toolbox binds members into coordinated signalling and potential sanctions for cyberattacks.⁶⁸ This kind of entanglement differs from economic or technical interdependence, which Estonia has only in limited ways. Its deterrent value lies in the political reality that Estonia’s networks, institutions, and infrastructure are not defended in isolation but are bound into the wider NATO and EU frameworks.

Net effect: entanglement raises baseline political risk for attackers by binding Estonia into NATO/EU decision frameworks. Two caveats temper the effect: first, collective-action thresholds are politically constructed and responses are subject to intra-alliance/ intra-union bargaining;⁶⁹ second, cyber escalation ladders, if they exist, are opaque and adversaries may probe below perceived thresholds. Taken together, entanglement is best understood as a credible backstop and uncertainty multiplier, most potent when paired with rapid attribution and a resilient defence, and when communicated in advance. In 3Cs terms, entanglement primarily bolsters credibility ex ante by raising perceived coalition risks.

3.5 Deterrence by Denial

Denial is Estonia’s most dependable pillar because it reduces the expected payoff of attacks regardless of attribution. It works by compressing attacker dwell time, compartmentalising failure, and assuring continuity of critical functions across technology, institutions, and society.⁷⁰

Technically, Estonia engineers continuity into state functions. Its Cybersecurity Act obliges Critical Information Infrastructure (CII) operators to meet baseline security requirements. Its digital system architecture is designed to minimise single points of failure and to allow the isolation of compromised nodes without paralysing national functions.⁷¹ “Data embassies” provide sovereign, off-site replicas of critical government databases hosted in foreign countries.⁷²

Image: Cyber Command - Estonian Defence Forces

Societally, a whole-of-society approach increases capacity and reduces cognitive attack surfaces. Estonia treats every citizen, organisation, and sector as a contributor to national security. ⁷³ It invests in population-level resilience: digital competence and cyber hygiene are embedded from school curricula through to adult learning. ⁷⁴ The RIA issues public advisories, runs national awareness campaigns, and offers free cyber hygiene courses, and public-sector organisations conduct regular staff awareness training and exercises.⁷⁵ This broad-based literacy shrinks the attack surface for phishing and social engineering, raises baseline security, and shortens detection-to-reporting timelines during incidents.⁷⁶

Estonia’s whole-of-society approach also includes the Cyber Defence Unit (CDU) – the cyber-arm of the Estonian Defence League – a volunteer reserve. Comprising cybersecurity professionals and individuals with expertise in information security from the private and public sectors,⁷⁷ the CDU contributes technical expertise for threat analysis, supports awareness through training and exercises, and provides surge support to state authorities during major incidents.⁷⁸ This mobilises private-sector talent, shortens response timelines, and raises the perceived probability of rapid remediation.

Collectively, these choices function as strong deterrent signalling: they lower the attacker’s expected gains, increase operational costs, and curtail windows of advantage.

Internationally, collaboration deepens defensive depth and increases discovery risk for adversaries. As host of the NATO CCDCOE, Estonia contributes to NATO’s cyber doctrine development, capability building, and strategic coordination.⁷⁹ It hosts and participates in major cyber exercises such as Locked Shields and Cyber Coalition. These exercises simulate complex cyberattack scenarios, test incident response capabilities, build trust among participating states, and foster interoperability across national systems and international partners.⁸⁰ In 2020, the Cyber Command also conducted joint operations with the US Cyber National Mission Force to perform threat hunting on EDF’s networks.⁸¹ Estonia’s participation in multinational cyber threat intelligence-sharing networks further enhances early warning capacity and defensive depth beyond national borders. For adversaries, this raises the likelihood of prompt detection and multi-vector countermeasures.

Net effect: denial supplies capability, exercises establish credibility, and transparent messaging completes the loop; together they make cyberattacks low-payoff and short-lived. That said, two limits matter: first, high-end attacks such as APT-class intrusions can still succeed – denial constrains effects rather than eliminates them;⁸² second, resilience must be visible – measured, exercised, and communicated – to shape adversary expectations. Estonia addresses these by investing in layered safeguards and publicising standards, drills, and after-action learning to demonstrate recoverability. In 3Cs terms, denial provides capability and demonstrated credibility, while transparent public messaging supplies communication.

3.6 Deterrence by Punishment

In Estonia’s model, punishment functions as an amplifier: it converts attribution into legal and coalitional instruments that raise cumulative costs and strengthen the credibility of the broader deterrence posture. As a small state, Estonia has limited ability to impose direct economic or military costs on adversaries. While Estonia is assessed to possess offensive cyber capabilities, little is publicly disclosed and these are assessed to be limited.⁸³ Accordingly, punishment is modest in means and targeted in effect. In practice, this takes three main forms: coordinated sanctions with the EU, unilateral legal actions, and the prosecution of cybercrime.

The EU sanctions regime is central here: by aligning on joint attributions for major incidents, Estonia helped move the Union from statements to designations. For example, in the 2020 collective attribution of WannaCry, NotPetya, Operation Cloud Hopper, and the attempted cyberattack on the Organisation for the Prohibition of Chemical Weapons to state-linked actors in North Korea, China, and Russia, the EU imposed travel bans and asset freezes on six individuals and three entities responsible for or facilitating these operations.⁸⁴ For a small state, this converts normative success into punitive scale: while Estonia cannot meaningfully sanction a major adversary alone, the EU market – the world’s second-largest – can.⁸⁵

National measures fill gaps where collective action is slow or politically constrained. In September 2024, Estonia undertook unilateral attribution of a Russian GRU operation and issued international arrest warrants for three suspected GRU officers for the 2020 cyber espionage campaign against its ministries.⁸⁶ While the material impact of such measures is limited – targets may not travel to jurisdictions where enforcement is feasible – the legal and reputational costs are real, constraining mobility and signalling that state-sponsored operators are not invisible. Domestic criminal law and cooperation with other law-enforcement agencies, such as Europol, further enable investigations and prosecutions against non-state or proxy actors, where criminal justice can be more immediate than geopolitics.⁸⁷ Granted, many perpetrators may remain beyond the reach of Estonian jurisdiction, yet its willingness to pursue cross-border legal action increases the risks for those who might otherwise act with impunity.

