Motivating Examples

Two key features of our model are the endogenous strategic complementarity among attackers and the decomposition of attribution problems into false alarms, detection failures, and misidentification. Each of these features of the model is reflected in real-world cyber incidents.

The strategic complementarity mechanism—“less suspect” attackers’ desire to hide their attacks behind “more suspect” attackers—is reflected in many incidents. It is perhaps most clearly evident in false-flag operations. According to American authorities, the Russian military agency GRU executed a cyberattack during the opening ceremony of the 2018 Pyeongchang Winter Olympics. The GRU used North Korean IP addresses to deflect suspicion onto North Korea (Nakashima Reference Nakashima2018), which was already highly suspect because of its hack of Sony Pictures and a variety of other cyber operations. Similarly, the National Security Agency reports that Russian hackers used Iranian tools to infiltrate organizations in the Middle East in an effort to hide their origin, exploiting Iran’s reputation as a significant cyber aggressor (National Cyber Security Center 2019). These examples illustrate our mechanism: the high level of cyber activity of North Korea and Iran reduced Russia’s costs from cyberattacks, which contributed to making Russia more aggressive.

The Stuxnet worm was used to disrupt the Iranian nuclear facility at Natanz by causing centrifuges to malfunction over the course of more than a year. During the attack, the Iranians believed the problems with their centrifuges were the result of faulty parts, engineering incompetence, or domestic sabotage (Singer and Friedman Reference Singer and Friedman2014). Stuxnet was eventually uncovered not by the Iranians but by European cybersecurity researchers who found a worm that was infecting computers all over the world but was configured to do damage only in very specific circumstances tailored to the facility at Natanz. This was a startling case of detection failure.

In 1998, the United States Department of Defense discovered attacks exploiting operating system vulnerabilities to retrieve sensitive data from military computer networks. The US was preparing for possible military action in support of UN weapons inspections in Iraq, and the cyberattacks emanated from Abu Dhabi. A Department of Defense investigation, called Solar Sunrise, initially attributed the attacks to Iraq, and the US went so far as to send a strike team to Abu Dhabi. Ultimately, the attacks turned out to be the work of three teenagers in San Francisco and Israel (Adams Reference Adams2001; Kaplan Reference Kaplan2016). Conversely, the hacking of the Democratic National Committee servers during the 2016 presidential election was initially attributed to a lone Romanian hacker who went by the moniker Guccifer 2.0. Later, US authorities determined the hack was perpetrated by Russian security agencies trying to cover their tracks by pretending to be Guccifer 2.0 (ThreatConnect 2016). These are cases of misidentification.

Finally, the Democratic National Committee notified the FBI that it had detected what appeared to be an attempt by Russian hackers to infiltrate its voter database in the run-up to the 2018 US midterm elections, but the “attack” turned out to be the work of hackers hired by the Michigan Democratic Party to simulate a Russian incursion (Sullivan, Weiland, and Conger Reference Sullivan, Weiland and Conger2018). This perceived attack was thus a false alarm.

Cyberwarfare Policy Debates

Two advances relative to current policy debates relate directly to strategic complementarity.

First, the policy debate has tended to proceed in bilateral terms. In his “mosaic model” of cyberdeterrence, Buchanan (Reference Buchanan2014, 133) breaks from traditional deterrence theory by providing a typology of cyberattacks and appropriate responses. But he nonetheless analyzes deterrence adversary-by-adversary: “what deters the Chinese might not deter the Russians, and vice versa.” Likewise, while the 2018 U.S. National Defense Strategy notes the emergence of threats from rogue states and non-state actors, it nonetheless proposes a “focus … on the States that can pose strategic threats to U.S. prosperity and security, particularly China and Russia,” (Department of Defense 2018). By contrast, our analysis suggests bilateral cyberdeterrence is ineffective: if the US focuses only on China and Russia, this encourages belligerence by other actors, which in turn makes the Chinese and Russians less suspect and hence creates new opportunities for them as well.

Second, the literature has typically conceptualized attribution as an almost exclusively technical problem. Rid and Buchanan (Reference Rid and Buchanan2015, 7) call for a more nuanced approach in which attribution is understood to be both probabilistic and strategic—“attribution is what states make of it.” But even they focus on the technological inputs to the attribution process, leaving strategy aside. By contrast, our model highlights how attribution is fundamentally both technical and strategic: the probability that the (Bayesian) defender attributes an attack to a particular adversary depends on both technological inputs (modeled as the defender’s signals) and the underlying strategic environment (equilibrium conjectures about different adversaries’ behavior). The latter input is what drives strategic complementarity, and it is absent from existing discussions.

Our results also speak to a range of policy questions. If cyberattacks could be perfectly detected, then deterrence in cyberspace would be no more difficult than in other domains. As such, a natural intuition is that improving attribution improves deterrence. According to the Department of Defense’s (2015) official Cyber Strategy,

And commenting on U.S. investments in improved attribution, then Secretary of Defense Leon Panetta warned, “Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America” (Panetta Reference Panetta2012).

These proclamations do not distinguish between different types of attribution errors. Our analysis will show that whether improvements in attribution unambiguously improve deterrence or can instead backfire depends crucially on our classification of attribution problems.

In our applications discussion, we first analyze when and whether non-cyber weapons should be used to respond to a cyberattack (Hathaway et al. Reference Hathaway, Crootof, Levitz, Nix, Nowlan, Perdue and Spiegel2012; Libicki Reference Libicki2009; Lin Reference Lin2012). As early as 2011, the Obama administration declared, “the United States will respond to hostile acts in cyberspace as we would to any other threat to our country… . We reserve the right to use all necessary means—diplomatic, informational, military, and economic” (United States 2011). In 2018, the Trump administration extended this logic and declared that the United States might respond to a cyberattack with nuclear weapons (United States 2018). In 2019, Israel became (apparently) the first state to respond to a cyber threat with direct military force, bombing a facility that allegedly housed Hamas hackers.Footnote ² We show that the defender always benefits from gaining access to a new retaliatory weapon that is more destructive than all previously feasible means of retaliation; in contrast, gaining access to a less destructive weapon can sometimes undermine deterrence.

We then consider the possibility of “false-flag” operations. These let states dodge accountability for cyberattacks either by mimicking another state or by pretending to be the victim of mimicry, exacerbating the attribution problem (Bartholomew and Guerrero-Saade Reference Bartholomew and Guerrero-Saade2016; Singer and Friedman Reference Singer and Friedman2014). We extend our model to allow one attacker to attempt to mimic another. We find that more aggressive attackers are more likely to be mimicked, as are attackers whose attacks are easier to detect and attribute.

Finally, policy discussion increasingly calls for states to clearly articulate their cyberdeterrence policies (Glaser Reference Glaser2011) because it is believed that “[t]he lack of decisive and clearly articulated consequences to cyberattacks against our country has served as an open invitation to foreign adversaries and malicious cyber actors to continue attacking the United States.”Footnote ³ Building on intuitions from traditional deterrence theory, recent arguments call for a cyber-retaliation doctrine that is more aggressive across the board (e.g., Clarke and Knake Reference Clarke2010; Hennessy Reference Hennessy2017). We characterize the optimal deterrence policy when the defender can commit to a retaliatory strategy and show that the optimal doctrine is more nuanced: while the defender should retaliate more aggressively after some types of attacks, retaliation should not necessarily increase after every attack. In particular, it may be optimal to retaliate less aggressively following attacks whose attribution is particularly ambiguous. In addition, notwithstanding the Department of Defense’s call to focus on Russia and China, the optimal cyber doctrine does not call for increased aggressiveness against a defender’s most aggressive adversaries—rather, it calls for increased aggressiveness against the most deterrable adversaries, where an adversary is deterrable if its attacks are particularly easy to attribute (e.g., it is technologically limited, or other countries are not trying to mimic it) or it is particularly responsive to a marginal increase in retaliation (e.g., due to its own cyber vulnerability or domestic political considerations).

Alternative Applications and Theoretical Literature

While attribution problems are endemic to cyberwarfare, they also arise in many other environments where deterrence matters. Even in conventional warfare, it is sometimes difficult to determine who initiated a given attack.Footnote ⁴ The problem is amplified in counterinsurgency, where often multiple competing factions could be responsible for an attack (Berman, Shapiro, and Felter Reference Berman2011; Shaver and Shapiro Reference Shaver and Shapiro2016; Trager and Zagorcheva Reference Trager and Zagorcheva2006). Turning to non-conflict environments, it is possible to measure pollution, but it may be difficult to assign responsibility to one potential polluter over another (Segerson Reference Segerson1988; Weissing and Ostrom Reference Weissing, Ostrom and Selten1991). Similar issues arise in other areas of law and economics (Lando Reference Lando2006; Png Reference Png1986; Shavell Reference Shavell1985; Silva Reference Silva2016).

