Building Cyber Security Leadership for the 21st Century

Report Defense

Building Cyber Security Leadership for the 21st Century

December 16, 2008 18 min read Download Report

Authors: James Carafano and Eric Sayers

The issue of cyber security, cyber competitiveness, and cyberwarfare has weighed heavily on the minds of policymakers as the severity and complexity of mali­cious cyber attacks have intensified over the past decade. These attacks, directed against both the public and private sectors, are the product of a heterogeneous network of state and non-state actors whose actions are motivated by a host of factors. Helping to ensure that the federal government achieves a high level of competency on cyber security issues is an imperative for the next Congress.

Indicative of how important cyber security has become, Director of National Intelligence Mike McConnell raised this issue for the first time this past February as part of his testimony on the 2008 Annual Threat Assessment. When asked if he believed the United States was prepared to deal with cyber-secu­rity threats to the civilian and military infrastructure, McConnell noted that the country is "not prepared to deal with it. The military is probably the best pro­tected, the federal government is not well protected, and the private sector is not well protected. So the question is: How do we take some of the things that we've developed for the military side, scale them across the federal government? And then the key question will be: How do we interact with the private sector?" Properly answering these questions begins with developing cyber-strategic leadership skills in the U.S. government and private sector.

Even as Washington wrestles with issues concern­ing organization, authorities, responsibilities, and programs to deal with cyber competition, it must place more emphasis on developing leaders who are competent to engage in these issues. This will require a professional development system that can provide a program of education, assignment, and accreditation to develop a corps of experienced, dedicated service professionals who have an exper­tise in the breadth of issues related to the cyber environment. This program must be backed by effective public-private partnerships that produce cutting-edge research, development, and capabili­ties to operate with freedom, safety, and security in the cyber world.

What's at Stake: The Heartbeat of America

Over the past quarter century, the cyberspace domain has rapidly expanded to dominate almost every aspect of human interaction. Americans now depend on cyberspace more then ever to manage their banking transactions, investments, work and personal communication, shopping, travel, utilities, news, and even social networking. Indeed, the glo­bal online networks that carry people, goods, infor­mation, and services make the world what it is today. With this growing dependence inevitably comes an increased vulnerability. A massive inter­ference with global trade, travel, communications, and access to databases caused by a worldwide Internet crash would create an unprecedented chal­lenge, particularly if it occurred concurrently with any requirement to deploy U.S. forces.[1] Addition­ally, an attack aimed solely at the U.S., similar in scope to the cyber attacks suffered by Estonia in April and May 2007, could severely disrupt the U.S. economy and increase Americans' concerns regard­ing their vulnerability.

How to Think About the Problem: It's a Competition

Addressing cyber issues begins with the premise that all national security challenges are a series of actions and counteractions between competitors, and inquiring how these competitions might progress in the future. Looking for single "silver-bullet" solu­tions will not work. There is no technology, govern­ment policy, law, treaty, or program that can stop the acceleration of competition in the cyber universe.

Accepting this premise (that an evolving cyber competition is a permanent character of the global environment) requires responses that offer a com­prehensive, multi-disciplinary approach to analy­sis: looking at the full range of factors that shape and alter the security environment of the future including social, political, technological, and eco­nomic trends, as well as dynamic responses that eschew one-time or simple technical fixes to secu­rity challenges.

Required--Strategies of Resiliency

Strategies must be national in character and international in scope. Nearly every domestic cyber program--from managing movement of goods, people, services, and ideas to controlling a border to investigating terrorist groups--requires interna­tional cooperation. This dimension of safeguarding the home front is nowhere more important than in addressing national infrastructure, supply-chain issues, and public-private partnerships. America is part of a global marketplace with a global industrial base. Virtually no nation is self-sufficient.[2]

Efforts to safeguard the homeland tend to focus solely on the unrealistic task of protecting infra­structure. However, the politically charged "failure is not an option" approach to classify all infrastruc­ture as "critical" is detrimental to prioritizing national security missions.

Instead, the U.S. needs leaders who understand the need for creating and implementing strategies of resiliency, or methods for ensuring that basic struc­tures and systems of global, national, and local economies remain strong even after a cyber attack or other malicious acts or acts of war.[3]

A strategy of resiliency does not mean abandon­ment of preventive measures. At its core, resiliency is far more complex--and effective--than simply protecting critical infrastructure against natural and man-made threats. Protection alone cedes the initia­tive to the enemy.