These actions demonstrate Estonia’s resolve to impose consequences for hostile activity and provide a bridge until coalition responses can be mobilised. Indeed, in January 2025, almost five months after Estonia’s unilateral attribution and issuance of arrest warrants, the Council of the EU added three GRU officers to its cyber-sanctions list,⁸⁸ illustrating that collective measures may arrive after a lag because consensus-building and legal designation procedures take time.

Net effect: punishment adds cumulative costs, raises operational security burdens, and publicly reinforces attribution credibility. That said, trade-offs remain: first, overuse of symbolic designations can dull impact; second, slow EU consensus can create response-time asymmetries that adversaries exploit;⁸⁹ and third, unilateral actions carry diplomatic risk.⁹⁰ Estonia mitigates these by nesting punishment within a layered approach: deny benefits first, frame violations normatively, entangle politically, and punish where feasible – preferably with allies. In 3Cs terms, punishment contributes credibility and communication when capability is thin.

3.7 Assessment – Effectiveness of Cyber Deterrence

Applying the behavioural benchmark set out in Chapter 2 – Section 2.6, Estonia’s layered cyber deterrence posture is assessed on whether it has (1) dissuaded large-scale, destructive, or politically decisive cyber operations and (2) reduced routine hostile activity to marginal returns, recognising that a zero-incident standard is neither realistic nor informative in a GZ environment with contested attribution.

Where Deterrence Worked

Since the 2007 DDoS campaign, Estonia has not suffered a system-wide disruption of comparable scale. Repeated waves of politically motivated activity have been contained at the tactical level and have not produced strategic effects. In 2022, for instance, pro-Russian hacktivists mounted intense DDoS campaigns; services were interrupted in places but restored swiftly, and officials noted that impacts were “mostly not even noticed by the average user.”⁹¹ The campaign lasted only a few days – suggesting that the attackers may have curtailed their efforts once it became clear that their objectives could not be achieved. A subsequent campaign in 2024, described as the “largest cyberattack to date” was similarly reported to “have no visible impact” beyond brief disruptions.⁹² The inability of these operations to coerce policy change or erode public confidence points to the strength of Estonia’s denial posture: layered resilience, broad public cyber hygiene, rehearsed incident management, and rapid recovery have raised the cost and lowered the payoff of disruptive cyber activity.

Normative and entanglement mechanisms have reinforced these outcomes rather than substituting for denial. Estonia’s sustained norm entrepreneurship has helped consolidate shared expectations about responsible behaviour in cyberspace and increased reputational costs for violators. Concurrently, alliance entanglement – above all NATO’s political-security umbrella – adds uncertainty for aggressors about potential collective consequences should a cyber incident escalate. Even without Article 5 being invoked for cyber, the possibility of alliance involvement acts as a brake on more ambitious operations.

Where Deterrence Remains Limited

Estonia continues to face persistent lower-level intrusions – espionage, phishing, ransomware, and harassment – reflecting the challenge of deterring GZ tactics that sit below collective-response thresholds. The 2020 espionage campaign, which Estonia attributed in 2024 to Russia’s GRU, indicates that sophisticated actors can still penetrate networks.⁹³ While Estonia responded with arrest warrants and legal measures, such actions carry primarily reputational and legal risks for perpetrators; their coercive bite is modest.

Punishment, moreover, is structurally constrained for a small state. EU cyber sanctions provide scale and credibility but are consensus-driven and often slow.⁹⁴ The almost five-month gap between Estonia’s September 2024 unilateral attribution and the Council of the EU’s January 2025 listings of three GRU officers for malicious cyber activities against Estonia in 2020 further illustrates this.⁹⁵ This time lag limits the immediacy of punishment’s effect, even as eventual listings add cumulative costs.

Summary

In sum, Estonia’s cyber deterrence strategy has constrained adversaries rather than eliminated hostile activity. It has worked in the sense that despite persistent coercive disruption activities, they have failed to achieve strategic outcomes and that the expected returns on large-scale operations against Estonia appear diminished and short-lived. The most reliable pillar is denial – a deliberately cultivated resilience that turns attacks into tactical nuisances. Norms amplify this by shaping expectations and imposing reputational costs, while entanglement provides a credible backstop that complicates adversaries’ risk calculus. Punishment contributes but remains the least decisive tool given scale limitations and multilateral politics.

Looking ahead, Chapter 4 will apply the same framework to Singapore to assess its deterrence posture.

Chapter 4: Singapore

4.1 Introduction

As one of the world’s most digitally competitive countries,⁹⁶ Singapore’s experience with persistent cyberattacks underscores the challenges faced by small, highly connected states in safeguarding national security. As a global hub in several respects,⁹⁷ Singapore’s CII supports essential services ranging from finance and energy to healthcare and transport,⁹⁸ making it a high-value target for both state-linked and criminal actors.⁹⁹ While no single incident has triggered a wholesale strategic shift, incidents and targeted campaigns over the years – such as the 2018 SingHealth data breach affecting 1.5 million citizens – have reinforced the view that GZ cyberattacks are a constant feature of Singapore’s security landscape.¹⁰⁰ These incidents are assessed not simply as technical disruptions but as potential enablers of strategic coercion, capable of eroding public trust and undermining the functioning of the state.

This case study examines Singapore’s approach to cyber deterrence, applying Joseph Nye’s framework of punishment, denial, norms, and entanglement to assess its effectiveness in reducing the strategic utility of hostile cyber activity.

