Bombs and bullets are not the only things flying around in the
Russia-Georgia war that broke out over the weekend. There is a
flurry of battling electrons as well. According to a news story
first reported in The Telegraph, the Georgian Ministry of
Foreign Affairs claimed that a "cyberwarfare campaign by Russia is
seriously disrupting many Georgian websites, including that of the
Ministry of Foreign Affairs." How these contributed to the
country's crushing defeat and the extent of deliberate Russian
"cyber-warfare" remain to be determined. This incident, however,
is the latest reminder that Washington needs to get serious about
systematically developing the cyber-strategic leaders in the public
and private sector who are skilled in dealing with the complex
issues of deliberate attacks in cyberspace.
It has been reported in The New York Times and elsewhere
that weeks before the Russian invasion, "denial of service attacks"
(where websites are flooded with useless data) and other malicious
acts were targeted against Georgian government computer sites. Some
speculate these were a prelude to a preplanned assault on Georgian
territory. In addition, it is clear that government and business
websites were intentionally disrupted during the invasion. How much
has been directed by the Russian government, individual hackers,
and Russian criminal elements (some with alleged ties to Russian
government agencies) remains to be sorted out.
This is not the first time that Russia has been accused of
cyberwarfare. A widely publicized cyberassault against Estonia in
2007 increased suspicion that Russia is using online malicious
activity as a tool of national policy. The assault disrupted public
and private Estonian information networks with massive
denial-of-service attacks. The attacks targeted the websites of
Estonian banks, telecommunication companies, media outlets, and
government agencies. Estonia's defense minister described the
attacks as "a national security situation. ... It can effectively
be compared to when your ports are shut to the sea." The Estonian
and Georgian attacks testify to the disruptive power of a
coordinated cyber offensive.
Russia is not the only country threatening others, and many
countries, including America, are targets. U.S. government
information systems are attacked every day from sources within the
country and around the world. China uses "cyber-spying" as a matter
of course, and America is one of its prime targets. Some of these
intrusions have been extremely serious, compromising security and
costing millions of dollars. Penetration of computer networks at
the National Defense University proved so pervasive that the
university was forced to take the entire computer network offline
and install new information system defenses.
These attacks come from states, criminal networks, "hacktivists"
(online political activists), and other malicious actors. In
addition, bad people exploit the freedom of the
Internet--terrorists included. They go online to gather
intelligence, raise money, share tradecraft in chat rooms, and
coordinate propaganda messages.
Time for Leadership
The lesson for the United States is to take the challenge of
cyber threats seriously. The initiatives that will likely best
serve the United States and its international partners in the cyber
conflicts of the 21st century are those derived from private sector
experience, emerging military and intelligence capabilities for
conducting information warfare, and law enforcement measures for
Cyberwar is like real war, a competition of action and reaction
between two thinking, determined enemies. Technology, which evolves
every day, is the "wild card" that keeps changing the nature
of the battlefield. Like war on an escalator, there is no standing
still. Thus, there is no quick fix or "silver bullet" solution that
will make America safe. What is called for is dynamic, informed
national leadership in the public and private sector that
understands how to compete in the cyber-strategic environment.
America needs cyber-strategic leaders who know how to:
- Ensure adoption of best practices. Ensuring that these
are refreshed and applied should be a priority.
- Employ risk-based approaches. All
information programs must include assessments of criticality,
threat, and vulnerability as well as measures to efficiently and
effectively reduce risks.
- Foster teamwork. Cybersecurity is a national
responsibility requiring international cooperation. The United
States must maintain effective bilateral and multinational
partnerships to combat cyber threats.
- Exploit emergent private sector capabilities. Government
and industry must become more agile consumers of cutting-edge
- Manage cyber systems. Most programs underperform
because, due to inattentive senior leadership, they lack clear
requirements and hold unrealistic projections of the resources
required to implement those requirements.
- Protect, defend, and respond to cyber
threats. Targets of malicious acts by either state or non-state
threats should respond by using the full range of military,
intelligence, law enforcement, diplomatic, and economic means.
What is needed, however, is not massive reorganization, massive
government bureaucracy, massive infusions of government cash, or
massive intrusions into the marketplace and the lives of Americans.
What is needed is long-term commitment and sound initiatives based
on better and faster acquisition of commercial services; better and
smarter management of military, intelligence, and information
technology programs; and better and sustained professional
development of federal, state, local, and private-sector
Congress can help develop the leaders America needs to respond
to cyber threats. In part this can be accomplished by establishing
effective interagency programs for professional development,
particularly in regard to cyber skills. Much of this can be
accomplished by modest initiatives that require federal interagency
education, assignment, and accreditation programs, including one
that in particular addresses the preparation of cyber-strategic
leaders. This framework should include:
- Education. A program of education, assignment, and
accreditation that cuts across all levels of government and the
private sector with national and homeland security responsibilities
(especially cyber security) has to start with professional schools
specifically designed to teach interagency skills. No suitable
institutions exist in Washington, academia, or elsewhere. The
government will have to establish them.
- Assignment. Qualification will also require interagency
assignments in which individuals can practice and hone their
skills. These assignments should be at the "operational" level
where leaders learn how to make things happen, not just set
policies. Identifying the right organizations and assignments and
ensuring that they are filled by promising leaders should be a
- Accreditation. Accreditation and congressional
involvement are crucial to ensuring that programs are successful
and sustainable. Before leaders are selected for critical
(non-politically appointed) positions in national and homeland
security, they should be accredited by a board of professionals in
accordance with broad guidelines established by Congress.
Critical components of good governance, such as establishing
long-term professional programs for developing cyber-strategic
leaders, are often shunted aside as important but not
pressing--something to be done later. But later never comes. The
latest cyberwar should serve as a wake-up call that this is
unacceptable for critical national security activities such as
cyber-strategic leadership that require building interagency
competencies that are not broadly extant in government.
James Jay Carafano,
Ph.D., is Assistant Director of the Kathryn and Shelby Cullom
Davis Institute for International Studies and Senior Research
Fellow for National Security and Homeland Security in the Douglas
and Sarah Allison Center for Foreign Policy Studies at The Heritage