A large literature explores aspects of deterrence other than the attribution problem. Schelling (Reference Schelling1960) explained the logic of deterrence and the importance of commitment. Jervis (Reference Jervis1978) elucidated the “security dilemma,” which applies to cyberwarfare as much as conventional warfare (Buchanan Reference Buchanan2017). The security dilemma has been formalized using the idea that arms might be strategic complements (Baliga and Sjöström Reference Baliga and Sjöström2004; Chassang and Padró i Miquel Reference Chassang and Miquel2010; Kydd Reference Kydd1997). For example, Chassang and Padró i Miquel (Reference Chassang and Miquel2010) show that, in a coordination game, arms acquisition can increase preemptive incentives to go to war faster than it strengthens deterrence. Acemoglu and Wolitzky (Reference Acemoglu and Wolitzky2014) incorporate an attribution problem into a dynamic coordination game with overlapping generations. A player does not know whether an ongoing conflict was started by the other “side” or by a past member of his own side. This leads to cycles of conflict as players occasionally experiment with peaceful actions to see if the other side plays along. Another literature explores how the threat of retaliation can be made credible, including the role played by both domestic politics and reputation (see, for example, Di Lonardo and Tyson Reference Di Lonardo2018; Fearon Reference Fearon1997; Gurantz and Hirsch Reference Gurantz2017; Powell Reference Powell1990; Smith Reference Smith1998). We abstract from these themes in order to focus on the implications of attribution problems for deterrence with multiple attackers.

Our model also relates to the literature on inspection games. In such a game, an inspectee may or may not act legally, and an inspector decides whether to call an alarm as a function of a signal of the inspectee’s action (see Avenhaus, von Stengel, and Zamir Reference Rudolf, von Stengel, Zamir, Aumann and Hart2002 for a survey). This literature usually allows only one inspectee, though some of our comparative statics results also apply to that case. In particular, we show that a Blackwell improvement in information can make the defender worse off (without commitment)—this appears to be a novel result for inspection games. Some inspection game models do allow multiple inspectees, but these models study issues other than attribution, such as the allocation of scarce detection resources across sites (Avenhaus, von Stengel, and Zamir Reference Rudolf, von Stengel, Zamir, Aumann and Hart2002; Hohzaki Reference Hohzaki2007).

Inspection games appear in economics in the guise of “auditing games,” where a principal tries to catch agents who “cheat.” These games have many interesting features. For example, the principal might commit to random audits to save on auditing costs (Mookherjee and Png Reference Mookherjee and Png1989). The principal also faces a commitment problem, as she may not have an incentive to monitor the agent ex post (Graetz, Reinganum, and Wilde Reference Graetz1986; Khalil Reference Khalil1997). However, the attribution problem we study does not arise in these models.

Interpreting the attackers in our model as criminal suspects and the principal as a judge who seeks to punish the guilty but not the innocent, our model relates to law and economics. The traditional approach to deterrence in this area assumes full commitment and ex post indifference between convicting innocent suspects and guilty ones (Polinsky and Shavell Reference Polinsky and Shavell2000). Moreover, it does not fully model the strategic interaction among multiple possible offenders, taking into account that the equilibrium behavior of one offender affects how likely the judge is to assign guilt to other attackers.Footnote ⁵

There is also a literature on “crime waves” that models crime as a game of strategic complements among criminals: the more crimes are committed, the more law enforcement resources are strained, and the greater the incentive to commit additional crimes (Bar-Gill and Harel Reference Bar-Gill and Harel2001; Bassetto and Phelan Reference Bassetto and Phelan2008; Bond and Hagerty Reference Bond and Hagerty2010; Ferrer Reference Ferrer2010; Freeman, Grogger, and Sonstelie Reference Freeman, Grogger and Sonstelie1996; Glaeser, Sacerdote, and Scheinkman Reference Glaeser, Sacerdote and Scheinkman1996; Sah Reference Sah1991; Schrag and Scotchmer Reference Schrag and Scotchmer1997). This complementarity is related to the one in our model, if we interpret the defender’s supply of “suspicion” as a fixed resource: the more one attacker attacks, the more suspect he becomes, and the less suspicion is left for other attackers. However, the crime-waves literature emphasizes the possibility of multiple equilibria with different levels of crime, while our model has a unique equilibrium. This is because suspicion is a special kind of resource, which responds to the relative attack probabilities of different attackers rather than the absolute attack probabilities: if all attackers double their attack probabilities, they remain equally suspicious (in fact more suspicious because the relative probability of a false alarm has decreased) and thus face just as much retaliation. Our analysis is thus quite different from this literature, despite sharing the common theme of strategic complementarity.

Finally, repeated games with imperfect monitoring model multilateral moral hazard without commitment (Abreu, Pearce, and Stacchetti Reference Abreu, Pearce and Stacchetti1990; Green and Porter Reference Green1984; Radner Reference Radner1986). Our model collapses the infinite horizon into a principal who plays a best response. This approach might also be a useful shortcut in other contexts.Footnote ⁶

Comments on Interpretation of the Model

We offer a few comments on interpretation.

First, the presence of the null signal let us define three types of attribution failures. A false alarm occurs if a non-null signal $$ s\ne 0 $$ arises when no one attacked. A detection failure occurs if the null signal $$ s=0 $$ arises when an attack took place. And there is scope for misidentification if a non-null signal $$ s\ne 0 $$ where $$ {\pi}_i^s>0 $$ arises when some attacker $$ j\ne i $$ attacked. Note that “no attack” can occur either because no attacker had an opportunity to attack or because some attacker did have an opportunity to attack but chose not to. We allow the former possibility (i.e., $$ \gamma <1 $$) both for realism and to accommodate the case where there is only a single attacker ($$ n=1 $$).Footnote ⁹

The presence of the null signal is also important for the strategic complementarity at the heart of our model. By Assumption 1, when attacker $$ i $$ becomes more aggressive, he becomes more “suspect” after every non-null signal and all other attackers become less suspect. By Assumption 2, this increases retaliation against attacker $$ i $$ and decreases retaliation against all other attackers, as retaliation occurs only following non-null signals.

Second, $$ {y}_i\ \ge\ 0 $$ implies that retaliation would be credible for the defender if she knew who attacked. We thus abstract from the “search for credibility” in the traditional deterrence literature (Powell Reference Powell1990; Schelling Reference Schelling1960; Snyder Reference Snyder1961) to isolate new issues associated with imperfect attribution. In reality, there are several possible benefits of successful retaliation. Retaliation can disrupt an ongoing attack. It can provide reputational benefits and thus prevent future attacks. And it can satisfy a “taste for vengeance,” which could result from psychological or political concerns (Jervis Reference Jervis1979; McDermott, Lopez, and Hatemi Reference McDermott2017).

Relatedly, it may seem unlikely that a victim would ever retaliate against two different countries for the same cyberattack, as our model allows. This possibility can be ruled out by assuming that $$ {y}_i<\frac{1}{2} $$ for all $$ i\in I $$ with probability 1, which (as we will see) implies that the defender retaliates against a given attacker only if she believes that he is guilty with probability at least $$ 1-{y}_i>\frac{1}{2} $$—a condition that cannot be satisfied for two attackers simultaneously.

Third, the special case of perfect attribution arises when $$ {\pi}_0^0=1 $$ and, for each attacker $$ i $$, there exists a signal $$ {s}_i\ne 0 $$ such that $$ {\pi}_i^{s_i}=1 $$. In this case, since $$ {y}_i\in \left[0,1\right) $$, attacker $$ i $$ faces retaliation if and only if he himself attacks. In contrast, with imperfect attribution, attacker $$ i $$ might not face retaliation when he attacks, and he might face retaliation when no one attacks (as the result of a false alarm) or when a different attacker attacks (as the result of misidentification). Thus, deterrence with perfect attribution reduces to bilateral interactions between the defender and each attacker, while imperfect attribution introduces multilateral strategic considerations.

