6th European Conference - Academic Conferences
Merritt Baer
Effective cyberintrusion defenses are analogous to the epidemiological model for responding to an invader.
Some have warned of a “cyber pearl harbor”; this seems too kinetic-world to form an accurate
description of the threat. As Giesler asserts, we ought to be talking about cyber-destruction like a
cancer—“you already have it, it’s hard to detect, it may be fatal but it’s also treatable.” It may be that
the best responses to cyberwar are not found by studying war—at least not the ones in our history
books involving cannons or tanks.
Similarly, rather than a process of continual growth, cyber evolution, like biological evolution, seems
more aptly characterized as punctuated equilibrium—fairly long periods of relative stasis followed by
quick, drastic periods of breakthrough. (An example of a breakthrough in the cyber context could be
the advent of cloud computing.) Correspondingly, one of the reasons why reaching Nash equilibrium
is unlikely in the cyberwar context is that under unstable conditions, evolutionarily stable strategies
don’t run a typical course. As evolutionary biologist Klaus Rohde (2005: Appendix 3) writes, “frequent
and drastic abiotic and biotic changes in the environment which affect the fitness (reproductive
success) of potential contestants in evolutionary ‘games,’ will make it more difficult to establish
evolutionary stable strategies, because the establishment of an ESS cannot keep up with the
changes.” Because cyber evolution is not linear but organic, it forces us to treat it according to the
economics of biology. The DNI’s “Vision 2015” report addresses the deliverables aspect of this: “We
cannot evolve into the next technology ‘S curve’ incrementally; we need a revolutionary approach.
Breakthrough innovation, disruptive technologies, and rapid transition to end-users will be required…”
Applying game theory to cyberwarfare strategy allows us to make predictions that transcend lockstep
models, that change based on resources, and that take into account other players’ strategies and
environmental conditions. Thus, while there is no solution nor even an accurate map of potential
moves in game theory, it seems yet to be our best tool for transcending the perpetual reactiveness
that has characterized cyber- information security efforts.
5. Uses of game theory
5.1 Layered defense
While cyberwar strategy is a game of imperfect information, there are always choices available, and
the vulnerabilities associated with each choice are not random but are often knowable or predictable,
at least to some extent. We know that the risks of using open-source materials lie in their lack of
restriction; we know that the weakness of highly classified, air-gapped (or in
Zittrain-speak, “tethered”) networks comes from a loss of functionality and “generativity.” Diversity and
interoperability are tradeoffs, as are embrittlement and toughening. These are zero-sum games; but
the overall strategy is not. While one cannot create a network that is maximally resistant to random
faults and maximally resistant to targeted faults, one can take into account the particular weaknesses
and likelihoods of attack so that the weaknesses overlap in resistant ways, ways that correspond to
risk preferences and security priorities. As the banking and credit card systems have worked to create
overall robustness through non-overlapping weaknesses, other providers (including infrastructural)
should be able to create calculated layers of defense if there were coordination and appropriate
budgeting.
5.2 Identifying nodes robustly
In game theory, the identification of possible choices is termed alpha-beta pruning—there is not an
unlimited number of desirable outcomes, and therefore there is not an unlimited number of choices. One
can prune down the number of nodes evaluated in the search tree. Alpha-beta pruning represents the
fact that as soon as one move can be proven less desirable than another, it need not be further
evaluated. One’s search can then steer toward the more promising subtree(s), creating an optimal
search path.
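
The pruning described above, as an added example that is not from the paper: a two-ply defender/attacker tree searched with exhaustive minimax and with alpha-beta, counting how many leaves each evaluates. The posture names, attacker responses, and payoff values are constructed assumptions.

```python
import math

# Constructed game tree (illustrative payoffs, not taken from the paper).
# The defender moves first and maximizes; the attacker replies and minimizes.
# Leaves are the defender's payoff on an arbitrary 0-10 scale.
TREE = {
    "segment network": {"phishing": 3, "supply chain": 5, "insider": 4},
    "patch faster":    {"phishing": 2, "supply chain": 6, "insider": 7},
    "add monitoring":  {"phishing": 1, "supply chain": 8, "insider": 9},
}


def minimax(node, maximizing, stats):
    """Exhaustive search: every leaf is evaluated."""
    if not isinstance(node, dict):
        stats["leaves"] += 1
        return node
    values = [minimax(child, not maximizing, stats) for child in node.values()]
    return max(values) if maximizing else min(values)


def alphabeta(node, maximizing, stats, alpha=-math.inf, beta=math.inf):
    """Same result as minimax, but a branch is abandoned as soon as it is
    proven no better than an option already found."""
    if not isinstance(node, dict):
        stats["leaves"] += 1
        return node
    best = -math.inf if maximizing else math.inf
    for child in node.values():
        value = alphabeta(child, not maximizing, stats, alpha, beta)
        if maximizing:
            best = max(best, value)
            alpha = max(alpha, best)
        else:
            best = min(best, value)
            beta = min(beta, best)
        if alpha >= beta:  # remaining siblings cannot change the decision
            break
    return best


def compare(tree):
    """Return ((value, leaves), (value, leaves)) for minimax and alpha-beta."""
    full, pruned = {"leaves": 0}, {"leaves": 0}
    return ((minimax(tree, True, full), full["leaves"]),
            (alphabeta(tree, True, pruned), pruned["leaves"]))


if __name__ == "__main__":
    print(compare(TREE))
```

Both searches select the same posture value; alpha-beta drops the second and third postures after a single attacker reply each, because that reply already scores below the first posture's guaranteed payoff.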
To do this effectively first requires diversity and creativity—that is, the ability to identify many possible
nodes. Defense Secretary Robert Gates stated that the Pentagon is “desperately short of people who
have capabilities (defensive and offensive cybersecurity war skills) in all the services and we have to
address it.” (Booz Allen 2009: 1). The key human-side aspect of cyberwar strategy is to effectively
uncover all possible decision paths, which requires foundationally that the Department of Defense do
a more effective job of recruiting and retaining diverse talent.