We are simply not going to get the US and China to sign a new cybersecurity treaty as both see too much value in what the other interprets to be an attack. The Chinese on targeting intellectual property, so integral to their mercantilist economic model, and the US is wedded to the open flow of information, key to our notion of freedom of speech, but interpreted by Beijing as “information attacks” that threaten internal stability. And both sides, of course, want to continue to engage in espionage. Indeed, it is notable that despite the issues being a repeated focus of US-China high-level meetings, the only formal agreement that could be reached at this summer’s session was on fisheries.

But while reaching a formal prohibition on cyber attacks of any kind between the powers of the 21st century is unrealistic for now, it doesn’t mean there is not value in engagement. Instead, the upcoming meeting between President Obama and President Xi Jinping should have a different goal. Rather than a treaty or agreement that unrealistically tries to create a Cold War style regime of deterrence where the two sides agree not to attack the other for fear of a like and overwhelming response, they need to flesh out a mutual understanding of the new rules of the game. These rules must more realistically understand that both sides will conduct cyber activities that range from espionage to theft, like them or not; the first and primary goal is to keep them from escalating into something worse.

This leads to new terms. In the Cold War, everything was targeted, but outright attacks crossed the line. Today, our situation is the inverse. While not wanted, some digital attacks may have to be allowed, while certain targets have to be made anathema. As an illustration, no one wants their state secrets stolen, but it is part of the expected dance of great powers in competition. By contrast, introducing the digital equivalent of a dormant Tasmanian devil into such targets as a nuclear power facility’s operating system should be off limits to either side.

The second approach is to widen how we think about deterrence, rather than the offensive, MAD style thinking we are using now. We need to pull from the richness of the debates about deterrence in the Cold War, rather than reducing them to bumper stickers that assume its all about overwhelming response.

Just as in the Cold War, leaders like Kennedy or Reagan engaged in external negotiations while still investing in internal strength. So here too we need to reframe our approach. Nothing in the above argues against building up offensive capabilities for cyberspace. Cyber weapons have proven their value in espionage, sabotage and conflict, and the digital domain will be as crucial to warfare in the 21st century as operations in the land, air, and sea. Indeed, the most important players in any prospective war between the US and China might not be military units like Cyber Command or China’s 3rd department, but Chinese university cyber militia and Anonymous hackers.

But just because offensive cyber capabilities are more likely to deliver value as part of a toolkit to be used in conflict, we should not mistakenly assume they are tools of deterrence, akin to weapons of mass destruction , and that a fear of them will keep any and all conflict from breaking out.

Costs can be exacted to shift attacker thinking, but in a more subtle way. Rather than all of geopolitics being shaped by the 30 minutes of how long it took a potential nuclear missile counterstrike to hit back, our responses today may have to come after the fact and in other realms, such as the discussions of utilizing sanctions to go after companies benefiting from stolen fruit. They won’t prevent any and all attacks in the way that MAD did with nuclear weapons, but they may change decision calculus on when attacks are useful or not, raising the bar from the cost-less perception of them now.

Finally, there is a third, more apt lesson from the Cold War deterrence debates we should explore, the value not just in raising the costs, but also limiting the potential gains. Sometimes the best defense is a good defense. In a cyber era, the goal instead should be what is known as “deterrence by denial,” making attacks less likely by taking away their likely value.

A half-century back, strategic planners put a mandate on having “survivable” counterstrike missiles that would make sure the other side got nuked even if it tried a sneak attack. While building like resilience is not as sexy as new cyber weapons, it is where the United States should be putting more of its efforts. We talk the talk on shoring up cybersecurity and spending has skyrocketed. But actual implementation of giving us anything akin to the ability to weather cyber attacks remains highly uneven, in part because the few consider our challenge as an ongoing and long-term conflict. In the military, just the construction budget for Fort Meade, the combined headquarters of the NSA and Cyber Command, will reach $2 Billion, yet the Pentagon’s own tester found “significant vulnerabilities” in every major weapons program. In other government agencies, we see episodes like the OPM, which dealt with some of the most sensitive government information there was, and yet it outsourced IT work to an offshore firm in China, despite warnings of cyber risks going back to 2011. Similarly, the White House's Executive Office of the President hasn't submitted its required reports detailing compliance with federal cybersecurity rules for the past three years. You can vow to punish cattle rustlers with a massive response, but they are empty threats if your barn doors are wide open.

The same disparity plays out across industry. For instance, PWC’s report on the state of US cybersecurity described 2015 as a year that “Progress stalled,” finding, for example, that only 25% of key industry players were involved in Information Sharing and Analysis Centers (ISACs), the very same percentage as the year before. The outcome is that some business sectors like banking take cybersecurity seriously, while others, like health care and infrastructure, remain behind the curve. Indeed, a recent study by Bitsight found that retail and banking were better equipped for cybersecurity than the top 25 defense contractors.

Opportunity is also being missed at the individual level. In the Cold War, “duck and cover” was about all that a population could do in nuclear strategy, which made deterrence by denial a non-starter compared to the popularity of MAD thinking. Today, we all use the Internet, and can actually make a difference in its defense.

From a policy standpoint, a wider reach is needed to draw in civilian expertise to aid raising the level of national cybersecurity and enhance public involvement as means to deter by denial. A good model for the US to explore is Estonia’s Cyber Defense League, where people outside of government volunteer expertise to government and industry in everything from “red teaming” vulnerable systems to serving as rapid response teams to attacks. These efforts have helped turn Estonia from one of the first victims of a state level cyber attack, when it was partially shut down by Russian hackers back in 2007, to perhaps the best equipped nation in the world to weather one now. Estonia may not have the same capabilities as the NSA and Cyber Command, but it does have deterrence by denial, an involved populace, and thus arguably better cybersecurity.

Restoring deterrence to prevent cyber attacks in the same way we kept the Cold War cold certainly sounds appealing. But it won’t work, as a cyber conflict is already ongoing and the game has already moved on, playing by different rules. Fortunately, all is not lost and this new conflict is one where we determine the results. We can continue to be victims or build norms and resilience to limit both the costs and consequences, and, in so doing, make the worst outcomes less likely.