Fourth, while we have presented the choices of whether to attack and retaliate as binary decisions made by agents with private information ($$ {x}_i $$ for attacker $$ i $$; $$ y $$ for the defender), an equivalent, equally realistic, interpretation is that these are continuous choices made under complete information. Here, rather than interpreting $$ {r}_i^s\in \left[0,1\right] $$ as the probability of retaliation (against attacker $$ i $$, after signal $$ s $$), interpret it as the intensity of retaliation, where retaliating with intensity $$ {r}_i^s $$ against a guilty attacker yields a concave benefit $$ {b}_i\left({r}_i^s\right) $$ (and retaliating against an innocent attacker yields $$ {b}_i\left({r}_i^s\right)-1 $$). This is equivalent to the binary-retaliation model, with $$ {b}_i\left({r}_i^s\right) $$ equal to the expected retaliation benefit $$ {y}_i $$ for the defender when she retaliates with ex ante probability $$ {r}_i^s $$.Footnote ¹⁰ A similar comment applies for the attackers, where now $$ {p}_i $$ is interpreted as the intensity of attack.Footnote ¹¹

Fifth, we consider a static model where at most one potential attacker has an opportunity to attack. This approach is equivalent to considering the Markov perfect equilibrium in a continuous-time dynamic model where, for each attacker, an independent and identically distributed Poisson clock determines when that attacker has an attack opportunity. As the probability that independent Poisson clocks tick simultaneously is zero, in such a model it is without loss of generality to assume that two attackers can never attack at exactly the same time. If multiple attackers can attack simultaneously, our model continues to apply if the payoff consequences of each attack (and any subsequent retaliation) are additively separable and signals are independent across attacks.

Sixth, the payoff functions admit several different interpretations. We have normalized both the cost to an attacker of facing retaliation and the cost to the defender of retaliating in error to 1. This means that $$ {x}_i $$ and $$ y $$ measure the benefit of a successful attack/retaliation relative to the cost of facing retaliation/retaliating in error. There are many possible benefits from successful cyberattacks. The Chinese used cyber espionage to acquire plans for the F-35 from a US military contractor, allowing them to build a copy-cat stealth fighter at accelerated speed and low cost. The United States and Israel used cyberattacks to disrupt the Iranian nuclear program. Cyberattacks have also been used to incapacitate an adversary’s military capabilities—for instance by disrupting communications, banking, or intelligence—by the United States (against Iraqi insurgents), Russia (in Ukraine, Georgia, and Estonia), Israel (in Syria), and others. Variation in the costs of retaliation could derive from the vulnerability of a country’s civil or economic infrastructure to cyberattack. Thus, for example, North Korea may be more aggressive in the cyber domain than the United States because it does not have a vulnerable tech sector that could be disrupted by cyber retaliation. Finally, as technologies for hardening targets, denying access, and improving security improve, the distribution of benefits may worsen (Libicki, Ablon, and Webb Reference Libicki, Ablon and Webb2015).

Finally, a signal$$ s $$ should be interpreted as containing all information available to the defender concerning the origin of a potential attack. This may include, for example, the systems targeted by the attack, the location of the servers where the attack originated, and the language and style of any malicious code.

Unique Equilibrium

Notwithstanding the strategic complementarity in the model, there is always a unique equilibrium. As discussed in the Introduction, this is in stark contrast to standard models of crime waves, which emphasize multiple equilibria. To see the intuition, suppose there are two equilibria and attacker $$ i $$’s attack probability increases by the greatest proportion (among all attackers) in the second equilibrium relative to the first. Then, because the defender’s beliefs are determined by the attackers’ relative attack probabilities, attacker $$ i $$ is more suspect after every signal in the second equilibrium. The defender therefore retaliates against attacker $$ i $$ more often in the second equilibrium. But then attacker $$ i $$ should attack less in the second equilibrium, not more.

Complementary Aggressiveness

Lemma 4 shows that, if one attacker attacks with higher probability, this induces all attackers to attack with higher probability. Of course, attack probabilities are endogenous equilibrium objects. To understand how such a change in behavior might result from changes in model primitives, we turn to comparative statics with respect to the distributions $$ {F}_i $$ and $$ G $$.

As we have already discussed, the parameter $$ {x}_i $$ represents attacker $$ i $$’s benefit from a successful attack relative to the cost of facing retaliation. Similarly, the parameter $$ {y}_i $$ represents the benefit of successful retaliation relative to the cost of retaliating against the wrong target. Thus, a change in the distributions $$ {F}_i $$ or $$ {G}_i $$ might result from a change in the distribution of benefits or the distribution of costs. In what follows, we say that attacker $$ i $$ (resp., the defender) becomes more aggressive if $$ {F}_i $$ (resp., $$ {G}_i $$ for all $$ i\in I $$) increases in the first-order stochastic dominance sense.

Equilibrium Mutes Attacker Heterogeneity

If we put a little more structure on the model, we can make two further observations about attacker aggressiveness. First, not surprisingly, inherently more aggressive attackers attack with higher probability in equilibrium. Second, notwithstanding this fact, equilibrium mutes attacker heterogeneity: that is, inherently more aggressive attackers use a more demanding cutoff (i.e., a higher $$ {x}_i^{\ast } $$), and hence the difference in equilibrium attack probabilities between differentially aggressive attackers is less than it would be if such attackers used the same cutoff. The intuition is that inherently more aggressive attackers are more suspect and therefore face more retaliation, which leads them to attack only for higher realized attack benefits.

This result implies another sense in which settings with imperfect attribution are fundamentally multilateral. Suppose attacker 1 is inherently much more aggressive than attacker 2. A naïve analysis would suggest that attacker 2 can be safely ignored. But this neglects attacker 2’s great advantage of being able to hide behind attacker 1: if all attacks were assumed to come from attacker 1, attacker 2 could attack with impunity. Hence, equilibrium requires some parity of attack probabilities, even between attackers who are highly asymmetric ex ante.

To isolate the effect of heterogeneous aggressiveness, in this subsection we restrict attention to symmetric information structures—without such a restriction, an inherently more aggressive attacker might nonetheless use a less demanding cutoff, if his attacks are more difficult for the defender to detect or attribute. The information structure is symmetric if, for every permutation $$ \rho $$ on $$ I $$, there exists a permutation $$ {\rho}^{\prime } $$ on $$ S\setminus \left\{0\right\} $$ such that $$ {\pi}_i^s={\pi}_{\rho (i)}^{\rho^{\prime }(s)} $$ for all $$ i\in I $$ and $$ s\in S\setminus \left\{0\right\} $$. Intuitively, this says that any two attacks have a symmetric effect on the defender’s signal distribution: for any possible relabeling of the attackers, there exists a corresponding relabeling of the signals that leaves the signal distribution unchanged.Footnote ¹²

Proposition 4’s message that equilibrium attack probabilities must be moderated relative to attackers’ underlying preferences is relevant for assessing the US shift to a focus on China and Russia, discussed earlier. We will provide a more detailed discussion of this aspect of the 2018 Cyber Strategy in the context of the commitment model.

Sufficient Conditions for a Change in the Information Structure to Improve Deterrence

This subsection presents general sufficient conditions for a change in the information structure to improve deterrence.

Let $$ {r}_i^s\left(p;\pi \right) $$ be the probability that attacker $$ i $$ faces retaliation given signal $$ s $$, prior attack probabilities $$ p $$, and information structure $$ \pi $$:

$$ {r}_i^s\left(p;\pi \right)=1-{G}_i\left(1-{\beta}_i^s\left(p;\pi \right)\right), $$

where $$ {\beta}_i^s\left(p;\pi \right) $$ is given by equation (3), and we have made the dependence of $$ \beta $$ on $$ \pi $$ explicit. Let $$ {x}_i\left(p;\pi \right) $$ be the increase in the probability that attacker $$ i $$ faces retaliation when he attacks given prior attack probabilities $$ p $$ and information structure $$ \pi $$:

$$ {x}_i\left(p;\pi \right)=\sum_{s\ne 0}\left({\pi}_i^s-{\pi}_0^s\right){r}_i^s\left(p;\pi \right). $$

Recall that, in equilibrium, $$ {x}_i^{\ast }={x}_i\left(p;\pi \right) $$.

Our first main result is that, if the information structure changes such that the defender becomes “more retaliatory,” in that all cutoffs $$ {x}_i\left(p;\pi \right) $$ increase holding the attack probabilities fixed, then in equilibrium all attack probabilities must decrease. Intuitively, this is a consequence of strategic complementarity: if $$ \pi $$ changes so that each $$ {x}_i\left(p;\pi \right) $$ increases for fixed $$ p $$, strategic complementarity then pushes all the cutoffs even further up.

