Would a 'cyber warrior' protect us: exploring trade-offs between attack and defense of information systems

As information security shifts from the realm of computer science to national security, the priority for safe and secure systems will be balanced against the appeal of using information insecurity as a strategic asset. In "cyber war", those tasked with defending friendly computer networks are also expected to exploit enemy networks. This paper presents two game-theoretic models of vulnerability discovery and exploitation, where nations must choose between protecting themselves by sharing vulnerability information with vendors or pursuing an offensive advantage while remaining at risk. One game describes a cold war of stockpiling; the other allows for actual attack. In both models, we predict that at least one state will have an incentive to pursue an aggressive cyber war posture, rather than secure its own systems. This finding -- that a mutually defensive approach to security is not a stable equilibrium -- holds up under a range of assumptions about social risk of cybercrime, technical sophistication, military aggressiveness and the likelihood of vulnerability rediscovery. We conclude with a discussion of the security policy implications of a militarized cyberspace.
