The Invisible Costs of Cyber Weapons


For kinetic weapons like tanks, production costs generally outweigh research and development. For cyber weapons, R&D is almost everything.

Max Smeets’ take on the cost of cyber weapons is a thoughtful piece about the economics of cyber warfare, and the article is a useful point of departure on this topic. However, a few additional points not discussed by Smeets are worth considering, and they all point in the direction of higher costs than his piece might predict.

Begin with the fact that the economics for cyber weapons usable in a military context are fundamentally different than for kinetic weapons. With the latter, military power is highly correlated with number—specifically, the number of identical units of a given weapon. One hundred tanks (with crews, logistics, etc.) provide more military power than one tank. That is, for kinetic weapons, military power accrues as the result of procurement processes.

Not so for cyber weapons. No one would argue that a nation has more cyber power in a military sense if it has 100 identical CD-ROMs with a software-based cyber weapon on them. For cyber weapons, military power accrues as the result of research and development (R&D) processes.

So what? In the weapons acquisition process, R&D costs are amortized over multiple copies of a weapon. The effectiveness of a cyber weapon is a very strong function of the target’s characteristics. For example, the smallest change in configuration of the target can under many circumstances completely negate the effectiveness of a cyber weapon against it. To successfully attack two cyber targets that are almost identical may require two very different cyber weapons employing two different approaches to achieving their destructive effects. The coupling between weapons effectiveness and target characteristics is much weaker for kinetic weapons.

The consequence is that as a general rule, a targetable cyber weapon has to be customized to its target(s) to a much greater degree, and thus any given cyber weapon is likely to be usable over a much smaller target set than for a kinetic weapon. Thus, the cost of a cyber weapon, which is almost entirely in R&D, cannot be amortized over as many targets as would be the case for a kinetic weapon. This fact necessarily increases the cost-per-target destroyed.

A second basic point is that the effective use of cyber weapons often requires substantial intelligence support. Under the rubric of operational preparation of the cyber battlefield, access paths to the target must be established in advance of any attack. Since it is not known what targets commanders will seek to attack in the future, access paths must be established over the widest possible scope of potential targets, many of which may never be attacked in the future. The effort to prepare those targets is thus “wasted”, again driving up the effective cost of preparing targets that will be attacked.

When cyber targets are to be attacked in a manner compliant with the laws of armed conflict, the intelligence infrastructure needed is likely to be substantial, because accurate, complete, and timely information about those targets is necessary to ascertain the likely collateral damage that might result from an attack against them. Any estimate of the cost of cyber weapons must include the intelligence infrastructure needed to support their use. Of course, an intelligence infrastructure supports many national needs—not just those associated with cyberattacks on military targets—and thus apportioning a “fair” percentage of the intelligence budget for this purpose introduces a significant complication into any such calculation.

Lastly, the development of a given cyber weapon may entail specific knowledge of the function and behavior of the target. Cyberattacks on electric grids will almost surely require specialized knowledge about the equipment controlled by the targeted computers (e.g., their programming, their vulnerabilities). In some cases, test facilities may need to be constructed to allow operators to test their weapons before they are used operationally. Accounting for the cost of acquiring specialized non-cyber knowledge and test facilities will drive up cost estimates as well.

The next steps in determining the true cost of cyber weapons are to find usable numbers for the various cost drivers (which neither this piece nor Smeets’ original article does) and then to do an apples-to-apples comparison to kinetic weapons. But as the discussion above suggests, some of those numbers will be very hard to tease out of infrastructure budgeting that supports the entire national security enterprise.

This post appears courtesy of CFR.org.