An important consequence of this result is the following: Suppose, conditional on an attack by $$ i $$, probability weight is shifted from a signal $$ s $$ where $$ i $$ did not face retaliation to a signal $$ {s}^{\prime } $$ where no one else faced retaliation. This always improves deterrence. The logic is that, holding the attack probabilities fixed, such a change in the information structure induces weakly more retaliation against $$ i $$ (at signal $$ {s}^{\prime } $$, since $$ i $$ has become more suspect at $$ {s}^{\prime } $$) and also induces weakly more retaliation against everyone else (at signal $$ s $$, since everyone else has become more suspect at $$ s $$). Theorem 2 then implies that all equilibrium attack probabilities must decrease.

Types of Changes that Always Improve Deterrence

We can now derive the “positive” results previewed above.

Improving Detection Independently of Identification

Fourth, in the important special case of our model where the detection and identification processes are independent, improving detection always improves deterrence. To formulate this case, suppose there exists a common detection probability $$ \in \left[0,1\right] $$, a false alarm probability $$ \phi \in \left[0,1\right] $$, and a vector of identification probabilities $$ \left({\rho}_i^s\right)\in {\left[0,1\right]}^{n\left|S-1\right|} $$ with $$ {\sum}_{s\ne 0}\ {\rho}_i^s=1 $$ for each $$ i\in I $$, such that

$$ {\displaystyle \begin{array}{cc}{\pi}_i^0=1-\delta\ \mathrm{for}\ \mathrm{all}\ i\ne 0,& {\pi}_i^s=\delta {\rho}_i^s\ \mathrm{for}\ \mathrm{all}\ i,s\ne 0,\\ {}{\pi}_0^0=1-\phi, & {\pi}_0^s=\phi {\rho}_0^s\ \mathrm{for}\ \mathrm{all}\ s\ne 0.\end{array}} $$

Corollary 4 If detection is independent of identification, improving detection decreases all equilibrium attack probabilities.

Proof. By Theorem 2, it suffices to show that $$ {\beta}_i^s\left(p;\overset{\sim }{\pi}\right)\ \ge\ {\beta}_i^s\left(p;\pi \right) $$ for all $$ i $$ and all $$ s\ne 0 $$. We have

$$ {\beta}_i^s\left(p;\pi \right)=\frac{\upgamma \updelta {p}_i{\rho}_i^s}{\upgamma \updelta \sum_j\ {p}_j{\rho}_j^s+\left(n-\gamma \sum_j\ {p}_j\right)\phi {\rho}_0^s}. $$

Clearly, $$ {\beta}_i^s\left(p;\pi \right) $$ is non-decreasing in $$ \delta $$.

Moreover, note that $$ {\beta}_i^s\left(p;\pi \right) $$ depends on the detection probability and the false alarm probability only through their ratio $$ \delta \divslash \phi $$. Thus, when detection is independent of identification, improving detection is strategically equivalent to reducing false alarms.

Types of Changes that Can Degrade Deterrence

We now give our “negative” results. We can organize these results by showing why the conclusion of Theorem 3 can fail if either $$ {r}_i^s>0 $$ or $$ {r}_j^{s^{\prime }}>0 $$ for some $$ j\ne i $$.

Improving Detection while Worsening Identification

We first show how deterrence can be undermined by improving detection but simultaneously worsening identification. That is, shifting weight from the null signal to a signal where someone other than the attacker faces retaliation can reduce retaliation against both attackers and increase attacks. This is a partial converse to the result that replacing misidentification with non-detection improves deterrence (Corollary 2).

Example 1 There are two attackers and three signals. To fix ideas, think of the defender as Iran, and the two attackers as Israel (attacker 1) and Saudi Arabia (attacker 2). Let $$ \gamma =\frac{2}{3} $$, so with equal probability Israel can attack, Saudi Arabia can attack, or no one can attack. The information structure $$ \pi =\left({\pi}_i^s\right) $$ is

$$ {\displaystyle \begin{array}{ccc}{\pi}_0^0=1& {\pi}_0^1=0& {\pi}_0^2=0\\ {}{\pi}_1^0=\frac{1}{3}& {\pi}_1^1=\frac{2}{3}& {\pi}_1^2=0\\ {}{\pi}_2^0=\frac{1}{3}& {\pi}_2^1=\frac{1}{3}& {\pi}_2^2=\frac{1}{3}\end{array}} $$

Thus, signal 1 is a good signal that Israel attacked (though it could also indicate a Saudi attack), while signal 2 unambiguously indicates a Saudi attack. There is also a possibility of detection failure.

Let $$ {x}_1\in \left\{{x}_1^L=\frac{1}{2},{x}_1^H=1\right\} $$, with $$ \mathit{\Pr}\left({x}_1={x}_1^H\right)=\frac{4}{5} $$.

Let $$ {x}_2\in \left\{{x}_2^L=\frac{1}{4},{x}_2^H=1\right\} $$, with $$ \mathit{\Pr}\left({x}_2={x}_2^H\right)=\frac{1}{2} $$.

Let $$ {y}_1={y}_2=\frac{1}{4} $$ with probability 1.Footnote ¹⁴

Claim 1 In the unique equilibrium with information structure $$ \pi $$, Israel attacks if $$ {x}_1={x}_1^H $$; Saudi Arabia attacks if $$ {x}_2={x}_2^H $$; and Iran retaliates against Israel if $$ s=1 $$and against Saudi Arabia if $$ s=2 $$. Thus, $$ {p}_1=\frac{4}{5} $$and $$ {p}_2=\frac{1}{2} $$.

Proof. It suffices to check that these strategies form an equilibrium. Given the conditional attack probabilities and the information structure, Iran’s posterior beliefs $$ \left({\beta}_i^s\right) $$ are given by

$$ {\displaystyle \begin{array}{ccc}{\beta}_0^0=\frac{51}{64}& {\beta}_1^0=\frac{8}{64}& {\beta}_2^0=\frac{5}{64}\\ {}{\beta}_0^1=0& {\beta}_1^1=\frac{16}{21}& {\beta}_2^1=\frac{5}{21}\\ {}{\beta}_0^2=0& {\beta}_1^2=0& {\beta}_2^2=1\end{array}} $$

Since $$ y=\frac{1}{4} $$, Iran retaliates against attacker $$ i $$ after signal $$ s $$ if $$ {\beta}_i^s>\frac{3}{4} $$. Thus, Iran retaliates against Israel if $$ s=1 $$, and against Saudi Arabia if $$ s=2 $$. Therefore, $$ {x}_1^{\ast }=\frac{2}{3} $$ and $$ {x}_2^{\ast }=\frac{1}{3} $$. It follows that Israel attacks if $$ {x}_1={x}_1^H $$ and Saudi Arabia attacks if $$ {x}_2={x}_2^H $$. So this is an equilibrium.

Now suppose the Iranians improve their ability to detect Israeli attacks, such that the information structure changes to

$$ {\displaystyle \begin{array}{ccc}{\overset{\sim }{\pi}}_0^0=1& {\overset{\sim }{\pi}}_0^1=0& {\overset{\sim }{\pi}}_0^2=0\\ {}{\overset{\sim }{\pi}}_1^0=0& {\overset{\sim }{\pi}}_1^1=\frac{2}{3}& {\overset{\sim }{\pi}}_1^2=\frac{1}{3}\\ {}{\overset{\sim }{\pi}}_2^0=\frac{1}{3}& {\overset{\sim }{\pi}}_2^1=\frac{1}{3}& {\overset{\sim }{\pi}}_2^2=\frac{1}{3}\end{array}} $$

Thus, when Israel attacks, the attack is always detected. But this improved detection isn’t “clean” with regard to identification: many Israeli attacks now look to the Iranians like Saudi attacks. In equilibrium, this causes Iran to stop retaliating after perceived Saudi attacks (signal 2), which leads Saudi Arabia to start attacking more. But this increased aggressiveness by Saudi Arabia degrades Iran’s confidence in its attribution of perceived Israeli attacks (signal 1), as these are now more likely to result from an attack by a more aggressive Saudi Arabia. This in turn causes Iran to stop retaliating after perceived Israeli attacks as well. Thus, this change in Iran’s information, whereby it gets better at detection but worse at identification, degrades deterrence.

Claim 2 In the unique equilibrium with information structure $$ \overset{\sim }{\pi } $$, both attackers attack whenever they have the opportunity, and Iran never retaliates. Thus, $$ {p}_1={p}_2=1 $$.

