IT-based applications, and may—or may not—change dramatically in the future, especially in relation to the defensive capabilities available to potential victims. That is, offensive capabilities are likely to grow for all of the reasons described in Section 2.2, but defensive capabilities are also likely to grow because IT vendors are placing more emphasis on security to meet the growing criminal threat.

A second important point is that the security configuration of any given cyber target is also subject to very rapid change, and the vulnerabilities on which cyberattacks depend are sometimes easily fixed by the defender. A system administrator can close down unused access points with a few keystrokes. A patch can repair a security flaw only a few seconds after it is installed. A new security scan can discover and eliminate a malicious software agent in a few minutes. Responding to a security warning, an administrator may choose to strengthen security by deliberately degrading system functionality (e.g., reducing backward compatibility of applications that may also be associated with greater vulnerability).

Even worse from the standpoint of the attacker, all such changes in security configuration can occur without notice. (Such changes are analogous to randomly changing the schedule of a guard.) Thus, if a specific computer system is to be targeted in a cyberattack, the attacker must hope that the access paths and vulnerabilities on which the cyberattack depends are still present at the time of the attack. If they are not, the cyberattack is likely to fail.

(These considerations are less significant for a cyberattack in which the precise computers or networks attacked or compromised are not important. For example, if the intent of the cyberattack is to disable a substantial number of the desktop computer systems in a large organization, it is of little consequence that any given system is invulnerable to that attack—what matters is whether most of the systems within that organization have applied the patches, closed down unneeded access points, and so on.)

Finally, if a cyberattack weapon exploits a vulnerability that is easily closed, a change in security configuration or posture can render the weapon ineffective for subsequent use. This point is significant because it means that an attacker may be able to use a given cyberattack weapon only once or a few times before it is no longer useful. That is, certain cyberweapons may well be fragile.

2.4 CHARACTERIZING AN INCOMING CYBERATTACK

As noted in Chapter 1, the definition of active defense involves launching a cyberattack as a defensive response to an incoming cyberattack.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.