In a research paper recently published by Proceedings of the National Academy of Sciences (PNAS), Professor of Political Science and Public Policy at the University of Michigan Robert Axelrod and postdoctoral research fellow Rumen Iliev have described the equation they created and the things it takes in consideration:
- The weapon's stealth, i.e. the probability that if you use it now it will not be detected and will still be usable in the next time period
- The weapon's persistence, i.e. the probability that if you refrain from using it now, it will still be useable in the next time period
- The value of the weapon, which is directly tied with its stealth and persistence
- The current and likely future stakes
- The threshold of stakes that will cause you to use the weapon
- The discount rate - a reflection of the fact that a given payoff is less a year from now than it is today.
The equation shows a number of (fairly obvious) things. For one, the more stealthy the weapon, the better is to use it sooner rather than later. Secondly, the more persistent the weapon is, the longer its use can be postponed.
The researchers tested their model on past attacks - Stuxnet, the Iranian attack on Saudi Aramco, and your garden-variety, everyday Chinese cyber espionage - and has proven true, they claim.
The Stuxnet worm had low persistence because it used four different zero-day exploits, and it was designed to be very stealthy. The stakes were high: it was better to delay Iran's ability to attain enough enriched uranium for nuclear weapons that throw wrenches in their plans later.
"Our model predicts that a resource like Stuxnet that was expected to have poor persistence and comparatively good stealth would be used as soon as possible, and certainly in a high-stakes situation. This is apparently just what happened," they pointed out.
In Saudi Aramco's case, they weapon used wasn't stealthy, but the stakes were high enough to warrant swift action, which was, again, what happened.
On the other hand, Chinese cyber espionage campaigns are usually not performed at the optimal moment, but it's difficult to say why. "Second-guessing a nationís choice is always problematic," the researchers noted.
"This paper clarified some of the important considerations that should be taken into account in any decision to use a method of exploiting a targetís vulnerability. The focus has been on optimal timing for such use," they researchers shared.
"This kind of analysis can help users make better choices and help defenders better understand what they are up against. In some situations, one may want to mitigate the potential harm from cyber conflict, and in other situations, one may want to harness the tools of cyber conflict. In some cases, one might want to do both. In any case, an important step is to understand the logic inherent in this new domain."