The reaction to flaws in computer software and hardware has traditionally been defensive, seeking to correct errors and protect assets against potential threats. Alternatively, these vulnerabilities can also be exploited for offensive gains in cyber operations. The overall utility of this type of cyber operation must consider the potential benefit relative to the potential costs of not correcting a potentially harmful flaw. These costs can include economic outcomes, as well as impacts on human lives, or political ends, such as the security and stability of states.
Sigholm and Larsson use the Heartbleed vulnerability as a case example and develop the situation as though the vulnerability was intentionally implanted to reach an intended target. Three different scenarios are explored for the rate of adoption of the flawed software, with time to reach global (100%) adoption representing the probability of target compromise. If the vulnerability is adopted by 100% of users, the intended target has been reached, whereas if 50% of users adopt the vulnerability, the probability that the intended target is reached is 50%.
In the first scenario, the rate of adoption of the vulnerability is similar to the actual initial spread of the Heartbleed vulnerability. With that assumption, the vulnerability is adopted by 91% of users within four years. The second scenario assumes a high adoption rate and reaches 100% of users in 39 months. The third scenario, deemed the most realistic, uses an initially high but decreasing rate of adoption, affecting 76% of users at four years. Under all scenarios, more than half of all users will have adopted the vulnerability after three years, and more than three quarters after four years.
Vulnerabilities can be leveraged for military use, but only when time is plentiful. The spread of vulnerabilities is a slow process, so not a viable strategy for time-sensitive operations. The lack of precision results in a large number of potentially critical systems being vulnerable increasing the risk of collateral damage. Before implanting or exploiting a vulnerability, military operations must also consider and mitigate the risks of collateral damage, including to critical infrastructure or services and threats to the general public.
When considering the overall utility of leveraging a cyber vulnerability for military effect, it is important to evaluate ways to mitigate adverse impacts. These impacts should include determining whether deliberately concealing risk to the public will affect other social goals, such as accountability or democratic aims.
Implanted vulnerabilities are a slow and imprecise tool for compromising targets and the use of such tools should be weighed against the increased risk to society.