General Cartwright on Offensive Cyber Weapons and Deterrence

By Jack Goldsmith
Tuesday, November 8, 2011, 10:27 AM

In an interview with Reuters, General James Cartwright, who retired a few months ago as the vice chairman of the Joint Chiefs of Staff, maintains that the United States needs to disclose its offensive cyber capabilities in order to enhance the deterrent effect of these capabilities.  “We've got to step up the game; we've got to talk about our offensive capabilities and train to them; to make them credible so that people know there's a penalty to this,” he said.  “You can't have something that's a secret be a deterrent.  Because if you don't know it's there, it doesn't scare you.”  Cartwright added that the United States needed to send a signal that it would exercise its “right to self-defense” in response to cyber attacks.   "We've got to get that done, because otherwise everything is a free shot at us and there's no penalty for it."

One cannot read too much into snippets of an interview, but of course matters are more complex than this.  First, talking about offensive cyber-capabilities is a tricky business.  Merely talking about the weapons in general terms, without revealing and perhaps demonstrating their capabilities, cannot advance deterrence very much.  But on the other hand, too much detail about what the weapons can do make it easier, and potentially very easy, for adversaries to defend against these weapons by (among other things) closing the vulnerabilities that the weapons exploit.  Moreover, openly demonstrating or even discussing cyber capabilities would further enflame the cyber arms race in ways that might be self-defeating.

Second, revealing the circumstances in which these weapons will be used might invite infiltrations just short of those circumstances.  “As soon as you declare a red line, you're essentially telling people that everything up to that line is OK,” noted former Pentagon official Eric Sterner in the Reuters story.

Third, and to my mind most fundamental, revealing the weapons capabilities and the (possible) circumstances of their use will not go far toward establishing deterrence unless the United States can credibly commit to using the weapons.  This, I think, is hard to do.  The main threat today is cyber-exploitation (i.e. espionage, theft, copying) that does not violate international law and that would not warrant any use of force under international law.  I have a hard time understanding how a law-sensitive DOD will credibly commit to ever using cyber-weapons, or kinetic weapons for that matter, in response to even the most devastating cyber-exploitations.

It is easier to imagine the use of cyber-weapons (or kinetic weapons) in response to a cyber-attack (i.e. disruptions of the operations of computer systems and the systems that depend on them), especially if the attack is large-scale and perceptible by the public.  But there are unique challenges even in this context, for it is harder to credibly threaten to respond to cyber-attacks than to (most) traditional kinetic attacks.  There are two related challenges here.  The first is attribution.  The USG will often have a difficult time identifying the geographical source of a cyber-attack, and linking that attack to a responsible nation (which is perhaps a nation other than the nation that was the geographical source of the attack).  To the extent that the United States lacks certainty about what nation is responsible for the attack, it will hesitate in using any weapons – cyber or kinetic – in response, for fear of mistake.  This problem can be overcome when attribution is certain, but that will not always or even usually be the case, and thus in the run of cases the problem of attribution will render threatened responses less likely and thus less credible on average.  Second, and relatedly, even if the United States has perfect attribution of the attack, unless it can publicly prove attribution, public support for its cyber or kinetic responses – in the United States and around the globe – will be less robust than a response to an attack with publicly verifiable attribution (like, for example, 9/11 or Pearl Harbor).  Thus the USG, anticipating contestation over the legitimacy of its response because of public uncertainty about attribution, is less likely to respond, and thus less capable of establishing the credibility of its response.

These are but some of the challenges of establishing a deterrent policy in response to cyber exploitations and attacks.  A good introduction to this general topic is the Computer Science and Telecommunication Board’s collection of essays, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.