Scientists help hackers pick perfect moment to attack
Researchers have created a mathematical model to help hackers calculate the optimal moment to launch a cyber attack against a victim and inflict the most damage.
The scientists from the University of Michigan claim that many nations are accumulating stockpiles of “zero-day exploits”, which are flaws in computer systems not yet discovered by anyone else, and sitting on them until they are needed. Their research looks at the best moment to use these against an enemy.
“New vulnerabilities in computer systems are constantly being discovered. When an individual, group, or nation has access to means of exploiting such vulnerabilities in a rival’s computer systems, it faces a decision of whether to exploit its capacity immediately or wait for a more propitious time,” says the paper, published in the Proceedings of the National Academy of Sciences of the United States of America.
The model weighs up the risk of using one of these attacks, knowing that this may lead to a patch being developed to render it useless in the future, and waiting until the perfect moment to use it knowing that at any point the vulnerability could be discovered and fixed before it is used.
It is further complicated by the bounties that are offered by software manufacturers for these zero-day exploits to help them improve the security of their code. Although details are often kept secret it is thought that the most valuable of these exploits can earn rewards of up to $100,000.
The model takes all of these factors into account and judges the optimal strategy. Case studies included in the research included the Stuxnet attack on Iran’s nuclear program, the Iranian cyber attack on the energy firm Saudi Aramco and the persistent cyber espionage carried out by the Chinese military. All of these highly organised attacks seemed to exhibit optimal timing, they found.
The paper was written by University of Michigan political scientist Robert Axelrod, who has worked with the UN, the World Bank and the US Department of Defense, and postdoctoral research fellow Rumen Iliev.
"One of our major contributions is to develop some concepts to deal with this new realm of cyber conflict," said Axelrod.
"It took 15 years in the nuclear world for people to understand the implications of nuclear technology. It is our hope that it won't take that long to understand the strategic capabilities of cyber technology.
"We also hope this will encourage other efforts to study these things in a rigorous way. There's a lot of discussion about cyber problems, but it's so new that the language isn't established. People use the word attack to mean anything from stealing a credit card number to sabotage of an industrial system."