Sociotechnical Cybersecurity Speaker Series: Coercion in Cyberspace: A Model of Extortion via Encryption
Event Start Date: Wednesday, March 15, 2023 - 4:00 pm
Event End Date: Wednesday, March 15, 2023 - 5:00 pm
Location: Hybrid: UMCP Campus (Hornbake South, Room 2119) + Online EST
Coercion using cyber capabilities is often thought to be difficult due to a severe tradeoff between the need to credibly demonstrate capability versus the need to maintain a covert presence until the final payload is dropped. I argue that such assessments may be premature considering the logic behind the success of ransomware, which extorts victims by using encryption to deny access to critical systems or information. The coercive logic of ransomware does not come from the power to hurt held in reserve, but from the application of costs up front followed by a promise to stop. At the same time, ransomware contains distinguishing features such as reversibility and backups that depart from models of torture or bombing campaigns that similarly rely on flow costs. I present a formal model of coercion via encryption based on a modified attacker-defender game. Under complete information, the defender always acquiesces given the demand is priced optimally, but the probability of attack is decreasing in the amount of demand that can be extracted in the mixed-strategy equilibrium. All else equal, backups favor the defender by reducing equilibrium demand. An extension concerning a bombing campaign scenario shows that the ability of encryption to reverse damage rather than to destroy the defender’s asset increases equilibrium demand that can be extracted and resolves credibility concerns. Features such as costless and automatic application of flow costs and resolution of the hostage’s commitment problem after release enhance credibility. This discussion will provide a counterexample to the claim that cyber weapons are poor tools of coercion, and that cyber coercion depends on situational variables rather than universal features of the cyber domain itself.
Jenny Jun is a Research Fellow at the Center for Security and Emerging Technology (CSET) and Ph.D. Candidate in the Department of Political Science at Columbia University. She also serves as a Nonresident Fellow at the Atlantic Council’s Cyber Statecraft Initiative. Her current research explores the dynamics of how coercion works in cyberspace. Her broader interests include cyber conflict, North Korea, and security issues in East Asia. Jenny is a co-author of the 2015 Center for Strategic and International Studies (CSIS) report North Korea’s Cyber Operations: Strategy and Responses, published by Rowman & Littlefield. She has presented her work on North Korea’s cyber operations at various panels and has provided multiple government briefings and media interviews on the topic. She received her M.A. and B.S. from the Security Studies Program (SSP) and the School of Foreign Service (SFS) at Georgetown University, respectively.