# Equation determines the optimal moment for a cyber attack

Two researchers have developed a mathematical model for discovering the optimal moment to deploy specific cyber weapons in their arsenal.

In a research paper recently published in the Proceedings of the National Academy of Sciences (PNAS), Robert Axelrod, Professor of Political Science and Public Policy at the University of Michigan, and postdoctoral research fellow Rumen Iliev have described the equation they created and the things it takes into consideration:

• The weapon’s stealth, i.e. the probability that if you use it now it will not be detected and will still be usable in the next time period
• The weapon’s persistence, i.e. the probability that if you refrain from using it now, it will still be usable in the next time period
• The value of the weapon, which is directly tied to its stealth and persistence
• The current and likely future stakes
• The threshold of stakes that will cause you to use the weapon
• The discount rate – a reflection of the fact that a given payoff is worth less a year from now than it is today.

“Both stealth and persistence depend not only on the resource itself, but also on the capacity and vigilance of the intended target,” they explained. “The stealth of a resource used against a well-protected target is likely to be less than the stealth of the same resource against a target that is not particularly security conscientious. Likewise, a resource will typically have less persistence against a target that keeps up-to-date on security patches than one that does not.”

The equation shows a number of (fairly obvious) things. For one, the more stealthy the weapon, the better it is to use it sooner rather than later. Secondly, the more persistent the weapon is, the longer its use can be postponed.
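To see how those two effects fall out of the listed quantities, and how a target's patching and detection shift them, here is an added example that is not code from the paper or from this article. It assumes a simple discounted-value recursion built from stealth, persistence, threshold and discount rate, with a constructed, uniform set of stakes; all names and numbers are illustrative.

```python
# Added illustration. The recursion is an assumption built from the quantities
# the article lists; it is not an equation printed on this page.

STAKES = [1, 2, 3, 4, 5, 6]  # constructed sample: each stake equally likely per period


def value(threshold, stealth, persistence, discount, stakes=STAKES):
    """Expected discounted value of a resource under the policy
    'use it whenever the current stakes are >= threshold'.

    Solves V = gain + discount * survive * V for V.
    """
    if not 0 <= discount < 1:
        raise ValueError("discount must be in [0, 1)")
    used = [s for s in stakes if s >= threshold]
    p_use = len(used) / len(stakes)
    gain = sum(used) / len(stakes)  # Pr(use) * E[stakes | use]
    # The resource survives to the next period with probability `stealth`
    # if it was used, and `persistence` if it was held back.
    survive = p_use * stealth + (1 - p_use) * persistence
    return gain / (1 - discount * survive)


def best_threshold(stealth, persistence, discount, stakes=STAKES):
    """Threshold that maximises the value; a lower threshold means earlier use."""
    candidates = sorted(set(stakes))
    return max(candidates,
               key=lambda t: value(t, stealth, persistence, discount, stakes))


if __name__ == "__main__":
    cases = [
        ("good stealth, poor persistence", 0.8, 0.2),
        ("poor stealth, good persistence", 0.2, 0.9),
        ("same, but stealth raised", 0.5, 0.9),
        ("same, but target patches (persistence cut)", 0.2, 0.5),
    ]
    for label, stealth, persistence in cases:
        t = best_threshold(stealth, persistence, discount=0.9)
        print(f"{label}: wait for stakes >= {t}")
```

In this toy setting, cutting persistence from 0.9 to 0.5 (a target that patches promptly) drops the threshold from 4 to 2: the holder of the resource has less reason to wait.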

The researchers tested their model on past attacks – Stuxnet, the Iranian attack on Saudi Aramco, and your garden-variety, everyday Chinese cyber espionage – and it has proven true, they claim.

The Stuxnet worm had low persistence because it used four different zero-day exploits, and it was designed to be very stealthy. The stakes were high: it was better to delay Iran’s ability to attain enough enriched uranium for nuclear weapons than to throw wrenches in their plans later.

“Our model predicts that a resource like Stuxnet that was expected to have poor persistence and comparatively good stealth would be used as soon as possible, and certainly in a high-stakes situation. This is apparently just what happened,” they pointed out.

In Saudi Aramco’s case, the weapon used wasn’t stealthy, but the stakes were high enough to warrant swift action, which was, again, what happened.

On the other hand, Chinese cyber espionage campaigns are usually not performed at the optimal moment, but it’s difficult to say why. “Second-guessing a nation’s choice is always problematic,” the researchers noted.

“This paper clarified some of the important considerations that should be taken into account in any decision to use a method of exploiting a target’s vulnerability. The focus has been on optimal timing for such use,” the researchers shared.

“This kind of analysis can help users make better choices and help defenders better understand what they are up against. In some situations, one may want to mitigate the potential harm from cyber conflict, and in other situations, one may want to harness the tools of cyber conflict. In some cases, one might want to do both. In any case, an important step is to understand the logic inherent in this new domain.”