Would a 'Cyber Warrior' Protect Us? Exploring Trade-Offs Between Attack and Defense of Information Systems

"Recent reports to address cybersecurity risks have focused on leveraging the immense technical capacity of the American intelligence community to protect the nation's information technology infrastructure, and to project power in a new domain. This creates a potential conflict of interest: the joint duties of breaking into foreign systems while securing our own raises questions about competing goals. This paper highlights that tension, and introduces two game-theoretic models of the strategic decisions faced in security vulnerability discovery and disclosure. The country must both protect itself in the new domain and pursue an offensive advantage while still remaining at risk. One game describes a cold war of stockpiling, while the other allows for actual attack. In both models, we predict that at least one state will have an incentive to pursue an aggressive cyber war posture, rather than secure its own systems."