Media contact: Alexander Furnas,, 734-239-5505

When Chinese hackers stole information about 21 million federal employees, how did the United States decide how to respond? What factors did they consider when Russians dove into Democratic National Committee servers and leaked information during the U.S. presidential campaign?

A new study by U-M political scientists uses game theory to model how countries decide to respond to cyber attacks-- that is, whether it’s best to attribute blame, to retaliate, or to just keep quiet.

Although we are often easily able to trace the area of origin of a cyber attack, determining whether the hackers were acting on behalf of their nation or on their own is much more difficult, say reachers Alexander Furnas and Robert Axelrod of U-M, along with Benjamin Edwards of IBM Research and Stephanie Forrest at University of New Mexico. This uncertainty makes it difficult for the victim to decide how to respond: Should they blame the other country and risk making a mistaken accusation, which might further inflame tensions? Or should they let the action go, and risk emboldening the attackers?

The research, which is published this month in Proceedings of the National Academy of Sciences, helps determine when it’s rational to attribute blame--and when it’s better to let the attack go. To determine this, researchers set up a game theory model pitting two kinds of attackers against two kinds of victims. The attackers are either vulnerable or not vulnerable. A vulnerable actor has a more tenuous position in the world, and their reputation would be damaged if their attack came to light. A non-vulnerable actor is either sophisticated enough to escape detection, or powerful enough that their global position is secure. The victims in the model either know the attacker is vulnerable or they don’t.

Using this model, Furnas and his team concluded that if an attacker is not vulnerable, there is little that the victim can do to prevent the attack. However, if the attacker is vulnerable, retaliating by attacking in kind or simply by assigning blame publicly could prevent future attacks.

For example, the United States chose to publicly call out the Chinese hackers who compromised federal employees’ data, possibly because it didn’t want to respond in kind but still wanted to decrease the possibility of a future attack.

The game theory model also predicts that in a case where the attacker is not vulnerable and public outcry is low, the victim might choose to remain quiet about a hack, so as to avoid revealing information about its own technical abilities--which could make it look weak or ineffectual to its citizens or other nations.

“The difficulty of attribution in cyber conflict calls into question our prior understanding of effective deterrence,” says Furnas. “In contrast to conventional or nuclear conflict, where the attacker is clearly observable, in cyber conflict, uncertainty over the identity of an attacker and the cost of mistaken blame or reprisal can lower countries’ effective deterrence abilities. Our model identifies key parameters of the technical, political and strategic environment that foreign policy and cyber defense decisionmakers must consider when determining a response to an attack. One important implication of our model is that the more the attribution environment of cyber conflict can be made to mimic that of conventional kinetic conflict, the more effectively actors will be able to engage in mutual deterrence.”

Read the full paper at Proceedings of the National Academy of Sciences.