A Better Kind of Cybersecurity Strategy

“In some sense this is a canonical kind of question for game theorists to think about,” Wolitzky says, noting that the development of game theory as an intellectual field stems from the study of nuclear deterrence during the Cold War. “We were interested in what’s different about cyberdeterrence, in contrast to conventional or nuclear deterrence. And of course there are a lot of differences, but one thing that we settled on pretty early is this attribution problem.” In their paper, the authors note that, as former U.S. Deputy Secretary of Defense William Lynn once put it, “Whereas a missile comes with a return address, a computer virus generally does not.”

In some cases, countries are not even aware of major cyberattacks against them; Iran only belatedly realized it had been attacked over a period of years by the Stuxnet worm, which damaged centrifuges being used in the country’s nuclear weapons program.

In the paper, the scholars largely examined scenarios where countries are aware of cyberattacks against them but have imperfect information about the attacks and attackers. After modeling these events extensively, the researchers determined that the multilateral nature of cybersecurity today makes it markedly different from conventional security. In multilateral conditions, there is a much higher chance that retaliation can backfire, generating additional attacks from multiple sources.

“You don’t necessarily want to commit to be more aggressive after every signal,” Wolitzky says.

What does work, however, is simultaneously improving detection of attacks and gathering more information about the identity of the attackers, so that a country can pinpoint the other nations it could meaningfully retaliate against.

But even gathering more information to inform strategic decisions is a tricky process, as the scholars show. Detecting more attacks while being unable to identify the attackers does not clarify specific decisions, for instance. And gathering more information but having “too much certainty in attribution” can lead a country straight back into the problem of lashing out against some states, even as others are continuing to plan and commit attacks.

“The optimal doctrine in this case in some sense will commit you to retaliate more after the clearest signals, the most unambiguous signals,” Wolitzky says. “If you blindly commit yourself more to retaliate after every attack, you increase the risk you’re going to be retaliating after false alarms.”

Wolitzky points out that the paper’s model can apply to issues beyond cybersecurity. The problem of stopping pollution can have the same dynamics. If, for instance, numerous firms are polluting a river, singling just one out for punishment can embolden the others to continue.

Still, the authors do hope the paper will generate discussion in the foreign-policy community, with cyberattacks continuing to be a significant source of national security concern.

“People thought the possibility of failing to detect or attribute a cyberattack mattered, but there hadn’t [necessarily] been a recognition of the multilateral implications of this,” Wolitzky says. “I do think there is interest in thinking about the applications of that.”

The research was supported, in part, by the Sloan Foundation and the National Science Foundation.

Peter Dizikes is the social sciences, business, and humanities writer at the MIT News Office. The article is reprinted with permission of MIT News.