Cyber Deterrence or

How We Learned to Stop Worrying and Love the Signal

by Jonathan William Welburn, Justin Grana, Karen Schwindt

Download eBook for Free

FormatFile SizeNotes
PDF file 1.7 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Traditional deterrence theory relies on numerous assumptions that in new domains of attack — especially computer networks — may no longer all be valid. One central assumption of traditional deterrence theory is having common knowledge of each actor's ability to retaliate effectively and accurately (i.e. with perfect attribution). Such an assumption is implausible in the domain of computer security. Instead, attribution is imperfect and it is difficult for each actor to know the retaliation capability of other actors with certainty. Motivated by these features of cyberattacks and retaliation, we examine a game of deterrence between an attacker and a defender. In the game, the attacker does not know the defender's ability to retaliate but only receives a (possibly noisy) signal from the defender. Similarly, the defender is not able to perfectly attribute an attack but only receives a noisy signal that provides information about the potential attacker. We show that it is never in the best interest of the defender to perfectly signal its retaliation capability. There are (possibly several) equilibria where the defender does not signal any information about its retaliatory capability. However, we show that there are equilibria in which the defender can strategically release noisy information that is imperfectly correlated with its retaliation capability to increase its expected payoffs. While we reveal cases where the defender can use signaling to deter an attacker, we also uncover a counter-intuitive "anti-deterrent" result that illustrates how the defender can increase its expected utility though signaling by inducing the attacker to attack more. The new contributions of this approach have important implication for cyber policy. We find that it is never in the best interest of the defender to signal truthfully, that an effective cyber policy must be flexible and amenable to change, that enhancing the strength of attribution may be the most powerful deterrence tool, and elucidate the curious value of anti-deterrence — a finding which suggests that policy makers should consider whether deterrence is the only option.

Table of Contents

  • Chapter One

    Introduction

  • Chapter Two

    Model Outline

  • Chapter Three

    Model Specification

  • Chapter Four

    Results and Analysis

  • Chapter Five

    Findings

  • Chapter Six

    Conclusion — Towards a Cyber Deterrence Policy

This research was sponsored by the Office of the Secretary of Defense and conducted within the Cyber and Intelligence Policy Center of the RAND National Defense Research Institute, a federally funded research and development center FFRDC.

This report is part of the RAND Corporation working paper series. RAND working papers are intended to share researchers' latest findings and to solicit informal peer review. They have been approved for circulation by RAND but may not have been formally edited or peer reviewed.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.