Just in:
Simplified Business Moves for Al Reem Island Firms // Following the Money Trail: US and UK Investigate $20 Billion in USDT Transfers Tied to Sanctioned Russian Exchange // Sharjah Chamber Breaks Ground on Final Expansion with New HQ Pact // Infineon and HD Korea Shipbuilding & Offshore Engineering jointly develop ship electrification technology // Digital Hub Unveiled: Xposure Launches Platform for Global Photography Community // Emirati Aid Reaches Ukraine as Food Shortages Bite // New Nylon Constant Torque Hinge From Southco Provides Position Control In A Compact Package // Experience Ultimate Shopping Freedom at 4.4 Shopee Spree: Don’t Worry, Shop Shopee! // First-Ever Fortune Innovation Forum Draws Top Global Leaders to Hong Kong, Promoting Agendas On Collective Cross-Sector Advancement // Universal Language for Healthcare: General Authority Embraces Global Coding System // U.S. Compliance Takes Center Stage at OKX Following Industry Jitters // Saudi Arabia Unveils Green Financing Tool to Achieve Net-Zero Goals // TUMI Hosts Global Launch Event in Singapore to Unveil Women’s Asra Collection and Announce Global Ambassador, Mun Ka Young // Melco Style Presents “SANRIO CHARACTERS STUDIO CITY CARNIVAL” – Explore a SANRIO World of Unlimited Love and Cuteness // Samsung Electronics Launches 2024 Neo QLED 8K, Neo QLED, and OLED Displays to Spark the AI Screen Era // Global Audience to Witness Thrill of Dubai World Cup // Andertoons by Mark Anderson for Thu, 28 Mar 2024 // Hong Kong Crypto Exchange Application Stalled by US Lawsuit // US reiterates concern over Kejriwal arrest, Cong accounts // French Leaders Gather for Interfaith Iftar Dinner //
HomeBiz TechHow Much Does a Cyber Weapon Cost? Nobody Knows

How Much Does a Cyber Weapon Cost? Nobody Knows

1480431358 RTR4RMW1 RPG

CFR Cyber RPG Net Politics
People have a general idea of how much a rocket-propelled grenade costs. What about a cyber weapon? (Baz Ratner/Reuters),

Max Smeets is a D.Phil candidate and research affiliate of the Cyber Studies Programme at the University of Oxford. His work analyzes the proliferation of cyber weapons.

Can a non-state actor take down critical infrastructure with a cyberattack? If it is not possible today, will it be possible in the future? Experts disagree about the capabilities of non-state actors in cyberspace, let alone agree on their future capability.

ADVERTISEMENT

There is debate within cybersecurity community and academia whether cyber weapons are getting cheaper and thus within the reach of the self-proclaimed Islamic State or other non-state groups. Although there is some general consensus that offensive cyber operations will be less expensive in the future, there is very little understanding of what influences the cost of a cyber weapon. Making sense of the inputs and defensive environment that drive the cost of a cyber weapon is essential to understanding what actors—whether state, non-state, or criminal—will attain what kinds of cyber capability in the future.

There are four processes that make cyber weapons cheaper. First, labor becomes more efficient; attackers become more dexterous in that they spend less time learning, experimenting, and making mistakes in writing code. The observation has been made that Iranian cyber activities are not necessarily the most sophisticated. Yet, since the Shamoon virus wiped the hard drives of 30,000 workstations at Saudi Aramco in 2012, there have been significant improvements in their coding. Whereas Shamoon contained at least four significant coding errors, newer malware seems to be more carefully designed.

Second, developers standardize their malware development process and become more specialized. Some parts of cyber weapons have become increasingly standardized, such as exploit tool kits, leading to an increase in efficiency. The growth of offensive cyber capabilities in militaries allows for greater specialization in cyber weapon production. The U.S. Cyber Command now has 133 teams in operation, making it easier to dedicate specialized units to specific types of cyber operations—even if these units need to be integrated within a general force structure. According to one report, Russia was able to do the same thing for its cyber campaigns against Ukraine.

Third, reusing and building upon existing malware tools allows attackers to learn to produce cyber weapons more cost effectively. The wiper cases Groovemonitor (2012), Dark Seoul (2013), and Destover (2014) are illustrative of this process. Actors who seem to have relatively limited resources have in recent years been getting more bang for their buck.

Fourth, there are shared experience effects, which allow lessons from one piece of malware to shed light on other offensive capabilities. Cyber weapons are generally part of a large collection of capabilities—sharing vulnerability, exploits, propagation techniques, and other features. Stuxnet’s ‘father’, for example, is thought to be USB worm Fanny, and Stuxnet has also been linked to espionage platforms like Duqu, Flame, miniFlame, Gauss, and Duqu 2.0.

ADVERTISEMENT

In sum, many of the drivers that can make cyber weapons cheaper come from ‘experience’ and ‘learning curve’ effects, where malware developers learn from the work of others.

Although attackers might rejoice at the prospect of weapons getting cheaper, there are significant barriers that can hamper the cost reduction. The defensive measures put in place as a result of advanced persistent threats have forced attackers to develop more complex capabilities to remain effective. Although it is still the case that most computer breaches could have been avoided by simple patching, basic measures such as network segmentation, firewall implementation, and the use of secure remote access methods are becoming increasingly common. Furthermore, IT security professionals communicate more regularly with management about cyber threats than they did a decade ago.

At a recent Royal United Services Institute conference, a military cyber commander clearly stated that the main problem for conducting effective operations is “people, people, people.” For a government, attracting the brightest minds does not come cheap—especially when a person has the opportunity to work in the private sector for a much higher salary. Historically, foreign intelligence agencies have needed foreign language professionals. Today, they need people able to interpret and write code. However, since coding is a highly transferable skill, these people are able to switch to the private sector easily—making the government’s job of retaining them much harder.

Finally, a cyber weapon program requires continuous production, not just intermittent projects. The malleability of cyberspace gives these weapons a highly transitory nature; they’re only effective for a short while. Therefore, the development of cyber weapons must be unceasing and resources must be constantly available. Ideally, cyber weapons would be produced on an assembly line, ensuring that when one weapon becomes ineffective, the next can be put to use. However, it is hard to estimate the costs of maintaining a cyber capability. Because vulnerabilities can be patched, cyber weapons can suddenly lose their effectiveness, unlike traditional weapons where their effectiveness decays over time.

In 2006, sixty-one years after the first atomic bomb was dropped on Hiroshima, Robert Harney and his colleagues published “Anatomy of a Project to Produce a First Nuclear Weapon.” They outlined almost 200 tasks required to produce a nuclear weapon. Undertaking a similar exercise to identify the costs and barriers to the development of a cyber weapon may be challenging considering the rapid pace of technological change, but it should be done nonetheless. Until military strategists, policymakers and intelligence officials understand the cost drivers for cyber weapons, they will not have any basis to claim whether cyber tools are getting cheaper or who can access them. In other words, unless policymakers have a better understanding of the cost of a cyber weapon, they won’t be able to know whether the Islamic State has the capability to develop and deploy one.

CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR’s guidelines and will be moderated prior to posting.

Source link

ADVERTISEMENT

ADVERTISEMENT