4.2 Background, Strategic Context and Threat Landscape

Singapore has long pursued an ambitious national digitisation agenda, beginning with the National Computerisation Plan in 1980 and advancing through successive national IT masterplans. This sustained transformation has deeply embedded technology across government, economy, and society, making the city-state one of the most digitally integrated economies in the world.¹⁰¹ Against this backdrop, Singapore’s economic profile and geographic position amplify its exposure to cyberattacks.¹⁰² As a global hub for trade, finance, logistics, and advanced manufacturing, the city-state’s critical systems are deeply integrated with digital technologies. It is also a regional data centre hub, supporting the storage and processing of vast amounts of commercial and cross-border data.¹⁰³ The government’s Smart Nation agenda has accelerated the digitalisation of governance, public services, and everyday life, enhancing efficiencies but also expanding potential vulnerabilities.¹⁰⁴

Over the past decade, several high-profile incidents have highlighted the vulnerabilities of Singapore’s digital domain. These include the 2014 cyberattack on the Ministry of Foreign Affairs and the 2018 SingHealth breach.¹⁰⁵ More recently, in July 2025, the government raised the alarm over APTs mounting covert campaigns against government systems and CII, with objectives that include espionage, theft of sensitive information, and potential disruption of essential services.¹⁰⁶ Alongside these higher-end threats, Singapore-based organisations were also subject to ransomware, social engineering scams, and cloud misconfiguration exploits. In 2023, more than eight in ten organisations reported at least one cybersecurity incident, with most incidents resulting in operational disruption, reputational harm, or data loss. ¹⁰⁷

Regionally, Singapore operates in a competitive and evolving security environment shaped by several dynamics. The intensifying technological competition between the United States and China extends into cyberspace. Within ASEAN, cyber capabilities remain uneven, with some members possessing advanced defences while others lag behind, creating vulnerabilities for collective resilience.¹⁰⁸ At the same time, cyber tools are increasingly used as instruments of interstate competition — for espionage, political influence, or disruption — adding volatility to the regional security landscape.¹⁰⁹ As a highly connected economy dependent on secure trade flows, cross-border data transfers, and international investment, Singapore has strong incentives to maintain a stable and rules-based digital environment.

4.3 Normative Deterrence

As a small state with limited capacity to unilaterally shape the strategic environment, Singapore treats norms as strategic leverage grounded in diplomacy. It operationalises this by leading UN rule-making, translating and socialising norms in ASEAN, and issuing calibrated public statements that cue coordinated responses to violations.

Internationally, Singapore exercises procedural leadership by shaping agendas and outcomes in UN processes. As chair of the 6th UN GGE, it brokered consensus reaffirming the applicability of international law in cyberspace and the 11 voluntary norms of responsible state behaviour.¹¹⁰ Leading the 2^nd OEWG,¹¹¹ it advanced confidence- and capacity-building measures and secured agreement to establish the Global Mechanism – a permanent UN forum for rules-based dialogue on state behaviour in cyberspace – setting the stage for future normative development by all UN members.¹¹² These roles embed Singapore as a rules broker with recognised legitimacy, furnishing both a vocabulary and a venue for collective signalling when norms are breached.

Regionally, Singapore converts principle into practice. Through the ASEAN Ministerial Conference on Cybersecurity, it championed the implementation of the 2015 UN GGE-established voluntary norms of responsible state behaviour and the accompanying confidence-building measures (CBMs).¹¹³ With Malaysia, it co-developed the ASEAN Norms Implementation Checklist, mapping concrete steps across policy, legal, operational, technical, and diplomatic pillars, and prioritising CBMs such as designated points-of-contact networks, shared incident taxonomies and reporting templates, crisis-communication protocols, voluntary transparency on national policies, and regular joint exercises. Through the ASEAN-Singapore Cybersecurity Centre of Excellence and the ASEAN Regional CERT, Singapore hosts regional training and capacity-building programmes, including ASEAN CERT Incident Drills, and provides a dedicated venue for in-person cyber exercises, workshops, and CERT-to-CERT cooperation that rehearse these CBMs in practice. These initiatives facilitate timely information-sharing and coordination among ASEAN Member States and align regional practice with evolving international expectations.¹¹⁴ More importantly, they socialise ASEAN members into shared expectations of acceptable behaviour, raising the reputational costs of violation and thereby discouraging norm-breaking.

Calibrated public statements against coercive GZ cyberattacks complement this diplomacy. Historically, Singapore has condemned behaviours rather than naming perpetrators. Even after the 2018 SingHealth breach affecting 1.5 million citizens, official statements only highlighted that it was “a deliberate, targeted and well-planned cyberattack… not the work of casual hackers or criminal gangs, “implying state sponsorship.¹¹⁵ In July 2025, Singapore raised the bar by issuing its first public attribution, naming the APT group UNC3886 as responsible for a sophisticated campaign targeting Singapore’s CII.¹¹⁶ Although no state was identified, the move narrowed plausible deniability, cued partners and platform mitigations,¹¹⁷ and signalled a willingness to escalate messaging when thresholds are crossed. The aim is not retaliation but to enable coordinated, rules-based responses and to harden the reputational and operational downsides for repeat violations.

Net effect: Norm entrepreneurship with diplomatic convening gives Singapore outsized leverage. It supplies a common language for calling out unacceptable behaviours, puts partners in position to act together quickly, and raises the reputational and operational costs for would-be violators. However, limits remain: some actors discount reputation; ASEAN capacity is uneven; consensus processes can be slow. In 3Cs terms, Singapore’s diplomatic actions strengthen credibility, sharpen communication, and build capability by diffusing workable procedures across the region.

4.4 Deterrence by Entanglement

Singapore’s deterrent value from entanglement is economic-infrastructural. As a global financial centre, maritime hub, and regional data hub,¹¹⁸ it sits at junctions where disruption of its CII can generate second- and third-order costs across borders – creating a form of self-deterrence for state actors contemplating high-impact cyber operations.

In maritime trade, interference with port logistics, terminal operating systems, or key vendors would propagate through charter schedules, bills of lading, insurer liabilities and supply-chain contracts. As a finance hub, degradation of market infrastructure, core banking interfaces or payment rails would reverberate through correspondent networks and regional corporates with Singapore exposure. In the data layer, concentrated data-centre capacity and submarine-cable connectivity mean outages affect cloud tenancy and content delivery for regional customers, including entities linked to the attacker’s own economy. Because these systems are embedded in a dense web of interdependence, adversaries face downside uncertainties: collateral damage can exceed intended boundaries and raise the cost-benefit threshold for any large-scale cyber disruption.