Required: Cyber-Strategic Leaders

Due to the vulnerability of cyberspace, one ini­tiative that should be prominent in constructing a resiliency strategy for the 21st century is a cyber-strategic leadership program. Cyber-strategic lead­ership is not a specific technical skill or person, but a set of knowledge, skills, and attributes essential to all leaders at all levels of government and in the pri­vate sector.

The recipe of education, assignment, and accred­itation that worked so successfully following the Goldwater-Nichols Act of 1986 can also be used to foster critical interagency skills among national secu­rity professionals. No institutions are currently designed in Washington, academia, or elsewhere to carry out such a task. A national effort with national standards should be initiated along with a new gov­ernment institution to help foster interagency learn­ing should be built in Washington, D.C. This professional development program could integrate a shared body of common knowledge, practices, and experiences, as well as trust and confidence among practitioners. Amongst the skills and attributes this institution could provide would be an expertise in the cyber environment, risk management, best prac­tices, effective interagency cooperation, and public-private partnerships. Just as senior leaders in gov­ernment and the private sectorare expected to have an understanding of accounting and informational technology (IT), a working knowledge of cyber security must also become commonplace.

Knowledge, Skills, and Attributes for Cyber-Strategic Leaders

Understand the Cyber Environment. Begin­ning in 1988 with the infamous "Morris Worm" attack, cyber security has grown in importance along with the degree of reliability the United States and other nations have placed on the cyber domain.

The effectiveness of cyberwarfare stems from its dynamic characteristics. In addition to low costs to entry, making it more attractive to terrorists and other non-state actors inclined to pursue low-end asymmetric strategies, the historical boundaries of warfare do not apply to the cyber realm.

Although decentralized, cyberspace remains dependent on the physical network of computer servers, fiber-optic cables, and the immense system of cables that have been laid across the world's oceans. A familiarity with the physical aspects of cyberspace forms the foundation of a larger educa­tion on the topic.

The complexities of cyberspace begin with the distinction between its two existing theaters. First, the commercial Internet. Reserved for the day-to-day activities of the public, and traditionally the tar­get of non-state actors, the vulnerability of this the­ater has been magnified in the wake of the Estonia and Georgia cyber attacks that occurred in April and May 2007 and August 2008, respectively. Second, the military network. Over the past two decades, as the military has attempted to enhance its warfight­ing capabilities through network-centric warfare, an increased reliability on information technology has had the cumulative effect of ensuring a growing lia­bility should the network fall under attack.[4]

There are various types of actors that may pose a threat to the commercial and military cyber net­works. First, individuals acting on their own to exploit security gaps or commit cyber crimes, such as identify theft. These hackers are commonly referred to as "Black Hats." Second, cyber terrorists attempting to manipulate the cyber environment to advance political or social objectives.[5] Islamist hackers took their fight to the target-rich environ­ment of the Internet years ago. Thanks to its low barriers to entry, the cyber environment has proven itself to be one of the most efficient asymmetric tools for Islamist terrorists to incite hatred, violence, and plan and carry out attacks.

Finally, nation-states are increasingly employ­ing cyberwarfare to attack other states or entities, either solely in the cyber domain or as part of a full-spectrum military maneuver.[6] Specifically, states like China and Russia, which remain infe­rior to the United States militarily, have identified America's cyberspace vulnerability and worked diligently to exploit it.[7] As we have learned from Chinese military journals, the People's Liberation Army (PLA) has focused intensely on attacking the U.S. military's C4ISR network with a variety of weapons, including anti-satellite (ASAT) weapons and cyberwarfare.[8]

The predominant tool used for cyber attacks are botnets. A botnet is a network of computers that have been compromised by malicious code and may be remotely controlled by a single computer, called a "bot herder" or "bot master." When the power of thousands of computers is combined, it can be used to launch denial-of-service attacks to shut down desired Web sites. Due to the rapidly changing nature of software, including improved commercially available security programs, the dis­semination of botnet code has evolved from using e-mail attachments to pop-up spam messages and even silent uploads that take advantage of vulnera­bilities in Internet browsers.[9]

