Choosing the right cyberattack response is a complicated game

New analysis offers a framework for deciding on cyber retaliation

HACK REACT  Responding to a cyberattack isn’t straightforward; a new game theory analysis reveals when a counterattack is and isn’t a good strategy.

Many Americans were outraged over Russia’s e-mail hacking during the 2016 presidential election and expected a vigorous response from the U.S. government. But new research that views cyberattacks from a game theory perspective suggests that the delayed response was a sound one.

While instinct suggests that such attacks deserve swift retaliation, viewing cyberwarfare through a mathematical lens can reveal situations where that knee-jerk response is useless. The new study, published online February 27 in Proceedings of the National Academy of Sciences, explores various cyberattack scenarios as games of strategy where rational choices are made by the attacker and the victim. This game theory analysis finds that how or even whether to respond to an attack depends on how much and what the players know about each other.

The take-home message of the study is sobering, says Jon Lindsay, a cybersecurity expert at the University of Toronto. “It’s not just about whodunit,” he says. “They’ve shown that you can invest a lot in identifying who carried out an attack but that’s not necessarily going to stop the attackers.”

The analysis makes explicit what many victims know, whether attacked by a schoolyard bully or foreign government: Vulnerability matters. Consider an attacker A, who strikes out at victim B. After the attack, the response depends largely on the vulnerability of the players. The victim can hurt a vulnerable attacker and gain from that strategy. Or, if the attacker is invulnerable, the victim can pay a cost for trying to fight back. In the schoolyard, for instance, telling a teacher about a bully might mean future torment with no relief, making it safest to do nothing.

In the realm of cyberattacks, vulnerability can be interpreted in several ways. The United States, for example, could have industrial secrets that make it vulnerable to an attack from China. But if the reverse isn’t true, then China might not be afraid of the United States countering a hack with an industrial espionage attack. When hackers from North Korea compromised and leaked Sony Pictures’ e-mails, the U.S. government didn’t have a similar target in North Korea. So the United States was left in the awkward position of either ignoring the attacks, retaliating disproportionately (which could escalate things) or retaliating in a different domain (which it did, imposing economic sanctions that were largely symbolic).

The game theory approach also incorporates knowledge: To make decisions about vulnerability, you have to know who your attacker is. Here, the cyber world is often different from the physical one, says computer scientist Benjamin Edwards, of IBM’s Thomas J. Watson Research Center in Yorktown Heights, N.Y. “Attribution can be harder with terrorist organizations or lone actors,” says Edwards, who led the new study. Even when an attack might be traced to a physical location, it doesn’t necessarily mean that there’s an obvious target for retaliation, like a state government.

The players’ types (vulnerable attacker, knowledgeable victim, for example), payoffs (such as the cost of public anger over a victim’s inaction if the attacker’s identity is known) and beliefs (about the other’s nature and knowledge) create a calculus that reveals various strategies, like when it is rational to tolerate an attack. Given the various types of players and moves, the game yields three stable outcomes where neither player has an incentive to change strategy: no attack, attack and no blame, or attack and blame.

While the questions that players ask, both of and about each other, appear straightforward, the answers aren’t, the researchers note. Such was the case with the presidential election hacks, says Edwards. There was growing public outcry following Russia’s leaking of Democratic National Committee e-mails, an attack that seemed aimed at influencing the outcome of the U.S. presidential election. This outcry was a cost for the U.S. government, the victim. Yet the U.S. government didn’t take public action against Russia until December 29, when it announced that 35 Russians living in the United States under diplomatic protection would be expelled.

It seems President Barack Obama knew his game theory. In a news conference on December 16, he discussed the hacks, stating that “the idea that somehow public shaming is going to be effective, I think doesn’t read the thought process in Russia very well.”

(At the time, the researchers had finished their analysis, says Edwards. Obama’s remarks were “very validating.”)

The research is timely because cyberattacks are increasingly a tactic of choice, says Lindsay, who served as an intelligence officer in the U.S. Navy. The good news, he says, is that adversaries are opting for cyberwar because they don’t want to challenge nations with military might. “There’s less war, but there’s now more diversity in things that are not quite war.”