Software as a weapon: concepts, perceptions, and motivations in pursuit of a new technology of conflict

<p>This thesis addresses the topic of ‘Software as a Weapon’ (SaaW) using a mixed-methods approach, bringing together elements of Computer Science, International Relations, and Strategic Studies.</p><br> <p>The thesis therefore first addresses the nature of software, malware, and weaponised software via questionnaire-based public solicitation, with three groups of respondents: military officers, academics, and others. The results show that there is consensus among participants regarding the importance of defensive software capabilities for state security. However, depending on the training and background of respondents, questions pertaining to the nature of software exhibit statistically significant differences. For example, when deciding whether software should be treated like a physical object, or whether malware is a weapon. Yet, there is also consensus, such as that defensive software capabilities are vital to a state’s security.</p><br> <p>The second part of the thesis investigates the factors that contribute to an actor pursuing SaaW. It explores the proliferation debate and examines similarities and differences to traditional weapon groups, including nuclear, biological, and chemical weapons, as well as small arms and light weapons. These factors are then used to create a Bayesian Network model representing an actor’s source of impetus. From such a model, it is possible to reason about the interplay of complementary and competing forces. By accounting for restraining and motivating elements, the model introduces objectivity to the debate on actor motivation in the cyber domain, giving a variety of stakeholders a tool to evaluate actors’ software weaponisation probabilities.</p><br> <p>To showcase and evaluate this model, three different actors are used, representing terrorists, state powers, and generic attackers. Quantitative data is combined with qualitative interviews, populating network nodes with prior probabilities and relative weightings of observed dependencies. An approach of weighting relative parent-nodes’ influence strength is implemented, creating a linearly growing set of probability distributions. The results show that the probability of the generic actor pursuing SaaW is uncertain, which captures the nature of this scenario well. The state actor also shows ambivalence, but in this case high restraints are being countered by almost equally high capabilities, whilst motivating forces are low. The terrorist actor on the other hand has a medium to low probability, driven by a lack of capabilities and limited motivations despite very low retraining factors.</p><br> <p>Overall, this thesis emphasises the interdisciplinary nature of cyber security, and provides novel tools and concepts from Computer Science, International Relations, and Strategic Studies to understand SaaW.</p>