Bombs and bullets are not the only
things flying around in the Russia-Georgia war that broke out over the weekend.
There is a flurry of battling electrons as well. According to a news story
first reported in The Telegraph, the Georgian Ministry of Foreign
Affairs claimed that a "cyberwarfare campaign by Russia is seriously
disrupting many Georgian websites, including that of the Ministry of Foreign
Affairs." How these contributed to the country's crushing defeat and the
extent of deliberate Russian "cyber-warfare" remains to be
determined. This incident, however, is the latest reminder that Washington
needs to get serious about systematically developing the cyber-strategic
leaders in the public and private sector who are skilled in dealing with the
complex issues of deliberate attacks in cyberspace.
It has been reported in The New
York Times and elsewhere that weeks before the Russian invasion,
"denial of service attacks" (where websites are flooded with useless
data) and other malicious acts were targeted against Georgian government
computer sites. Some speculate these were a prelude to a preplanned assault on
Georgian territory. In addition, it is clear that government and business
websites were intentionally disrupted during the invasion. How much has been
directed by the Russian government, individual hackers, and Russian criminal
elements (some with alleged ties to Russian government agencies) remains to be
That is not the first time that
Russia has been accused of cyberwarfare. A widely publicized cyberassault
against Estonia in 2007 increased suspicion that Russia is using online
malicious activity as a tool of national policy. The assault disrupted public
and private Estonian information networks with massive denial-of-service
attacks. The attacks targeted the websites of Estonian banks, telecommunication
companies, media outlets, and government agencies. Estonia's defense minister
described the attacks as "a national security situation. ... It can
effectively be compared to when your ports are shut to the sea." The
Estonian and Georgian attacks testify to the disruptive power of a coordinated
Russia is not the only one
threatening other countries. And many countries, including America, are their
targets. U.S. government information systems are attacked every day from
sources within the country and around the world. China uses
"cyber-spying" as a matter of course, and America is one of their
prime targets. Some of these intrusions have been extremely serious,
compromising security and costing millions of dollars. Penetration of computer
networks at the National Defense University proved so pervasive that the
university was forced to take the entire computer network offline and install
new information system defenses.
These attacks come from states,
criminal networks, "hacktivists" (online political activists), and
other malicious actors. In addition, bad people exploit the freedom of the
Internet--terrorists included. They go online to gather intelligence, raise
money, share tradecraft in chat rooms, and coordinate propaganda messages.
Time for Leadership
The lesson for the United States is
to take the challenge of cyber threats seriously. The initiatives that will
likely best serve the United States and its international partners in the cyber
conflicts of the 21st century are those derived from private sector experience,
emerging military and intelligence capabilities for conducting information
warfare, and law enforcement measures for combating cybercrime.
Cyberwar is like real war, a
competition of action and reaction between two thinking, determined enemies.
Technology, which evolves every day, is the "wild card" that
keeps changing the nature of the battlefield. Like war on an escalator, there
is no standing still. Thus, there is no quick fix or "silver bullet"
solution that will make America safe. What is called for is dynamic, informed
national leadership in the public and private sector that understands how to
compete in the cyber-strategic environment. America needs cyber-strategic
leaders that know how to:
- Ensure adoption of best practices. Ensuring that these are refreshed and applied should
be a priority.
- Know how to employ risk-based approaches. All information programs must include assessments of
criticality, threat, and vulnerability as well as measures to efficiently
and effectively reduce risks.
- Foster teamwork.
Cybersecurity is a national responsibility requiring international
cooperation. The United States must maintain effective bilateral and
multinational partnerships to combat cyber threats.
- Exploit emergent private sector capabilities. Government and industry must become more agile
consumers of cutting-edge commercial capabilities.
- Manage cyber systems.
Most programs underperform because, due to inattentive senior leadership,
they lack clear requirements and hold unrealistic projections of the
resources required to implement those requirements.
- Know how to protect, defend, and respond to cyber
threats. Targets of malicious acts by
either state or non-state threats should respond by using the full range
of military, intelligence, law enforcement, diplomatic, and economic
What is needed, however, is not
massive reorganization, massive government bureaucracy, massive infusions of
government cash, or massive intrusions into the marketplace and the lives of
Americans. What is needed is long-term commitment and sound initiatives based
on better and faster acquisition of commercial services; better and smarter
management of military, intelligence, and information technology programs; and
better and sustained professional development of federal, state, local, and
Congress can help develop the
leaders America needs to respond to cyber threats. In part this can be
accomplished by establishing effective interagency programs for professional
development, particularly in regard to cyber skills. Much of this can be accomplished
by modest initiatives that require federal interagency education, assignment,
and accreditation programs, one that in particular addresses the preparing
cyber-strategic leaders. This framework should include:
A program of education, assignment, and accreditation that cuts across all
levels of government and the private sector with national and homeland
security responsibilities (especially cyber security) has to start with
professional schools specifically designed to teach interagency skills. No
suitable institutions exist in Washington, academia, or elsewhere. The
government will have to establish them.
Qualification will also require interagency assignments in which
individuals can practice and hone their skills. These assignments should
be at the "operational" level where leaders learn how to make
things happen, not just set policies. Identifying the right organizations
and assignments and ensuring that they are filled by promising leaders
should be a priority.
Accreditation and congressional involvement are crucial to ensuring that
programs are successful and sustainable. Before leaders are selected for
critical (non-politically appointed) positions in national and homeland
security, they should be accredited by a board of professionals in
accordance with broad guidelines established by Congress.
Critical components of good
governance, such as establishing long-term professional programs for developing
cyber-strategic leaders, are often shunted aside as important but not
pressing--something to be done later. But later never comes. The latest
cyberwar should serve as a wake-up call that this is unacceptable for critical
national security activities such as cyber-strategic leadership that require
building interagency competencies that are not broadly extant in government.