Whether a nation should retaliate against a cyber attack is a complicated decision, and a new framework guided by game theory could help policymakers determine the best strategy.
The “Blame Game” was developed in part by Robert Axelrod, a University of Michigan political scientist who is well known for solving a version of the classic game theory scenario known as “the prisoner’s dilemma.” Axelrod is the Walgreen Professor for the Study of Human Understanding at the U-M Gerald R. Ford School of Public Policy.
The new study, published in Proceedings of the National Academy of Sciences this week, examines when a victim should tolerate a cyber attack, when a victim should respond–and how. The researchers, including others from the University of Michigan and their colleagues at the University of New Mexico and IBM Research, use historical examples to illustrate how the Blame Game applies to cases of cyber or traditional conflict involving the United States, Russia, China, Japan, North Korea, Estonia, Israel, Iran and Syria.
It is released as the U.S. faces increasing cybersecurity threats, including the recent attacks against the Democratic National Committee and the Chinese theft of databases containing the personal information of 21.5 million federal employees.
“Conflict is increasingly common and severe on the internet today, as governments and corporations have recognized its potential as an instrument of power and control,” said Stephanie Forrest, a distinguished professor at the University of New Mexico and an external faculty member at the Santa Fe Institute.
“Unlike nuclear technology, it can be extremely challenging to identify the party responsible for a cyber attack, and this complicates the strategic decision of when to assign blame. Our model elucidates these issues and identifies key parameters that must be considered in formulating a response.”
In many cases it may be rational for nations to tolerate cyber attacks, even in the face of strong public criticism.
“You might think you should always publicly blame and retaliate in a cyberwarfare situation,” Axelrod said. “But that’s not true. The reason it’s not is that the attacker may not be vulnerable. It may not matter whether they’re blamed or not. And if that’s true, you might be in a situation where if you assign blame, your own people would expect you to do something, but there’s nothing you can do.”
Blame Game offers a series of questions that policymakers can ask as they work through how to respond to a cyber attack. Victims should first ask: Do I know if my attacker is vulnerable? Vulnerability comes in several forms. It could mean a nation is susceptible to a counter cyber attack. It could also mean the attacker is in a difficult geopolitical position and being blamed for a high-profile cyber breach could be detrimental.
If the victim knows that the attacker is vulnerable, the framework moves to the next question: Is the cost of doing nothing higher than the cost of blaming? Nations should always assign blame if the attacker is vulnerable.
Victims can next determine whether to counter attack, switching sides in the game theory model. Questions potential attackers should ask are: Am I vulnerable to blame? If I am, does my intended victim know this? If the answer to either question is no, an attack may be the right option.
While the questions are straightforward, the researchers say the answers are not.
In the cyber domain, assigning blame for an attack or intrusion is complicated both by technical factors and by lack of agreement on basic definitions, such as what constitutes an attack or what counts as critical infrastructure, according to the study.
But the stakes are high.
“It’s certainly possible that cyber attacks could be used in a much larger way than we’ve seen yet,” Axelrod said. “It pays to try to understand as much as we can about the incentives and dynamics so we can think about how to prevent them. We hope our model will help policymakers identify gaps in their knowledge and focus on estimating parameters in advance of new cyber attacks.”