Is Finding Security Holes a Good Idea?
IEEE Security and Privacy
Trends in Process Control Systems Security
IEEE Security and Privacy
An inquiry into the nature and causes of the wealth of internet miscreants
Proceedings of the 14th ACM conference on Computer and communications security
Optimal Policy for Software Vulnerability Disclosure
Management Science
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
The security cost of cheap user interaction
Proceedings of the 2011 workshop on New security paradigms workshop
Proceedings of the 2011 workshop on New security paradigms workshop
| Hi-index | 0.00 |
As information security shifts from the realm of computer science to national security, the priority for safe and secure systems will be balanced against the appeal of using information insecurity as a strategic asset. In "cyber war", those tasked with defending friendly computer networks are also expected to exploit enemy networks. This paper presents two game-theoretic models of vulnerability discovery and exploitation, where nations must choose between protecting themselves by sharing vulnerability information with vendors or pursuing an offensive advantage while remaining at risk. One game describes a cold war of stockpiling, the other allows for actual attack. In both models, we predict that at least one state will have an incentive to pursue an aggressive cyber war posture, rather than secure its own systems. This finding -- that a mutually defensive approach to security is not a stable equilibrium -- holds up under a range of assumptions about social risk of cybercrime, technical sophistication, military aggressiveness and the likelihood of vulnerability rediscovery. We conclude with a discussion of the security policy implications of a militarized cyberspace