The PrEP Model: Cyber Weapons

By Trey Herr

Within PrEP, malware that has a payload designed to create destructive physical or digital effects can be classified as a weapon.

Digital effects damage the integrity or availability of an information system: deleting data or disrupting a network service. These can be short-term, as with a brief denial-of-service attack, or near permanent, as where a payload is designed to wipe the boot sector of a hard disk. Physical effects manipulate a piece of equipment, like a centrifuge or generator, causing it to damage or destroy itself. The Aurora test at Idaho National Laboratory deployed a cyber weapon into the industrial control system of a multi-ton generator, causing it to jump and shake on its foundations and eventually destroying the machine. Destruction can amount to physical damage or to loss of data integrity, such as deletion or corruption. A cyber weapon still requires the combination of the three components (a propagation method, exploit, and payload), but it is differentiated from other malware by the effects its payload produces.

There are several key definitional concerns involved in defining a cyber weapon:

  • Cyber weapons are digital objects and depend on the use of information systems, but they can have both digital and physical effects. Categorizing everything from cell phones to wire cutters as cyber weapons expands the definition so far that it ceases to be useful.
  • Cyber weapons create both digital and physical effects. Physical effects are more readily apparent: something that can damage equipment or objects in the real world should readily fall under the category of weapon. Digital effects are more contentious, however, as some, including the authors of the Tallinn Manual, argue that code which can degrade or damage information or computer systems shouldn’t count as a weapon. This misunderstands the role of data in contemporary society: where data has intrinsic value, cybersecurity is as much about protecting the integrity of data objects as the computer systems and equipment that house them. We rely on information systems in almost every facet of personal, commercial, and public life, and digital effects that violate the integrity or availability of data (rather than its confidentiality) are reasonably considered weapons for the degree of disruption and damage they may cause.
  • Cyber weapons aren’t tools of espionage. While the internet and networked information systems have proven a tremendous boon for intelligence collection and information theft, using software to compromise and steal data is no more the use of a weapon than stealing hard-copy files. Including espionage in any weapons definition creates something so broad and unwieldy as to be of little use.
  • Cyber weapons aren’t shaped by perception. Defining a cyber weapon should be based on the observable features or function of the code, not a developer’s intent or a target’s perception of a threat. Code, whose functional properties are not revealed until execution, cannot be used to threaten in the same manner as a tangible object. This problem of brandishing cyber weapons is more fully developed elsewhere, but it remains that a knife’s capacity to injure or kill is much more readily apparent than that of software.[1]

Comparing cyber weapons to physical (kinetic) weapons like air-dropped bombs is problematic, mainly because of the unique nature of code. First, cyber weapons are dependent on their target system to function. Where kinetic weapons are expected to break their target, imparting physical damage so as to disrupt or destroy, software requires an operating host; destroying a machine’s motherboard, as a kinetic weapon might, would make executing a cyber weapon impossible. In this way, cyber weapons are typically not trying to ‘break’ their targets, as that would render the weapons ineffective, but instead manipulate the system into doing something unintended by its owners. Second, cyber weapons are specific to their target. This means that it’s difficult to take a weapon designed to, for example, target the industrial control systems of a nuclear enrichment facility and use that same code to attack the switching substations of an electrical grid. It also means that the exploits used in a cyber weapon will only work against the software in which their vulnerability exists. If a cyber weapon written to corrupt or delete data depends on a vulnerability in the Chrome browser to propagate to the target and the browser is updated, that vulnerability may no longer be present, rendering the weapon of little use without a new exploit.

Ultimately, a cyber weapon under the PrEP model is a combination of three types of code: a propagation method, exploits, and a payload designed to create destructive physical or digital effects. Developing such a weapon can be difficult; it takes more time, technical expertise, and target intelligence than non-destructive malware. Defending against cyber weapons may not be as difficult as once thought, though, as information security professionals can target different components of a weapon: patching against a particular exploit versus interdicting its propagation method. Emphasizing target intelligence may help eliminate individuals willing to write weapons payloads, and regularly updating major software packages could eliminate exploitable vulnerabilities before the threat has a chance to update their weapon. Classifying weapons as the combination of these three components might provide a basis for regulating a marketplace for these tools (difficult because of the low marginal cost of reproducing and transmitting data) or their exchange through export control arrangements.

[1] Libicki, M.C., 2013. Brandishing Cyberattack Capabilities. Arlington, VA: RAND.