NEWS
When the perpetrators of the Stuxnet worm decided to launch their attack on Iran’s nuclear facilities, timing was everything. Designed to disrupt Iran’s alleged nuclear weapons program, Stuxnet wreaked havoc on the Natanz uranium-enrichment plant, shutting down a fifth of its centrifuges and setting its progress back by several months. But how did the hackers decide when to launch their attack?
Given the urgency of the situation, the Stuxnet creators would have been tempted to launch their attack immediately, but there’s a right time and a wrong time to exploit security vulnerabilities – and according to new research, it’s possible to work out the best possible time to strike via a ‘simple’ mathematical equation.
The research paper, Timing of Cyber Conflict, states that it’s possible to work out the optimum time to launch any cyber-attack using the following equation:
“V = Pr(s≥T) [G(T) + w S V] + [1 – Pr(s≥T)] w P V”
That might seem a bit unwieldy, but apparently it boils down to knowing three crucial facts about any security vulnerability:
Persistence – “the probability that if you refrain from using it now, it will still be useable”, or in other words, how long is the vulnerability likely to remain open.
Stealth – “the probability that if you use it now it will still be usable” in the future – essentially, what are the chances of the vulnerability being detected if you deploy the attack?
Threshold – the conditions under which it’s worthwhile carrying out a particular attack.
“Stealth and persistence determine the minimum stakes required to justify an attack,” write Robert Axelrod and Rumen Iliev of the Ford School of Public Policy at the University of Michigan.
One of the luxuries of being a cybercriminal is being able to unleash your attacks at the moment of your choosing. The reason for this is that most attacks remain undetected for around 300 days, and less than 5 percent of vulnerabilities are closed within three years. If your cyberattack is likely to remain undetected, it might be worth striking immediately. However, if the vulnerability is likely to remain open for some time, it might be worth biding your time before you launch your attack, keeping it as a kind of cyber trump card, as it were.
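To make the equation concrete, this added example (not code from the paper or the article) solves it for V under a fixed threshold policy and scans thresholds to show how stealth and persistence move the minimum stakes. It assumes w is a discount factor and G(T) is the average gain when stakes are at least T, which the article does not define; the stakes values 1 to 6, gain equal to stakes, and all parameter values are constructed.

```python
def resource_value(T, stakes, S, P, w):
    """Value V of holding a vulnerability under the policy 'use it when stakes >= T'.

    Rearranging V = p*(G + w*S*V) + (1 - p)*w*P*V, with p = Pr(s >= T), gives
    V = p*G / (1 - w*(p*S + (1 - p)*P)).
    """
    if not (0 <= S <= 1 and 0 <= P <= 1 and 0 <= w < 1):
        raise ValueError("S and P must lie in [0, 1] and w in [0, 1)")
    hits = [s for s in stakes if s >= T]
    if not hits:
        return 0.0  # threshold is never reached, so the resource is never used
    p = len(hits) / len(stakes)   # Pr(s >= T) for equally likely stakes
    G = sum(hits) / len(hits)     # assumed: gain equals stakes, averaged over s >= T
    return p * G / (1 - w * (p * S + (1 - p) * P))


def best_threshold(stakes, S, P, w):
    """Return (T maximizing V, {T: V}) over every stake level as a candidate threshold."""
    values = {T: resource_value(T, stakes, S, P, w) for T in sorted(set(stakes))}
    return max(values, key=values.get), values


# Constructed inputs: six equally likely stake levels and three parameter sets.
STAKES = [1, 2, 3, 4, 5, 6]
SCENARIOS = {
    "low stealth, high persistence": dict(S=0.2, P=0.9, w=0.9),
    "high stealth, high persistence": dict(S=0.9, P=0.8, w=0.9),
    "low stealth, low persistence": dict(S=0.2, P=0.3, w=0.9),
}

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        T, values = best_threshold(STAKES, **params)
        table = ", ".join(f"T={t}: {v:.2f}" for t, v in values.items())
        print(f"{name}: best threshold T={T} ({table})")
```

In these constructed cases the threshold rises above the lowest stake level only when persistence is high and stealth is low, and lowering persistence (for example, by closing vulnerabilities faster) pushes the optimum back to immediate use.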
In the case of Stuxnet, however, where extremely high stakes were at play, the hackers chose to attack immediately. The reason for doing so, according to the equation, is that the value of the attack was diminished with every second of delay. Even so, it doesn’t always pay to strike so fast.
“Under some circumstances, it might pay to wait,” write the authors. “You might get more value out of [a cyber attack] in a higher-stakes situation.”
Stuxnet was a stealthy attack, remaining undetected for some 17 months, but it was also dependent on no less than four vulnerabilities in the Natanz plant’s computer systems. For the hackers, this meant it was uncertain how long their window of opportunity would remain open, and so the most logical step was to launch the attack immediately.
Axelrod and Iliev’s equation might come in handy for hackers, but they also hope it could help to explain past attacks, and perhaps even help governments plan against them. With cyber-warfare likely to be a key feature of future conflicts, being able to define the ideal time for an attack could possibly help governments to identify high-risk installations that need special protection, and also guide their own decisions on whether to launch or delay attacks of their own.