Net effect: Interdependence raises the expected blowback from major disruption and can hurt the adversary’s own interest. However, it may not deter criminals or ideologically driven actors; states can also reroute over time; and the prospect of outsized impact can entice risk-acceptant adversaries. Entanglement therefore works best as shaping pressure, complementing denial by shortening outages, and norms by mobilising third parties. In 3Cs terms, it primarily strengthens credibility by making escalation risks and collateral costs more salient to adversaries.

4.5 Deterrence by Denial

Denial is Singapore’s centre of gravity for deterrence in cyberspace. The aim is to lower the expected utility of hostile operations by making successful penetration less likely, containing any intrusion quickly to prevent spread, and assuring continuity of essential services. The approach combines statutory leverage, institutional coordination, rehearsed crisis management, and broad-based user hygiene.

At the core is a law-backed, centrally managed capability. The Cybersecurity Act converts best practice into enforceable duties on CII operators: risk assessments, periodic audits, and prompt incident reporting. Non-compliance is expressly criminalised and carries penalties ranging from substantial fines to imprisonment.¹¹⁹ The Cyber Security Agency of Singapore (CSA) leads national cybersecurity strategy and operations, and enforces the Act.¹²⁰ Sectoral regulators also oversee periodic audits, red-team/penetration-test programmes, and incident-reporting rehearsals to validate playbooks and escalation paths.¹²¹ In a crisis, CSA can issue binding directions to CII operators or temporarily assume control of systems, reflecting Singapore’s preference for centralised, top-down resilience.¹²² SingCERT serves as the incident-response arm, providing early warning, technical advisories, and incident handling for government, industry, and the public.¹²³ Because compliance is monitored and breaches attract penalties, the rules bite; this is where capability and credibility meet in day-to-day regulation rather than in one-off statements.

Image: Singapore Ministry of Defence

Denial also depends on the demand side. Digital Defence, introduced as the sixth pillar of Total Defence in 2019, extends responsibility to citizens and firms through public advisories, school curricula, and SME toolkits.¹²⁴ Routine campaigns on phishing, patching, and backups shrink the commodity attack surface that often enables higher-end operations.¹²⁵ When authorities issue calibrated warnings about APT activity against critical systems, they not only tip off potential targets but also force adversaries to rotate tools and infrastructure, reducing expected returns.

External participation reinforces these effects. The ASEAN CERT Incident Drills embed shared methods with neighbours, improving speed and compatibility of cross-border response.¹²⁶ The DIS also participates in demanding multilateral cyber exercises, such as the British Army’s Exercise Defence Cyber Marvel and NATO’s Exercise Locked Shields, which expose operators and decision-makers to complex attack chains and independent assessment.¹²⁷ These exercises strengthen crisis-management readiness for national IT systems and critical infrastructure, and help mature the DIS’s ability to lead across agencies.

Net effect: Denial provides observable capability, demonstrates credibility through enforcement and exercised readiness, and sustains clear communication to operators and the public. The posture turns many incursions into tactical nuisances and narrows the window for strategic effect. Residual risks remain in cloud misconfigurations, third-party supply-chain exposures, social-engineering pathways, and APTs. Overall the combination of statute, supervision, rehearsal, and hygiene credibly shifts attacker calculus at the margin.

4.6 Deterrence by Punishment

Singapore’s use of punishment as a tool of cyber deterrence is limited and calibrated. As a small state, its posture is shaped by pragmatism and strategic caution: it has no publicly declared offensive cyber capabilities,¹²⁸ and has neither threatened nor taken punitive actions against state or state-linked actors for malicious cyber operations. Punitive effects are therefore most consistent domestically through its criminal law and internationally through multilateral law-enforcement cooperation.

Domestically, the Computer Misuse Act and related statutes provide significant penalties for unauthorised access, data theft and attacks on CII.¹²⁹ While primarily aimed at criminal actors, this enforcement raises the cost of operating within or through Singapore’s jurisdiction and signals the state’s willingness to pursue exploitation chains end-to-end. The signal is simple: exploitation chains that touch Singaporean jurisdiction face real legal risk.

Internationally, Singapore leans on cooperative policing and transparency to sharpen punishment. Participation in INTERPOL operations and joint investigations increases the probability that infrastructure and enablers are identified and disrupted. In 2025, Singapore contributed to an INTERPOL-led crackdown that ran over four months and took down over 1,000 Singapore-based IP addresses linked to cybercrime activity, demonstrating cross-border coordination alongside domestic enforcement.¹³⁰

Net effect: As a stand-alone pillar against state adversaries, punishment remains the weakest leg; escalation risks and scale constraints limit overt options. Its value is additive: domestic and international law-enforcement pressure increase costs for enablers and proxies. In 3Cs terms, punishment modestly supports credibility by demonstrating consequences and strengthens communication by clarifying thresholds, while norms and denial carry most of the deterrent load.

4.7 Assessment - Effectiveness of Cyber Deterrence

A zero-incident standard for cyber deterrence is unrealistic and unhelpful. In line with the benchmark set in Chapter 2 – Section 2.6, the question is whether adversaries refrain from large-scale, destructive, or politically significant operations, and whether, when intrusions occur, Singapore contains compromises and restores services quickly. Put differently, the test is whether Singapore raises perceived costs, reduces likely gains, and denies easy success.

Where deterrence worked

Due to national security considerations, Singapore publishes limited details on the GZ cyberattacks that it faces. That said, there have been no known cyber incidents that resulted in sustained disruption of essential services or politically decisive effects.¹³¹ Statutory duties on CII operators, exercised crisis management through CIDeX and Exercise Cyber Star, and the ability to issue binding directions have likely supported rapid containment and continuity. ¹³²

A recent stress test of recovery capacity was the 19 July 2024 CrowdStrike global IT outage. In that incident, Changi Airport was the most affected local operator: business continuity plans were activated, the airport operator switched to manual processes, and SingCERT issued an advisory to guide recovery. One flight was cancelled and 108 flights were delayed by more than 30 minutes, after which affected systems largely recovered within a day and services returned to normal. ¹³³ Although this was not a cyberattack, the episode shows readiness and recovery processes consistent with a deterrence by denial posture.

