The Myth of the Cyber Offense: The Case for Cyber Restraint

16 Pages Posted: 29 May 2019

Date Written: January 15, 2019


In the context of recent shifts in cybersecurity policy in the United States, this paper examines the character of cyber conflict through time. Data on cyber actions from 2000 to 2016 demonstrate evidence of a restrained domain with few aggressive attacks that seek a dramatic, decisive impact. Attacks do not beget attacks, nor do they deter them. But if few operations are effective in compelling the enemy and fewer still lead to responses in the domain, why would a policy of offensive operations to deter rival states be useful in cyberspace?

We demonstrate that, while cyber operations to date have not been escalatory or particularly effective in achieving decisive outcomes, recent policy changes and strategy pronouncements by the Trump administration increase the risk of escalation while doing nothing to make cyber operations more effective. These changes revolve around a dangerous myth: offense is an effective and easy way to stop rival states from hacking America. New policies for authorizing preemptive offensive cyber strategies risk crossing a threshold and changing the rules of the game.

Keywords: cyber, defense, hacking, computer, security, cybersecurity

JEL Classification: N72, Q55

Suggested Citation

Valeriano, Brandon G. and Jenson, Ben, The Myth of the Cyber Offense: The Case for Cyber Restraint (January 15, 2019). Cato Institute Policy Analysis No. 862, 2019, Available at SSRN:

Brandon G. Valeriano (Contact Author)

Marine Corps University ( email )


Ben Jenson

Cato Institute ( email )

1000 Massachusetts Avenue, N.W.
Washington, DC 20001-5403
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics