Cyber Vulnerability Implantation Revisited

Abstract

In this paper we revisit a study presented at MILCOM 2014. Our goal then was to determine the utility of implanting a vulnerability into a cybersecurity software protocol to an actor planning to execute an offensive cyber operation. Based on a case study describing the then recently discovered Heartbleed bug as an offensive cyber operation, a model was devised to estimate the adoption rate of an implanted flaw in OpenSSL. Using the adoption rate of the cryptographic protocol Transport Layer Security version 1.2 as a proxy, we predicted that the global adoption of the vulnerability of at least 50% would take approximately three years, while surpassing 75% adoption would take four years. Compared to subsequently collected real-world data, these forecasts turned out to be surprisingly accurate. An evaluation of our proposed model shows that it yields results with a root-mean-square error of only 1.2% over the forecasting period. Thus, it has a significant degree of predictive power. Although the model may not be generalizable to describe the adoption of any software protocol, the finding helps validate our previously drawn conclusion that exploiting implanted cyber vulnerabilities, in a scenario like the one presented, requires a planning horizon of multiple years. However, as society becomes further dependent on the cyber domain, the utility of intentional vulnerability implantation is likely an exercise in diminishing returns. For a defender, however, our model development process could be useful to forecast the time required for flawed protocols to be phased out.