Where deterrence remains limited

Suspected APT activity increased more than fourfold between 2021 and 2024, indicating persistent pressure from capable state-linked actors.¹³⁴ Prevention is not assured against APTs, particularly stealthy espionage and supply-chain compromise. Strong cyber defences did not prevent the 2014 MFA breach, the 2017 NUS and NTU breaches, the 2018 SingHealth breach, and the 2025 campaign attributed publicly to UNC3886 that targeted CII.¹³⁵ Because Singapore has not publicly attributed GZ cyberattacks to any state, there is limited basis for state-level punitive measures. With a few lines of code, a breach can transform from espionage to deliver a destructive payload,¹³⁶ and unless that happens, entanglement bears no weight.

Summary

In sum, Singapore’s posture has constrained adversaries rather than eliminated hostile activity. It has worked in the sense that attempts at coercive disruption have not produced strategic outcomes, and recovery has been fast when systems were stressed. Denial is the most reliable pillar, supported by law-backed baselines, visible supervision, and rehearsed cross-sector drills that raise attacker costs and compress the window for effect. Normative diplomacy socialises expectations and helps partners coordinate responses and frame violations, which reduces perceived gains from escalation. Entanglement raises the blowback risk for large-scale disruptions. Punishment remains the least decisive lever against state-linked actors, especially since no direct public attribution has been made.

The next chapter synthesises the Estonia and Singapore cases to draw comparative lessons and policy implications for small states.

Chapter 5: Lessons for Small States

5.1 Introduction

Small states cannot deter cyber coercion by matching great-power capabilities; they deter by shaping adversaries’ cost–benefit calculations. This chapter distils comparative lessons from Estonia and Singapore across the four mechanisms – denial, norms, entanglement, and punishment – and draws out applicable lessons for small states to deter GZ cyber operations. The aim is practical: identify what travels, what must be tailored, and how to combine mechanisms so that GZ cyber operations become costly, and strategically unproductive. The lessons are organised to cover the four mechanisms – norms, entanglement, denial and punishment – followed by overarching guidance on layering, context-fit, and signalling. Throughout, the benchmark is not a zero-incident standard, but whether adversaries refrain from large-scale, destructive, or politically significant cyberattacks, and whether routine intrusions are contained and recovered from swiftly so that essential services endure, partners rally, and reputational or regulatory costs mount for the attacker.

5.2 Lesson 1: Normative Deterrence is a Practical Toolkit

First, normative deterrence is a practical toolkit and a long game of building adherence. For small states, norms function as a strategic equaliser: when material power is limited, rule-based constraints, reputational costs, and institutionalised expectations curb predation and create predictable operating space.¹³⁷ Hence, small states should expand and deepen buy-in through international and regional organisations, and operational partnerships that turn abstract rules into routine practice.

Estonia’s norm entrepreneurship shows what this looks like in practice:¹³⁸ it leveraged the 2007 cyberattacks to drive cyber onto EU, NATO and UN agendas, hosting the NATO CCDCOE and facilitating the Tallinn Manual process.¹³⁹ Crandall and Allan characterise Estonia’s norm strategy as a “small state, big ideas” strategy – agenda-setting and institutional entrepreneurship to socialise expectations.¹⁴⁰ Estonia has regularly used public attribution to communicate unacceptable state behaviour.¹⁴¹ In 2019, Estonia adopted public-attribution guidelines, codified decision processes and established an inter-agency working group to align responses and evidence thresholds, thereby translating normative commitments into predictable state practice.¹⁴²

Singapore’s contribution to norm building as a norm leader is complementary, championing sustained, multilateral norm development and confidence-building measures as a way to prevent escalation in a globalised, interdependent environment.¹⁴³ For example, as chair for the 2^nd OEWG, it secured the establishment for the Global Mechanism to continue sustained dialogue for cyberspace normative development. Within ASEAN it also drove regional CBMs and capacity-building, including the ASEAN-Singapore Cybersecurity Centre of Excellence and the ASEAN Regional CERT initiative.¹⁴⁴ Compared to Estonia, its attribution practice is limited and highly calibrated – to keep diplomatic temperatures low. Singapore made its first public naming of an APT – UNC3886 – via a technical attribution that avoided naming any country, timed to coincide with the gathering of cyber professionals at the CSA’s 10th-anniversary dinner.¹⁴⁵ Beijing did not announce any formal protest; instead, the Chinese Embassy issued a public rebuttal on its website and Facebook denying any China link to UNC3886.¹⁴⁶

In concrete terms for other small states: embed agreed norms into regional instruments so breaches draw collective diplomatic or regulatory responses; and operationalise them through CERT-to-CERT channels, joint exercises, and CBMs. Small states should also be clear about their attribution principles and develop their own guidelines or “attribution ladder” that sets clear conditions for when to attribute publicly, at what level of government, and with what evidentiary threshold because guidelines make signalling credible and consistent, protect sensitive sources and methods, enable coalition/joint attributions, and manage escalation risks while preserving participation incentives.

5.3 Lesson 2: External Amplification Multiplies Deterrent Effect

Second, external amplification multiplies deterrent effects. It is generated by entanglement that gives other actors a stake in a small state’s stability and incentives to act with it. Small states’ deterrent signals can also be amplified by larger structures.

Estonia demonstrates how alliance entanglement through the EU and NATO magnifies both norms and punishment: coordinated EU attributions and targeted sanctions under the EU Cyber Diplomacy Toolbox raise costs on offenders; and NATO’s declared readiness to employ full range of capabilities and to consider collective defence (Article 5) in certain circumstances adds weight to national signalling.¹⁴⁷ Thorhallsson describes this as political shelter-seeking behaviour by small states — obtaining "diplomatic, military, and administrative backing from large states and international organisations,” and benefiting from norms and rules that reduce coercion.¹⁴⁸

Singapore shows that market entanglement can play a similar role via a different channel: a rules-first environment that partners rely on for trade and finance creates shared interests in stability, raising the reputational, diplomatic, and collateral costs of disruption for any would-be aggressor.

