In an interview with Reuters, General James Cartwright, who retired a few months ago as the vice chairman of the Joint Chiefs of Staff, maintains that the United States needs to disclose its offensive cyber capabilities in order to enhance the deterrent effect of these capabilities.  “We’ve got to step up the game; we’ve got to talk about our offensive capabilities and train to them; to make them credible so that people know there’s a penalty to this,” he said.  “You can’t have something that’s a secret be a deterrent.  Because if you don’t know it’s there, it doesn’t scare you.”  Cartwright added that the United States needed to send a signal that it would exercise its “right to self-defense” in response to cyber attacks.  “We’ve got to get that done, because otherwise everything is a free shot at us and there’s no penalty for it.”

One cannot read too much into snippets of an interview, but of course matters are more complex than this.  First, talking about offensive cyber-capabilities is a tricky business.  Merely talking about the weapons in general terms, without revealing and perhaps demonstrating their capabilities, cannot advance deterrence very much.  But on the other hand, too much detail about what the weapons can do makes it easier, and potentially very easy, for adversaries to defend against these weapons by (among other things) closing the vulnerabilities that the weapons exploit.  Moreover, openly demonstrating or even discussing cyber capabilities would further inflame the cyber arms race in ways that might be self-defeating.

Second, revealing the circumstances in which these weapons will be used might invite infiltrations just short of those circumstances.  “As soon as you declare a red line, you’re essentially telling people that everything up to that line is OK,” noted former Pentagon official Eric Sterner in the Reuters story.

Continue reading Jack Goldsmith...
