Methods of Analyzing the Threat Posed by Cyberwarfare: Probability vs. Possibility

Scott Reutter

The two quotes above, supported by a study by the Ponemon Institute, demonstrate how widespread cyberattacks have become, to the point where it is essentially guaranteed that an organization will eventually become the target of a cyberattack (3). Probability analysis of whether an attack will take place will therefore yield unhelpful results. As stated earlier, an effective attack on CNI requires a highly skilled team of computer scientists with vast resources, implying that only a small percentage of the global population has the capability to perform such an attack, which in turn skews any probability assessment regarding cyberwarfare (4).

Furthermore, the lack of available information concerning the origin of a cyberattack makes probability analysis useless. First, attack numbers are broadly estimated, to the point of demonstrating only the immensity of the threat, not the actual attack volume. Second, determining the origin of sophisticated attacks (which goes towards identifying the type of attack) requires exhaustive computer forensics, often reaching a dead end and leaving investigators with no clear indication as to who perpetrated the attack.

Probability theory is useful and appropriate for various types of cybercrime – for instance, carding schemes, and spoofing and phishing attacks against people and corporations all occur with regularity, allowing a probability-based analytical framework to properly address these threats. However, other phenomena, such as cyberwarfare, occur infrequently, and can be executed with little warning if properly prepared. Cyberwarfare attacks require a high degree of training, sophistication, and dedication to execute, as well as sufficient resources. As a result, the perpetrators and acts of cyberwarfare fall into the low-percentage segment of total cyberattacks, being far more advanced than the average cybercriminal and cyberattack, thus distorting any probability analysis (6). Finally, as put forth by Baskerville and Sainsbury, “random events are better modeled by probability theory, where the data and calculations are based on random distributions. Directed attacks are not randomly distributed and are usually designed to be new or different in order to increase the chance of success.”(7) Sophisticated cyberattacks, like those of cyberwarfare, are far from random, and hence cannot properly be analyzed using probability analysis.

Historic data on [directed] attacks will be very limited and hard to obtain, if any exists at all. The lack of past occurrences makes probability theory unusable, as it relies on historic, frequency data to inform decisions. But evidence of new types and forms of attack can be found throughout an organization and the community. By building on the evidence available, possibility theory is able to make valid inferences about rare attacks, and even attacks that have not yet occurred. While new attacks are rare, they can also be the most harmful and must be prepared for (Baskerville & Sainsbury, Analyzing Risk of Improbable Events: Managing Business Continuity and Information Warfare, 2006, p. 20)

Possibility Theory

Possibility theory permits us to model our uncertain judgments and beliefs, without unnaturally rigidifying the relationship between our estimates. In this situation the notion of probability seems less flexible than that of possibility. (8)

This [possibility-based] approach originates in the recognition that the safety of all information resources in an organization is only an opinion [author’s emphasis] of officials responsible for information security…. A risk-averse person in this position would be inclined to exaggerate the dangers and to introduce much more security than necessary. (9)

As previously stated, the information concerning cyberwarfare is insufficient, even for government agencies. An attack is often credited to one source, but many times responsibility cannot be unambiguously proven. This makes probability analysis inappropriate, for it relies on hard, clear data; possibility analysis, however, does not. “From its basis in fuzzy set theory, possibility theory can operate with partial information about multiple outcomes and incorporate confidence factors making it suitable for a process of theoretical structures dealing with the sequences of conditions that characterize the logical structure of the above paradigm.”(10) Therefore, to analyze America’s risk of falling victim to cyberwarfare, a possibility analysis model must be used. Baskerville and Portougal offer further insight:

Persistent, well-supported, and highly professional intrusion attacks will have a higher possibility of success. If we operate against the possibility of intrusion, we find ourselves in a theoretical framework more suitable for the protection of complex national information infrastructures…. (11)

Baskerville and Portougal’s proposal of a possibility theory framework for evaluating risks to critical national infrastructure addresses the low-probability, high-risk possibility of a directed cyberattack committed by skilled agents with detailed knowledge of their target or targets and vast resources.

“With the essential geometric shape of the possibility function, any security measure operating during an unrestricted time interval will produce (sooner or later) a possibility of compromise that approaches absolute certainty. In other words, if it can be compromised, it will be compromised.”(12) Echoing Glenny’s remarks at a 2011 Technology, Entertainment, Design (TED) conference, this further reduces the effectiveness of a probability-based risk analysis of whether a cyberattack will occur, as well as whether a specific cyberphenomenon will occur. (13) Therefore, the question becomes not how probable an attack is, but how possible it is.

Baskerville and Portougal offer a possibility analysis concerning an agent hacking into a computer system. Their normative function expresses a hacker without any time-shortening resources. Their exponential function expresses a hacker with time-shortening resources, such as one of any number of methods of obtaining passwords (keylogging programs, phishing attacks, etc.). This same model can be used to analyze the possibility of a cyberattack. The normative function would express the possibility of a single hacker, with average resources, penetrating a system and causing damage. Multiple exponential functions can be used to express variance in resources (skills of the hacker, resilience of intent, time allotted by the hacker, funds, number of hackers, etc.), allowing one to model the various cyberphenomena together against one specific system. Such a model would display a normative function that could potentially remain near 0 (no possibility of successful attack); however, as one adds more resources, the exponential function would grow closer to 1 (full possibility of successful attack) with each addition.

Referencing the possibility model, while the possibility of an inexperienced hacker (the normative function) penetrating the Department of Defense’s classified network would remain low, the possibility of Russian or Chinese agents (exponential functions) – who have vast amounts of all the aforementioned resources at their disposal – would grow closer to 1 at an accelerated rate, much greater than that of any other exponential function. While the probability that one of millions of cyberattacks will succeed against a state’s military and/or critical national infrastructure is incredibly low, the possibility of one succeeding grows correspondingly as the resources of state actors grow. Therefore, the goal should not be to lower the probability of the success of an attack; rather, it should be to lower the possibility of the success of an attack.
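The following Python model is an added illustration of the curves described in the two paragraphs above; it is not Baskerville and Portougal’s published function. It assumes a simple saturating possibility-of-compromise curve whose time scale shrinks as an agent’s resource factor grows, combines several agents with the maximum (the possibility-theory rule for “at least one succeeds”), and derives the defender-side quantity of interest: how long a weakness may remain exposed before the possibility of compromise by a given agent passes a threshold.

```python
import math

# Assumed effort, in days of exposure, for the normative agent (average
# resources, no time-shortening means). Constructed value for illustration.
BASE_EFFORT_DAYS = 10_000.0


def possibility_of_compromise(t_days: float, resource_factor: float = 1.0) -> float:
    """Possibility in [0, 1] that one agent has compromised the target by t_days.

    resource_factor >= 1 shortens the agent's effort: 1.0 is the normative
    function (stays near 0 over any realistic window); larger factors are the
    exponential functions that climb towards 1. As t_days grows without bound
    every curve approaches 1 ("if it can be compromised, it will be").
    """
    if t_days <= 0:
        return 0.0
    time_scale = BASE_EFFORT_DAYS / max(resource_factor, 1.0)
    return 1.0 - math.exp(-t_days / time_scale)


def resource_factor(**resources: float) -> float:
    """Fold resource multipliers (skill, funds, head-count, time, ...) into one
    factor. A value below 1 cannot lengthen the effort, so it is clamped to 1."""
    factor = 1.0
    for value in resources.values():
        factor *= max(value, 1.0)
    return factor


def combined_possibility(t_days: float, factors) -> float:
    """Possibility that at least one of several agents succeeds by t_days.
    Possibility theory takes the maximum over a disjunction, so the
    best-resourced agent dominates rather than the count of weak ones."""
    return max(possibility_of_compromise(t_days, f) for f in factors)


def exposure_budget_days(factor: float, threshold: float = 0.5) -> float:
    """Longest exposure window before the possibility of compromise by an
    agent with this factor reaches `threshold`: a remediation deadline."""
    time_scale = BASE_EFFORT_DAYS / max(factor, 1.0)
    return -time_scale * math.log(1.0 - threshold)


if __name__ == "__main__":
    state_actor = resource_factor(skill=10, funds=10, headcount=10)
    for day in (30, 365, 3650):
        print(day, round(possibility_of_compromise(day), 3),
              round(possibility_of_compromise(day, state_actor), 3))
    print("remediate within", round(exposure_budget_days(state_actor), 1), "days")
```

Against the normative agent a year of exposure leaves the possibility near 0.04, while the same year against the constructed state-actor factor of 1000 puts it at effectively 1, and the remediation budget at that factor shrinks from thousands of days to about a week.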

One final thought on probability theory and possibility theory:

Probability theory induces us to believe that one cannot totally rule out an intrusion. This resignation is based on probability thinking that is productive for multiple repeatable events. However, in the case of national infrastructure protection, a major harm may be done by a single intrusion or other unique event. Such framework is not covered by probability theory. (14)

The threat of cyberwarfare cannot be assessed using traditional risk analysis; thus, a different model, such as possibility theory, is needed. Cybersecurity officials disagree on the risk it poses to the United States; cybersecurity academics have differing views on the subject as well. By using the possibility framework, one can determine that as time progresses and vulnerabilities remain unaddressed, the threat continues to increase. Therefore, in order to reduce the severity of the threat, America’s cybervulnerabilities must be addressed.

Footnotes
1. Glenny, M. (2011, September). Hire the hackers! Retrieved February 18, 2012, from TED: http://www.ted.com/talks/misha_glenny_hire_the_hackers.html?quote=1062.
2. Baskerville, R. L., & Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection. Journal of Database Management, 1-13, p. 5.
3. Ponemon Institute LLC. (2010). First Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies. Traverse City, Michigan: Ponemon Institute LLC.
4. Baskerville, R. L., & Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection. Journal of Database Management, 1-13, p. 4.
5. Refer to Section C of this chapter for more on this issue.
6. Baskerville, R. L., & Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection. Journal of Database Management, 1-13, pp. 4-5; Glenny, M. (2009, June 25). Cyber armies are gearing up in the cold war of the web. Retrieved February 24, 2012, from The Guardian: http://www.guardian.co.uk/commentisfree/2009/jun/25/cybercrime-nato-cold-war.
7. Baskerville, R., & Sainsbury, R. (2006). Analyzing Risk of Improbable Events: Managing Business Continuity and Information Warfare. International Conference on i-Warfare and Security 2006 (pp. 13-22). Baltimore: Academic Conferences Limited, 2006, p. 20.
8. Baskerville, R. L., & Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection. Journal of Database Management, 1-13, p. 6.
9. Richard Clarke, for example; Baskerville, R. L., & Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection. Journal of Database Management, 1-13, p. 4.
10. Baskerville, R., & Sainsbury, R. (2006). Analyzing Risk of Improbable Events: Managing Business Continuity and Information Warfare. International Conference on i-Warfare and Security 2006 (pp. 13-22). Baltimore: Academic Conferences Limited, 2006, p. 19.
11. Baskerville, R. L., & Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection. Journal of Database Management, 1-13, p. 3.
12. Baskerville, R. L., & Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection. Journal of Database Management, 1-13, p. 7.
13. Glenny, M. (2011, September). Hire the hackers! Retrieved February 18, 2012, from TED: http://www.ted.com/talks/misha_glenny_hire_the_hackers.html?quote=1062.
14. Baskerville, R. L., & Portougal, V. (2003). A Possibility Theory Framework for Security Evaluation in National Infrastructure Protection. Journal of Database Management, 1-13, p. 3.

BIO: Scott Reutter is a graduate of New York University’s Center for Global Affairs, where he earned his Masters of Science with concentrations in international relations and transnational security. His primary areas of interest are counterterrorism, cybersecurity, and the Middle East. Previously, he studied government and politics at St. John’s University. Reutter’s thesis analyzed the severity of the threat posed by cyberwarfare to the security of the United States. He can be reached at sdr310@nyu.edu.
