Strategic aspects of cyberattack, attribution, and blame

Contributed by Robert Axelrod, January 11, 2017 (sent for review October 14, 2016; reviewed by Ross Anderson, Matthew Bishop, and Bruce Schneier)
February 27, 2017
114 (11) 2825-2830

Significance

Attribution of cyberattacks has strategic and technical components. We provide a formal model that incorporates both elements and shows the conditions under which it is rational to tolerate an attack and when it is better to assign blame publicly. The model applies to a wide range of conflicts and provides guidance to policymakers about which parameters must be estimated to make a sound decision about attribution and blame. It also draws some surprising conclusions about the risks of asymmetric technical attribution capabilities.

Abstract

Cyber conflict is now a common and potentially dangerous occurrence. The target typically faces a strategic choice based on its ability to attribute the attack to a specific perpetrator and whether it has a viable punishment at its disposal. We present a game-theoretic model, in which the best strategic choice for the victim depends on the vulnerability of the attacker, the knowledge level of the victim, payoffs for different outcomes, and the beliefs of each player about their opponent. The resulting blame game allows analysis of four policy-relevant questions: the conditions under which peace (i.e., no attacks) is stable, when attacks should be tolerated, the consequences of asymmetric technical attribution capabilities, and when a mischievous third party or an accident can undermine peace. Numerous historical examples illustrate how the theory applies to cases of cyber or kinetic conflict involving the United States, Russia, China, Japan, North Korea, Estonia, Israel, Iran, and Syria.


Acknowledgments

We thank Alton Worthington, Brandon Kaplowitz, Herb Lin, Steve Crocker, Joseph Nye, Vinh Nguyen, Cari Martinez, Susan Landau, and Sam Liles for their comments on early drafts of this paper. S.F. and R.A. were partially supported by National Science Foundation (NSF) Grant 1444871, and S.F. acknowledges NSF Grant 1518878, Defense Advanced Research Projects Agency Grant FA8750-15-C-0118, Air Force Research Laboratory Grant FA8750-15-2-0075, and the Santa Fe Institute.

Supporting Information

Appendix (PDF)

Information & Authors

Information

Published in

Proceedings of the National Academy of Sciences
Vol. 114 | No. 11
March 14, 2017
PubMed: 28242700

Submission history

Published online: February 27, 2017
Published in issue: March 14, 2017

Keywords

  1. cyber conflict
  2. attribution
  3. blame
  4. Bayesian game theory
  5. strategy

Authors

Affiliations

Benjamin Edwards1
Information Security Group, IBM Research, Yorktown Heights, NY 10598;
Alexander Furnas
Department of Political Science, University of Michigan, Ann Arbor, MI 48109;
Stephanie Forrest
Department of Computer Science, University of New Mexico, Albuquerque, NM 87131;
Santa Fe Institute, Santa Fe, NM 87501;
Gerald R. Ford School of Public Policy, University of Michigan, Ann Arbor, MI 48109

Notes

1 To whom correspondence may be addressed.
Author contributions: B.E., A.F., S.F., and R.A. designed research, performed research, and wrote the paper.
Reviewers: R.A., University of Cambridge; M.B., University of California, Davis; and B.S., Harvard University.

Competing Interests

The authors declare no conflict of interest.