In both variants, gains are contingent – on alliance cohesion in Estonia’s case and on sustained interdependence in Singapore’s. Small states should therefore assess their structural position and cultivate avenues for amplification.

5.4 Lesson 3: Denial is the Foundation – Resilience makes it Credible

Third, denial is the foundation on which other mechanisms stand, and in GZ, resilience is the operational expression of deterrence by denial. For small states, denial is attractive because it can be built unilaterally, scales with capacity, and signals staying power without inviting escalation. In practice, whole-of-society resilience – baseline controls, rehearsed playbooks, and rapid recovery – functions as small-state strategy: it lowers expected returns even when attribution is contested.

The operational test is simple but decisive: whether essential services can absorb, contain, and recover under stress; whether decision pathways are rehearsed before a crisis; and whether public confidence in digital functions is sustained during and after incidents. Tim Prior describes resilience as a fifth wave of deterrence – deterring by limiting returns and demonstrating staying power.¹⁴⁹ Credible denial begins with strong defences: baseline controls and secure-by-design architectures; segmentation and least privilege; tested offline backups and data-recovery tiers; continuous monitoring and threat-intelligence sharing; crisis-management drills (technical and executive); and practised public communication to sustain trust.

Estonia’s ecosystem offers concrete examples: at home, Estonia’s Cybersecurity Act obliges operators of essential services to conduct risk assessments, implement baseline controls, report incidents, and participate in regular national and sector-specific drills and table-top exercises coordinated by RIA and sectoral regulators; the data embassy in Luxembourg hosts critical replicas of core state systems, ensuring continuity of state data and services hosted from abroad; and the Defence League’s Cyber Defence Unit (CDU) extends surge capacity to peacetime and private-sector incidents – all of which directly reduce attacker pay-offs. Collectively, these domestic measures implement denial by shortening dwell time, preserving service continuity, and raising recovery confidence. Complementing this day-to-day posture, Estonia rehearses allied crisis coordination through the annual NATO Cyber Coalition exercise, while Locked Shields adds a complementary readiness strand by stress-testing decision-making and technical teams under realistic pressure.¹⁵⁰

Singapore’s ecosystem similarly extends into the private sector: the CSA and SingCERT coordinate advisories, incident reporting, and response with industry; CII operators are legally mandated under Singapore’s Cybersecurity Act to maintain system safeguards and report incidents; and national exercises such as CIDeX and Exercise Cyber Star regularly drill CII operators alongside whole-of-government agencies. Sectoral regulators (e.g., Monetary Authority of Singapore, Infocomm Media Development Authority, Energy Market Authority) also oversee periodic audits, red-team/ penetration-testing programmes, and incident-reporting rehearsals to validate playbooks and escalation paths.¹⁵¹ Together, these instruments make denial credible in day-to-day operations by tightening baselines, clarifying roles, and rehearsing recovery.¹⁵²

Common to both is whole-of-society involvement: sustained public education and media-literacy programmes; baseline cyber-hygiene by default (e.g., multi-factor authentication, timely patching, password managers, and tested backups); clear incident-reporting channels and public hotlines; structured public-private information-sharing through sector forums and regulator-industry briefings; regular joint exercises that include private operators and key vendors; and volunteer or auxiliary cyber programmes to surge specialist capacity. Both states also invest in workforce and SME uplift – scholarships, competitions, certification pathways, and practical toolkits or incentives for small and medium enterprises—to normalise safe behaviour, accelerate detection and reporting, and build redundancy beyond government. In short, resilience is deterrence-by-denial in practice: it lowers adversaries’ expected returns even when attribution is contested and escalation is undesirable.

Together, these measures keep essential services running under stress, lowering the expected pay-off of coercive cyber operations even when attribution is contested and escalation is undesirable. For many small states, building this kind of continuity, redundancy, and exercise culture is not merely “defensive”; it is core deterrence-by-denial. Investment must be persistent and adaptive to evolving technology and adversary tradecraft, and as such, costly.

5.5 Lesson 4: Punishment Requires Innovation and Restraint

A fourth lesson is that punishment requires innovation and restraint in equal measure. Small states cannot credibly threaten large-scale retaliation against a major power. As such, punitive credibility rests on two logics: pooling coercive tools through alliances and institutions, and using legal and regulatory and law-enforcement measures to impose targeted costs on jurisdictionally reachable actors while keeping escalation low.

Estonia compensates by pooling measures with allies and being willing to go visible when the normative and political returns are high – in 2018, it joined U.S., U.K. and Australia in the collective attribution of NotPetya to Russian state-linked actors, and in 2020, it supported the EU’s first cyber sanctions – together illustrate the approach.¹⁵³ In September 2024, Estonia issued a unilateral attribution of GRU espionage against its ministries; it was a calculated move, tightly calibrated to the U.S. indictment of the broader GRU campaign (which Estonia had supported), thereby priming EU follow-on sanctions and converting a national signal into allied consequences.¹⁵⁴

Singapore channels punishment primarily through law enforcement and regulatory action, while keeping diplomatic temperatures low. It’s Cybersecurity Act, Computer Misuse Act, and sectoral regulators enable targeted investigations, fines, and directives against reachable actors; CSA and SingCERT also publish technical exposures to warn industry and signal resolve without interstate escalation.¹⁵⁵ Despite facing cyberattacks over the years, Singapore has yet to retaliate against any state for cyberattacks. The closest analogue has been its public naming of UNC3886 – a calibrated signal of resolve that raised costs while signalling a willingness to escalate messaging – as discussed earlier.

For small states: think creatively about targeted legal tools, joint attributions, and coalition mechanisms that impose real costs on reachable actors, without making promises you cannot keep against those you cannot reach.

5.6 Lesson 5: Layered Deterrence Posture is Cardinal

Fifth, layered deterrence is not optional but cardinal.

