Imagine for a moment that you are a top security officer in the US government, a real Bourne trilogy villain type. You’ve just been handed a briefing on a newly developed cyber weapon. It is specially designed to work its way into the weapons systems of a particularly rambunctious nation and gather valuable intel on their weapons stockpiles and capabilities. The rub? It’s only good for one use. So when do you use this wonder weapon? Well, a new paper out of the Ford School of Policy at the University of Michigan is crossing political science and computer science to help you make those tough decisions.
The article, published this week in Proceedings of the National Academy of Sciences, proposes a model to predict when to best deploy a novel cyber attack.
The director of US National Security, James Clapper, said that cyber security is “first among threats facing America today.” Ongoing cyber conflicts with China led Obama’s National Security Adviser, Tom Donilon, to say that resolving issues of cyber security was the “key to the future” of US-China relations. So understanding which factors go into the decision to use a new cyber weapon is integral to defusing potentially catastrophic situations and protecting nations against possible attacks.
The group designed a formula to help policy makers decide when would be best to use what they call a “zero day exploit.” A zero day exploit is a cyber weapon that makes use of a previously unknown weakness in software or programming. According to the authors, the decision about when to unleash the next Stuxnet (I’ll get to that later) on the world will inevitably come down to a human mind rather than straight number crunching, but their work is meant to “help in making informed choices about the trade-offs involved in such a judgment.”
So what are these trade-offs? The authors used four variables to determine when an attack became viable: the cyber weapons involved, the stealth of each, the persistence of each, and the threshold at which they become acceptable to use.
If a weapon exploits four different weaknesses towards a single end, the threshold will increase, since if the target discovers it, that’s four weaknesses out the window right there.
Stealth refers to how long or how many times a weapon can be used. If your worm can function unseen for months on end, there’s no reason not to use it now, so the threshold drops. If it’s more like a double agent, though, where once it’s been used its cover is blown, the threshold shoots up.
Persistence, on the other hand, refers to how long a weapon will stay viable if it’s not used. How long will that programming backdoor remain unnoticed and unpatched? Will your weapon be usable in a month? A year? Five years? The longer a weapon stays viable, the less the incentive to use it, so as persistence goes up, the threshold goes up too.
When you put all your variables together and run the formula, you end up with a value for your specific situation, which you then compare to your pre-established threshold: the point at which the need for action outweighs the risks.
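The article does not reproduce the authors’ formula, so the block below is an added toy model, not the paper’s own, that makes the qualitative claims above concrete. It assumes a holder of a viable one-shot capability faces a fresh situation each period whose stakes are drawn uniformly from [0, 1] (a constructed distribution), that “stealth” is the probability the capability survives being used, that “persistence” is the probability it survives a period of non-use, and that future stakes are discounted by a fixed factor. Under those assumptions the optimal policy is a threshold rule, and value iteration recovers the threshold; the same arithmetic lets a defender reason about when an adversary holding such a capability becomes likely to act.

```python
"""Toy 'use it now or hold it' model for a single-use cyber capability.

Constructed illustration (not the PNAS paper's formula). Each period a
situation arrives with stakes S drawn uniformly from a grid on [0, 1].
Holding a viable capability, the decision-maker either uses it now
(collecting S) or holds it for a future situation.

  stealth      = probability the capability is still viable after use
  persistence  = probability it is still viable after a period of non-use
  discount     = per-period discount factor (future stakes count slightly less)

The Bellman equation for the value V of holding a viable capability is
  V = E_S[ max(S + discount*stealth*V, discount*persistence*V) ]
so "use now" wins exactly when S > discount*(persistence - stealth)*V.
"""


def stakes_grid(n=101):
    """Constructed stakes distribution: n equally likely values on [0, 1]."""
    return [i / (n - 1) for i in range(n)]


def value_of_viable_weapon(stealth, persistence, discount=0.95, tol=1e-12):
    """Expected discounted payoff of holding a viable capability (value iteration).

    The update is a contraction with modulus <= discount*max(stealth, persistence),
    so it converges for any discount < 1.
    """
    grid = stakes_grid()
    v = 0.0
    for _ in range(100_000):
        payoff_if_used = discount * stealth * v        # keep the weapon only with prob. stealth
        payoff_if_held = discount * persistence * v    # keep it with prob. persistence
        new_v = sum(max(s + payoff_if_used, payoff_if_held) for s in grid) / len(grid)
        if abs(new_v - v) < tol:
            return new_v
        v = new_v
    raise RuntimeError("value iteration did not converge")


def use_threshold(stealth, persistence, discount=0.95):
    """Smallest stakes at which using the capability now beats holding it.

    Higher stealth lowers the threshold (little is lost by using it);
    higher persistence raises it (waiting costs little). If stealth is at
    least as high as persistence there is no reason to wait at all.
    """
    v = value_of_viable_weapon(stealth, persistence, discount)
    return max(0.0, discount * (persistence - stealth) * v)


def decide(stakes, stealth, persistence, discount=0.95):
    """Apply the threshold rule to one concrete situation."""
    return "use now" if stakes > use_threshold(stealth, persistence, discount) else "hold"


if __name__ == "__main__":
    # Sweep the two page variables and print the resulting thresholds.
    print("stealth  persistence  threshold")
    for stealth in (0.0, 0.5, 0.9):
        for persistence in (0.6, 0.9):
            print(f"{stealth:7.1f}  {persistence:11.1f}  {use_threshold(stealth, persistence):9.3f}")
```

Reading the sweep: with persistence fixed at 0.9, raising stealth from 0 to 0.9 drives the threshold from roughly 0.56 down to 0, which is the “no reason not to use it now” case; with stealth fixed, raising persistence pushes the threshold up. Only the ordering matters here, since the numbers depend on the constructed stakes distribution and discount factor.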
To test their formula, the group looked at four case studies of recent cyber attacks: the Stuxnet attack on the Iranian nuclear program, the Iranian attack on Saudi Aramco, everyday cyber espionage from China, and then an economic attack on Japan by China. I’ll just look at two.
Testing 1, 2, 3: Predicting Stuxnet and Saudi Aramco
The Stuxnet incident boils down to a fairly simple narrative: a worm, uploaded through a flash drive at an Iranian nuclear enrichment facility and passed to multiple computers through a shared printer, allowed US programmers to control Iranian centrifuges, damaging 1,000 out of the total 5,000 centrifuges in the plant.
The worm was able to function unseen for 17 months, causing progressive damage rather than widespread immediate damage, meaning it had a high stealth value. But its reliance on multiple weaknesses, any of which could easily be patched before the weapon was used, means it had a low persistence. Combine both of those factors with the fact that the goal of the operation was to stop Iran from obtaining enough enriched uranium to assemble nuclear weapons (so very high stakes), and the model would predict that the Stuxnet worm should have been used as soon as possible. Which is precisely what happened.
The attacks on Saudi Aramco were more or less an Iranian response to the Stuxnet incident, and featured a hasty attack on Saudi and US data, seeking to destroy and manipulate resources to interrupt oil pipelines. While the US Secretary of Defense Leon Panetta called the attack the most destructive cyber attack on the private sector to date, its damage was actually fairly modest. It was not a very stealthy move, and as a result cleanup efforts were already in place within four days.
According to the model, this immediate use of a cyber weapon makes sense, as Iran would have seen this as a situation with very high stakes. Following the Stuxnet attack, Iran needed to make it clear that it would not simply passively accept cyber attacks. Its international reputation was on the line, so immediate action was necessary. The modest efficacy of the response does undermine the message a bit, but according to the model these mistakes would be acceptable given the situation.
The group’s model could also be used to help design cyber defense strategies. Understanding when stakes are high enough to justify risky, one-time cyber attacks could help governments know when to beef up security or keep an eye out (or maybe even start making peace or whatever). According to the authors, their work can also be repurposed towards analyzing economic sanctions and other military operations.