Cyber espionage constitutes another threat. Not only are such tactics being used to advance the interest of private corporations as they work to compete in the global market, but states have also employed this tool to both monitor the capabilities of adversaries and steal valuable, top secret, and proprietary information. Everything from the Pen­tagon's most sensitive plans to invaluable intellec­tual property is at risk. Many officials have identified China as the main culprit in this effort, citing numerous major attacks against the Depart­ment of Defense and defense contractors that origi­nated from the Chinese mainland.[10]

Finally, international legal mechanisms that gov­ern cyber activity remain wanting. This is due in part to the decentralized nature of cyber attacks. During the Estonia attacks, for instance, although the perpetrator was believed to be the Russian gov­ernment, and many computers that assisted in the attack were located in Russia, computers all over the world were used to launch the attack. Any direct evidence linking the attacks to Russia was thus highly circumstantial. During the crisis, questions lingered regarding what magnitude of cyber attack or evidence of perpetrators was necessary to invoke an Article V response under the auspices of NATO. Additionally, questions were asked regarding what constituted an appropriate response from Estonia and other NATO members. NATO Secretary Gen­eral Jaap de Hoop Scheffer largely summarized the prevailing answers to these questions when he stated that "no member state is protected from cyber attacks."[11] Efforts to construct a framework to help guide the activities of varying actors in cyberspace remain essential.

Think Strategically. There are many "first order" questions that deserve serious thought as the nation considers the next steps in keeping the "cyber commons" open to the free flow of services and ideas while thwarting the activities of mali­cious actors. These include everything from defin­ing how "deterrence" works in cyberspace to understanding the realistic application of the "rule of law" in a place that in many ways is still lawless. Strategic thinkers must understand the costs and benefits of operating in cyberspace, the nature of the actors, the character of the environment, and how traditional concepts of security and war and peace translate to the cyber world.

Understand Risk and Risk Management. Quantifying and determining optimal responses to risk is a process called risk management. Prop­erly assessing and reducing risk is central to a resiliency strategy. There are three types of risk assessment methodologies, all consisting of simi­lar components.[12]

  • Threat assessment: Examines what an adver­sary can accomplish and with what degree of lethality or effect.
  • Criticality assessment: Evaluates the effect that will be achieved if the adversary accomplishes his goals. This examines both physical conse­quences, social and economic disruption, and psychological effects. Not all consequences can be prevented. In order to assist in prioritization, there is a process designed to identify the critical­ity of various assets: What is the asset's function or mission and how significant is it?
  • Vulnerability assessment: Studies a country's vulnerabilities and how they can be mitigated, including weaknesses in structures (both physical and cyber) and other systems and processes that could be exploited by terrorists. It then asks what options are available to reduce the vulnerabilities identified or, if feasible, to eliminate them.

Adapt Best Practices. Best practices and lessons learned can be effective tools. Ensuring that these are updated and applied should be government's first priority. Only programs that establish clear tasks, conditions, and standards and ensure that they are rigorously applied will keep pace with determined and willful efforts to overcome security efforts. This is especially true in the cyber domain, where the center of gravity is persistently shifting as the rapid evolution of technology and skills pull it in new directions.

Understand Effective Interagency and Public-Private Cooperation. Properly understanding the performance of the interagency process requires dividing it into three components.

  • Policy: The highest level of the interagency pro­cess. At this level, policymakers make broad agreements about how they will support overall U.S. policy. Improvements in this area require a renewed focus on the qualities and competencies of executive leadership, and an intelligence capa­bility and information-sharing culture that allows leaders to obtain the highest-quality infor­mation available so that they are positioned to make the best-informed decisions.
  • Operations: It is at this level where the record of government is mixed. While the Department of Defense's Combatant Command structure has proven itself capable ofmanaging military oper­ations at the regional level, there are very few other established bodies that are able to monitor and manage operations over a geographical area.
  • Field activities: Interagency cooperation on the ground has generally been effective. The country teams led by U.S. ambassadors around the world offer a strong example. However, when chal­lenges grow beyond the control of the local gov­ernment apparatus, robust support mechanisms are normally lacking. Attention to improved doc­trine (how to best conduct joint planning and response during a cyber crisis), sufficient invest­ment in human capital, and appropriate decision making are required in such situations. Effective interagency cooperation does not begin at the policy level, but requires a more responsive operational environment that can meet the chal­lenges of local leadership.[13]

While it is the responsibility of government to prevent terrorist attacks, determining the criticality of assets should be a shared public-private activity. This starts by establishing a common appreciation of roles and responsibilities for the public-private partnership.

