In lieu of an abstract, here is a brief excerpt of the content:

173 8 The Cartwright Conjecture The Deterrent Value and Escalatory Risk of Fearsome Cyber Capabilities jason healey We’ve got to talk about our offensive capabilities . . . ​ to make them credible so that ­ people know ­ there’s a penalty [for attacking the United States]. —­General James Cartwright, USMC, retired, 2011 Many advocates of cyber deterrence argue that the United States needs both fearsome cyber capabilities and assurance that Amer­ i­ ca’s adversaries know about them. This opinion might be called the Cartwright Conjecture, as expressed by General James Cartwright in this chapter’s epigraph. I’ve heard very se­ nior national security and cyber experts express relief that China believes the United States is “ten feet tall” in cyberspace ­ because it has led China to be fearful and deterred, perhaps causing them to show The author wishes to acknowledge the feedback provided by colleagues at workshops held at the Hoover Institution at Stanford University and at the School of International and Public Affairs at Columbia University. Nicole Softness provided research and editorial help. This work was supported by the Car­ ne­ gie Corporation of New York and the Office Naval Research ­ under the OSD Minerva program, grant number N00014-17-1-2423. 08-3547-2-ch08.indd 173 11/08/18 9:31 pm 174 Bytes, Bombs, and Spies more restraint in their cyber operations than they other­ wise might. Having fearsome capabilities, in this view, leads to better national security outcomes. This view of the deterrent effect of U.S. cyber capabilities is mainstream in Washington, D.C., yet rarely put to the test. Stated more formally, the hypothesis of ­ those who support the Cartwright Conjecture might be that adversaries who become aware of U.S. cyber capabilities ­ will in turn restrain their own cyber operations. Evidence to support this hypothesis is surprisingly thin. The case studies hint that, rather than being restrained in the face of cyber capabilities, states instead ramp up their own cyber capabilities and operations. Not least ­ because cyber capabilities have most often been revealed through ­ actual use, nations are not cowed but rather counterattack. Thus, if cyber conflict is more escalatory than many experts realize, a policy of deterrence built on fearsome capabilities is likely a significant miscalculation. The Case for Being Feared This chapter is not a comprehensive assessment of cyber deterrence, but rather an assessment of one view among policymakers. Still, a summary of the topic is a useful place to start. ­ After all, having fearsome capabilities is not the only kind of deterrence. The White House policy (during the Obama administration) on the topic features deterrence by denial: “­ There should be certainty about the fact that, even in the face of sophisticated cyber threats, the United States can maintain robust defenses, ensure resilient networks and systems, and implement a robust response capability that can proj­ ect power and secure U.S. interests .”1 Adversaries would decide not to conduct significant cyberattacks­ because such attacks would not be likely to lead to positive and meaningful strategic outcomes.2 Denying benefits is often the preferred kind of deterrence ­ because it is useful against a range of adversaries and attack types, and is even useful against many kinds of accidental failures. Moreover, deterrence by denial is usually defensive in nature and therefore not escalatory. But such power­ ful defense and resilience is difficult in cyber conflict, as the offense tends to have so many tactical advantages over the defense. Accordingly , it is not just General Cartwright who recommends deterrence by punishment or by cost imposition. The White House policy is clear that the United States is pursuing mea­ sures to both “threaten and carry out actions 08-3547-2-ch08.indd 174 11/08/18 9:31 pm The Cartwright Conjecture 175 to inflict penalties and costs against adversaries that choose to conduct cyber attacks or other malicious cyber activity” against the nation through economic costs, such as sanctions, law enforcement, and military options.3 A Defense Science Board task force, of which the author was a member, completed a report on cyber deterrence, including recommendations for both denial and cost imposition.4 To ­ these mechanisms Joseph Nye has added entanglement and normative taboos.5 More recently, Michael Fischerkeller and Richard Harknett have convincingly argued that deterrence is the wrong model, since adversaries are in constant contact with each other, though they also argue explic­ itly for a “capabilities-­ based strategy” that “would focus less on who might threaten the United States or where...


Additional Information

Related ISBN
MARC Record
Launched on MUSE
Open Access
Back To Top

This website uses cookies to ensure you get the best experience on our website. Without cookies your experience may not be seamless.