Proof. Again, we check that these strategies form an equilibrium. Combining the conditional attack probabilities and the information structure, Iran’s posterior beliefs are given by

$$ {\displaystyle \begin{array}{ccc}{\beta}_0^0=\frac{3}{4}& {\beta}_1^0=0& {\beta}_2^0=\frac{1}{4}\\ {}{\beta}_0^1=0& {\beta}_1^1=\frac{2}{3}& {\beta}_2^1=\frac{1}{3}\\ {}{\beta}_0^2=0& {\beta}_1^2=\frac{1}{2}& {\beta}_2^2=\frac{1}{2}\end{array}} $$

Note that $$ {\beta}_i^s<\frac{3}{4} $$ for all $$ i\in \left\{1,2\right\} $$ and all $$ s $$. Hence, Iran never retaliates. This implies that $$ {x}_1^{\ast }={x}_2^{\ast }=0 $$, so both attackers always attack.

Refining Signals that Already Cause Retaliation

Deterrence can also be undermined by refining a signal that is already strong enough to cause retaliation. This can occur even if the signal refinement corresponds to a strict improvement in the information structure in the sense of Blackwell (Reference Blackwell and Neyman1951), and even if there is only one attacker, so that the model is a classical inspection game (Avenhaus, von Stengel, and Zamir Reference Rudolf, von Stengel, Zamir, Aumann and Hart2002).Footnote ¹⁵

To get an intuition for how this can work, suppose the US discovers some snippet of code that only the North Koreans use. The presence of this snippet then unambiguously attributes an attack to North Korea. So, when the US observes an attack from a North Korean server that doesn’t have the snippet, it might reason, “if this attack were really North Korea, we’d probably see that snippet.” This logic can make the US less willing to retaliate than it was before discovering the snippet. Such reluctance, in turn, makes North Korea more aggressive.

To see this in the context of our model, suppose there is a single attacker and three possible signals: null, imperfectly informative $$ \left(s=1\right) $$, and perfectly informative $$ \left(s=2\right) $$. Think of $$ s=1 $$ as an attack that appears to originate from North Korean servers and $$ s=2 $$ as an attack containing the snippet of code. Initially, the US doesn’t know to look for this snippet, so it never sees $$ s=2 $$. But the US is willing to retaliate when it sees attacks coming from North Korean servers, even though they might be a false alarm.

Example 2 There is one attacker and three signals. Let $$ \gamma =1 $$. The information structure is

$$ {\displaystyle \begin{array}{ccc}{\pi}_0^0=\frac{3}{4}& {\pi}_0^1=\frac{1}{4}& {\pi}_0^2=0\\ {}{\pi}_1^0=\frac{1}{4}& {\pi}_1^1=\frac{3}{4}& {\pi}_1^2=0\end{array}} $$

Let $$ x=\frac{1}{3} $$ and $$ y=\frac{1}{2} $$.

Claim 3 In the unique equilibrium with information structure $$ \pi $$, the attacker attacks with probability $$ \frac{1}{4} $$, and the defender retaliates with probability $$ \frac{2}{3} $$when $$ s=1 $$.

Proof. It is clear that the equilibrium must be in mixed strategies. Let $$ p $$ be the probability the attacker attacks. The defender’s posterior belief when $$ s=1 $$ is $$ {\beta}_1^1=\frac{3p}{1+2p} $$. For the defender to be indifferent, this must equal $$ \frac{1}{2} $$. This gives $$ p=\frac{1}{4} $$.

For the attacker to be indifferent, the retaliation probability when $$ s=1 $$ must solve $$ \left(\frac{3}{4}-\frac{1}{4}\right){r}_1=\frac{1}{3} $$, or $$ {r}_1=\frac{2}{3} $$.

Now suppose the US gets better at attributing North Korean attacks: it becomes aware of, and can sometimes find, the identifying snippet of code when it is present. To capture this, suppose the information structure changes to

$$ {\displaystyle \begin{array}{ccc}{\overset{\sim }{\pi}}_0^0=\frac{3}{4}& {\overset{\sim }{\pi}}_0^1=\frac{1}{4}& {\overset{\sim }{\pi}}_0^2=0\\ {}{\overset{\sim }{\pi}}_1^0=\frac{1}{4}& {\overset{\sim }{\pi}}_1^1=\frac{1}{2}& {\overset{\sim }{\pi}}_1^2=\frac{1}{4}\end{array}} $$

Finding the snippet is still difficult, so the perfect signal only has probability $$ \frac{1}{4} $$.Footnote ¹⁶ As a result, even certain retaliation following the perfect signal is not enough to deter an attack on its own. Moreover, the imperfect signal is now less indicative of an attack because the perfect signal is possible—when the snippet of code is missing, the US thinks it more likely that a perceived attack is really a false alarm. Realizing that it can now escape retaliation after an imperfect signal, North Korea becomes more aggressive.

Claim 4 In the unique equilibrium with information structure $$ \overset{\sim }{\pi } $$, the attacker attacks with probability $$ \frac{1}{3} $$, and the defender retaliates with probability $$ \frac{1}{3} $$when $$ s=1 $$and retaliates with probability $$ 1 $$when $$ s=2 $$.

Proof. Clearly, the defender retaliates with probability 1 when $$ s=2 $$. As $$ x>{\overset{\sim }{\pi}}_1^2 $$, this is not enough to deter an attack, so the defender must also retaliate with positive probability when $$ s=1 $$. The defender’s posterior belief when $$ s=1 $$ is now $$ {\overset{\sim }{\beta}}_1^1=\frac{2p}{1+p} $$. For the defender to be indifferent, this must equal $$ \frac{1}{2} $$. This gives $$ p=\frac{1}{3} $$.

For the attacker to be indifferent, the retaliation probability when $$ s=1 $$ must solve $$ \left(\frac{1}{2}-\frac{1}{4}\right){r}_1+\left(\frac{1}{4}\right)(1)=\frac{1}{3} $$, or $$ {r}_1=\frac{1}{3} $$.

Note, if the cost of being attacked ($$ K $$) is sufficiently large, the defender is better off with less information. The intuition is that, when weight shifts from $$ {\pi}_1^1 $$ to $$ {\pi}_1^2 $$, the attacker must attack with higher probability to keep the defender willing to retaliate after signal $$ 1 $$.

This result shows that a defender can be harmed by chasing too much certainty. In general, deterrence is undermined by extra information in regions of the defender’s belief space where the probability of retaliating against a given attacker is concave in the defender’s posterior belief about whether that attacker attacked. Since this is typically the case when the defender is almost certain the attacker attacked (as then she retaliates with probability close to $$ 1 $$), this implies that pursuing too much certainty in attribution is usually a mistake.

Of course, for any fixed attack probabilities, the defender benefits from having additional information, as this can only make retaliation more accurate. Thus, if the effect of improving the defender’s information on deterrence is positive, the overall effect on the defender’s payoff is positive; while if the effect on deterrence is negative, the overall effect can go either way.

Different Kinds of Retaliation

A central debate in cyber strategy concerns what weapons should be available for retaliation against a cyberattack. This question was raised with new urgency by the 2018 United States Nuclear Posture Review, which for the first time allowed the possibility of first-use of nuclear weapons in response to devastating but non-nuclear attacks, including cyberattacks (Sanger and Broad Reference Sanger2018). Less dramatically, the 2018 National Cyber Strategy allows both cyber and kinetic retaliation as possible responses to cyber activity (United States 2018).

Our model can capture many aspects of this debate, but not all of them. We do model the fact that a more destructive form of retaliation is likely more costly to use in error. But we cannot capture all possible objections to the Nuclear Posture Review, such as the potential consequences of “normalizing” first-use of nuclear weapons. Nonetheless, in the context of our model, we provide some support for the spirit of the Nuclear Posture Review by showing that adding a more destructive weapon to the defender’s arsenal always improves deterrence. By contrast, adding a less destructive weapon to the defender’s arsenal has competing effects and, as such, can either weaken or strengthen deterrence.

