CyberattacksEstimating the best time to launch a cyberattack

Published 14 January 2014

Of the many tricks used by the world’s greatest military strategists, one usually works well — taking the enemy by surprise. It is an approach that goes back to the horse that brought down Troy. But surprise can only be achieved if you get the timing right. Timing which, researchers at the University of Michigan argue, can be calculated using a mathematical model — at least in the case of cyber-wars. “The question of timing is analogous to the question of when to use a double agent to mislead the enemy, where it may be worth waiting for an important event but waiting too long may mean the double agent has been discovered,” the researchers say.

University of Michigan researchers have developed new ways to analyze Internet security risks by creating a mathematical model that can predict when a cyberattack may be launched.

Robert Axelrod, professor of political science and public policy at U-M’s Ford School, and Rumen Iliev, postdoctoral research fellow at the school, created the model to help develop a basis for understanding the strategic implications of cyber technology.

Focusing on the timing of cyber conflict, their model analyzes when an attacker is most motivated to exploit vulnerabilities in a target’s computer system for espionage or disruption.

One of our major contributions is to develop some concepts to deal with this new realm of cyber conflict,” Axelrod said. “It took 15 years in the nuclear world for people to understand the implications of nuclear technology. It is our hope that it won’t take that long to understand the strategic capabilities of cyber technology.”

A University of Michigan release reports that they developed two concepts. One is stealth, which is the ability of a resource to exploit a vulnerability in a target’s computer system to stay undiscovered if it is used. The other is persistence, which is to keep the vulnerability undiscovered if it isn’t used.

A good resource should have both stealth and persistence,” Iliev said. “The less persistent a resource is, the sooner (it should be used) lest the vulnerability is fixed before (there’s) a chance to exploit it.”

They illustrate their model using four case studies, including the Stuxnet attack on Iran’s nuclear program and the Iranian cyberattack on the energy firm Saudi Aramco.

We also hope this will encourage other efforts to study these things in a rigorous way,” Axelrod said. “There’s a lot of discussion about cyber problems, but it’s so new that the language isn’t established. People use the word attack to mean anything from stealing a credit card number to sabotage of an industrial system.”

— Read more in Robert Axelrod and Rumen Iliev, “Timing of cyber conflict,” Proceedings of the National Academy of Sciences(6 December 2013)