Dr James Jay Carafano
Cyber Security Concerns in the U.S.
Sep 15, 2008

On August 13, 2008, in an article entitled: “When Electrons Attack: Cyber-Strikes on Georgia a Wake-Up Call for Congress” Dr. James Jay Carafano wrote:

Bombs and bullets are not the only things flying around in the Russia-Georgia war over the week-end. There is a flurry of battling electrons as well. According to a news story first reported in The Telegraph, the Georgian Ministry of Foreign Affairs claimed that a “cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.” How these contributed to the country’s crushing defeat and the extent of deliberate Russian “cyber-warfare” remains to be determined. This incident, however, is the latest reminder that Washington needs to get serious about systematically developing the cyber-strategic leaders in the public and private sector who are skilled in dealing with the complex issues of deliberate attacks in cyberspace.

War Online
It has been reported in The New York Times and elsewhere that weeks before the Russian invasion, “denial of service attacks” (where websites are flooded with useless data) and other malicious acts were targeted against Georgian government computer sites. Some speculate these were a prelude to a preplanned assault on Georgian territory. In addition, it is clear that government and business websites were intentionally disrupted during the invasion. How much has been directed by the Russian government, individual hackers, and Russian criminal elements (some with alleged ties to Russian government agencies) remains to be sorted out.

That is not the first time that Russia has been accused of cyber warfare. A widely publicized cyber assault against Estonia in 2007 increased suspicion that Russia is using online malicious activity as a tool of national policy. The assault disrupted public and private Estonian information networks with massive denial-of-service attacks. The attacks targeted the websites of Estonian banks, telecommunication companies, media outlets, and government agencies. Estonia’s defense minister described the attacks as “a national security situation... It can effectively be compared to when your ports are shut to the sea.” The Estonian and Georgian attacks testify to the disruptive power of a coordinated cyber offensive.

Russia is not the only [nation] threatening other countries. And many countries, including America, are their targets. U.S. government information systems are attacked every day from sources within the country and around the world. China [allegedly] uses “cyber-spying” as a matter of course, and America is one of their prime targets. Some of these intrusions have been extremely serious, compromising ­security and costing millions of dollars. Penetration of ­computer networks at the National Defense University proved so pervasive that the university was forced to take the entire computer ­network offline and install new information system defenses.

These attacks come from states, criminal networks, “hacktivists” (online political activists), and other malicious actors. In addition, bad people exploit the freedom of the Internet – terrorists included. They go online to gather intelligence, raise money, share tradecraft in chat rooms, and coordinate ­propaganda messages.

Q:Dr. Carafano, you view this as a broad, all en­com­pas­s­ing and constantly evolving national threat, not only to government, but to industry as well. Many leaders in both of these sectors tend to leave it to the other to handle, or they pass it on as a purely technical task for their Chief Information Officer. What do you suggest is the level of concern that should be involved in each sector?

It is indeed time for leadership to get involved. The lesson for the United States, and probably applicable in large measure to Canada as well, is that we must take the challenge of cyber threats seriously. The initiatives that will likely best serve us and our international partners in the cyber conflicts of the 21st century, are those derived from private sector experience, emerging military and intelligence capabilities for conducting information warfare, and law enforcement measures for combating cyber-crime.

Cyber-war, like real war, is a competition of action and reaction between two determined enemies. Technology, which evolves every day, is the “wild card” that keeps changing the nature of the battlefield. Like war on an escalator, there is no standing still. Thus, there is no quick fix or “silver bullet” solution that will make us immune to these threats. The situation calls for dynamic, informed national leadership (in both the public and private sector) that understands how to compete in the cyber-strategic environment. We need cyber-strategic leaders that can:

  • Ensure adoption of best pra­ct­ices. They must ensure the priority of con­stantly refreshing and re-applying current knowledge.
  • Employ risk-based approaches.  All information programs must include assessments of criticality, threat, and vulnerability as well as measures to efficiently and effectively reduce risks.
  • Foster teamwork. Cyber security is a national responsibility requiring international cooperation. We must maintain effective bilateral and multinational partnerships to combat cyber threats.
  • Exploit emergent private sector capabilities. Government and industry must become more agile consumers of cutting-edge commercial capabilities.
  • Manage cyber systems. Most programs under-perform because, due to inattentive senior leadership, they lack clear requirements and hold unrealistic projections of the resources required to implement those requirements.
  • Protect, defend, and respond to cyber threats. Targets of malicious acts by either state or non-state threats should respond by using the full range of military, intelligence, law enforcement, diplomatic, and economic means.

Q:How do you see this occurring and what counsel would you offer to leaders, both public and private, as you see them attempting to respond effectively to these cyber threats?

First what we do not need is massive reorganization, massive government bureaucracy, massive infusions of government cash, or massive intrusions into the marketplace and the lives of our citizens.

What is needed are long-term commitment and sound initiatives based on better and faster acquisition of commercial services; better and smarter management of military, intelligence, and information technology programs; and better and sustained professional development of federal, state (or provincial in your case), local, and ­private-sector leaders.

Federal governments can help develop the needed leaders to respond to cyber threats. This can be accomplished in part by establishing effective interagency programs for professional development, particularly in regard to cyber skills. Much of this can be done through modest initiatives that require federal interagency education, assignment, and accreditation programs, one that in particular addresses the preparing of cyber-strategic leaders. This framework should include:

  • Education. A program of education, assignment, and accreditation that cuts across all levels of government and the private sector with national and homeland security responsibilities (especially cyber security) has to start with professional schools specifically designed to teach interagency skills. In the U.S., no suitable institutions exist in Washington, academia, or elsewhere – the gov­ernment will have to establish them. I do not know about Canada.
  • Assignment. Qualification will also require interagency assignments in which individuals can practice and hone their skills. These assignments should be at the “operational” level where leaders learn how to make things happen, not just set policies. Identifying the right organizations and assignments and ensuring that they are filled by promising leaders should be a business and government priority.
  • Accreditation. This is vital in the U.S. and, I suggest, in Canada as well. Here, accreditation and congressional involvement are crucial to ensuring that our programs are successful and sustainable. Before leaders are selected for critical (non-politically appointed) positions in national and homeland security, they should be accredited by a board of professionals in accordance with broad guidelines established by Congress. Perhaps corresponding measures should be considered in Canada.

Critical components of good governance, such as establishing long-term professional programs for developing cyber-strategic leaders, are often shunted aside as important but not pressing – something to be done later. But later never comes. The latest real cyber war threats should serve as a wake-up call that this is unacceptable for critical national security activities such as cyber-strategic leadership that require building interagency competencies that are not broadly extant in government.

Q:What sort of feedback have you had or do you expect from these observations and proposals for training and selecting future business and government leaders?

Surprisingly little. People are our greatest asset. There are hundreds of volumes on leadership published every year  and people snap them up. Yet, when it actually comes to focusing on leader development it is amazing how most just give it lip service. Cyber-strategic leadership has proved no different. The problem here is that there is such a great shortfall in qualified strategic leaders that the lack of human capital investment puts us at great risk.

James Jay Carafano, Ph.D., is Assistant Director of the Kathryn and Shelby Cullom Davis Institute for International Studies and Senior Research Fellow for National Security and Homeland Security in the Douglas and Sarah Allison Center for Foreign Policy Studies at The Heritage Foundation in Washington.
© FrontLine Security 2008