Should a nation retaliate against a cyber attack? A new framework guided by game theory could help policymakers land on their best strategy.
The new study, published in Proceedings of the National Academy of Sciences, examines when a victim should tolerate a cyber attack, and when a victim should respond—and how.
The researchers use historical examples to illustrate how the Blame Game applies to cases of cyber or traditional conflict involving the United States, Russia, China, Japan, North Korea, Estonia, Israel, Iran, and Syria.
Victims should first ask: Do I know if my attacker is vulnerable?
Its release comes as the US faces increasing cybersecurity threats, including the recent attacks against the Democratic National Committee and the Chinese theft of databases containing the personal information of 21.5 million federal employees.
“Conflict is increasingly common and severe on the internet today, as governments and corporations have recognized its potential as an instrument of power and control,” says Stephanie Forrest, professor at the University of New Mexico and an external faculty member at the Santa Fe Institute.
“Unlike nuclear technology, it can be extremely challenging to identify the party responsible for a cyber attack, and this complicates the strategic decision of when to assign blame. Our model elucidates these issues and identifies key parameters that must be considered in formulating a response.”
In many cases it may be rational for nations to tolerate cyber attacks, even in the face of strong public criticism.
“You might think you should always publicly blame and retaliate in a cyberwarfare situation,” says Robert Axelrod, professor at the University of Michigan’s Gerald R. Ford School of Public Policy. “But that’s not true. The reason it’s not is that the attacker may not be vulnerable. It may not matter whether they’re blamed or not. And if that’s true, you might be in a situation where if you assign blame, your own people would expect you to do something, but there’s nothing you can do.”
Blame Game offers a series of questions that policymakers can ask as they work through how to respond to a cyber attack. Victims should first ask: Do I know if my attacker is vulnerable?
Vulnerability comes in several forms. It could mean a nation is susceptible to a counter cyber attack. It could also mean the attacker is in a difficult geopolitical position and being blamed for a high-profile cyber breach could be detrimental.
If the victim knows that the attacker is vulnerable, the framework moves to the next question: Is the cost of doing nothing higher than the cost of blaming? Nations should always assign blame if the attacker is vulnerable.
Victims can next determine whether to counter attack, switching sides in the game theory model. Questions potential attackers should ask are: Am I vulnerable to blame? If I am, does my intended victim know this? If the answer to either question is no, an attack may be the right option.
While the questions are straightforward, the researchers say the answers are not.
In the cyber domain, assigning blame for an attack or intrusion is complicated both by technical factors and by lack of agreement on basic definitions, such as what constitutes an attack or what counts as critical infrastructure, according to the study.
But the stakes are high.
“It’s certainly possible that cyber attacks could be used in a much larger way than we’ve seen yet,” Axelrod says. “It pays to try to understand as much as we can about the incentives and dynamics so we can think about how to prevent them. We hope our model will help policymakers identify gaps in their knowledge and focus on estimating parameters in advance of new cyber attacks.”
Funding for the study came from the National Science Foundation, DARPA, and the Santa Fe Institute.
Source: University of Michigan