Andrew Krepinevich of the CSBA released today a report on cyber warfare, which mostly deals with the question of whether cyber-weapons-of-mass-destruction should be taken as seriously as nukes. His short answer: this is powerful stuff, but not that powerful, which is partly why he thinks we're more likely to have to deal with big cyber attacks than loose nukes. His argument is built on three factors (neatly summarized in his introduction):
Attribution is difficult. Cyber weapons are almost never traceable, which complicates the return targeting solution, so to speak. That considerably raises the likelihood that the offending party can get away with it, which in turn can only increase the likelihood of the eventual attack.
Proliferation is easy. Actually, it's so easy that we're almost surprised when we discover something like Stuxnet, pretty clearly the work of a government, and not just some miscreant gang. So there will be plenty of comers, whether governments, gangs, "cyber patriots" or would-be Bond villains.
Firebreaks are lacking. With nukes, Herman Kahn's stages of nuclear escalation aside, there's either an explosion or there's not. Whether it's attributable is another question, unless it came on a ballistic missile, but there's definitely a big, smoking hole in the ground somewhere to get one's attention. With cyberweapons, it's a range, really, from some pointless hacking on one end to much worse than some exploding centrifuges on the other. So the point at which you've irritated your opponent to the point of soliciting a vicious beat-down is less clear. Again, that only points to a greater likelihood of attacks meant to cause damage under that threshold, wherever it might be.
Those are some important hallmarks of cyber weapons, and Krepinevich's release of the report today reminded me of some advice I had provided earlier this summer for a US congressional committee on the economics of cyber weapons. Knowing what questions to ask the generals, admirals, and air marshals appearing before committees and subcommittees about their tanks, ships, and planes is old hat for parliamentarians everywhere—even if the quality of the answers varies widely across time, space, and technologies. Knowing what to ask the geeks and spooks who show up asking for money for malicious code is rather a newer problem. So I provided some thoughts, the summary of which follows. If I were asking the questions, I'd want to know about the following:
Testing. If we want to test, say, a precision weapon that will be dropped from an airplane, we can rig up a test on a weapons range. That doesn't effectively simulate an opponent actively jamming and shooting at the ingressing airplane, but there's definitely a hole in the ground, somewhere, afterwards. If you're testing a cyber weapon, in theory you can rig up a synthetic environment to attack, but we'll be wondering for a long time just how much more or less realistic that environment is than the range. So far, I don't expect that anyone has a good answer to that.
Battlefield Experience. That lack of answers stems partly from the paucity of historical experience with how these things work and don't work. So it's just a big uncheckable box in the analysis plan, and it's likely to remain so for some time. If, however, it was your geeks behind Stuxnet or whatever's next, you can at least ask for their after-action report. The effects on the enemy may or may not be observable, but the effects on everyone else (see below) will have been meticulously documented in the press and by cyber security firms.
Surgicality. As we saw in the Stuxnet case, cyber weapons can, with enough information, be targeted at individual pieces of equipment within individual facilities. And as we also saw, those things can escape into the wild, given just "one idiot with a thumb drive" (as I read the line once on Ars Technica). It's also notable that the surgicality is likely inversely related to the cost of the weapon: the more targeted, the more expensive (see below for more on costs). This is mostly the reverse from physical weapons—guided bombs and missiles, for example, are more expensive by the round, but by saving on all those unguided rounds that would go astray, and the extra aircraft to deliver them, they actually turn out to be more economical than dumb bombs. It's not necessarily that way with cyber weapons.
Durability. This could be one of the most notable differences economically between cyber and physical weapons. As frequently as computer operating systems are updated, money sunk into developing a cyber weapon should show a high depreciation rate. That rate can even go stepwise as major desktop and industrial operating system upgrades roll out. Some military aircraft and ships may last for decades, but cyber weapons will likely have much shorter shelf-lives.
Cost Structure. Consequently, I would want to know the relationship forecast between non-recurring and recurring costs in development of succeeding generations of weapons. Are chunks of code reusable, or does that practice just alert defenses as to what's coming? If it's more the latter, the economics of these things get challenging. Of course, if the budget requested is modest anyway, then paying the costs repeatedly over the years may seem affordable, depending on just what you're trying to do, and when.
Opponents. The other dramatic difference comes in just whom you're fighting through to your target. It could literally be your own people, depending on just how far that little packet of code travels. During the Stuxnet episode, Symantec was quite clear that it serves its clients, regardless of nationality, against any possible threats, and Kaspersky Labs seems to have the same policy. Try to shut down efforts like those, whatever invocations or threats a government might manage, and anonymity is gone for the attacker.
Safeguards. Given these problems, if I were approving these things, I'd want a whole team of geeks and economists behind me helping get at whether the next new thing is going to melt the brain of my wireless on its way to destroying some gas pipeline. I can imagine that a significant portion of the development cost may be associated with the failsafes around the thing. In this way, the line between weapons of mass and targeted destruction could be thin.
And yes, you may take this as a transparent plug for my services in this field, but I need to advertise somewhere. If Krepinevich is right, this is a pretty big deal, and if billions will be spent on defenses, at least many millions will go into the weapons themselves. Even forecasting the potential damage is a worthwhile endeavor just for boosting resiliency and responsiveness.
Jim Hasik +1-512-299-1269 www.jameshasik.com