In the hopes of helping defend against national security threats, the National Academy of Sciences may have brought us one step closer to developing a formula that can be used to determine when a target is most vulnerable to a cyber-attack.
This is the latest development in an escalating digital arms race between nations, hackers, and private companies. The research paper is entitled "Timing Of Cyber Conflict," and the formula is as follows:
V = Pr(s≥T) [G(T) + w S V] + [1 - Pr(s≥T)] w P V
Simple enough, right? According to authors Robert Axelrod and Rumen Iliev of the University of Michigan, the formula hinges on three basic variables:
- Persistence: the probability of a given exploit remaining viable if an attacker refrains from using it.
- Stealth: the probability of an exploit remaining usable after it’s used.
- Threshold: the conditions under which it is worthwhile to carry out an attack.
But the paper isn’t just a breakdown of mathematics and case studies. Axelrod and Rumen allude to the stockpiling of zero-day exploits and other cyber resources being conducted by nations—a practice we know the U.S. government to engage in, thanks to NSA documents leaked by Edward Snowden.
In fact, Stuxnet, the 2010 virus used in an attack designed to delay Iran’s nuclear program—and reported to be developed jointly by the United States and Israel—could arguably mark the moment the new digital Cold War went public. Now, digital stockpiles are being built up instead of nuclear ones, but this time it’s different: Anyone can potentially have an arsenal of exploits at their command, not just the world’s superpowers. And as the world economy increasingly relies on a secure Internet, mutually assured destruction has taken on a devastating new meaning.
To that end, there are a number of businesses that thrive on finding and selling exploits to interested parties. Security expert and former Washington Post reporter Brian Krebs cites Stephen Frei, research director of information security company NSS Labs, whose work is instructive in the proliferation of zero-day exploits:
According to Frei, if we accept that the average zero-day exploit persists for about 312 days before it is detected (an estimate made by researchers at Symantec Research Labs), this means that these firms probably provide access to at least 85 zero-day exploits on any given day of the year. These companies all say they reserve the right to restrict which organizations, individuals, and nation states may purchase their products, but they all expressly do not share information about exploits and flaws with the affected software vendors."
Frei’s research resulted in a study called "The Known Unknowns", in which he finds evidence that "privileged groups have the ability to compromise all vulnerable systems without the public ever being aware of the threats."
And that’s before you even start to consider the criminal element.
Ultimately, according to Frei’s work, a formula for calculating when an attack is most likely to happen won’t do much to upset the balance of power. Because we’re already compromised, the only way to be truly secure is by assuming we never will be—we just need to get better at discovering when we’ve been exploited.
And so the arms race continues.