Intelligence and impact contests in systems with redundancy, false targets, and partial protection

https://doi.org/10.1016/j.ress.2009.06.010

Abstract

The paper considers a system consisting of identical elements that can be intentionally attacked. The cumulative performance of the system elements should meet a demand. To prevent loss of demand the defender provides system redundancy (deploying genuine system elements (GEs) with cumulative performance exceeding the demand), deploys false elements (FEs), and protects the GEs. If the attacker cannot distinguish GEs and FEs, he chooses the number of elements to attack and attacks these elements at random, distributing his resource evenly among the attacked elements. In order to get information about the system the attacker allocates a part of his resource to intelligence activity. Analogously, the defender allocates a part of his resource to counter-intelligence activity. The attacker's strategy presumes distribution of his resource among the intelligence and attack effort and choice of the number of attacked elements. If the attacker wins the intelligence contest, he can identify both FEs and unprotected GEs, ignoring the former and destroying the latter with negligible effort. The defender's strategy presumes distribution of his resource among the counter-intelligence and the three defensive actions. The paper considers a three-period non-cooperative minmax game between the defender and the attacker and presents an algorithm for determining the agents’ optimal strategies.

Introduction

Improving the reliability of system elements to enhance system reliability, and providing the redundancy by increasing the number of elements have been the main two ingredients of classical reliability theory. Safeguarding against external impacts, and especially against intentional external impacts, becomes increasingly important in system survivability and defense theory. The defender's objective for a system is that it survives and functions reliably under all circumstances. This paper provides the defender with three defense measures to reach this objective. First, the defender can provide system redundancy by deploying separated redundant genuine system elements (GEs) with cumulative performance greater than a demand. This provides the system with the ability to perform its task (meet the demand) when some of the elements are destroyed by an attack. Second, the defender can deploy false elements (FEs) attracting the attacker. The attacker may not have resources to attack all elements, but can be expected to expend resources on both GEs and FEs. The FEs thus reduce the probability that the GEs are attacked. Third, the defender can choose to protect a subset of the GEs, e.g. strengthening the outer shields or providing an antimissile system which reduces the probability of GE destruction given it is attacked. The protected GEs are protected equally much.

It is assumed that both the attacker and the defender have limited and fixed resources. The defender's strategic decision is how to allocate his resource between these three defense measures. The attacker's strategic decision is how many elements to attack. He is assumed to attack each element equally much. He may use his resource to attack few elements, which means much of his resource to each element, or many elements which means less of his resource to each element.

A successful attack on an element destroys this element totally. The destruction of GEs reduces the cumulative system performance. The damage is caused when the cumulative performance decreases below the demand. The destruction of FEs causes no damage. Only damage caused by the attack is considered, without taking into account elements’ failures. This simplification allows a clear understanding of the interrelation between redundancy, protection, and the deployment of FEs.

In this paper we consider the most conservative minmax defender's strategy that minimizes the maximal possible expected damage assuming that the attacker chooses the most harmful strategy in response to any defender's strategy. This is not the only possible approach, but it is considered “particularly appropriate in the design of robust military systems” [1].

The total number of system elements (GEs and FEs) is usually easily observable for the attacker. The attacker can know or correctly guess the numbers of FEs and protected GEs and optimize his attack strategy (number of randomly chosen elements to attack). On the other hand, the attacker can choose the most harmful strategy at random. According to the minmax approach, the defender assumes that the attacker always chooses the strategy that maximizes the expected damage.

If the attacker cannot distinguish GEs and FEs, he chooses the number of elements Q to attack and attacks Q elements at random, distributing his resource evenly among the attacked elements. However, by obtaining intelligence data the attacker can get full information about the system structure. In this case he can identify both FEs and unprotected GEs, ignoring the former and destroying the latter with negligible effort. In order to get information about the system the attacker allocates a part of his resource to intelligence activity. Analogously, the defender allocates a part of his resource to counter-intelligence activity. The attacker's strategy presumes distribution of his resource among the intelligence and attack effort and choice of the number of attacked elements. The defender's strategy presumes distribution of his resource among the counter-intelligence and the three defensive actions. We consider a three-period game where the defender moves in the first period and the attacker in the second and third periods. Aside from the attacker's inability to distinguish protected and unprotected GEs and FEs, we assume that the attacker and the defender have complete information about the game including strategy sets and parameters.

The probability of success of an attack on a protected element is determined by a contest success function, which depends on the relative efforts of the defender and attacker allocated to that element. Intelligence and impact contests can in our view be analyzed as rent-seeking models since high vulnerability and high information about the system structure are objects of value, expressed as rents, which the attacker seeks to obtain, and which the defender seeks to prevent that the attacker obtains. Higher effort yields a larger fraction of the rent, but is also costly.

Rent seeking is different from profit seeking, where agents engage in mutually beneficial transactions to extract value. Rent seeking is also different from joint production and conflict [2] where the rent has to be produced, so the agents allocate resources between production and competing to secure a fraction of their production. This means that this paper does not perceive vulnerability and information as public goods defined as goods that are non-rival (so that consumption by one agent does not reduce consumption by others) and non-excludable (so that no one can be excluded from consumption of the good). Public goods induce incentives for free riding where some agents may be reluctant to incur the costs of ensuring their obtainment. As an example, Sandler [3] describes preemption of terrorism as a public good, since “proactive measures (e.g., preemptive strikes) against terrorists create external benefits for all at-risk nations.” In contrast, we consider the defender and attacker as unitary actors and abstract from the collective action problem associated with the production of public goods.

Contests have variable intensity. Low intensity means that neither the defender nor the attacker can easily get the upper hand. This may be due to lack of decisiveness, fierceness, ability, resources, competence, and due to factors outside the defender's and attacker's control (weather, chance etc.). High intensity gives significant advantage of slight force superiority over one's opponent, which is a characteristic of “winner-take-all” contests. Assuming that the contest intensity may change through the process of separating elements to provide redundancy, Hausken and Levitin [4] determine criteria for how the defender distributes its resource between separation and protecting the elements from outside attacks.

The defender builds the system over time. The attacker takes it as given when he chooses his strategy. Therefore, we analyze a three-period game where the defender moves in the first period, allocating his resource and building the system. In the second period the attacker distributes his resource between the intelligence and attack efforts, which determines the intelligence contest. In the third period the attacker chooses the number of elements to attack, which determines the impact contest based on the outcomes of the first and second periods.

Examples of systems considered are military facilities such as missile launch systems, installations which may or may not produce Weapons of Mass Destruction or nuclear power, headquarters or branch offices for decision making and coordination, power generators, water supply systems, telecommunications centers, or more generally any system which is valuable to a defender. The defender prefers the system to survive. The attacker prefers the system to be destroyed.

The theory of defense against intentional attacks has attracted modest efforts over the last years. It has been common to consider a non-strategic attacker, either by assuming a fixed attack or a fixed attack probability. However, a few contributions have been made. Azaiez and Bier [5] consider the optimal resource allocation for security in reliability systems. They determine closed-form results for moderately general systems, assuming that the cost of an attack against any given component increases linearly in the amount of defensive investment in that component. Bier et al. [6] and Bier and Abhichandani [7] assume that the defender minimizes the success probability and expected damage of an attack. Bier et al. [6] analyze the protection of series and parallel systems with components of different values. They specify optimal defenses against intentional threats to system reliability, focusing on the tradeoff between investment cost and security. The optimal defense allocation depends on the structure of the system, the cost-effectiveness of infrastructure protection investments, and the adversary's goals and constraints.

Bier et al. [8] assume that a defender allocates defense to a collection of locations while an attacker chooses a location to attack. They show that the defender allocates resources in a centralized, rather than decentralized, manner, that the optimal allocation of resources can be non-monotonic in the value of the attacker's outside option. Furthermore, the defender prefers its defense to be public rather than secret. Also, the defender sometimes leaves a location undefended and sometimes prefers a higher vulnerability at a particular location even if a lower risk could be achieved at zero cost. Dighe et al. [9] consider secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence. See also [6], [10], [11], [12], [13], [14], [15], [16].

Accounting more fully for strategic interaction, Enders and Sandler [17] provide an overview of the nature of terrorism, and Sandler and Enders [18] evaluate policy effectiveness and quantify the economic impact of terrorism. More specifically, Arce and Sandler [19] present a model of terrorist attacks as signals where the government is uncertain about whether it faces a politically motivated or militant opponent. They determine two types of ex post regret: P-regret, where the government concedes to political types that would not subsequently attack; and M-regret, where the government does not concede to militant types that subsequently attack at greater levels. They then define a measure of the value of intelligence based on avoiding such regret. Counter-terrorism policy involves whether a government should focus on increased intelligence versus increased security defined as hardening targets. They evaluate the use of asset freezing in terms of the resources required by terrorists to reach objectives. Their article supports the empirical finding of intertemporal substitution of resources by terrorists.

Sandler and Siqueira [20] analyze two anti-terrorism policies when a nation is at risk at home and abroad. The deterrence decision involves external benefits and costs, while preemption typically gives external benefits when the threat is reduced for all potential targets. They show that with damages limited to home interests, a country overdeters. In contrast, for globalized terror, a country underdeters. Furthermore, pre-emption is usually undersupplied. They show that leader–follower behavior decreases deterrence inefficiency, but worsens pre-emption inefficiency, compared with simultaneous-choice allocations. Finally, targeted nations can never achieve the proper counterterrorism policy through leadership.

Siqueira and Sandler [21] analyze a three-stage proactive game with terrorists, elected policymakers, and voters. In each of two countries, a representative voter chooses an elected policymaker who determines proactive countermeasures to reduce a transnational terrorist threat. The voters’ strategic choice is influenced by free riding on the other countries’ countermeasures, and limiting a reprisal terrorist attack. The free riding causes low proactive countermeasures which benefit the terrorists. This gives a delegation problem where leadership by voters has a detrimental consequence on the well-being of targeted countries. The authors finally consider how domestic politics impacts how a terrorist threat is addressed.

Powell [22] shows that in many resource-allocation problems, strategic adversaries move sequentially and are likely to have private information about the effectiveness of their spending. It argues, as the current paper also does, that a defender often has to determine its defense before an attacker decides where to attack. Defenders are also likely to have private information about the vulnerability of the assets they protect. The author argues that sequential decisions and private information about effectiveness cause a dilemma for the defender. Allocating more to a highly vulnerable site reduces the expected losses if that site is attacked, but also draws the attacker's attention, which increases the probability of an attack. Modeling this as a signaling game, the analysis shows that secrecy concerns are generally stronger than vulnerability concerns when more vulnerable sites are weakly harder to protect on the margin. This causes the defender to allocate its resources independently of vulnerability. In contrast, if more vulnerable sites are easier to protect on the margin, vulnerability concerns may be stronger than secrecy concerns.

Powell [23] considers a defender's resource distribution against a strategic adversary in four settings. In the first, resources allocated to protecting one site have as a benchmark no effect on other sites. Second, the defender can allocate resources to border defense, intelligence, or counterterrorist operations which may protect all sites. Third, threats can have strategic and nonstrategic components. Fourth, the defender can be unsure of the terrorists’ preferred targets. The author determines the optimal defense allocation in these four settings.

Realizing that all potential targets cannot be defended, Powell [24] analyzes a defense allocation across multiple sites before an attacker chooses where to attack. As also done in this paper, the defender allocates its resource to minimize the attacker's maximum payoff. The author finds that this defense allocation is unique regardless of whether the game is zero- or nonzero-sum or is static or dynamic.

Levitin and Hausken [25] first considered the optimal resource distribution between providing redundancy and protecting the system elements. Levitin and Hausken [26] considered the efficiency of FE deployment in systems without redundancy. In Levitin and Hausken [27] the optimal resource distribution among all three defense measures was studied; however, the intelligence and counter-intelligence activity was not analyzed. In Levitin and Hausken [28] the simplest problem with an intelligence contest was studied, in which the only decision variables were the parts of the agents’ resources allocated to the intelligence contest. This paper goes a step further by allowing the defender to allocate the defense resources freely between counter-intelligence and defense and among all three defensive measures. The attacker may also not only decide how to distribute the resources between the intelligence effort and the impact, but freely choose the number of attacked elements. This formulation makes the model very close to realistic situations.

The paper makes the simplifying assumption that a system is described as a collection of identical elements. In real-world situations, systems usually consist of different elements placed at different locations, which makes the vulnerabilities of the elements also different (the problem of optimal allocation of the defense resources for non-homogeneous systems has been addressed by Hausken and Levitin [29]). However, to elicit the most general conclusions about the interrelation between the intelligence and impact contests, we make here a non-realistic assumption about system homogeneity.

Section 2 presents the model. Section 3 determines the expected damage in the case when the attacker cannot identify the system elements and chooses elements for the attack at random. Section 4 determines the expected damage in the case when the attacker identifies the system elements and chooses elements for the attack optimally. Section 5 determines the minmax defender's strategy. Section 6 concludes.

Section snippets

Basic definitions and notation

performance: quantitative measure of task performing intensity of element or system (capacity, productivity, processing speed, task completion time etc.)
demand: required level of performance
performance redundancy: surplus performance that allows the system to meet a demand even if part of the elements is incapacitated (destroyed);
genuine system element (GE): lowest-level part of the system characterized by performance G and cost x;
false element (FE): imitation of GE that has actual performance 0 and cost

Attacker cannot identify system elements

If the attacker loses the intelligence contest, he cannot identify system elements, and attacks QU ≤ N+F elements. The attacker cannot distinguish protected and unprotected GEs and FEs before the attack, therefore he chooses QU out of N+F elements at random. The attacked unprotected GEs are destroyed with probability 1.

According to the defender's worst scenario assumption, even when the attacker loses the intelligence contest and attacks the elements at random, he chooses the number of attacked
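The random-attack case above can be worked through numerically. The Python below is an added example, not code from the paper: it enumerates how many unprotected and protected GEs fall among the Q attacked elements and finds the Q that is worst for the defender. It assumes a ratio-form contest success function with intensity `m`, takes the protection effort per GE as a fixed input, and uses the probability of losing the demand in place of the paper's expected-damage formula, none of which appear on this page.

```python
from math import comb

def hit_distribution(N, K, F, Q):
    """P(u unprotected and p protected GEs are among Q elements picked
    uniformly at random from N GEs (K of them protected) plus F FEs)."""
    total = comb(N + F, Q)
    dist = {}
    for u in range(min(N - K, Q) + 1):
        for p in range(min(K, Q - u) + 1):
            f = Q - u - p                      # false elements attacked
            if f <= F:
                dist[(u, p)] = comb(N - K, u) * comb(K, p) * comb(F, f) / total
    return dist

def prob_demand_lost(N, K, F, Q, v, G, demand):
    """Probability that surviving GE performance drops below the demand.
    v (assumed name): chance that an attacked protected GE is destroyed.
    Attacked unprotected GEs are destroyed with probability 1."""
    loss = 0.0
    for (u, p), pr in hit_distribution(N, K, F, Q).items():
        for j in range(p + 1):                 # j of the p protected GEs destroyed
            if (N - u - j) * G < demand:
                loss += pr * comb(p, j) * v**j * (1 - v)**(p - j)
    return loss

def ratio_csf(attack_effort, defense_effort, m=1.0):
    """ASSUMPTION: ratio-form contest success function with intensity m."""
    if attack_effort == 0:
        return 0.0
    if defense_effort == 0:
        return 1.0
    a, d = attack_effort**m, defense_effort**m
    return a / (a + d)

def worst_case_Q(N, K, F, attack_resource, defense_per_ge, G, demand, m=1.0):
    """Minmax view: the attacker spreads his resource evenly over Q elements
    and picks the Q that maximizes the defender's loss probability."""
    def loss(Q):
        v = ratio_csf(attack_resource / Q, defense_per_ge, m)
        return prob_demand_lost(N, K, F, Q, v, G, demand)
    best = max(range(1, N + F + 1), key=loss)
    return best, loss(best)

if __name__ == "__main__":
    # Constructed numbers: 3 protected GEs, demand needs 2 of them,
    # attacker resource 6, protection effort 2 per GE.
    for F in (0, 3):
        Q, p = worst_case_Q(N=3, K=3, F=F, attack_resource=6,
                            defense_per_ge=2, G=1, demand=2)
        print(f"F={F}: worst-case Q={Q}, P(demand lost)={p:.4f}")
```

With these constructed numbers, adding three FEs moves the attacker's best choice from Q=3 to Q=6 and roughly halves the worst-case loss probability, because his effort per element is diluted across decoys; the cost of the FEs to the defender's budget is not modelled here.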

Attacker can identify system elements

If the attacker wins the intelligence contest, he can identify system elements, and can also identify which K GEs are protected. This means that he has perfect knowledge about the system structure. In this case he ignores the FEs, destroys all N−K unprotected GEs using negligible resources and concentrates his effort on attacking QI out of K protected GEs choosing QI that maximizes the expected damage. The probability that exactly j protected GEs are destroyed given QI protected GEs are

Determining the minmax defense and attack strategy

The defender chooses N, F, K, z in the first period. The attacker chooses Z in the second period, and QU and QI in the third period. The defender assumes that the attacker can identify all the system elements with probability ε determined by (2). In both cases (when the attacker can and when he cannot identify the elements) it is assumed that the attacker is able to choose the number of attacked elements that maximizes the expected damage. Weighting (8), (11) with the probabilities ε and 1−ε,

Conclusion

The paper presents a model of system defense against strategic intentional attacks. A system consists of identical elements. The cumulative performance of these elements should meet a demand. The defender applies different actions in order to reduce a damage associated with system performance reduction below the demand that is caused by an external attack. There are three types of the defensive actions: providing system redundancy (deploying genuine system elements (GEs) with cumulative

Acknowledgement

We thank two anonymous referees of this journal for useful comments.

References (32)

  • K. Hausken et al. Efficiency of even separation of parallel elements with variable contest intensity. Risk Analysis (2008)
  • N. Azaiez et al. Optimal resource allocation for security in reliability systems. European Journal of Operational Research (2007)
  • Bier VM, Abhichandani V. Optimal allocation of resources for defense of simple series and parallel systems from...
  • V.M. Bier et al. Choosing what to protect: strategic defense allocation against an unknown attacker. Journal of Public Economic Theory (2006)
  • N. Dighe et al. Secrecy in defensive allocations as a strategy for achieving more cost-effective attacker deterrence. International Journal of Performability Engineering, special issue on System Survivability and Defense against External Impacts (2009)
  • V.M. Bier. Game-theoretic and reliability methods in counter-terrorism and security