From the case studies, neither state relies on any single mechanism. Estonia’s posture illustrates this: it couples denial through technical hardening and whole-of-society response with entanglement through membership in NATO and the EU, and punishment and norms through unilateral and collective attributions backed by EU restrictive measures. These instruments mutually reinforce one another. Singapore’s layering is different in form but similar in function: a centralised regulatory model with whole-of-society contribution, hub-economy interdependence, and norms-centred diplomacy work together to limit adversaries’ gains and broaden the circle of actors inclined to respond.

In practice, the mechanisms do distinct, complementary jobs for small states: denial keeps essential services running and depresses attackers’ expected returns; norms mobilise partners for joint attribution and regulatory follow-through; entanglement channels costs via alliances and markets (e.g., EU restrictive measures; reliance on Singapore’s hub functions); and punishment is used selectively against reachable actors through legal and financial tools.

For small states, the lesson is to design for complementarity: each mechanism should compensate for predictable limits in the others so that the overall effect is to make coercion costly, conspicuous, and strategically unproductive.

5.7 Lesson 6: Design Must Fit Context

Sixth, the design of each deterrence mechanism must fit context.

Estonia’s proximity to Russia, a persistent state adversary, and its integration into NATO and the EU have made visible the mutually reinforcing roles of norm enforcement, political-security entanglement, and societal resilience. Concrete manifestations include the 2007 cyberattack catalysing institution-building, including NATO CCDCOE and the Tallinn Manual process, the government’s adoption of public-attribution guidelines in 2019, and selective joint attributions with partners where the political pay-off warranted visibility. Estonia also participates in the EU’s cyber-diplomacy toolbox and sanctions regime, and rehearses allied crisis playbooks through large-scale exercises such as Cyber Coalition, aligning national responses with allied expectations.¹⁵⁶

Singapore, by contrast, operates at the crossroads of major-power competition and global commerce; centralised regulation, economic interdependence, and consensus-oriented diplomacy are the natural complements to its role as a trusted hub. In practice, this means centralised authority in the CSA to enforce its Cybersecurity Act, which mandates robust cyber defence measures for CII operators; regular cyber defence and crisis management exercises through CIDeX and Exercise Cyber Star; and investment in regional CBMs through initiatives such as the ASEAN-Singapore Cybersecurity Centre of Excellence and the ASEAN Regional CERT to promote stability and reduce escalation incentives.¹⁵⁷

For small states, the transferable insight is the logic, not the template: keep the deterrence logic constant, but tailor the form of each mechanism to your threats, alliances, institutions and economy.

5.8 Lesson 7: Communication is Part of the Mechanism – Align Words and Deeds

Finally, communication is part of the mechanism, not an afterthought. Estonia communicates resolve by making attacks and responses visible: public attribution is explicitly framed to send clear messages, set expectations of conduct, and reinforce collective action;¹⁵⁸ this visibility pairs with exercises and allied infrastructure on Estonian soil to show that coercion fails because functions persist and allies rally.

Singapore communicates credibility by projecting stability: the absence of major disruptions and the regularity of enforcement and compliance keep rhetorical temperature low, while exercises convey that attacks are unlikely to yield strategic returns. Its emphasis on norms and CBMs reinforces this signal to external audiences.

Neither approach is inherently superior; each matches the state’s broader strategy. The practical lesson is to align words and deeds. If a state chooses ambiguity to preserve room for manoeuvre, its domestic institutions must reliably deliver quiet resilience. If a state chooses visibility to galvanise allies and deter adversaries, it must be prepared to weather short-term friction in exchange for long-term credibility.

5.9 Putting it Together: A Sequencing Logic for Small States

Taken together, these lessons suggest a simple sequencing logic for small-state strategy in cyberspace. Start with denial and build outward: ensure that essential services can withstand and recover from attacks, and institutionalise resilience as deterrence; promote norms and work with like-minded partners to entrench their adoption regionally and internationally; select the form of entanglement that best leverages your structural position; and deploy punishment selectively. This reflects Nye’s insight that mutually reinforcing mechanisms – norms, entanglement, denial, and tailored punishment – must be combined to shape adversaries’ calculus. The precise mix will vary, but the objective remains constant: to make hostile operations in GZ unattractive not because they are impossible but because they are unlikely to achieve strategic effects, especially large-scale, destructive, or politically significant ones.

5.10 Summary

Estonia and Singapore show that small states can deter GZ cyber threats by layering mechanisms whose credibility does not hinge on great-power capabilities. Both employ norms, entanglement, denial, and punishment, but weight them differently: Estonia combines visible norm entrepreneurship and allied entanglement with a decentralised, whole-of-society denial posture; Singapore relies on consensus-based norm building and economic interdependence under a centralised denial model. Punishment is constrained in both cases and thus nested within alliances (Estonia) or technical and legal exposure (Singapore). Across the cases, denial is foundational: credible resilience makes other signals believable and keeps hostile operations strategically unproductive. Again, success is evidenced not by incident-free networks but by the absence of large-scale, destructive, or politically significant outcomes, and by rapid containment and recovery when intrusions occur.

For small states, the implications are practical: harden first for continuity and rapid recovery; fit each mechanism to context and audiences; align communication with what institutions can reliably deliver; and treat normative deterrence as a long game that extends beyond the UN into regional bodies, operational partnerships, industry forums, and domestic law. Deterrence in cyberspace will remain partial, but by making attacks costly, conspicuous, and ineffective, small states can blunt coercion without matching the capabilities of larger powers.

Chapter 6: Conclusion

This thesis set out to answer the question: how can small states deter cyberattacks that sit in the GZ between peace and war? The answer is not to mimic great-power playbooks, but to layer four distinct mechanisms – punishment, denial, norms, and entanglement – in ways that fit domestic institutions, alliances, and political style. Joseph Nye’s framework remains the most serviceable map.¹⁵⁹ Small states raise costs and reduce expected gains by combining denial with calibrated punishment, and by leveraging norms and interdependence to widen the circle of actors with a stake in stability. Crucially, cyber deterrence must be tailored, context-aware, and judged by behavioural outcomes rather than incident-free perfection.

