Policy makers could look up to the game theory and adopt it to tackle the difficult issue of cyberwarfare strategy, researchers have suggested.
Cyberwarfare is a tricky aspect of a nation’s security and unlike physical attack a cyber attack can’t be blamed on someone right away without the adequate proof and evidence. When it comes to retaliating to a cyber attack, nations need to take into consideration a number of factors including when and how to respond. Answers to these questions are not always straightforward and it is down to the policy makers to come up with an effective strategy.
That’s where game theory could help, scientists at University of Michigan suggest. The “Blame Game”, which was developed in part by Robert Axelrod, a University of Michigan political scientist, examines when a victim should tolerate a cyber attack, when a victim should respond–and how. Using historical examples, scientists at Michigan and their colleagues at University of New Mexico and IBM Research illustrated how the Blame Game applies to cases of cyber or traditional conflict in a number of countries including the United States, Russia, China, Japan, North Korea, Estonia, Israel, Iran and Syria.
The study published in the Journal Proceedings of the National Academy of Sciences involves a model that is capable of elucidating the complicated issues in cyberwarfare and identifies key parameters that must be considered in formulating a response.
Through the Blame Game approach, policy makers are required to answer a series of questions on how to respond to a cyber attack. This means that a victim would first ask whether I know if the attacker is vulnerable? Vulnerability comes in several forms. It could mean a nation is susceptible to a counter cyber attack. It could also mean the attacker is in a difficult geopolitical position and being blamed for a high-profile cyber breach could be detrimental.
If the answer to the question of attacker’s vulnerability is affirmative, then the framework moves to the next question: Is the cost of doing nothing higher than the cost of blaming? Nations should always assign blame if the attacker is vulnerable.
Victims can then decide whether a counter attack is in order. This effectively calls for switching the sides in the game theory model with the victim now thinking like an attacker. The question that need to be answered could be whether I am vulnerable to blame? If I am, does my intended victim know this? If the answer to either question is no, an attack may be the right option.
While the questions are straightforward, the researchers say the answers are not. In the cyber domain, assigning blame for an attack or intrusion is complicated both by technical factors and by lack of agreement on basic definitions, such as what constitutes an attack or what counts as critical infrastructure, according to the study.