Logo: to the web site of the Swedish Defence University

fhs.se
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard-cite-them-right
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Cyber Vulnerability Implantation Revisited
Swedish Defence University, Department of Military Studies, Science of Command and Control and Military Technology Division, Military Technology Systems Section.ORCID iD: 0000-0002-4376-9800
Assemblin, (SWE).
2021 (English)In: 2021 IEEE Military Communications Conference (MILCOM), San Diego, November 29-December 2, 2021., Institute of Electrical and Electronics Engineers (IEEE), 2021, p. 464-469Conference paper, Published paper (Refereed)
Abstract [en]

In this paper we revisit a study presented at MILCOM 2014. Our goal then was to determine the utility of implanting a vulnerability into a cybersecurity software protocol to an actor planning to execute an offensive cyber operation. Based on a case study describing the then recently discovered Heartbleed bug as an offensive cyber operation, a model was devised to estimate the adoption rate of an implanted flaw in OpenSSL. Using the adoption rate of the cryptographic protocol Transport Layer Security version 1.2 as a proxy, we predicted that the global adoption of the vulnerability of at least 50% would take approximately three years, while surpassing 75% adoption would take four years. Compared to subsequently collected real-world data, these forecasts turned out to be surprisingly accurate. An evaluation of our proposed model shows that it yields results with a root-mean-square error of only 1.2% over the forecasting period. Thus, it has a significant degree of predictive power. Although the model may not be generalizable to describe the adoption of any software protocol, the finding helps validate our previously drawn conclusion that exploiting implanted cyber vulnerabilities, in a scenario like the one presented, requires a planning horizon of multiple years. However, as society becomes further dependent on the cyber domain, the utility of intentional vulnerability implantation is likely an exercise in diminishing returns. For a defender, however, our model development process could be useful to forecast the time required for flawed protocols to be phased out.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2021. p. 464-469
Series
MILCOM IEEE Military Communications Conference, ISSN 2155-7578, E-ISSN 2155-7586
Keywords [en]
cyber operations, cybercrime, vulnerabilities, exploitation, intelligence, cyber insurance
National Category
Information Systems
Research subject
Systems science for defence and security
Identifiers
URN: urn:nbn:se:fhs:diva-10554DOI: 10.1109/MILCOM52596.2021.9652921ISBN: 978-1-6654-3972-5 (print)ISBN: 978-1-6654-3956-5 (electronic)OAI: oai:DiVA.org:fhs-10554DiVA, id: diva2:1624204
Conference
2021 IEEE Military Communications Conference (MILCOM)
Available from: 2022-01-03 Created: 2022-01-03 Last updated: 2022-01-05Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text

Authority records

Sigholm, Johan

Search in DiVA

By author/editor
Sigholm, Johan
By organisation
Military Technology Systems Section
Information Systems

Search outside of DiVA

GoogleGoogle Scholar

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 462 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard-cite-them-right
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf