Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and research fellow at the Hoover Institution, both at Stanford University.
Max Smeets’ take on the cost of cyber weapons is a thoughtful piece about the economics of cyber warfare, and the article is a useful point of departure on this topic. However, a few additional points not discussed by Smeets are worth considering, and they all point in the direction of higher costs that his piece might predict.
Begin with the fact that the economics for cyber weapons usable in a military context are fundamentally different than for kinetic weapons. With the latter, military power is highly correlated with number—specifically, the number of identical units of a given weapon. One hundred tanks (with crews, logistics, etc.) provides more military power than one tank. That is, for kinetic weapons, military power accrues as the result of procurement processes.
Not so for cyber weapons. No one would argue that a nation has more cyber power in a military sense if it has 100 identical CD-ROMs with a software-based cyber weapon on it. For cyber weapons, military power accrues as the result of research and development (R&D) processes.
So what? In the weapons acquisition process, R&D costs are amortized over multiple copies of a weapon. The effectiveness of a cyber weapon is a very strong function of the target’s characteristics. For example, the smallest change in configuration of the target can under many circumstances completely negate the effectiveness of a cyber weapon against it. To successfully attack two cyber targets that are almost identical may require two very different cyber weapons employing two different approaches to achieving their destructive effects. The coupling between weapons effectiveness and target characteristics is much weaker for kinetic weapons.
The consequence is that as a general rule, a targetable cyber weapon has to be customized to its target(s) to a much greater degree, and thus any given cyber weapon is likely to be usable over a much smaller target set than for a kinetic weapon. Thus, the cost of a cyber weapon, which is almost entirely in R&D cannot be amortized over as many targets as would be the case for a kinetic weapon. This fact necessarily increases the cost-per-target destroyed.
A second basic point is that the effective use of cyber weapons often requires substantial intelligence support. Under the rubric of operational preparation of the cyber battlefield, access paths to the target must be established in advance of any attack. Since it is not known what targets commanders will seek to attack in the future, access paths must be established over the widest possible scope of potential targets, many of which may never be attacked in the future. The effort to prepare those targets is thus “wasted”, again driving up the effective cost of preparing targets that will be attacked.
When cyber targets are to be attacked in a manner compliant with the laws of armed conflict, the intelligence infrastructure needed is likely to be substantial, because accurate, complete, and timely information about those targets is necessary to ascertain the likely collateral damage that might result from an attack against them. In any estimate of the cost of cyber weapons, the intelligence infrastructure needed to support their use must be included in such estimates. Of course, an intelligence infrastructure supports many national needs—not just those associated with cyberattacks on military targets—and thus apportioning a “fair” percentage of the intelligence budget for this purpose introduces a significant complication into any such calculation.
Lastly, the development of a given cyber weapon may entail specific knowledge the function and behavior of the target. Cyberattacks on electric grids will almost surely require specialized knowledge about the equipment controlled by the targeted computers (e.g., their programming, their vulnerabilities). In some cases, test facilities may need to be constructed to allow operators to test their weapons before they are used operationally. Accounting for the cost of acquiring specialized non-cyber knowledge and test facilities will drive up cost estimates as well.
The next steps in determining the true cost of cyber weapons are to find usable numbers for the various cost drivers (which neither this piece nor Smeets original article do) and then doing an apples-to-apples comparison to kinetic weapons. But as the discussion above suggests, some of those numbers will be very hard to tease out of infrastructure budgeting that supports the entire national security enterprise.