Cyberattacks have damaged an Iranian uranium enrichment facility, brought a multinational oil company’s operations to a halt, and stolen the personnel files of millions of U.S. federal employees. But the best way to deal with these internet perpetrators may be to let them get away with it, according to new research. In some cases, scientists have found, assigning blame publicly leaves the victim worse off.
The counterintuitive finding stems from a study sparked by the U.S. government’s claim that North Korea was responsible for hacking Sony Pictures in 2014. The attack exposed confidential information in an effort to blackmail the company into pulling the plug on the film The Interview, which poked fun at North Korea. The U.S. government’s reluctance to provide evidence for its accusation left many cybersecurity experts skeptical. This placed the government in the difficult position of choosing between exposing intelligence sources and having its credibility and motives questioned.
To figure out why pointing the finger in cyberattacks is not always the right move, political scientist Robert Axelrod of the University of Michigan in Ann Arbor and postdoctoral researcher Benjamin Edwards of IBM Research in Yorktown Heights, New York, turned to game theory—the mathematical modeling of competition and cooperation among people, organizations, or governments. They and other researchers have used game theory to study how to carry out and defend against cyberattacks, but the new research takes a broader approach by also factoring in the attacker’s and victim’s political strengths and weaknesses and how much they know about each other. “We’re trying to incorporate that uncertainty and that political climate into the game as well,” Edwards says.
The team developed a model that was informed by not only the 2014 Sony attack, but also the theft of security clearance–related information for 21.5 million current and former government employees from the U.S. Office of Personnel Management, allegedly carried out by Chinese nationals in 2014 and 2015, and the stealing of electronic files from the Democratic National Committee during the 2016 presidential election that the Central Intelligence Agency attributed to the Russian government.
The scientists developed a game, dubbed the blame game, involving two players. Player A chooses whether to attack player B, and player B chooses whether to blame player A for the attack. Each player can be one of two types. A can either care whether B blames it or not care, and B can either know whether A cares about being blamed or not know. The model calculates how much each side gains and loses from an attack and from the decision to cast blame or not. For example, choosing not to cast blame for a known attack could cost the victim in the form of a public outcry.
In cases where the attacker’s domestic and international political standing wouldn’t take much of a hit from being blamed, it makes sense for the victim to refrain from making a public accusation even in the face of criticism for inaction, the team reports in the Proceedings of the National Academy of Sciences. For example, Iran did not publicly blame the United States and Israel, the presumed perpetrators of the Stuxnet computer virus attack on an Iranian nuclear facility in 2009 and 2010, because the Iranian government likely recognized that the two countries would be able to brush off Iran’s recriminations. Given that Iran has limited capacity for retaliating and preventing future attacks, blaming the United States and Israel would make Iran look weak.
“If they scream publicly but can’t back that up, they incur loss of status,” says Howard Shrobe, a cybersecurity researcher at the Massachusetts Institute of Technology in Cambridge who was not involved in the study. “In some cases not even acknowledging the attack is the best strategy.”
Another risk in casting blame is exposing the victim’s intelligence capabilities for little gain, says Herbert Lin, a cybersecurity researcher at Stanford University in Palo Alto, California. The new study’s game theory approach does an admirable job of clarifying the nature of the trade-offs involved in weighing whether to commit a cyberattack and whether and how to respond to one, he says.
“That kind of analysis is very important to policy planners, because it can help us avoid putting resources where they’re not going to matter very much,” Shrobe says. “Frankly, it’s something I was hoping would be done for quite some time now.”