Change search
ReferencesLink to record
Permanent link

Direct link
Determining the Utility of Cyber Vulnerability Implantation: The Heartbleed Bug as a Cyber Operation
Swedish National Defence College, Department of Military Studies, Military-Technology Division.ORCID iD: 0000-0002-4376-9800
2014 (English)In: Military Communications Conference (MILCOM), 2014 IEEE, IEEE conference proceedings, 2014, 110-116 p.Conference paper (Refereed)
Abstract [en]

Flaws in computer software or hardware that are as yet unknown to the public, known as zero-day vulnerabilities, are an increasingly sought-after resource by actors conducting cyber operations. While the objective pursued is commonly defensive, as in protecting own systems and networks, cyber operations may also involve exploiting identified vulnerabilities for intelligence collection or to produce military effects. The weapon zing and stockpiling of such vulnerabilities by various actors, or even the intentional implantation into cyberspace infrastructure, is a trend that currently resembles an arms race. An open question is how to measure the utility that access to these exploitable vulnerabilities provides for military purposes, and how to contrast and compare this to the possible adverse societal consequences that withholding disclosure of them may result in, such as loss of privacy or impeded freedom of the press. This paper presents a case study focusing on the Heart bleed bug, used as a tool in an offensive cyber operation. We introduce a model to estimate the adoption rate of an implanted flaw in Open SSL, derived by fitting collected real-world data. Our calculations show that reaching a global adoption of at least 50 % would take approximately three years from the time of release, given that the vulnerability remains undiscovered, while surpassing 75 % adoption would take an estimated four years. The paper concludes that while exploiting zero-day vulnerabilities may indeed be of significant military utility, such operations take time. They may also incur non-negligible risks of collateral damage and other societal costs.

Place, publisher, year, edition, pages
IEEE conference proceedings, 2014. 110-116 p.
, MILCOM IEEE Military Communications Conference, ISSN 2155-7578 ; 6-8 Oct. 2014
National Category
Aerospace Engineering
Research subject
URN: urn:nbn:se:fhs:diva-5011DOI: 10.1109/MILCOM.2014.25OAI: diva2:766613
Military Communications Conference (MILCOM), 2014 IEEE, Baltimore, MD, USA, 6-8 October 2014
Available from: 2014-11-27 Created: 2014-11-27 Last updated: 2017-01-04Bibliographically approved

Open Access in DiVA

No full text

Other links

Publisher's full text

Search in DiVA

By author/editor
Sigholm, Johan
By organisation
Military-Technology Division
Aerospace Engineering

Search outside of DiVA

GoogleGoogle Scholar

Altmetric score

Total: 150 hits
ReferencesLink to record
Permanent link

Direct link