Because vulnerability should be the primary responsibility of the partner that owns, manages, and uses the infrastructure, it is largely the private sector's duty to address vulnerability by taking rea­sonable precautions in much the same way that soci­ety expects the private sector to take reasonable measures for safety and environmental protection.[14]

An Agenda for the New Administration

Step 1: Facilitate Cross-Talk. There is a pleth­ora of ongoing cyber security and cyberwarfare ini­tiatives. The tendency of any new Administration is to conduct grand reviews of existing efforts, issue sweeping strategies, centralize management, and reorganize operations and responsibilities. That is a mistake. Such moves are as likely to stunt momen­tum and slow innovation as they are to achieve any efficiencies of operation. Instead, the Obama Administration's first priority must be to facilitate cross-talk between the members of the national "cyber team."

Today, those responsible for "offensive" cyber-security measures (for example, identifying and countering malicious actors) have little contact, familiarity, or collaboration with those working on "defensive" measures, and vice versa. Likewise, agencies and organizations conducting "covert" activities have scant interaction with those engaged in "public" programs. This must change. To close gaps, minimize duplication and overlap, facilitate joint action, and build trust and confidence between members of the public-private team, establishing routine and consistent dialogue must be an immediate priority. This is a vital first step in building a community of professional cyber-strategic leaders.

Step 2: Research, Research, Research. Build­ing cyber-strategic leaders will be like building cas­tles on sand unless the knowledge and skills imparted to them is based on comprehensive, prac­tical, and unbiased research. As a 2007 Computer Science and Telecommunications Board research report concluded, however, the national research and development program is wholly inadequate:

[B]oth traditional and unorthodox approaches will be necessary. Traditional research is problem-specific, and there are many cybersecurity problems for which good solutions are not known.... Research is and will be needed to address these prob­lems. But problem-by-problem solutions, or even problem-class by problem-class solu­tions, are highly unlikely to be sufficient to close the gap by themselves. Unorthodox, clean-slate approaches will also be needed to deal with what might be called a structural problem in cybersecurity research now, and these approaches will entail the develop­ment of new ideas and new points of view that revisit the basic foundations and implicit assumptions of security research. Addressing both of these reasons for the lack of security in cyberspace is important, but it is the second--closing the knowledge gap-- that is the primary goal of cybersecurity research..."[15]

The report goes on to lay out an appropriate research agenda including such issues as deterring would-be attackers and managing the degradation and reconstitution of systems in the face of con­certed attacks.

Step 3: Get Safe. Encouraging innovation is perhaps the quickest and most effective way to promote public-private engagement and build a national ability to mitigate and respond to cyber threats. Providing liability protection is one proven means of promoting private-sector innovation.

Since 9/11, Congress has acted decisively and to good effect in one area of liability protection: The Support Anti-Terrorism by Fostering Effective Tech­nologies (SAFETY) Act lowered the liability risks of manufacturers that provide products and services used in combating terrorism. The act, passed in 2002, protects the incentive to produce products that the Secretary of Homeland Security designates as "Qualified Anti-Terrorism Technologies." The Department of Homeland Security has made a con­certed effort to implement the program, and about 200 companies have obtained SAFETY Act certifica­tion.[16] This program should be used to accelerate the fielding of commercial products and services for cyber security.

Step 4: Implement the National Security Pro­fessional Development Program. The Obama Administration should build on the National Secu­rity Professional Development, a process to educate,certify, and track national security professionals.[17] This program should be modified based on the experience of the last two years in attempting to implement the program and be used to develop leaders skilled in cyber-strategic leadership and other critical national security missions.[18]

The First Step on a Long Road

Efforts to use the cyber domain for malicious purposes have matured in scope and sophistication over the past two decades. This threat will only intensify as terrorists continue to embrace its low costs to entry and states operationalize its power as a new domain of 21st-century warfare. Meeting this challenge in both the public and private sectors will require careful planning and consideration in the coming years. Initiating a professional-develop­ment, cyber-strategic leadership program to begin training future leaders in the complexities of the cyberspace arena is imperative to the future security of America's cyber infrastructure.

