Flaws in computer software or hardware that are as yet unknown to the public, known as zero-day vulnerabilities, are an increasingly sought-after resource by actors conducting cyber operations. While the objective pursued is commonly defensive, as in protecting own systems and networks, cyber operations may also involve exploiting identified vulnerabilities for intelligence collection or to produce military effects. The weapon zing and stockpiling of such vulnerabilities by various actors, or even the intentional implantation into cyberspace infrastructure, is a trend that currently resembles an arms race. An open question is how to measure the utility that access to these exploitable vulnerabilities provides for military purposes, and how to contrast and compare this to the possible adverse societal consequences that withholding disclosure of them may result in, such as loss of privacy or impeded freedom of the press. This paper presents a case study focusing on the Heart bleed bug, used as a tool in an offensive cyber operation. We introduce a model to estimate the adoption rate of an implanted flaw in Open SSL, derived by fitting collected real-world data. Our calculations show that reaching a global adoption of at least 50 % would take approximately three years from the time of release, given that the vulnerability remains undiscovered, while surpassing 75 % adoption would take an estimated four years. The paper concludes that while exploiting zero-day vulnerabilities may indeed be of significant military utility, such operations take time. They may also incur non-negligible risks of collateral damage and other societal costs.

Hypertext Transfer Protocol Secure (HTTPS) is the de facto standard for secure end-to-end web communication. However, numerous flaws discovered during recent years, such as Apple’s “goto fail” bug, and cryptographic weaknesses as illustrated by the Poodlebleed vulnerability, have brought the efficiency of the mostly self-regulated web security market into question. In this cross-disciplinary paper, the authors survey some 160.000 HTTPS-enabled servers among popular web sites over a time period of three years. The research question is what effect the introduction of best practices and vulnerability publication have on web server security in the form of protocol support. Main findings include that (i) insecure configurations, although well known, can remain widespread for over a decade, (ii) the introduction of best practices affect the decline of insecure configurations only moderately, whereas highly publicized security flaws have a significant impact, and (iii) economic incentives for website owners to provide secure services are weak, motivating such other levers of influence as legislation or blocking of noncompliant sites.

In this paper we revisit a study presented at MILCOM 2014. Our goal then was to determine the utility of implanting a vulnerability into a cybersecurity software protocol to an actor planning to execute an offensive cyber operation. Based on a case study describing the then recently discovered Heartbleed bug as an offensive cyber operation, a model was devised to estimate the adoption rate of an implanted flaw in OpenSSL. Using the adoption rate of the cryptographic protocol Transport Layer Security version 1.2 as a proxy, we predicted that the global adoption of the vulnerability of at least 50% would take approximately three years, while surpassing 75% adoption would take four years. Compared to subsequently collected real-world data, these forecasts turned out to be surprisingly accurate. An evaluation of our proposed model shows that it yields results with a root-mean-square error of only 1.2% over the forecasting period. Thus, it has a significant degree of predictive power. Although the model may not be generalizable to describe the adoption of any software protocol, the finding helps validate our previously drawn conclusion that exploiting implanted cyber vulnerabilities, in a scenario like the one presented, requires a planning horizon of multiple years. However, as society becomes further dependent on the cyber domain, the utility of intentional vulnerability implantation is likely an exercise in diminishing returns. For a defender, however, our model development process could be useful to forecast the time required for flawed protocols to be phased out.

In the modern era, understanding the costs and implications of conflict extends beyond traditional kinetic boundaries into the cyber realm. While economic analysis has historically been concerned primarily with the state’s ability to sustain and engage in physical warfare, recent research has begun to quantify the additional societal and collateral costs. To shed light on the total costs of the use of cyber weapons and capabilities, we argue that a comprehensive analysis must be done using econometric tools. This paper describes two important tools in this toolkit, counterfactual analysis and bottom-up accounting, in the context of cyber conflict. It discusses how significant collateral costs manifest in the inadvertent aftermath of vulnerability stockpiling for use in cyber weapons, coupled with the losses and thefts of these resources. Such incidents represent not only a direct financial burden but also erode the trust and goodwill of nations who do not disclose the discovered vulnerabilities. Finally, multiple data sources and bottom-up accounting techniques are used to conduct a case study estimating the aggregate societal cost of cyber conflict in the Ukrainian war between late 2013 and 2020. The aggregate cost of the 76 recorded cyberattacks is estimated to be approximately $160M. Finally, counterfactual analysis is concluded to face significant data availability challenges preventing high quality synthesis of the two methods described.