Would a ‘Cyber Warrior’ Protect Us? Exploring Trade-offs
Between Attack and Defense of Information Systems
[Position Paper]
Tyler Moore, Allan Friedman and Ariel D. Procaccia
Center for Research on Computation & Society, Harvard University
{tmoore,allan,arielpro}@seas.harvard.edu
ABSTRACT
As information security shifts from the realm of computer science to national security, the priority for safe and secure systems will be balanced against the appeal of using information insecurity as a strategic asset. In “cyber war”, those tasked with defending friendly computer networks are also expected to exploit enemy networks. This paper presents two game-theoretic models of vulnerability discovery and exploitation, where nations must choose between protecting themselves by sharing vulnerability information with vendors or pursuing an offensive advantage while remaining at risk. One game describes a cold war of stockpiling, the other allows for actual attack. In both models, we predict that at least one state will have an incentive to pursue an aggressive cyber war posture, rather than secure its own systems. This finding – that a mutually defensive approach to security is not a stable equilibrium – holds up under a range of assumptions about social risk of cybercrime, technical sophistication, military aggressiveness and the likelihood of vulnerability rediscovery. We conclude with a discussion of the security policy implications of a militarized cyberspace.
Categories and Subject Descriptors
J.4 [Computer Applications]: Social and Behavioral Sciences—Economics; K.4.1 [Computing Milieux]: Computers and Society—Public Policy Issues
General Terms
Economics, Security
1. INTRODUCTION
Computer scientists used to study information security by stating assumptions about the capabilities of an adversary and then building systems to protect against these assumptions. This approach worked well for the design of encryption algorithms and cryptographic protocols. However, it has not coped as well with the Internet’s rise, and the emergence of a strategic adversary capable of adapting to the chosen defenses. Instead, a new perspective was required, which has been met primarily by applying an economic perspective to information security [1]. Attackers and defenders are now understood as being locked in a strategic battle, where the incentives to disrupt and protect systems matter most. An economic approach has been especially helpful for dealing with the rise of the profit-motivated online criminal [6, 15].
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
NSPW’10, September 21–23, 2010, Concord, Massachusetts, USA.
Copyright 2010 ACM 978-1-4503-0415-3/10/09 ...$5.00.
In this paper, we argue that the paradigm is shifting once more. The existing literature has treated attack and defense as activities carried out by two mutually exclusive groups, the ‘good’ guys and ‘bad’ guys. In fact, the distinction between attacker and defender is becoming blurred in the context of cyber warfare. As the United States collects responsibility for cybersecurity at a national level under the unified Cyber Command, a single organization assumes responsibility for defending domestic Internet infrastructure and cyber resources, or attacking enemies through offensive operations. In this paper, we present a game-theoretic model that reflects this new paradigm and explores the strategic interactions of actors capable of both attack and defense.
1.1 Cyber Command
The strategic use of information technology in the national security context has traditionally been the domain of the National Security Agency (NSA), with an almost legendary capacity for offensive signals intelligence. The establishment of US Cyber Command reflects a compromise between internal forces inside the US national security community, including the desire to avoid duplication of the NSA’s technical capacities, the desire to accommodate new cyber-focused efforts inside the military, particularly the Air Force, and a need to balance legally defined boundaries between the civilian intelligence community and the offensive-focused defense community [4]. The newly created Cyber Command will be placed under the charge of the NSA director, and will coordinate cyber war units inside the armed forces. The goal is to cluster and coordinate US strategic cybersecurity capacity to concentrate efforts in prosecuting national security policy with a united purpose.
Cyber Command, as a single organization, will have to navigate a number of challenging technical and policy hurdles, many of which have been discussed elsewhere [5, 11]. Of particular importance to this paper is the challenge of defending information security systems while still maintaining an offensive readiness. The National Military Strategy for Cyberspace Operations places a strategic priority on “maintaining a robust defense of cyberspace while exploiting ad-