When we talk about cyber weapons, a point that often gets missed is that because cyber is a domain, there are many forms weapons can take. There is an inherent tendency to focus on the muskets of cyber: the virus, the trojan, and other network-delivered tools. There is also a tendency to focus on the tactics that are the World War 1 trench warfare version of cyber conflict. Specifically, the development of a wedge through the use of a zero-day exploit, expending that exploit against a target creating an access, and then operationalizing that exploited adversary’s systems. Cyber is a domain, and should reflect a much more varied set of weapons and techniques.
I’ve talked at other times about cyber weapons and how there are three generations of them. I want to focus on what they look like in a spectrum. Much like the land domain, there are weapon systems that are basically a form of rifled munitions. They come in sizes wholly inadequate for waging war, like a .25 caliber pea shooter. And there is the nearly theater-spanning German Krupp railway gun. These are both weapons, but with radically differing kinetic effects. Similarly, we should see a difference in cyber weaponry, and this gets lost in the policy discussion.
Every one of the domains has a particular flavor for conflict, but in cyber the technologies of weapons development are almost as arcane as the concepts of gun-smithing were for the land domain. Rifled munitions were part of the land domain, and similarly they also were used in the domain of the sea. Once again we shouldn’t be surprised to see similar weapons systems being used in multiple domains. I think cyber weapons most assuredly will span multiple domains too. Or, at least the effects will.
Earlier I referred to the idea of the virus and trojan as the muskets of the cyber domain. They are easily countered once detected. They represent the first step in many forms of cyber engagement. They are likely the earliest cyber weapons developed. After the virus and trojan we start discussing systems of systems analysis. The use of vulnerabilities within systems, such as cross-site scripting or SQL injection, represents systems of systems analysis. The exploit in these cases is how the system was designed more than what it was designed with. The system is being used exactly as it was designed, for a purpose nobody realized was possible.
We can quibble over the accuracy of the depiction, but what we’re building is a weapons hierarchy. DLL injection used without a virus would be an example of a direct attack against the processing elements of a computer system. At some point we start breaking these attacks down to the trajectory (network), the bullet (storage), and the charge/powder (processing) requirements. This isn’t an elegant discussion of the issues, but it is a necessary discussion.
There are real and significant differences between types of weapons. There is a serious level of conflation that occurs when pundits state that cyber weapons are like nuclear weapons; though in a few cases that might be true, it is not likely true in a multitude of cases. As the Internet of Things and hyper connectivity in general take shape, there will be new undiscovered attack paths not currently even being considered. A topic for another time perhaps. What is obvious at this time is that there is a predominant focus on the transport (trajectory) rather than the bullet or target. There is less concern for the difference between a club and a howitzer and more concern that they are both on land. This is a serious issue for consideration of the strategic impacts of cyber weapons. The map is not the terrain and the target is not the weapon.