Traditional deterrence theory relies on numerous assumptions that in new domains of attack — especially computer networks — may no longer all be valid. One central assumption of traditional deterrence theory is having common knowledge of each actor's ability to retaliate effectively and accurately (i.e. with perfect attribution). Such an assumption is implausible in the domain of computer security. Instead, attribution is imperfect and it is difficult for each actor to know the retaliation capability of other actors with certainty. Motivated by these features of cyberattacks and retaliation, we examine a game of deterrence between an attacker and a defender. In the game, the attacker does not know the defender's ability to retaliate but only receives a (possibly noisy) signal from the defender. Similarly, the defender is not able to perfectly attribute an attack but only receives a noisy signal that provides information about the potential attacker. We show that it is never in the best interest of the defender to perfectly signal its retaliation capability. There are (possibly several) equilibria where the defender does not signal any information about its retaliatory capability. However, we show that there are equilibria in which the defender can strategically release noisy information that is imperfectly correlated with its retaliation capability to increase its expected payoffs. While we reveal cases where the defender can use signaling to deter an attacker, we also uncover a counter-intuitive "anti-deterrent" result that illustrates how the defender can increase its expected utility though signaling by inducing the attacker to attack more. The new contributions of this approach have important implication for cyber policy. We find that it is never in the best interest of the defender to signal truthfully, that an effective cyber policy must be flexible and amenable to change, that enhancing the strength of attribution may be the most powerful deterrence tool, and elucidate the curious value of anti-deterrence — a finding which suggests that policy makers should consider whether deterrence is the only option.
Table of Contents
Results and Analysis
Conclusion — Towards a Cyber Deterrence Policy