The evolution of malicious software (“malware”) has proceeded so rapidly since the invention of the first computer virus three decades ago that the question is not whether but when a computer system will face a cyber attack. Such attacks were once masterminded by computer hackers, but mounting evidence suggests nation-states now also conduct cyber attacks and stockpile methods for future cyber incursions. Both to “mitigate the harm” of cyber conflict and “harness the capabilities it can provide,” Robert Axelrod and Rumen Iliev report in an Early Edition PNAS paper their mathematical investigation into the optimal timing of a cyber attack.
Such attacks are termed “Offensive Cyber Effects Operations” (OCEO) within a classified document that was released by Edward Snowden, published by the Federation of American Scientists, and cited by the study authors. The optimal timing of OCEO is analogous “to the question of when to use a double agent to mislead the enemy,” the authors write. That makes the study relevant both to the attacker and to the defender, the authors argue, for estimating “how high the stakes have to be in order for the offense to exploit an unknown vulnerability.”
In their mathematical model, the authors make several assumptions that they admit are limitations and, in turn, suggest their model could be improved by applying a game-theoretic approach. Nevertheless, formalizing the definitions of and relationships between parameters such as stealth, persistence, and the threshold of stakes that prompt a cyber attack, the authors found their model in line with the timing of the Stuxnet attack on Iran’s nuclear enrichment plant at Natanz and the subsequent Iranian attack on Saudi Aramco. The model did not make as much sense of either China’s presumed persistent cyber espionage or China’s economic coercion of Japan—both of which are denied by Chinese officials—but the authors admit that “second-guessing a nation’s choice is always problematic” so there may be other parameters affecting those decisions.
As with other mathematical models of human decision-making, knowledge of the model itself may affect the model’s usefulness, because knowing and using the model may inform future decisions. However, the start of such model-making about when to launch cyber attacks may prompt ever more complex models, as the authors note happened with strategies surrounding the deployment of nuclear weapons. The end result of that increasing complexity may be that, as with nuclear weapons, nation-states devise strategies to avoid rather than deploy cyber attacks, focusing instead on harnessing the power of cyber-warfare technology for peaceful purposes.