We model introducing a new retaliation weapon into the defender’s arsenal as follows: There is the original, legacy weapon $$ \ell $$, and a new weapon, $$ n $$. Each weapon $$ a\in \left\{\ell, n\right\} $$ is characterized by three numbers: the damage it does to an attacker, $$ {w}^a $$ (previously normalized to $$ 1 $$), the benefit using it provides to a type-$$ y $$ defender, $$ {y}^a $$, and the cost to the defender of using it on an innocent attacker, $$ {z}^a $$ (previously normalized to $$ 1 $$). Thus, when the defender observes signal $$ s $$ and forms belief $$ {\beta}_i^s $$ that attacker $$ i $$ is guilty, she retaliates using the weapon $$ a\in \left\{0,\ell, n\right\} $$ that maximizes

$$ {y}^a-\left(1-{\beta}_i^s\right){z}^a, $$

where $$ a=0 $$ corresponds to not retaliating, with $$ {y}^0={z}^0={w}^0=0 $$. We continue to assume that $$ K>{y}^a $$ for all $$ y\in \left[{\underset{\_}{y}}_i,{\bar{y}}_i\right] $$ and all $$ a $$, so that deterring an attack is preferred to being attacked and retaliating.

A couple points are worth noting. All else equal, the defender prefers to retaliate with a weapon that provides higher retaliatory benefits (higher $$ {y}^a $$) and lower costs for mistaken retaliation (lower $$ {z}^a $$). It seems reasonable to assume that these two features of a weapon may covary positively—more powerful weapons provide greater retaliatory benefits but are also more costly when misused. So the defender may face a trade-off, and she will balance this trade-off differently following different signals: when attribution is more certain, the defender is more willing to opt for a powerful response; while when attribution is less certain, the defender will respond in a way that limits costs in case of a mistake.

In light of this trade-off, we ask when introducing the new weapon into the arsenal improves the defender’s payoff.

First, it is easy to construct examples where introducing a weaker weapon (i.e., one with $$ {w}^n<{w}^{\ell } $$) into the defender’s arsenal makes her worse-off. For example, suppose that the new weapon also imposes lower costs when used in error ($$ {z}^n<{z}^{\ell } $$). Then there could be signals where the defender would have used the legacy weapon, but now switches to the new weapon. (Indeed, if $$ {y}^n>{y}^{\ell } $$ then the defender never uses the legacy weapon.) If $$ {w}^{\ell }-{w}^n $$ is sufficiently large, this undermines deterrence, which leaves the defender worse-off overall if the cost of being attacked ($$ K $$) is sufficiently large. The intuition is that, when a weaker weapon is available, ex post the defender is sometimes tempted to use it rather than the stronger weapon (in particular, when she is uncertain of the identity of the perpetrator). This is bad for ex ante deterrence. The defender can thus benefit from committing in advance to never retaliate with a less destructive weapon.

By contrast, introducing a new weapon that imposes greater costs on attackers (i.e., $$ {w}^n\ge {w}^{\ell } $$) always benefits the defender.Footnote ¹⁷ The intuition is that, holding the attack probabilities fixed, making a new, more destructive weapon available weakly increases the expected disutility inflicted on every attacker: this follows because, for each signal, the defender’s optimal response either remains unchanged or switches to the new, more damaging weapon. This reduces everyone’s incentive to attack, and strategic complementarity then reduces the equilibrium attack probabilities even more.

False Flags

The attribution problem creates the possibility for false-flag operations, where one attacker poses as another to evade responsibility. False-flag operations are common in the cyber context (see Bartholomew and Guerrero-Saade Reference Bartholomew and Guerrero-Saade2016). We have, for instance, already discussed Russia’s attempt to mask various attacks by attempting to mimic North Koreans or Iranians.

A false-flag operation amounts to one attacker attempting to attack in a way that mimics, or is likely to be attributed to, another attacker. If multiple attackers can mimic each other, there will naturally be multiple equilibria, where different attackers are mimicked most often, due to a coordination motive in mimicking. As our main question of interest here is who is mostly likely to be mimicked, we rule out this effect by assuming that only attacker 1 has the ability to mimic other attackers.

For simplicity, in this subsection we consider a version of our earlier “independent detection and identification” model, while allowing the detection probability to vary across attackers. In particular, we assume the information structure is

$$ {\displaystyle \begin{array}{ccc}{\pi}_i^0=1-{\delta}_i\ \mathrm{for}\ \mathrm{all}\ i\ne 0,& {\pi}_i^i={\delta}_i{\rho}_i\ \mathrm{for}\ \mathrm{all}\ i\ne 0,& {\pi}_i^j={\delta}_i\frac{1-{\rho}_i}{n-1}\ \mathrm{for}\ \mathrm{all}\ i\ne j\ne 0,\\ {}{\pi}_0^0=1-\phi, & {\pi}_0^s=\frac{\phi }{n}\ \mathrm{for}\ \mathrm{all}\ s\ne 0.& \end{array}} $$

Thus, attackers differ in how detectable they are ($$ {\delta}_i $$) and how identifiable they are ($$ {\rho}_i $$), but the information structure is otherwise symmetric.

The “mimic” (attacker 1) chooses an attack probability $$ {p}_1 $$ and, conditional on attacking, a probability distribution over whom to mimic, $$ \alpha\ \in\ \varDelta (I) $$. Given $$ \alpha $$, if the mimic attacks, signal $$ s=0 $$ realizes with probability $$ 1-{\delta}_1 $$ and each signal $$ i\ne 0 $$ realizes with probability

$$ {\pi}_1^i\left(\alpha \right) := {\delta}_1\left({\alpha}_i{\chi}_i+\sum_{j\ne i}\ {\alpha}_j\frac{1-{\chi}_j}{n-1}\right), $$

where $$ {\chi}_i\in \left(0,1\right) $$ measures 1’s ability to successfully mimic attacker $$ i $$. For example, an attacker with a less sophisticated arsenal of cyber weapons may be easier to mimic.

If the mimic chooses strategy $$ \alpha $$, for $$ i\ne 1 $$, we have

$$ {\beta}_1^i\left(\alpha \right)=\frac{\gamma {p}_1{\pi}_1^i\left(\alpha \right)}{\gamma \left[{p}_1{\pi}_1^i\left(\alpha \right)+{\delta}_i{p}_i{\rho}_i+\sum_{j\ne 1,i}{\delta}_j{p}_j\frac{1-{\rho}_j}{n-1}\right]+\left(1-\frac{\gamma }{n}\sum_j\ {p}_j\right)\frac{\phi }{n}}. $$

Denote the probability with which the mimic faces retaliation at signal $$ s $$ by

$$ {r}_1^s\left(\alpha \right)=1-{G}_1\left(1-{\beta}_1^s\left(\alpha \right)\right). $$

Given the vector of attack probabilities $$ p $$ (including $$ {p}_1 $$), the mimic chooses $$ \alpha $$ to solve

$$ \underset{\alpha^{\prime}\in \varDelta (I)}{\min}\sum_{s\in I}\ {\pi}_1^s\left({\alpha}^{\prime}\right){r}_1^s\left(\alpha \right). $$

(Note that $$ \alpha $$ is fixed here by equilibrium expectations.) The derivative with respect to $$ {\alpha}_i^{\prime } $$ is

$$ {\delta}_1\left({\chi}_i{r}_1^i\left(\alpha \right)+\sum_{j\ne i}\ \frac{1-{\chi}_i}{n-1}{r}_1^j\left(\alpha \right)\right). $$

Thus, at the optimum, this derivative must be equal for all $$ i\ \in\ \mathrm{supp}\ \upalpha $$, and must be weakly greater for all $$ i\notin \operatorname {supp}\ \alpha $$. In particular, if $$ i,{i}^{\prime}\in \operatorname {supp}\ \alpha $$, we have

$$ {\chi}_i\left(\frac{1}{n}\sum_{j\in I}\ {r}_1^j\left(\alpha \right)-{r}_1^i\left(\alpha \right)\right)={\chi}_{i^{\prime }}\left(\frac{1}{n}\sum_{j\in I}\ {r}_1^j\left(\alpha \right)-{r}_1^{i^{\prime }}\left(\alpha \right)\right), $$

where both terms in parentheses are non-negative. Note that $$ {r}_1^i\left(\alpha \right) $$ is increasing in $$ {\beta}_1^i\left(\alpha \right) $$, which in turn is increasing in $$ {\pi}_1^i\left(\alpha \right) $$ and decreasing in $$ {\delta}_i $$, $$ {p}_i $$, and $$ {\rho}_i $$. We obtain the following result:

More aggressive attackers are more like to be the victim of false-flag operations because they are more suspect when the signal points to them, which makes the mimic less suspect. The same intuition underlies the more subtle result that attackers that are easier to identify or detect are mimicked more: When such an attacker attacks, the signal is especially likely to point to him, rather than to a different attacker. This makes this attacker especially suspect when the signal points to him, which makes him an attractive target for false-flag operations.

