Logo: to the web site of the Swedish Defence University

fhs.se
Planned maintenance
A system upgrade is planned for 10/12-2024, at 12:00-13:00. During this time DiVA will be unavailable.
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard-cite-them-right
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Determining the Utility of Cyber Vulnerability Implantation: The Heartbleed Bug as a Cyber Operation
Swedish Defence University, Department of Military Studies, Military-Technology Division.ORCID iD: 0000-0002-4376-9800
Svenska Dagbladet, Stockholm, Sweden.
2014 (English)In: Military Communications Conference (MILCOM), 2014 IEEE, IEEE conference proceedings, 2014, p. 110-116Conference paper, Published paper (Refereed)
Abstract [en]

Flaws in computer software or hardware that are as yet unknown to the public, known as zero-day vulnerabilities, are an increasingly sought-after resource by actors conducting cyber operations. While the objective pursued is commonly defensive, as in protecting own systems and networks, cyber operations may also involve exploiting identified vulnerabilities for intelligence collection or to produce military effects. The weapon zing and stockpiling of such vulnerabilities by various actors, or even the intentional implantation into cyberspace infrastructure, is a trend that currently resembles an arms race. An open question is how to measure the utility that access to these exploitable vulnerabilities provides for military purposes, and how to contrast and compare this to the possible adverse societal consequences that withholding disclosure of them may result in, such as loss of privacy or impeded freedom of the press. This paper presents a case study focusing on the Heart bleed bug, used as a tool in an offensive cyber operation. We introduce a model to estimate the adoption rate of an implanted flaw in Open SSL, derived by fitting collected real-world data. Our calculations show that reaching a global adoption of at least 50 % would take approximately three years from the time of release, given that the vulnerability remains undiscovered, while surpassing 75 % adoption would take an estimated four years. The paper concludes that while exploiting zero-day vulnerabilities may indeed be of significant military utility, such operations take time. They may also incur non-negligible risks of collateral damage and other societal costs.

Place, publisher, year, edition, pages
IEEE conference proceedings, 2014. p. 110-116
Series
MILCOM IEEE Military Communications Conference, ISSN 2155-7578 ; 6-8 Oct. 2014
National Category
Aerospace Engineering
Research subject
Military Technology
Identifiers
URN: urn:nbn:se:fhs:diva-5011DOI: 10.1109/MILCOM.2014.25OAI: oai:DiVA.org:fhs-5011DiVA, id: diva2:766613
Conference
Military Communications Conference (MILCOM), 2014 IEEE, Baltimore, MD, USA, 6-8 October 2014
Available from: 2014-11-27 Created: 2014-11-27 Last updated: 2019-08-26Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full text

Authority records

Sigholm, Johan

Search in DiVA

By author/editor
Sigholm, Johan
By organisation
Military-Technology Division
Aerospace Engineering

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 429 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard-cite-them-right
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf