New cyber-attack model helps hackers time the next Stuxnet

Disabling a country’s electricity with the click of a button. usairforce

Of the many tricks used by the world’s greatest military strategists, one usually works well – taking the enemy by surprise. It is an approach that goes back to the horse that brought down Troy. But surprise can only be achieved if you get the timing right. Timing which, researchers at the University of Michigan argue, can be calculated using a mathematical model – at least in the case of cyber-wars.

James Clapper, the director of US National Security, said cybersecurity is “first among threats facing America today,” and that’s true for other world powers. In many ways, it is even more threatening than conventional weapons, since attacks can take place in the absence of open conflict. And attacks are waged not just to cause damage to the enemy, but often to steal secrets.

Timing is key for these attacks, as the name of a common vulnerability – the zero-day attack – makes apparent. A zero-day attack refers to attacking a vulnerability in a computer systems on the same day that the vulnerability is recognised, when there is preparedness to defend against attack. That is why cyber-attacks are usually carried out as soon as a cyber-weapon is ready and before an opponent has the time to fix its vulnerabilities.

As Robert Axelrod and Rumen Iliev at the University of Michigan write in a paper just published in the Proceedings of the National Academy of Sciences, “The question of timing is analogous to the question of when to use a double agent to mislead the enemy, where it may be worth waiting for an important event but waiting too long may mean the double agent has been discovered.”

Equations are as good as weapons

Axelrod and Iliev decided the best way to answer the question of timing would be through the use of a simple mathematical model. They built the model using four variables:

  1. Cyber-weapons exploit a specific vulnerability.

  2. Stealth of the weapon measures the chance that an enemy may find out the use of the weapon and take necessary steps to stop its reuse.

  3. Persistence of the weapon measures the chance that a weapon can still be used in the future, if not used now. Or, put another way, the chance that the enemy finds out their own vulnerability and fixes it, which renders the weapon useless.

  4. Threshold which defines the time when the stakes are high enough to risk the use of a weapon. Beyond the threshold you will gain more than you will lose.

Using their model, it is possible to calculate the optimum time of a cyber-attack:

When the persistence of a weapon increases, the optimal threshold increases – that is, the longer a vulnerability exists, the longer one can wait before using it.

When the stealth of a weapon increases, the optimal threshold decreases – the longer a weapon can avoid detection, the better it is to use it quickly.

Based on the stakes of the outcome, weapon must be used soon (if stakes are constant) or later (if the stakes are uneven). In other words, when the gain from an attack is fixed and ramifications are low, it is best to attack as quickly as possible. When the gain is high or low and ramifications are high, it is best to be patient before attacking.

How to plan the next Stuxnet