We have already discussed recent operations where Russia chose to mimic Iran and North Korea, who had preexisting reputations for aggressiveness in cyber space. Another example involves China. In 2009, the Information Warfare Monitor uncovered the GhostNet plot, an infiltration of government and commercial computer networks the world over, originating in China. There were “several possibilities for attribution.” One was that the Chinese government and military were responsible. But the report also raises alternative explanations, including that the attack could have been the work of “a state other than China, but operated physically within China … for strategic purposes … perhaps in an effort to deliberately mislead observers as to the true operator(s).” (See Information Warfare Monitor Reference Monitor2009, 48–49.) Similar conclusions were reached half a decade earlier regarding the difficulty in attributing the Titan Rain attacks on American computer systems, which were again traced to internet addresses in China (Rogin Reference Rogin2010). In both cases, the United States government appears to have been highly reluctant to retaliate.

Given China’s reputation for aggressiveness in cyberspace, why is the United States so reluctant to retaliate for cyberattacks attributed to China? It seems a key factor is precisely the attribution problem and especially concerns about false-flags. In plain language, China’s reputation makes it particularly tempting for other actors to hide behind America’s suspicion of the Chinese. Singer and Friedman (Reference Singer and Friedman2014) describe exactly such a problem:

The Commitment Model

To analyze the commitment model, recall that the attackers’ strategies depend only on the defender’s retaliation probabilities $$ {\left({r}_i^s\right)}_{i\in I,s\in S} $$. Given a vector of retaliation probabilities, the optimal way for the defender to implement this vector is to retaliate against $$ i $$ after $$ s $$ if and only if $$ y>{G}^{-1}\left(1-{r}_i^s\right) $$. Hence, a commitment strategy can be summarized by a vector of cutoffs $$ {\left({y}_i^{s\ast}\right)}_{i\in I,s\in S} $$ such that the defender retaliates against $$ i $$ after signal $$ s $$ if and only if $$ {y}_i>{y}_i^{s\ast } $$.

What is the optimal vector of cutoffs, and how does it differ from the no-commitment equilibrium? The defender’s problem is

$$ {\displaystyle \begin{array}{cccc}& \underset{{\left({y}_i^s\right)}_{i\in I,s\in S}}{\max }& & \\ {}& \frac{\gamma }{n}\sum_i\left(1-{F}_i\left(\sum_s\left({\pi}_i^s-{\pi}_0^s\right)\left(1-{G}_i\left({y}_i^s\right)\right)\right)\right)\left[\begin{array}{c}-K\\ {}+\sum_s\ {\pi}_i^s\left(\begin{array}{c}{\int}_{y_i^s}^{\infty } yd{G}_i(y)\\ {}+\sum_{j\ne i}{\int}_{y_j^s}^{\infty}\left(y-1\right)\ d{G}_j(y)\end{array}\right)\\ {}-\sum_s{\pi}_0^s\sum_j{\int}_{y_j^s}^{\infty}\left(y-1\right)\ d{G}_j(y)\end{array}\right]& & \\ {}& +\sum_s{\pi}_0^s\sum_j{\int}_{y_j^s}^{\infty}\left(y-1\right)\ d{G}_j(y)& & \end{array}} $$

This uses the fact that $$ {x}_i^{\ast }={\sum}_s\left({\pi}_i^s-{\pi}_0^s\right)\left(1-{G}_i\left({y}_i^s\right)\right) $$, so attacker $$ i $$ attacks with probability $$ 1-{F}_i\left({\sum}_s\left({\pi}_i^s-{\pi}_0^s\right)\left(1-{G}_i\left({y}_i^s\right)\right)\right) $$. In the event attacker $$ i $$ attacks, the defender suffers a loss consisting of the sum of several terms (the terms in brackets above). First, she suffers a direct loss of $$ K $$. In addition, after signal $$ s $$, she receives $$ {y}_i $$ if she retaliates against attacker $$ i $$ (i.e., if $$ {y}_i>{y}_i^s $$) and receives $$ {y}_j-1 $$ if she erroneously retaliates against attacker $$ j $$ (i.e., if $$ {y}_j>{y}_j^s $$). If instead no one attacks, then the defender receives $$ {y}_j-1 $$ if she erroneously retaliates against attacker $$ j $$.

The first-order condition with respect to $$ {y}_i^s $$ is

$$ {\displaystyle \begin{array}{c}{f}_i\left({x}_i^{\ast}\right)\left({\pi}_i^s-{\pi}_0^s\right)\left[\begin{array}{c}-K\\ {}+\sum_s{\pi}_i^s\left[{\int}_{y_i^s}^{\infty } ydG(y)+\sum_{j\ne i}{\int}_{y_j^s}^{\infty}\left(y-1\right) dG(y)\right]\\ {}-\sum_s{\pi}_0^s\sum_{j=1}^n{\int}_{y_j^s}^{\infty}\left(y-1\right) dG(y)\end{array}\right]\\ {}-\left(1-{F}_i\left({x}_i^{\ast}\right)\right){\pi}_i^s{y}_i^s\\ {}+\sum_{j\ne i}\left(1-{F}_j\left({x}_j^{\ast}\right)\right){\pi}_j^s\left(1-{y}_i^s\right)\\ {}+\left(\frac{n}{\gamma }-\sum_{j=1}^n\left(1-{F}_j\left({x}_j^{\ast}\right)\right)\right){\pi}_0^s\left(1-{y}_i^s\right)=0.\end{array}} $$

The first term is the (bad) effect that increasing $$ {y}_i^s $$ makes attacker $$ i $$ attack more. The second term is the (also bad) effect that increasing $$ {y}_i^s $$ makes attacks by $$ i $$ more costly, because the defender successfully retaliates less often. The third term is the (good) effect that increasing $$ {y}_i^s $$ makes attacks by each $$ j\ne i $$ less costly, because the defender erroneously retaliates less often. The fourth term is the (good) effect that increasing $$ {y}_i^s $$ increases the defender’s payoff when no one attacks, again because the defender erroneously retaliates less often.

Denote the negative of the term in brackets (the cost of an attack by $$ i $$) by $$ {l}_i\left({y}^{\ast}\right) $$. Then we can rearrange the first-order condition to

$$ {y}_i^{s\ast }=\frac{n{\pi}_0^s+\gamma \sum_{j\ne i}\left(1-{F}_j\left({x}_j^{\ast}\right)\right)\left({\pi}_j^s-{\pi}_0^s\right)-\gamma \left(1-{F}_i\left({x}_i^{\ast}\right)\right){\pi}_0^s-\gamma {f}_i\left({x}_i^{\ast}\right)\left({\pi}_i^s-{\pi}_0^s\right){l}_i\left({y}^{\ast}\right)}{n{\pi}_0^s+\gamma \sum_j\left(1-{F}_j\left({x}_j^{\ast}\right)\right)\left({\pi}_j^s-{\pi}_0^s\right)}. $$

In contrast, in the no-commitment model, $$ {y}_i^{s\ast } $$ is given by the equation

$$ {y}_i^{s\ast }=\frac{n{\pi}_0^s+\gamma \sum_{j\ne i}\left(1-{F}_j\left({x}_j^{\ast}\right)\right)\left({\pi}_j^s-{\pi}_0^s\right)-\gamma \left(1-{F}_i\left({x}_i^{\ast}\right)\right){\pi}_0^s}{n{\pi}_0^s+\gamma \sum_j\left(1-{F}_j\left({x}_j^{\ast}\right)\right)\left({\pi}_j^s-{\pi}_0^s\right)}. $$

Thus, the only difference in the equations for $$ {y}^{\ast } $$ as a function of $$ {x}^{\ast } $$ is that the commitment case has the additional term $$ -{f}_i\left({x}_i^{\ast}\right)\left({\pi}_i^s-{\pi}_0^s\right){l}_i\left({y}^{\ast}\right) $$, reflecting the fact that increasing $$ {y}_i^{s\ast } $$ has the new cost of making attacks by $$ i $$ more likely. (In contrast, in the no-commitment case the attack decision has already been made at the time the defender chooses her retaliation strategy, so the defender trades off only the other three terms in the commitment first-order condition.) This difference reflects the additional deterrence benefit of committing to retaliate, and suggests that $$ {y}_i^{s\ast } $$ is always lower with commitment—that is, that commitment makes the defender more aggressive.

