Skip to main content

Cybersecurity Dilemma in the Context of Game Theory

The constant threat of cyberattacks by other states or state-sponsored actors is forcing countries to reevaluate their national security stances. In an article for the Council on Foreign Relations, Harvard fellow Ben Buchanan formulated what he calls a “cybersecurity dilemma,” a concept that builds upon the infamous security dilemma in international relations. The basic idea of the security dilemma is that countries increase their military capabilities over time, and that causes other states to feel threatened. Even if a state is building up military power for defensive purposes, others may misinterpret and distrust it. They develop a feeling of insecurity that leads them to two options: defense or preemption. In the first case, state A detects that state B is increasing its military strength and responds by strengthening its defenses. In the latter case, state A responds to state B with preemptive (aggressive) actions, which can include mobilization of forces, preemptive air strikes and other actions that further escalate the situation. The key point here is that state A’s reaction is likely to cause a counteraction from the state that began the original process (state B), thus leading to a cycle of escalation and, potentially, war. Ironically, neither state was interested in starting a war, but B’s increasingly defensive posturing led to unintended complications.

According to Buchanan, the same problem now exists in the world of cybersecurity. He prefaces his argument by showing that cyber operations can be both offensive and defensive. The value of adversarial cyberattacks is clear — states can spy, steal information, cause disruptions and combine digital and traditional military actions. The defensive value is performing counterintelligence and, most importantly, getting information on your opponent’s capabilities to prevent intrusions and secure one’s own systems. This is where the “cybersecurity dilemma” really emerges, because “not only might an offensive contingency plan be misinterpreted, but something that is genuinely defensive in intent can be as well.” If a state detects a foreign cyber operation on its network, it may react in an aggressive fashion and cause an aggressive counter-reaction from the intruder-state that may have been doing this for defensive purposes only. “As more nations develop more potent cyber capabilities, the problem will get worse.”

We can look at the problem (and potential solutions) of the cybersecurity dilemma through the lens of Game Theory. Given two states (A and B), and two options (defensive and offensive actions), we can construct a Game Theory table and see why nations get trapped in a cycle of escalation.

D – defensive actions

O – offensive actions

State A (below)/State B (to the right)






O 6,0


If state B chooses defense –> State A chooses offense because 6>5.

State B chooses offense –> State A chooses offense because 1>0.

Similarly, if state A chooses defense –> State B chooses offense because 6>5.

State A chooses offense –> State B chooses offense.

Based on this analysis, both states will consider offense to be their dominant strategy. Regardless of what state B chooses, state A will be better off on offense, and the same case is true from B’s perspective. There is a Nash equilibrium in cell (O, O). The paradox here is that both states would be better off defending, rather than engaging in cyberattacks. When both choose offense (the equilibrium state) thus decimate each other’s payoff to a score of 1, instead of 5.

One potential solution to this problem seems to lie in the power of diplomacy. If state A had a way to verify, or at least trust state B’s actions, then the probability of misinterpretation would decline. Countries that lack trust-based relationships have an incentive to choose offensive actions, because it is their dominant strategy. However, diplomacy can change the payoff matrix. If states can find a way to resolve disputes and verify each other’s actions through diplomatic means, then they improve the (D, D) cell. Moreover, positive diplomatic relations can also decrease the payoff for the (O, O) cell, because both countries would have extensive knowledge of each other’s strengths and weaknesses, as well as strategies. This means that neither country would be able to start a war with the other without tremendous losses. Thus, diplomacy can help shift the Nash equilibrium toward the (D, D) cell. That would lead both states to change their dominant strategy.

Sources: 1) 2)


Leave a Reply

Blogging Calendar

September 2017
« Aug   Oct »