Last Updated on May 29, 2015

What is a Cyber Weapon? At first glance this seems an immediate question to answer, but should anyone try to analyze the meaning of this term more deeply, probably he would be quite surprised and disappointed in discovering that the answer is not so immediate since an exact definition has not been given (at least so far).

A real paradox in the same days in which The Pentagon, following the Japanese Example, has unveiled its new strategy aimed to dramatically accelerate the development of new Cyber Weapons. And do not think these are isolated, fashion-driven examples (other nations are approaching the same strategy), but rather consider them real needs in the post-Stuxnet age, an age in which more and more government are moving their armies to the fifth domain of war [you will probably remember the (in)famous episode, when F-Secure was able to discover Chinese Government launching online attacks against unidentified U.S. Targets].

Recently Stefano Mele, a friend and a colleague of the Italian Security Professional Group, tried to give an answer to this question in his paper (so far only in Italian but it will be soon translated in English) where he analyzes Cyber Weapons from a legal and strategical perspective.

As he points out “Correctly defining the concept of Cyber Weapon, thus giving a definition also in law, is an urgent and unavoidable task, for being able to assess both the level of threat deriving from a cyber attack, and the consequent political and legal responsibilities attributable to those who performed it”. Maybe this phrase encloses the reason why a coherent definition has not been given so far: a cyber weapon is not only a technological concept, but rather hides behind it complex juridical implications.

Having this in mind, according to Stefano’s definition: a cyber weapon is:

A device or any set of computer instructions intended to unlawfully damage a system acting as a critical infrastructure, its information, the data or programs therein contained or thereto relevant, or even intended to facilitate the interruption, total or partial, or alteration of its operation.

The above definition implies that cyber weapons may span in theory a wide range of possibilities: from (D)DoS attacks (which typically have a low level of penetration since they target the “surface” of their targets), to “tailored” malware like Stuxnet, characterized by a high intrusiveness and a low rate of collateral damages.

One could probably argue whether a cyber weapon must necessarily generate physical damages or not, in which case, probably, Stuxnet, would be the one, so far, to encompass all the requirements. In any case, from my point of view, I believe the effects of a cyber weapon should be evaluated from its domain of relevance, the cyberspace, with the possibility to cross the virtual boundaries and extend to the real world (Stuxnet is a clear example of this, since it inflicted serious damages to Iranian Nuclear Plants, including large-scale accidents and loss of lifes).


With this idea in mind, I tried to build a model to classify the cyber weapons according to four parameters: Precision (that is the capability to target only the specific objective and reduce collateral damages), Intrusion (that is the level of penetration inside the target), Visibility (that is the capability to be undetected), and Easiness to Implement (a measure of the resource needed to develop the specific cyber weapon). The results, ranging from paintball pistols to smart bombs, are summarized in the above chart.

As you may notice, in these terms a DDoS attack is closer to a paintball pistol: the latter has a low level of penetration and the effects are more perceived than real (it shows the holder’s intention to harm the victim rather than constituting a real danger ), nevertheless it may be used to threaten someone, or worst to make a robbery. The same is true for a DDoS, it is often used to threaten the target, its action stops at the surface and usually the effects are more relevant in terms of reputation of the victims than in terms of damages done. Nevertheless, for the targets, it may lead to an interruption of service (albeit with no physical damages) and monetary losses.

On the opposite site there are specific “surgical” APTs: they have a high level of penetration with reduced collateral damages, they are able to go hidden for long time, but require huge investments to be developed, which ultimately make their adoption not so easy.

Of course, in between, there is a broad gray area, where the other Cyber Weapons reside depending on their positioning according to the four classification parameters identified… So, at the end what do you think? Do you agree with this classification?

This Post Has 11 Comments

  1. Mikko Kiviharju

    From your classification it appears you consider “easiness to implement” strongly correlated with “level of intrusion”; likewise with “precision” and “visibility”. While this may well be the case, I would not consider it immediately obvious. Could you elaborate the choices for correlation? Or the parameters themselves, for that matter?

    1. Paolo Passeri

      Ciao Mikko.

      Of course a targeted attack must be higly intrusive, tailored on the target, and able to hide itself for a long period, being subtle and hard to detect (and attracting few undesired attentions). Putting together these factors on a single cyber weapon implies that a huge effort is needed to build it and make it “successful” (forgive me for this term).

      I know, it is an obvious comparison, but think for instance to Stuxnet. It has been higly intrusive (since the targets were not tipically connected to internet, and in fact looks like it was first implanted by a double secret agent), tailored on the target (since it required a deep knowledge of Siemens ICSs and their related vulnerabilities), and able to hide itself as much as possible: specifically, Stuxnet was able to alter the frequencies of centrifuges in a subtle manner so that at the beginning it was easy to mistake the alterations for failures rather than malware-driven alterations.

      In this terms Stuxnet was hard to implement (it is believed it required huge investments and several man-years to be completed), and this is exactly the correlation I meant more in general for Cyber Weapons.

      Maybe “easiness to implement” is not the most appropriate term, but was the term I found which was closer to what I meant (that is the fact the most an attack is targeted, the most is hard and costly to build the Cyber Weapon to make it), and which also fitted correctly the model I had in my mind (which map 4 parameters in a 2-dimensional plot).

      I hope my reply is clear an satisfactory.

  2. David Cenciotti

    Reblogged this on The Aviationist and commented:
    We’ve been taking about Militarisation of cyberspace for some time now. The following interesting article by provides a model to classify cyber weapons in accordance with four parameters.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.