However, this intuition resulting from comparing the first-order conditions under commitment and no-commitment is incomplete: the $$ {x}^{\ast } $$’s in the two equations are different, and we will see that it is possible for $$ {y}_i^{s\ast } $$ to be higher with commitment for some signals. Nonetheless, we can show that with commitment all attackers attack with lower probability and the defender retaliates with higher probability after at least some signals.

The second part of the proposition is immediate from the first: if every attacker is less aggressive under commitment, every attacker must face retaliation with a higher probability after at least one signal. The first part of the proposition follows from noting that the endogenous best response function (cf. Definition 1) is shifted up under commitment, due to the defender’s additional deterrence benefit from committing to retaliate aggressively.

Theorem 4 shows that the defender benefits from committing to retaliate more aggressively after some signals. This is distinct from the search for credibility discussed in the nuclear deterrence literature (Powell 1990; Schelling 1960; Snyder 1961). There, one assumes perfect attribution, and the key issue is how to make retaliation credible (i.e., make $$ {y}_i $$ positive). Here, we take $$ {y}_i $$ positive for granted and show that the defender still has a problem of not being aggressive enough in equilibrium.

The US Department of Defense 2018 Cyber Strategy (Department of Defense 2018) differs from the Obama-era approach articulated in the 2015 Cyber Strategy (Department of Defense 2015) by focusing fairly narrowly on threats from Russia and China rather than from a broad range of major and minor powers and even non-state actors (see Kollars and Schenieder Reference Kollars and Schenieder2018, for a comparison). One interpretation of the new strategy is that it ranks attackers in terms of ex ante aggressiveness (i.e., the distributions $$ {F}_i $$ of the benefits of attack) and mainly threatens retaliation against the most aggressiveness attackers. But this misses the key role of deterrence in influencing marginal decisions. The marginal deterrence benefit to the defender from becoming more aggressive against attacker $$ i $$ after signal $$ s $$ is given by the $$ {f}_i\left({x}_i^{\ast}\right)\left({\pi}_i^s-{\pi}_0^s\right){l}_i\left({y}^{\ast}\right) $$ term in the equation for $$ {y}_i^{s\ast } $$. This benefit is larger if signal $$ s $$ is more informative that $$ i $$ attacked or if $$ i $$’s aggressiveness is likely to be close to the threshold. It has little to do with $$ i $$’s overall aggressiveness.

Finally, we remark that the strategic complementarity among attackers that drove our results in the no-commitment model partially breaks down under commitment. In particular, it is no longer true that an exogenous increase in attacker $$ i $$’s aggressiveness always makes all attackers more aggressive in equilibrium. The reason is that the complementarity effect from the no-commitment model may be offset by a new effect coming from the deterrence term $$ {f}_i\left({x}_i^{\ast}\right)\left({\pi}_i^s-{\pi}_0^s\right){l}_i\left({y}^{\ast}\right) $$ in the defender’s FOC. Intuitively, if attacker $$ i $$ starts attacking more often, this typically leads the defender to start retaliating more against attacker $$ i $$ ($$ {y}_i^{\ast } $$ decreases) and less against other defenders ($$ {y}_j^{\ast } $$ increases for $$ j\ne i $$). This strategic response by the defender has the effect of increasing $$ {l}_j\left({y}^{\ast}\right) $$ for all $$ j\ne i $$: since the defender retaliates more against $$ i $$ and less against $$ j $$, an attack by $$ j $$ becomes more costly for the defender, as it is more likely to be followed by erroneous retaliation against $$ i $$ and less likely to be followed by correct retaliation against $$ j $$. This increase in $$ {l}_j\left({y}^{\ast}\right) $$ then makes it more valuable for the defender to deter attacks by $$ j $$ (as reflected in the $$ {f}_j\left({x}_j^{\ast}\right)\left({\pi}_j^s-{\pi}_0^s\right){l}_j\left({y}^{\ast}\right) $$ term), which leads to an offsetting decrease in $$ {y}_j^{\ast } $$.

Signal Informativeness and Retaliation

Finally, we analyze which signals the defender is likely to respond to more aggressively under commitment, relative to the no-commitment equilibrium.

We start with an example showing that the optimal commitment strategy does not necessarily involve retaliating more aggressively after all signals. Suppose there are three signals: the null signal, an intermediate signal, and a highly informative signal. With commitment, the defender retaliates with very high probability after the highly informative signal. This deters attacks so successfully that the intermediate signal becomes very likely to be a false alarm. In contrast, without commitment, the equilibrium attack probability is higher, and the intermediate signal is more indicative of an attack. The defender therefore retaliates with higher probability following the intermediate signal without commitment.

Example 3 There is one attacker and three signals. Let $$ \gamma =\frac{1}{2} $$. The information structure is

$$ {\displaystyle \begin{array}{ccc}{\pi}_0^0=\frac{1}{2}& {\pi}_0^1=\frac{1}{3}& {\pi}_0^2=\frac{1}{6}\\ {}{\pi}_1^0=\frac{1}{6}& {\pi}_1^1=\frac{1}{3}& {\pi}_1^2=\frac{1}{2}\end{array}} $$

Let $$ x\in \left\{{x}^L=\frac{1}{4},{x}^H=1\right\} $$, with $$ \mathit{\Pr}\left(x={x}^H\right)=\frac{1}{2} $$.

Let $$ y\in \left\{{y}^L=\frac{1}{5},{y}^H=\frac{3}{5}\right\} $$, with $$ \mathit{\Pr}\left(y={y}^H\right)=\frac{1}{2} $$. Let $$ K=1 $$.

$$ {r}^0=0,{r}^1=\frac{1}{2},{r}^2=\frac{1}{2}. $$

$$ {r}^0=0,{r}^1=0,{r}^2=\frac{3}{4}. $$

Under some circumstances, we can say more about how equilibrium retaliation differs with and without commitment. Say that signals $$ s $$ and $$ {s}^{\prime } $$ are comparable if there exists $$ {i}^{\ast}\in I $$ such that $$ {\pi}_i^s={\pi}_0^s $$ and $$ {\pi}_i^{s^{\prime }}={\pi}_0^{s^{\prime }} $$ for all $$ i\ne {i}^{\ast } $$. If $$ s $$ and $$ {s}^{\prime } $$ are comparable, say that $$ s $$ is more informative than $$ {s}^{\prime } $$ if

$$ \frac{\pi_{i^{\ast}}^s}{\pi_0^s}\ge \frac{\pi_{i^{\ast}}^{s^{\prime }}}{\pi_0^{s^{\prime }}}. $$

That is, $$ s $$ is more informative than $$ {s}^{\prime } $$ if, compared with $$ {s}^{\prime } $$, $$ s $$ is relatively more likely to result from an attack by $$ {i}^{\ast } $$ than from no attack (or from an attack by any $$ i\ne {i}^{\ast } $$).

The next Proposition shows that, if $$ s $$ is more informative than $$ {s}^{\prime } $$ and the defender is more aggressive after $$ {s}^{\prime } $$ with commitment than without, then the defender is also more aggressive after $$ s $$ with commitment than without. (Conversely, if the defender is less aggressive after $$ s $$ with commitment, then the defender is also less aggressive after $$ {s}^{\prime } $$ with commitment.) That is, commitment favors more aggressive retaliation following more informative signals. The intuition is that the ability to commit tilts the defender towards relying on the most informative signals to deter attacks, and any offsetting effects resulting from the increased probability of false alarms are confined to less informative signals.

Note that the following result concerns the defender’s aggressiveness toward any attacker, not only the attacker $$ {i}^{\ast } $$ used to compare $$ s $$ and $$ {s}^{\prime } $$.

Theorem 4 is in broad agreement with recent arguments calling for more aggressive cyberdeterrence (e.g., Hennessy Reference Hennessy2017). One such proposal, due to Clarke and Knake (Reference Clarke2010), calls for holding governments responsible for any cyberattack originating from their territory, whether state sanctioned or otherwise. However, Example 3 shows that improving cyberdeterrence is more subtle than simply increasing aggressiveness across the board. While the optimal policy has the defender retaliate more aggressively after some signals, it does not necessarily involve increased retaliation after every signal. The problem with increased aggressiveness across the board is that it will lead to increased retaliation following relatively uninformative signals (e.g., the simple fact that an attack emanates from servers in Abu Dhabi or China). Increased aggressiveness following such uninformative signals heightens the risk of retaliation against an innocent actor. Moreover, as retaliatory aggressiveness ramps up and deters ever more attacks, this risk becomes greater, as a larger share of perceived attacks will turn out to be false alarms.