Cyber-sword v. cyber-shield:
The Dynamics of US Cybersecurity Policy Priorities
Allan Friedman, Tyler Moore, and Ariel D. Procaccia
Center for Research on Computation & Society, Harvard University
{allan, tmoore, arielpro}@seas.harvard.edu
ABSTRACT
Recent efforts to address cybersecurity risks have focused on
leveraging the immense technical capacity of the American
intelligence community to protect the nation’s information
technology infrastructure, and to project power in a new
domain. This creates a potential conflict of interest: the
joint duties of breaking into foreign systems while securing
our own raise questions about competing goals. This paper
highlights that tension, and introduces two game-theoretic
models of the strategic decisions faced in security vulnerability
discovery and disclosure. The country must both protect
itself in the new domain and pursue an offensive advantage
while still remaining at risk. One game describes a cold war
of stockpiling, while the other allows for actual attack. In
both models, we predict that at least one state will have an
incentive to pursue an aggressive cyber war posture, rather
than secure its own systems.
This finding – that a mutually defensive approach to security
is not a stable equilibrium – holds up under a range of
assumptions about social risk of cybercrime, technical
sophistication, military aggressiveness and the likelihood of
vulnerability rediscovery. The model can also be used to
explore the broader national and international cybersecurity
context, including explaining some observed behaviors, and
make predictions about the effects of different policy
interventions. Recognizing that securing our infrastructure
should be a priority for cyber policy makers, we propose
policy recommendations that create the opportunity for more
defensive equilibria to take hold.
1. INTRODUCTION
As more attention is paid to cybersecurity, policy researchers
must understand the range of policy options and have the
tools to evaluate policy proposals and understand how
decisions at the forefront of national policy will impact
the broader world of information technology.
The question of governance in the cyber domain is
particularly complex.
The issues span the boundaries of public and private, civilian
and defense, virtual and concrete. This paper ties a
set of specific management decisions in a new cybersecurity
organization, United States Cyber Command, to the
broader challenge of securing the IT infrastructure on which
our modern economy runs. Cyber Command occupies the
central national role in both cyber defense and cyber
offense. We argue that the nature of cybersecurity imposes a
trade-off on those two goals, and that how the trade-offs play out
depends on the strategic interactions of the players involved.
Game theory modeling can help us understand how the joint
cybercommand is likely to impact the overall security of the
national–and indeed the global–information infrastructure.
Moreover, it can be used to study the incentives of the
actors involved and identify and evaluate cybersecurity policy
options.
It is important to state upfront that this paper is not
explicitly about deterrence. The challenges and promises of
adapting traditional deterrence theory to cybersecurity have
been explored elsewhere [14], [10]. Moreover, there is little
consensus on the validity of deterrence games in other
settings, and they tend to be driven by strong behavioral
assumptions [27]. Nor is this paper a discussion of the legal
intricacies and uncertainties that have emerged with the
new cyber domain [24]. Instead, this paper seeks to highlight
a key tradeoff that must be made in mapping out the
nation’s cybersecurity policy: how do we balance the ability
to project power in the cyber domain with the ability to
protect our own information systems?
As the United States collects responsibility for cybersecurity
at a national level under the unified Cyber Command,
a single organization assumes responsibility for defending
domestic Internet infrastructure and cyber resources, and
deterring or attacking enemies through offensive operations.
In this paper, we present a game-theoretic model that reflects
this new paradigm and explores the policy challenges
that arise from this tension. Following a motivating discussion
further expanding on how attack and defense may serve
conflicting purposes, we present the modeling approach and
explain the assumptions on which it is built. In Sections 4
and 5, we present a detailed explanation of each game and
derive the equilibria predicting how the United States would
behave in response to an adversary under certain conditions. We
then explore the policy implications of these games, and propose
a set of recommendations on policies that support and
guide strategic decision making for a more secure internet.
A more technical version of this paper will be presented at the New
Security Paradigms Workshop in Concord, MA, Sept 21, 2010