How States Drive the Diffusion of Cyber Capabilities

Amid the raging debate on cryptography, Apple CEO Tim Cook insisted, “You can’t have a backdoor that’s only for the good guys.” In other words, security sometimes means denying yourself a capability so that adversaries are less likely to gain it. Some policy options, such as unlocking the phone of a suspect, are blocked in order to preserve a more secure computing ecosystem.

This dynamic is familiar to most who follow the encryption debate, but much less attention is paid to the way it plays out more generally in cyber operations. In a recent academic study in Survival, I offer a framework for understanding the diffusion of cyber capabilities and tactics — how states and non-state actors borrow techniques or technology pioneered by other actors. As several recent examples illustrate, this diffusion is a defining trait of many cyber operations. It will not always be possible to avoid this diffusion, but states should, whenever possible, give preference to operations that minimize the risk.

Diffusion of Capabilities

Many cyber operations rely on exploits, code that takes advantage of a vulnerability in a targeted system to gain unauthorized access. These exploits have a way of spreading. For example, in 2013, a reasonably sophisticated intruder broke into the computer networks of the United States Department of Labor. Some analysts concluded that that the activity was sponsored or carried out by a state rather than by a criminal actor seeking financial gain. In particular, the intruders targeted a web page visited frequently by Department of Energy employees whose work focused on nuclear-related illnesses.

The intruders used an exploit that targeted a previously unknown vulnerability formally known as CVE-2013-1347, which relates to how Internet Explorer 8 handles memory allocation. When the intruders exploited this vulnerability to target visitors to the site, the result, according to one analysis, was “total compromise of system integrity” and “total information disclosure” that revealed all of the visitors’ files. In terms of severity, the analysis scored the vulnerability as a 9.3 out of 10 — serious business.

Yet as bad as the situation was for the targets of this operation, the follow-on damage was much broader. In time, the operation and the vulnerability were discovered and made public. Once spotted, the exploit code was added to exploit kits — software packages that make it easier to deploy known exploits against a target. These kits have a legitimate and vital purpose in network defense — they enable defenders to test their own network’s security — but they also enable less sophisticated actors to carry out effective operations. Microsoft put out a software patch to remedy the issue, but because individuals and organizations are often slow to apply security updates, many vulnerable targets remained.

In short, a state-sponsored actor developed a capability, used it to carry out an effective operation, and then watched as the capability diffused to many other actors, some of whom could well have used them in operations against the originating state. This was far from an isolated incident. One major empirical study found that once effective vulnerabilities are discovered in public, they are targeted five times more frequently. As a result, the vulnerabilities states choose to exploit, even in covert cyber operations, can quickly have an impact on the broader computing ecosystem — and even on the security of the originating state.

Diffusion of Tactics

This diffusion isn’t limited to specific cyber capabilities. Indeed, tactics in cyber operations can follow the same framework. By watching how more sophisticated actors carry out their cyber operations, lesser states and non-state actors can learn and adapt techniques to their own needs.

Developing persistence on a network is a good example. The idea of persistence is simple: A network intruder wants the ability to maintain a presence inside the target network that is difficult to remove. Such a presence is akin to a virtual agent-in-place: capable of hiding until needed, sometimes passing along valuable information all the while.

In cyber operations, this kind of persistence can be achieved in a variety of ways. One method is to try to establish a broad presence in a targeted network by implanting a variety of pieces of malicious code in a variety of machines. Even if some are discovered and rooted out, others will persist. More advanced methods include burrowing beneath the operating system of the computer, either into the BIOS — software that helps the computer boot up with a proper configuration — or into the firmware that enables a computer’s hardware to function. These methods take more technical skill to implement, but they are also very difficult to detect.

As a result, achieving deep network persistence was solely within the purview of states for a long time. During the 2000s, the United States, for example, likely developed powerful means of achieving persistence in its most sensitive operations. In contrast, criminal actors frequently did not have the patience, the motive, or the skill to establish a deeply persistent presence. Instead, these actors came in quickly, often against soft targets with minimal defenses or monitoring, and tried to take whatever was of value, much like burglars in a jewel shop.

But this, too, has begun to change. One major cybersecurity industry report highlights that “cyber cash outs are no longer dominated by smash-and-grabs … financial actors have increasingly shown their ability to maintain a low profile.” Some of these actors are deploying a variety of methods in order to achieve a persistent presence over time. Even if their tactics do not always match states in sophistication, the report notes they are learning and stealing “a page from the playbook” of more advanced actors.

It’s a trend that seems likely to continue.

Exceptions to Diffusion and Policy Implications

Nevertheless, a small subset cyber capabilities and tactics do not diffuse nearly as much. For example, some especially powerful intelligence operations require the actor to have a significant partnership with telecommunications providers, a relationship likely only enjoyed by states. Also included in this category are operations, likely including Stuxnet, that require a physical test bed to develop and configure the attack code. This kind of code, or parts of it, can sometimes be so finely tuned as to be practically useful for only one operation, which limits its diffusion. Still other operations require coordination with well-trained human assets on the ground, something usually beyond the reach of less-capable actors.

This dynamic — many capabilities and tactics diffuse, but some don’t — has clear and underappreciated policy implications. While there are often many factors in play, if all else is equal, a state whose security and economy depend heavily on computers should give preference to cyber operations that do not use capabilities and tactics likely to diffuse to adversaries and non-state actors. States can strengthen general cybersecurity by relying on these kinds of operations and potentially by undermining the effectiveness of operational elements that do diffuse. This course of action, though in some cases not practical, benefits both the state and the ecosystem.

Global health is a helpful analogy. As modern states carry out their intelligence and military operations, they usually try to do so in such a way that protects long-term goals in disease prevention, an area of common security interest around the world. The flouting of this norm is one of the reasons that made the Central Intelligence Agency’s fake vaccination program in Pakistan prior to the Osama bin Laden raid controversial and, to some, even outright dangerous. The suspicion that particular operation cast upon many other legitimate current and future public efforts sets back vital attempts to eradicate disease.

In time, a similar view might take hold in cyber operations. Facilitating the long-term spread of more effective capabilities and tactics may sometimes be too high a price to pay for short-term operational gains. Yet states may in some cases choose to deploy technologies or tactics that will diffuse to other actors, bearing whatever long-term risk results. Regardless of policy outcome, the choice should always be an informed one.

This article was originally published at War on the Rocks.