particularly appealing to subnational groups, such as terrorist or criminal organizations, or—in the absence of specific legal prohibitions against such actions—to underfunded government agencies.

  • Availability. The underlying technology for carrying out cyberattacks is widely available, inexpensive, and easy to obtain. Software packages embedding some of the technology for carrying out cyberattacks are available on the Internet, complete with user manuals and point-and-click interfaces. The corollary is that government has no monopoly on cyberweapons or over expertise. Private businesses and private individuals can own or control major cyberweapons with significant capability, but the same tends to be less true of kinetic weapons, citizen-built truck bombs notwithstanding.


The previous section addresses the basic technologies of and approaches to cyberattack. This section considers the operational implications of using cyberattack. Both nation-states and hackers must grapple with these implications, but the scope of these implications is of course much broader for the nation-state than for the hacker.

The Effects of Cyberattack

Although the ultimate objective of using any kind of weapon is to deny the adversary the use of some capability, it is helpful to separate the effects of using a weapon into its direct and its indirect effects (if any). The direct effects of using a weapon are experienced by its immediate target. For example, the user of a kinetic weapon seeks to harm, damage, destroy, or disable a physical entity. The indirect effects of using that weapon are associated with the follow-on consequences of harming, damaging, destroying, or disabling a physical entity, which may include harming, destroying, or disabling other physical entities—a runway may be damaged (the direct effect) so that aircraft cannot land or take off (the indirect effect). This distinction between direct and indirect effects is particularly important in a cyberattack context.
Direct Effects33

By definition, cyberattacks are directed against computers or networks. The range of possible direct targets for a cyberattack is quite broad and includes (but is not limited to) the following:


Much of the discussion in this section is based on National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington D.C., 2007.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement