Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications

24 Pages Posted: 15 Jul 2016 Last revised: 9 Aug 2017

Steven M. Bellovin

Columbia University - Department of Computer Science

Susan Landau

Worcester Polytechnic Institute (WPI)

Herbert Lin

Center for International Security and Cooperation; Hoover Institution

Date Written: July 13, 2016


Can cyber weapons be precisely targeted or are they inherently indiscriminate and what are the implications for compliance with international law? This paper hopes to start a public discussion of the question by showing how they should be designed.

We begin by considering what should be done technically and what policy issues should be part of the considerations in the design and deployment of cyber weapons. The fact that cyber weapons can be narrowly targeted is crucial to their use, especially, although not only, outside of a war scenario.

In this paper we examine the technical requirements and policy implications of targeted cyber attacks. Contrary to public perception (as well as statements from some political and military leaders), cyber weapons not only can be targeted, a number of successful ones have already been so. By examining previous attacks so as to discern what technical attributes enables attacks to be targeted, we show that variables include whether the attack is autonomous or manually directed and what level of situation specific information is required for the attack. We next consider technical and policy constraints on cyber weapons that would enable them to be targetable. We examine direct and indirect effects of such weapons, and what variables affect precise targeting.

If "imprecise targeting" includes "other damage traceable to the initial use of a cyberweapon", proliferation becomes an issue. By this definition, if one country's use leads to another country using the same attack or tools, that is itself imprecise targeting. We consider two different types of proliferation: immediate proliferation and a somewhat time-delayed proliferation that could occur through repurposing of the weapon or the weapon's techniques. The nonproliferation objective has a broad meaning, for it includes not only preventing others from using code snippets and information on zero days, but also using profitable attack techniques and new classes of attack. Thus preventing opponents from repurposing cyber weapons is not solely through technical means, such as code obfuscation, but also through such policy measures as disclosure so that those who might be harmed by proliferation will not be. We observe that as a result, while some of the nonproliferation effort falls to the attacker, some must be handled by potential victims, a rather interesting turn of events.

Keywords: cyber target, cyber attack, laws of war, laws of armed conflict, proportionality, collateral damage, indiscriminate weapons Cyber Arms Control

JEL Classification: N4

Suggested Citation

Bellovin, Steven M. and Landau, Susan and Lin, Herbert, Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications (July 13, 2016). Available at SSRN: or

Steven M. Bellovin

Columbia University - Department of Computer Science ( email )

New York, NY 10027
United States

Susan Landau (Contact Author)

Worcester Polytechnic Institute (WPI) ( email )

100 Institute Road
Worchester, MA 01609
United States

Herbert Lin

Center for International Security and Cooperation ( email )

Stanford, CA California 94305
United States
6504978600 (Phone)
6504978600 (Fax)

Hoover Institution ( email )

Stanford, CA 94305-6010
United States
6504978600 (Phone)
6504978600 (Fax)

Register to save articles to
your library


Paper statistics

Abstract Views