The ROI of Attack

Like defenders, attackers sometimes need to weigh the costs and benefits of their efforts

Recently, there was a report about the sabotage of a computer that supports the International Space Station. The computer, which measures stress on the station, was considered "non-critical" – although I'm not sure how a machine that performs such a function could be non-critical.

The interesting thing about this event was the method used for the sabotage. Apparently, several wires were cut, making the unit non-functional. Pretty effective, right? Well, not really. As my wife pointed out, a software modification to the system would have been much more difficult to detect, and therefore more effective in preventing the system from operating. As it is, NASA can just repair the wires, and it's back to business.

This brings me to an article written by Daniel Geer in a recent edition of ACM Queue. Geer points out that it is not only effectively impossible to reduce our risk level to zero – it is not even desirable. The goal is to lower risk to a point where the expense of security and the cost of failure are both at a minimum.

The flip side of this statement is also true – attackers don't have unlimited resources, either. They need to maximize the impact of the attack while minimizing the cost.

What does this have to do with the NASA story? Well, assuming that the saboteur was rational (never a sure thing), the NASA attack may have been a success – in the attacker's eyes. The cost of the attack could have been much higher (buying a person capable of subtly introducing a fatal error in a highly reliable embedded system can’t come cheap).

I think it is safe to assume, based on the system attacked, that the goal here wasn’t to destroy the space station, but to enhance the attacker's reputation. The last thing NASA needed was another negative story, but this sabotage was so blatant that it could not be missed. And the cost was cheap – anybody with physical access to the box and a pair of wire cutters could implement it.

If this was a reputation attack, it was quite a success, even though it didn't have much long-term impact. The value of a reputation is almost impossible to measure. Here in Cambodia, one of the surest ways to get sent to prison (or worse) is to publicly say something that everybody knows is true, but is extremely embarrassing.

The same goes for business – embarrassing a competitor is sometimes worth more than stealing the designs for its new product.

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading
