I found a thought-provoking new paper by Robert Axelrod and Rumen Iliev thanks to a tweet by @ironfog:
Nations are accumulating cyber resources in the form of stockpiles of zero-day exploits as well as other novel methods of engaging in future cyber conflict against selected targets. This paper analyzes the optimal timing for the use of such cyber resources. A simple mathematical model is offered to clarify how the timing of such a choice can depend on the stakes involved in the present situation, as well as the characteristics of the resource for exploitation. The model deals with the question of when the resource should be used given that its use today may well prevent it from being available for use later. The analysis provides concepts, theory, applications, and distinctions to promote the understanding strategy aspects of cyber conflict.
While there is some math in it, it’s very approachable and would be a good starter paper for those not used to reading academic articles, and it has a great walkthrough of the problem domain and the development of the model.
The authors use Stuxnet as a case study along with the Iranian attack on Saudi Aramco, and also posit a bit on China’s use of “cyber weapons”.
Hackers (whether criminals, governments or individuals) and security professionals still rely quite a bit on experience-driven intuition to make the vast majority of decisions, but the “cyber” world is getting more complex for all sides, and the development of data-driven security models such as the one outlined in the paper will become increasingly prevalent. This means it’s even more vital for defenders to understand all the factors involved, making gatherings such as the Workshop on the Economics of Information Security (WEIS) almost “must attend” events.
As the paper quoted, “it took a decade and a half after nuclear weapons were first used before a complex strategy for employing them, and better yet, for not using them, was articulated and implemented.” Hopefully we can compress those time frames substantially when it comes to “cyber”.