Across the two cases, a common pattern emerges. Estonia and Singapore both deter not by threatening cyber dominance but by narrowing the payoff for hostile operations, signalling credibility through visible practice, and embedding their security in wider communities. Estonia’s experience shows how a small, exposed state can turn crisis into agenda-setting influence – hosting the NATO CCDCOE, driving the Tallinn Manual process, and using public attribution and EU instruments to translate legal argument into coordinated response.¹⁶⁰ Singapore, operating as a highly connected hub in a contested region, emphasises law-backed baselines for critical infrastructure, whole-of-society drills, and norms-centred diplomacy that lowers the political temperature while expanding practical cooperation.¹⁶¹ Neither relies on a single lever. Each state layers mechanisms to make coercion costly, conspicuous, and strategically unproductive.

The central pillar is denial, operationalised as resilience. Tim Prior captures this shift as a “fifth wave” of deterrence in which resilient socio-technical systems anticipate, absorb, and recover from shocks, denying attackers decisive effects even when attribution is delayed or contested.¹⁶² Viewed from this angle, resilience as operationalised by Estonia and Singapore is a governance style (flexible, distributed, and rehearsal-heavy) that reduces the adversary’s expected returns and demonstrates staying power under stress. For small states, this is deterrence they can afford, scale, and prove in peacetime.

Norms and entanglement then amplify denial. Estonia’s cyber diplomacy illustrates how multi-lateralising norms raises reputational costs for irresponsible behaviour and enables joint responses – from collective attribution to EU restrictive measures. More broadly, small states benefit disproportionately when international law is taken seriously. Legalism is not naïve idealism but a strategic hedge that substitutes rules for raw power.¹⁶³ Singapore’s regional initiatives similarly entrench expectations and practical confidence-building measures, turning abstract norms into routines across CERTs, regulators, and operators. In short, norms give small states voice and leverage, while entanglement ensures that attacks risk collateral consequences for larger stakeholders.

Yet the GZ is a lawyer’s minefield and a strategist’s headache. Adversaries operate below the threshold of armed attack and hence responses must draw on legal and regulatory tools, cross-government coordination, and alliance or market instruments short of force. The lesson is not to abandon deterrence, but to accept that the decisive battles are often fought in law, process, and partnerships – areas where small states can compete.

There are limits. Alignment politics can slow norm “cascades.” Entanglement may not bite if partners are distracted or divided. Punishment against state-linked actors is inherently constrained for small states. Resilience is resource-intensive and uneven across sectors. These are reminders that layered deterrence must be constantly maintained, communicated, and adapted.

For small states, the lessons are pragmatic and actionable:

1. Normative deterrence is a practical toolkit: Keep investing in norm entrepreneurship, and codify an attribution ladder your partners recognise. Translate UN/ASEAN commitments into repeatable CBMs, maintained points-of-contact directories, standing CERT-to-CERT channels and supply-chain assurance. Pre-agree evidence thresholds, decision venues and communications templates so movement from technical to political attribution is timely, coalition-minded and controlled.
2. Entanglement multiplies costs through alliances and markets: Pre-wire collective tools. Align national playbooks with regional or alliance instruments (for example, coordinated attribution, sanctions, regulatory actions) and set trigger criteria with partners in advance. Use market levers – joint procurement conditions, cyber insurance requirements, and vendor standards – to raise costs for attackers and enablers.
3. Denial is the foundation – resilience makes it credible: Institutionalise resilience as deterrence. Mandate sector baselines, run joint technical–executive exercises and publish after-action improvements. Harden by default (segmentation, least privilege, offline tested backups, monitored recovery tiers). Drill crisis communications so confidence in essential services hold under stress. Treat service continuity as the public metric of success.
4. Punishment requires innovation and restraint: Innovate punishment proportionately. Pool coercive power where possible. Otherwise, target reachable actors: legal seizures, compliance penalties, export-control designations, civil liability against facilitators and exclusion from government markets. Sequence measures on a pre-planned ladder to keep credibility high and escalation controlled.
5. Layered deterrence posture is cardinal: Anticipate cross-domain spillovers. Integrate cyber, information, economic and diplomatic instruments. Create an integrated-effects cell to synchronise timing and messaging, and run cross-domain exercises so hand-offs are smooth under pressure.
6. Design must fit context: Tailor to strategic culture, legal authorities, risk appetite and sector exposure. Choose governance that matches your system, and pick a signalling style that suits. Prioritise selected sectors, then scale. Measure what matters for your context (time-to-detect, time-to-contain, service continuity under stress, coalition response speed) and report annually.
7. Align words and deeds: Sustain audience-aware signalling. Match declarations, budgets, exercises and consequences so commitments remain credible. Coordinate releases with partners, explain incidents and fixes promptly and keep message discipline. When you signal red lines, enforce them; when you promise learning, show the fixes.

Further studies could develop shared, behaviour-based metrics (e.g., time to detect and contain, service continuity under stress, coalition response speed) that enable cross-country comparison; probe when entanglement truly deters versus when interdependence becomes leverage, including failure cases where partners are divided or slow; and trace how UN/ASEAN language becomes routine practice by testing specific mechanisms such as joint attribution procedures, incident-notification rules and supply-chain assurance. Advancing these lines will provide small states with a clearer playbook and firmer evidence for what works, what does not and what to fix next.

In conclusion, small states can deter cyber coercion not by out-muscling adversaries, but by making aggressive operations unlikely to deliver strategic effect. Layering denial, norms, entanglement, and selective punishment, they convert vulnerability into a posture that is credible, communicable, and coalition-ready. Estonia and Singapore demonstrate that when resilience holds, rules are socialised, and partners have skin in the game, adversaries learn that the returns to coercion are meagre and the risks of exposure are real. Cyber deterrence will never be perfect, but perfection is not the point. The point is to ensure that those who would coerce find that, in practice, they cannot, because essential services endure, partners rally, and the costs mount faster than the gains. That is how small states can deter in the GZ: not by shouting the loudest, but by designing failure into the attacker’s plan.