Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications

Abstract

Can cyber weapons be precisely targeted or are they inherently indiscriminate and what are the implications for compliance with international law? This paper hopes to start a public discussion of the question by showing how they should be designed.We begin by considering what should be done technically and what policy issues should be part of the considerations in the design and deployment of cyber weapons. The fact that cyber weapons can be narrowly targeted is crucial to their use, especially, although not only, outside of a war scenario. In this paper we examine the technical requirements and policy implications of targeted cyber attacks. Contrary to public perception (as well as statements from some political and military leaders), cyber weapons not only can be targeted, a number of successful ones have already been so. By examining previous attacks so as to discern what technical attributes enables attacks to be targeted, we show that variables include whether the attack is autonomous or manually directed and what level of situation specific information is required for the attack. We next consider technical and policy constraints on cyber weapons that would enable them to be targetable. We examine direct and indirect effects of such weapons, and what variables affect precise targeting.If targeting includes other damage traceable to the initial use of a cyberweapon, proliferation becomes an issue. By this definition, if one country's use leads to another country using the same attack or tools, that is itself imprecise targeting. We consider two different types of proliferation: immediate proliferation and a somewhat time-delayed proliferation that could occur through repurposing of the weapon or the weapon's techniques. The nonproliferation objective has a broad meaning, for it includes not only preventing others from using code snippets and information on zero days, but also using profitable attack techniques and new classes of attack. Thus preventing opponents from repurposing cyber weapons is not solely through technical means, such as code obfuscation, but also through such policy measures as disclosure so that those who might be harmed by proliferation will not be. We observe that as a result, while some of the nonproliferation effort falls to the attacker, some must be handled by potential victims, a rather interesting turn of events.