James Jay Carafano, Ph.D., is Assistant Director of the Kathryn and Shelby Cullom Davis Institute for International Studies and Senior Research Fellow for National Security and Homeland Security in the Douglas and Sarah Allison Center for Foreign Policy Studies, a division of the Davis Institute, at The Heritage Foundation. Eric Sayers is a Research Assistant in the Allison Center.

[1]See, for example, Madeline Drexler, Secret Agents: The Menace of Emerging Infections (Washington, D.C.: John Henry Press, 2001), pp. 158-200.

[2]See, for example, James Jay Carafano and Richard Weitz, "Enhancing International Collaboration for Homeland Security and Counterterrorism," Heritage Foundation Backgrounder No. 2078, October 18, 2007, at

[3]James Jay Carafano, "Resiliency and Public-Private Partnerships to Enhance Homeland Security," Heritage Foundation Backgrounder No. 2150, June 24, 2008, at

[4]Rebecca Grant, "Victory in Cyberspace," The Air Force Association, October 2007, at /static/reportimages/79FE28EC4FB1250695DB566BFFA9E1FF.pdf (December 2, 2008).

[5]James Jay Carafano and Richard Weitz, "Combating Enemies Online: State-Sponsored and Terrorist Use of the Internet," Heritage Foundation Backgrounder No. 2105, February 8, 2008, pp. 3-4, at

[6]Ibid., pp. 1-3.

[7]See John J. Tkacik, Jr., "Trojan Dragons: China's International Cyber Warriors," Heritage Foundation WebMemo No. 1735, December 12, 2007, at, and James Jay Carafano, "When Electrons Attack: Cyber-Strikes on Georgia a Wake-Up Call for Congress," Heritage Foundation WebMemo No. 2022, August 13, 2008, at

[8]Roger Cliff, Mark Burles, Michael S. Chase, Derek Eaton, and Kevin L. Pollpeter,"Entering the Dragon's Lair: Chinese Antiaccess Strategies and Their Implications for the UnitedStates," RAND Corporation, 2007, p. 18, at /static/reportimages/0722E6D307C1BF85056781AAE3757215.pdf(December 2, 2008).

[9]Clay Wilson, "Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress," Congressional Research Service, January 29, 2008, at /static/reportimages/BB361D08B21470867DF79287866FC738.pdf(December 2, 2008).

[10]Josh Rogin, "Cyber Officials: Chinese Hackers Attack 'Anything and Everything,'", February 13, 2007, at 4, 2008).

[11]Tony Halpin, "Putin Accused of Launching Cyber War," May 18, 2007, Times Online, at
(December 2, 2008).

[12]James Jay Carafano, "Risk and Resiliency: Developing the Right Homeland Security Public Policies for the Post-Bush Era," testimony before the Subcommittee on Transportation Security and Infrastructure Protection, Committee on Homeland Security, United States House of Representatives, June 24, 2008, at

[13]James Jay Carafano, "Managing Mayhem: The Future of Interagency," March 1, 2008, at

[14]Carafano, "Resiliency and Public-Private Partnerships to Enhance Homeland Security."

[15]Computer Science and Telecommunications Board, Toward A Safer and More Secure Cyberspace (Washington, DC: National Academies Press, 2007), p. 61.

[16]James Jay Carafano, "Fighting Terrorism, Addressing Liability: A Global Proposal," Heritage Foundation Backgrounder No. 2138, May 21, 2008, at

[17]The White House, "Executive Order: National Security Professional Development," May 2007, at
(December 2, 2008).

[18]James Jay Carafano, "Missing Pieces in Homeland Security: Interagency Education, Assignments, and Professional Accreditation," Executive Memorandum No. 1013, October 16, 2006, at


Jim Carafano
James Carafano

Vice President, Kathryn and Shelby Cullom Davis Institute

Eric Sayers

Health Policy Fellow