HYLAND
the most powerful or insidious. It is helpful to divide cyber-weapons into
complex "high-impact" weapons intended to deliver strategic effect, and
much simpler "low-impact" weapons intended to achieve limited damage
but to cause confusion and reputational damage.
Supply chain: infected components (software or hardware) in the supply
chain of an organization can make that organization vulnerable to cyber-
attack, regardless of how effective an organization's procedures are against
intrusion by hackers.
People: people are perhaps the greatest vulnerability in cyber-security,
whether as insiders within a targeted organization, or (far more frequently)
as loyal members of staff who make mistakes when faced with complex
and incoherent IT security procedures. As mentioned above our lack of
understanding of the psychology of human behavior in cyberspace make
this the most effective area for attack.
e Dynamics of Strategic Cyber Weaponry
An analysis of the emerging first generation of cyber-weapons, and
particularly the STUXNET virus, helps us to identify provisionally some
early characteristics of such weapons.6 Any assessment of STUXNET as a
cyber-weapon will emphasize the subtlety of the software: a huge amount
of intellectual capital went into developing the device. Yet as soon as the
virus was discovered, the brilliant complexity that went into developing
it was compromised; such techniques are unlikely to be effective again.
So if STUXNET is at all typical of high-impact cyber-weapons designed
to achieve strategic effect we can expect second generation high-impact
cyber-weapons to require an intense commitment of intellectual capital,
with the expectation of terminal compromise of those techniques when
the system is deployed. It is worth noting, as Barzashka observes,7 that
