This weekend, Nobel laureate John Nash died in a car accident. If there is any theory I could think of that could explain what we’re seeing in international cyber conflict, I believe it’s his theory of non-cooperative games, especially the “Nash equilibrium”. The theory is the centerpiece of Nash’s 30-page inaugural dissertation from 1950, simply titled “Non-Cooperative Games”.

The Nash equilibrium basically expresses that adversaries may arrive at a choice of strategy that minimizes their mutual losses, thereby reaching a stable state.

The subject to which we can apply the theory is international cyber conflict among rational players. As with most approaches from game theory, the behavior of irrational actors is out of scope. A case in point would be North Korea.

It is now well understood that cyberspace has become a new domain in which wealth of substantial dimension is created (and potentially transferred), in which the behavior of individuals and groups, from terrorists to ordinary citizens, may be observed tightly, and in which military operations with potentially decisive results may be executed.

This leads to the insight that nation states cannot ignore the cyber domain in the pursuit of expanding their power. I define cyber power as follows:

Cyber power is the organized capability to use cyber means of exploitation or coercion in international conflict.

Conflict is understood here in the tradition of Thomas Schelling, who viewed conflict as something that should be taken for granted, rather than a pathological state. Exploitation of other nations could then be achieved by stealing intellectual property, which is occurring at a large scale, and coercion could be achieved by threatening or actually executing destructive cyber attacks. Certainly the prerequisite is that targets exist from which marketable intellectual property can be stolen (such as the United States as opposed to countries like Afghanistan or Yemen), and/or that the possibility of destructive cyber attacks poses a significant threat. The latter will only be the case in industrialized countries where economies, civilian and military infrastructure rely on cyber systems. Threatening a destructive cyber attack also is not quite credible if the threat actor is dependent in some way on the threatened systems, like China is dependent on the US economy.

When trying to apply the Nash equilibrium to cyber conflict, I believe it’s mostly about identifying the sweet spots, or red lines. As I see it, the major problem with these red lines is created by the following characteristics of our field:

  • Espionage is an internationally accepted activity.
  • The attack in the cyber domain is a lesser included case of the reconnaissance.

Both statements are actually quotes from Gen. Michael Hayden, one of the founding fathers of cyber warfare.

These two characteristics have the following implications. Since cyber espionage, no matter if on military, civilian, or economic targets, is so much more powerful and cheaper than its pre-digital version, a boost in cyber espionage, or cyber intrusions to be more specific, is bound to occur. What we are presently seeing is that pretty much every nation state (and their dogs) is investing in some kind of hacker army, targeting everything from defense contractors to the most obvious honeypots. For a nation state, it must appear like a no-brainer to invest small change for hacking what may turn out to be juicy targets. After all, it’s an internationally accepted activity. Everybody is doing it, and now even countries with low defense budgets can do it. Actually, even non-state players such as the Islamic State and other well-funded terrorist organizations could, if they chose to.

The second implication is a bit more lucid and alludes to deterrence as explained by Thomas Schelling. And here we get to the point where I believe Nash’s work actually explains what we’re presently seeing in respect to critical infrastructure cyber security. Some aspects of the recent high-profile cyber campaigns against energy infrastructure such as Energetic Bear and Black Energy cannot be explained by the motivation to exploit intellectual property. Au contraire, they can only be explained as a preparation for destruction.

But we haven’t seen such destruction yet. And this is the crucial point. Applying Nash’s theory, it is just not in the best interest of the usual suspects to pull off a cyber strike against US (or European) critical infrastructure. The predictable reaction of the US would be a kinetic counter strike. That given, the most rational behavior of adversaries is to stretch the given constraints just to the red line (application of force) but achieve a deterrent capability (threat of force) within internationally accepted limits.

In a 2011 article, Peter Singer and Noah Shachtman convincingly compared cyber conflict to piracy. Today, I tend to compare it to colonization. Rather than sending a fleet of ships to exploit and coerce foreign nations, today we see cyber intruders being sent out virtually and projecting cyber power. It doesn’t take much to grasp and use the concept, neither intellectually nor technically. Therefore, its use is not limited to potent players such as China and Russia. In the 21st century, it’s the technologically most advanced nations that become digitally colonized by less capable contesters.

And all this is, coming back to Nash, going on in an equilibrium. We are watching intrusions of our most critical systems and extrusions of substantial intellectual property with no good response. Calling cyber intrusions unacceptable would be pretty silly for countries well known for perfecting this very art. So a policy response would have to define a red line for IP theft (such as, stealing the recipe for the Coke syrup is ok, but stealing the whole design of the F-35 fighter jet is not), and another red line for intrusions with destructive potential (such as, intrusions of electrical substations in Cheyenne/WY are tolerable, but in DC they are not). I believe that there are no practical solutions for this.

But should the present digital colonization continue in this kind of Nash’s equilibrium, the following is most likely going to happen. While there is no good red line for the exploitation of intellectual property, the deterrent created by our adversaries to potentially disrupt critical infrastructure and degrade military capabilities by cyber attacks will gradually and in small increments reach a critical threshold just like in the metaphor of boiling a frog. The frog will realize the rise in temperature only when it’s already too late to jump out of the boiling water. The best description of this red line that I have found is by Richard Danzig: “a point where weaknesses in those [critical cyber] systems would likely render the United States unwilling to make a decision or unable to act on a decision fundamental to our national security”.

A rational adversary will attempt to slowly push the US (and other countries as well) just beyond that threshold, leveraging the stability that Nash’s equilibrium provides. The insight to be gained by this thought experiment is pretty clear: The long game will be won by defense.

Ralph Langner