SoylentNews

c0lo writes:

Press release on UMich site reports on a game theory model designed to help decision makers in deciding whether to publicly blame the suspects of a cyber-attack or keep mum.

On one extreme, stealing secrets from Sony was positive for North Korea; because the country has little to hack, publicly announcing that they were the perpetrators only served to bolster their creds. On the other extreme, when hackers broke into the accounts of celebrities, the publicity surrounding the event helped identify the perpetrators; when caught and sentenced to jail, it sends a clear message to others willing to try the same.

The "Blame Game" was developed in part by Robert Axelrod, a University of Michigan political scientist who is well known for solving a version of the classic game theory scenario known as "the prisoner's dilemma."

The new study, published in Proceedings of the National Academy of Sciences this week, examines when a victim should tolerate a cyber attack, when a victim should respond—and how. The researchers, including others from the University of Michigan and their colleagues at the University of New Mexico and IBM Research, use historical examples to illustrate how the Blame Game applies to cases of cyber or traditional conflict involving the United States, Russia, China, Japan, North Korea, Estonia, Israel, Iran and Syria.
...
"Unlike nuclear technology, it can be extremely challenging to identify the party responsible for a cyber attack, and this complicates the strategic decision of when to assign blame. Our model elucidates these issues and identifies key parameters that must be considered in formulating a response."
...
"You might think you should always publicly blame and retaliate in a cyberwarfare situation," Axelrod said. "But that's not true. The reason it's not is that the attacker may not be vulnerable. It may not matter whether they're blamed or not. And if that's true, you might be in a situation where if you assign blame, your own people would expect you to do something, but there's nothing you can do."
...
Blame Game offers a series of questions that policymakers can ask as they work through how to respond to a cyber attack. Victims should first ask: Do I know if my attacker is vulnerable?
...
If the victim knows that the attacker is vulnerable, the framework moves to the next question: Is the cost of doing nothing higher than the cost of blaming? Nations should always assign blame if the attacker is vulnerable.

Victims can next determine whether to counter attack, switching sides in the game theory model. Questions potential attackers should ask are: Am I vulnerable to blame? If I am, does my intended victim know this? If the answer to either question is no, an attack may be the right option.

While the questions are straightforward, the researchers say the answers are not.

Ummm... not quite clear what the "blame game" would recommend for the, say, the Target hacking back in 2013. I guess Target's management would have loved to keep mum about the incident.

Original Submission