University of Michigan researcher uses game theory to craft cyberwarfare strategies

Robert Axelrod, a political scientist at the University of Michigan, along with colleagues from the University of New Mexico and IBM Research has developed a new framework that can guide countries on the appropriate measures to retaliate cyber attacks. The framework is called the “Blame Game”. Axelrod is famous for solving a version of the prisoner’s dilemma, a classic game theory scenario.

The new study, published in the Proceedings of the National Academy of Sciences  explores when cyber attacks should be ignored, and when and how to respond to them, using game theory. The researchers used historic examples to illustrate how the framework could have been applied to previous cyber attacks from the US, Russia, China, Iran, Israel, Japan and Syria.

Stephanie Forrest, a distinguished professor at the University of New Mexico said, “Conflict is increasingly common and severe on the internet today, as governments and corporations have recognised its potential as an instrument of power and control. Unlike nuclear technology, it can be extremely challenging to identify the party responsible for a cyber attack, and this complicates the strategic decision of when to assign blame. Our model elucidates these issues and identifies key parameters that must be considered in formulating a response.”

In many situations, it is prudent for nations to tolerate cyber attacks, even when facing strong public criticism. For example, if the attacker is not vulnerable, it is better off not to blame anyone, and create a situation where a counter-attack or retaliation of some form is expected. Blame Game formulates a series of questions that an attacked country can ask before coming up with a response.

The questions are, is the attacker vulnerable? Vulnerability can be in many forms, including exposure to cyber attacks, or in a difficult geopolitical position where the attacking country cannot afford to be blamed for a cyber attack. Next comes the question, is the cost of a blaming more than the cost of doing nothing? If an attacker is vulnerable, they should always be blamed for the attack.

The next question to ask is switch sides and ask if the enemy knows that a country is vulnerable to blame, and if the intended target is aware of this. If the answer to either question is no, then attacking would be the right response. While the questions are easy, the answers are not always easy considering the varying tolerances for cyber attacks, and different definition for what constitutes as critical infrastructure.

“It’s certainly possible that cyber attacks could be used in a much larger way than we’ve seen yet. It pays to try to understand as much as we can about the incentives and dynamics so we can think about how to prevent them. We hope our model will help policymakers identify gaps in their knowledge and focus on estimating parameters in advance of new cyber attacks,” Axelrod said.