States are stuck in a “cybersecurity dilemma”. They can’t reliably distinguish between other states’ offensive and defensive activities. E.g., surveillance or probing being used by a state for defense might look like offensive measures to those states being surveilled or probed. As a result, cyber powers engage in a never ending ratcheting up of attacks threatening each other and the broader Internet. Given this seemingly intractable situation, how can we defuse it? In this post, we lay out the cybersecurity dilemma as a strategic game and look at one proposed solution. We then suggest a way to alter the payoffs by using alternative governance structures dealing with attribution and network monitoring.
The cybersecurity dilemma can be viewed as a strategic game (Figure 1). While states (and the broader Internet) would benefit mutually by defending (cell a), in the absence of knowledge of what your opponent is doing, the payoff for each state of attacking is greater regardless of what your opponent does (cells b, c). Therefore, the equilibrium of the game is that players are more likely to continue to attack rather than defend.
|(a) 2, 2
|(b) 0, 3
|(c) 3, 0
|(d) 1, 1
Figure 1: Cybersecurity dilemma game
How can we shift the payoffs, thereby increasing the probability that states will defend? In other words, how do we shift states to cell (a)? One suggestion is using the traditional statecraft to increase trust between states to reduce the probability of them attacking one another. This, in effect, increases a state’s knowledge of what its opponent might do. While diplomacy could work, this proposal suffers from several problems. It relies on the fuzzy concept of trust – what is it, how is it enforced? Maybe states could act credibly and enshrine their arrangement in some hierarchical governance structure, e.g., a bilateral treaty or some other instrument. However, despite the best intentions, ex ante institutions can be (and often are) ignored or broken as political, economic, technological, or other conditions change. This approach also leaves states in control of the outcome, despite the externalities for non-state actors (e.g., network operators) and the Internet. Critically, a diplomatic solution doesn’t address the underlying incentives at work. To do that, it makes more sense to 1) raise costs (decrease the payoff) of attacking, and 2) lower costs (increase the payoff) of defending. How do we do this? We believe it’s through other governance structures.
Raising the cost of attacking
The first objective could be achieved by creating a new networked governance structure, specifically a non-governmental, authoritative attribution organization. There have been a handful of proposals for an attribution organization. These include: a multilateral “attribution and adjudication council for cyber attacks rising to the [legal] level of ‘armed conflict’” (Healy, et al., 2014); “a Global Cyber Attribution Consortium” based on non-state actors (Microsoft, 2017; Davis, et al., 2017); and an “independent, international cyber court or arbitrage method that deals only with government-level cyber conflicts” (Chernenko et al., 2018). Most recently, the NSA’s general counsel has renewed the call for a national cyber strategy which emphasizes that organization’s role in attribution:
“Attribution of malicious cyber activity should be incorporated in a national cyber strategy. Attribution often requires the expertise of various government components; however, primary responsibility for coordinating efforts to attribute malicious cyber activity could be centralized within one agency. Regardless of how a national cyber strategy assigns this function, I would expect NSA to have an important role to play in the execution of this function, given the agency’s expertise in this area.”
Each proposal offers different scopes of activity for a cyber attribution organization and pushes for dramatically different structures, e.g., national or multilateral vs. non-governmental, or hierarchical vs. networked governance structure. Davis, et al. (2017) make powerful arguments why states have conflicting incentives in an attribution organization and caution against their participation. We couldn’t agree more, state participation in the organization’s decision making (other than providing evidence of an attack for evaluation) would be a non-starter for other states.
But a global, non-governmental, authoritative attribution organization, where interdependent private actors voluntarily opt for collaboration in the absence of overarching authority could raise the costs of attacking. First, it would do so by offering public evidence and authoritative assessment. This would counter the frequent competing theories of attacks which offer plausible deniability but are unproven. Second, authoritative attribution would allow the victim to respond justifiably and with appropriate measures to an attack. These measures could take a variety of forms from legally based actions like lawsuits or sanctions to even, in the extreme, military force.
Lowering the cost of defense
The second objective is well underway in another governance structure, the cybersecurity market sector of network analytics and monitoring. That market sector is growing substantially, projected conservatively by some to be $11B in 2019, with CAGR rates anywhere from 15% to 26%. E.g., techniques like reverse engineering and machine learning to identify algorithmically generated domains used in malicious threats are being integrated into carrier and enterprise networks worldwide. We see this in the acquisitions in the past couple years of DNS companies like OpenDNS and Nominum by Cisco and Akamai, respectively. These services allow easier, more widespread, and effective network defense. Moreover, there are strong economic incentives at work. Network operators spend far more on these measures than the states that use these networks. Case in point, a presentation at the recent RSA conference stated “that 3 or 4 of the top banks spend more on cybersecurity than DHS and FBI combined.”
Together, these governance structures could increase attacking costs and lower defending costs, resulting in new payoffs for states as Figure 2 shows. The payoffs shifting alter the equilibrium of the game, with states now more likely choosing to defend instead of attack.
|(a) 3, 3
|(b) 1, 2
|(c) 2, 1
|(d) 0, 0
Figure 2: A new cybersecurity game
Admittedly, this is a simplified representation. But in assessing the cybersecurity dilemma and the way to get out of it, it is helpful to think of the ways actors’ payoffs would be affected by various solutions. Thinking strategically also uncovers who would be opposed to any proposed changes. E.g., it’s pretty clear that states with stronger offensive capabilities would be opposed to higher attacking costs. How might they oppose it? Suggestions for a national or multilateral attribution organization of allied states, where outcomes could be influenced to their advantage, seems a likely place to start.