The Perfect Time for Cyber Attacks: In a Mathematical Formula
Researchers at the University of Michigan have come up with a mathematical model that they say determines the most advantageous time for hackers to launch a cyber attack. The research could be used to help cybersecurity defenders be on alert at the right time and prepare for future attacks.
The study, published as "The Timing of Cyber Conflict," in the Proceedings of the National Academy of Sciences, details the precise timing needed to take advantage of so-called "zero-day exploits," which are flaws in the data security systems of computer software and networks that are not publicly known.
"The world's economy and international security have come to depend upon a secure internet," state the researchers. "International rivalries and conflicts have already proven challenges to Internet security in the form of espionage, sabotage, and denial of service," or DDoS, attacks. "New vulnerabilities in computer systems are constantly being discovered," continued the researchers. "When an individual, group or nation has access to means of exploiting such vulnerabilities in a rival's computer systems, it faces a decision of whether to exploit its capacity immediately or wait for a more propitious time."
That timing is what coauthors Robert Axelrod and Rumen Iliev believe they have uncovered in a formula. The formula looks like this: "V = Pr(s≥T) [G(T) + w S V] + [1 - Pr(s≥T)] w P V." Translated into English, it says that the value (V) of a cyber attack actually occurring is based on the stealth of an attack on a vulnerability, how likely that vulnerability is to continue, the reusability of the attack, and the threshold for use (the total gain, or damage, the attack could bring). "Stealth and persistence determine the minimum stakes required to justify an attack," Axelrod told Popular Mechanics.
This means that if a hacker finds a vulnerability that can be exploited without being detected, he may immediately attack. He's also more likely to attack sooner if the vulnerability is likely to be discovered and fixed. But if a cyber bug is likely to cause a long-term vulnerability, the hacker may wait until the most opportune situation to use it.
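The formula can be solved for V and scanned over thresholds to see the behaviour described above. This Python sketch is an added example, not code from the article or the paper; it assumes S is the chance the capability survives being used (stealth), P the chance it survives a period unused (persistence), w a per-period discount weight, G(T) the average gain when stakes reach T, and a constructed stakes distribution of 1 to 6, each equally likely.

```python
# Added illustration: solve V = Pr(s>=T)[G(T) + w*S*V] + [1 - Pr(s>=T)]*w*P*V
# for V, then scan thresholds T. Symbol readings and stakes are assumptions.

STAKES = [1, 2, 3, 4, 5, 6]  # constructed: each stake level equally likely


def value(T, S, P, w=0.9, stakes=STAKES):
    """Expected value V of the policy 'act only when stakes s >= T'."""
    hits = [s for s in stakes if s >= T]
    if not hits:
        return 0.0  # threshold is never reached, so nothing is ever gained
    pr = len(hits) / len(stakes)        # Pr(s >= T)
    gain = sum(hits) / len(hits)        # G(T): mean gain given s >= T
    keep = w * (pr * S + (1 - pr) * P)  # discounted chance the flaw survives
    if keep >= 1:
        raise ValueError("V diverges: need w < 1 or some chance of loss")
    # V = pr*gain + keep*V  =>  V = pr*gain / (1 - keep)
    return pr * gain / (1 - keep)


def best_threshold(S, P, w=0.9, stakes=STAKES):
    """Threshold with the highest V (the lowest T wins ties)."""
    return max(sorted(set(stakes)), key=lambda T: value(T, S, P, w, stakes))


if __name__ == "__main__":
    cases = [
        ("high stealth, low persistence", 0.9, 0.1),
        ("equal stealth and persistence", 0.5, 0.5),
        ("low stealth, high persistence", 0.1, 0.9),
        ("single use, never patched", 0.0, 1.0),
    ]
    for label, S, P in cases:
        T = best_threshold(S, P)
        print(f"{label:32s} S={S} P={P} -> T*={T}, V={value(T, S, P):.2f}")
```

With these inputs the best threshold is 1 in the first two cases and rises to 4 and 5 in the last two: the longer an unused flaw is expected to last relative to a used one, the higher the stakes have to be before use is rational.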
Outside factors can play a role in the timing of a cyber attack as well, and the researchers cited the Stuxnet worm attack on the nuclear facilities of Iran. That attack, though made rather immediately without the need for an outside international crisis to sanction it, was still perfectly rationally timed, according to the formula. In that case, the Stuxnet attack required several different vulnerabilities to be in place, and while it was quite sophisticated and difficult to detect, the most rational decision was to attack as soon as possible - especially with the prospect of impeding enriched arms-grade nuclear material from making it into the hands of the Iranian government as the payoff.
But in other cases, it might be more rational to wait and therefore get more value out of an attack after the stakes grow. That prospect is something that Axelrod and Iliev's formula haunts us with, because you never know what bugs might be buried deep in the system.