Limiting the undesired impact of cyber weapons: technical requirements and policy implications.

There has been much public rhetoric on the widespread devastation of cyber weapons. We show that contrary to the public perception - and statements from some political and military leaders cyber weapons not only can be targeted, they have been used in just such a manner in recent years. We examine the technical requirements and policy implications of targeted cyberattacks, discussing which variables enable targeting and what level of situation-specific information is required for such attacks. We also consider technical and policy constraints on cyber weapons that would enable them to be targetable. Precise targeting requires good technical design. The weapon must be capable of precise aim, rather than affecting any computer within reach. Precise targeting also requires good intelligence. The attacker must have sufficiently detailed knowledge of the target's environment to avoid accidental damage to other machines, including ones that depend indirectly on the targeted ones. To avoid accidental damage to other machines, including machines that depend indirectly on those targeted, the attacker must have highly detailed knowledge of the target's environment. If imprecise targeting is defined to include other damage ultimately traceable to the initial use of a cyber weapon, proliferation becomes an issue. We consider proliferation in two ways: immediate and time-delayed (the latter could occur through repurposing of the weapon or the weapon's techniques). The nonproliferation objective has a broad meaning, for it includes not only preventing others from using code snippets and information on zero days, but also preventing the employment of useful attack techniques and new classes of attack. Preventing opponents from repurposing cyber weapons is not solely through technical means, such as code obfuscation, but also through policy measures such as disclosure. As a result, while some of the nonproliferation effort falls to the attacker, some must be handled by potential victims.