August 13, 2008 | WebMemo on National Security and Defense
Bombs and bullets are not the only things flying around in the Russia-Georgia war that broke out over the weekend. There is a flurry of battling electrons as well. According to a news story first reported in The Telegraph, the Georgian Ministry of Foreign Affairs claimed that a "cyberwarfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs." How these contributed to the country's crushing defeat and the extent of deliberate Russian "cyber-warfare" remains to be determined. This incident, however, is the latest reminder that Washington needs to get serious about systematically developing the cyber-strategic leaders in the public and private sector who are skilled in dealing with the complex issues of deliberate attacks in cyberspace.
It has been reported in The New York Times and elsewhere that weeks before the Russian invasion, "denial of service attacks" (where websites are flooded with useless data) and other malicious acts were targeted against Georgian government computer sites. Some speculate these were a prelude to a preplanned assault on Georgian territory. In addition, it is clear that government and business websites were intentionally disrupted during the invasion. How much has been directed by the Russian government, individual hackers, and Russian criminal elements (some with alleged ties to Russian government agencies) remains to be sorted out.
That is not the first time that Russia has been accused of cyberwarfare. A widely publicized cyberassault against Estonia in 2007 increased suspicion that Russia is using online malicious activity as a tool of national policy. The assault disrupted public and private Estonian information networks with massive denial-of-service attacks. The attacks targeted the websites of Estonian banks, telecommunication companies, media outlets, and government agencies. Estonia's defense minister described the attacks as "a national security situation. ... It can effectively be compared to when your ports are shut to the sea." The Estonian and Georgian attacks testify to the disruptive power of a coordinated cyber offensive.
Russia is not the only one threatening other countries. And many countries, including America, are their targets. U.S. government information systems are attacked every day from sources within the country and around the world. China uses "cyber-spying" as a matter of course, and America is one of their prime targets. Some of these intrusions have been extremely serious, compromising security and costing millions of dollars. Penetration of computer networks at the National Defense University proved so pervasive that the university was forced to take the entire computer network offline and install new information system defenses.
These attacks come from states, criminal networks, "hacktivists" (online political activists), and other malicious actors. In addition, bad people exploit the freedom of the Internet--terrorists included. They go online to gather intelligence, raise money, share tradecraft in chat rooms, and coordinate propaganda messages.
Time for Leadership
The lesson for the United States is to take the challenge of cyber threats seriously. The initiatives that will likely best serve the United States and its international partners in the cyber conflicts of the 21st century are those derived from private sector experience, emerging military and intelligence capabilities for conducting information warfare, and law enforcement measures for combating cybercrime.
Cyberwar is like real war, a competition of action and reaction between two thinking, determined enemies. Technology, which evolves every day, is the "wild card" that keeps changing the nature of the battlefield. Like war on an escalator, there is no standing still. Thus, there is no quick fix or "silver bullet" solution that will make America safe. What is called for is dynamic, informed national leadership in the public and private sector that understands how to compete in the cyber-strategic environment. America needs cyber-strategic leaders that know how to:
What is needed, however, is not massive reorganization, massive government bureaucracy, massive infusions of government cash, or massive intrusions into the marketplace and the lives of Americans. What is needed is long-term commitment and sound initiatives based on better and faster acquisition of commercial services; better and smarter management of military, intelligence, and information technology programs; and better and sustained professional development of federal, state, local, and private-sector leaders.
Congress can help develop the leaders America needs to respond to cyber threats. In part this can be accomplished by establishing effective interagency programs for professional development, particularly in regard to cyber skills. Much of this can be accomplished by modest initiatives that require federal interagency education, assignment, and accreditation programs, one that in particular addresses the preparing cyber-strategic leaders. This framework should include:
Critical components of good governance, such as establishing long-term professional programs for developing cyber-strategic leaders, are often shunted aside as important but not pressing--something to be done later. But later never comes. The latest cyberwar should serve as a wake-up call that this is unacceptable for critical national security activities such as cyber-strategic leadership that require building interagency competencies that are not broadly extant in government.
James Jay Carafano, Ph.D., is Assistant Director of the Kathryn and Shelby Cullom Davis Institute for International Studies and Senior Research Fellow for National Security and Homeland Security in the Douglas and Sarah Allison Center for Foreign Policy Studies at The Heritage Foundation.