particularly appealing to subnational groups, such as terrorist or criminal organizations, or—in the absence of specific legal prohibitions against such actions—to underfunded government agencies.
Availability. The underlying technology for carrying out cyberattacks is widely available, inexpensive, and easy to obtain. Software packages embedding some of the technology for carrying out cyberattacks are available on the Internet, complete with user manuals and point-and-click interfaces. The corollary is that government has no monopoly on cyberweapons or over expertise. Private businesses and private individuals can own or control major cyberweapons with significant capability, but the same tends to be less true of kinetic weapons, citizen-built truck bombs notwithstanding.
The previous section addresses the basic technologies of and approaches to cyberattack. This section considers the operational implications of using cyberattack. Both nation-states and hackers must grapple with these implications, but the scope of these implications is of course much broader for the nation-state than for the hacker.
Although the ultimate objective of using any kind of weapon is to deny the adversary the use of some capability, it is helpful to separate the effects of using a weapon into its direct and its indirect effects (if any). The direct effects of using a weapon are experienced by its immediate target. For example, the user of a kinetic weapon seeks to harm, damage, destroy, or disable a physical entity. The indirect effects of using that weapon are associated with the follow-on consequences of harming, damaging, destroying, or disabling a physical entity, which may include harming, destroying, or disabling other physical entities—a runway may be damaged (the direct effect) so that aircraft cannot land or take off (the indirect effect). This distinction between direct and indirect effects is particularly important in a cyberattack context.
By definition, cyberattacks are directed against computers or networks. The range of possible direct targets for a cyberattack is quite broad and includes (but is not limited to) the following: