The U.S. Cyber Consequences Unit (US-CCU) is an independent, non-profit (501c3) research institute. It provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks. It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures.
Although the US-CCU aims to provide credible estimates of the costs of ordinary hacker mischief and white collar crime, its primary concern is the sort of larger scale attacks that could be mounted by criminal organizations, terrorist groups, rogue corporations, and nation states.
The mission of the US-CCU is to provide America and its allies with the concepts
and information necessary for making sound security decisions in a world where our physical well-being increasingly depends on cyber-security. The reports
and briefings the US-CCU produces are supplied without charge to the government, to entire critical infrastructure industries, and to the public.
Intensive, Day-Long Courses
For over a decade, the US-CCU has been the world leader in anticipating new cyber threats, quantifying their consequences, demonstrating the ROI for counter-measures, and, in general, showing how to implement a quantitative, risk-based approach to cyber security. In response to many requests, we are now offering courses to teach as much as we can of what we have discovered over our years of research.
Cyber Security for Senior Management
Learn: Which cyber risks are real and which are mostly hype. How computers and networks actually operate, without the usual technical gobbledygook. What questions to ask cyber security professionals. How to take account of cyber-security in the initial planning of new operations and systems, in order to avoid large costs later. How to tell whether a given cyber-security strategy makes sense.
Dates: To be announced.
Cyber Threat Analysis
Learn: How to anticipate what kinds of cyber attacks are coming, even when they haven’t been seen yet. How to analyze and model cyber attackers and the way they are developing. What things to watch for and how to understand what they mean. How to estimate how soon or how frequently a given attack will occur. Strategies for threat reduction.
Dates: To be announced.
Cyber Consequence Analysis
Learn: How to estimate the costs of cyber attacks, even when those costs do not take the form of immediate expenditures. In particular, how to estimate the costs of damage to customer relationships, damage to brand, and theft of technical or business information. Strategies for increasing resilience and reducing consequences.
Dates: To be announced.
Cyber Vulnerability Analysis
Learn: How to see the full range of vulnerabilities from both an offensive and a defensive perspective. How to evaluate vulnerabilities collectively and quantitatively. How to estimate the collective effect of vulnerabilities on prospective losses. Understanding the effects of defensive measures on the expenditures and skill levels needed by attackers.
Dates: To be announced.
Cyber Policy Analysis
Learn: How to estimate the return on investment for different security policies. The reasons for market failures in cyber security and what can be done about them. The reasons for administrative failures in cyber security and what could be done about those. The implications of cyber attacks for corporate, national, and military strategic planning.
Dates: To be announced.
Practical Cyber Intelligence
Learn: How to use sources that are readily available, but under-utilized. How to tie together threat intelligence from different sources. How to see cyber-attack developments in relation to other kinds of events. Finding the real affiliations of groups that are falsifying their identities. Deducing their technical capabilities. Analyzing probes, scans, and criminal offerings to make counter-moves before the associated attacks.
Dates: To be announced.
Key Features of the US-CCU’s Research
• State-of-the-Art Analysis

The US-CCU, since its inception, has been the leading source of new concepts and information for understanding the intersection of cyber, physical, and economic security. Its staff includes pioneering cyber-security theorists and experts on key critical infrastructure industries. The US-CCU’s director developed the first cyber-security models to thoroughly integrate business and economic concepts with security concepts. Many of the categories and terms that he introduced to understand cyber-attacks are now becoming standard in the security field. Each of the major shifts in cyber-security concerns over the last few years was anticipated by US-CCU research. Its investigations into the implications of cyber-security in critical infrastructure industries have regularly broken new ground. Its access to industry data and facilities has been unprecedented. Among the information tools that the US-CCU has produced is a comprehensive Cyber-Security Check List for identifying security vulnerabilities in information systems.
• Scrupulously Neutral
The US-CCU’s research results are generally accepted as the most objective available. This objectivity is vital to its work, because the US-CCU regularly functions as a trusted third party, processing and consolidating information from companies that are otherwise competitors.
To maintain its neutral status, the US-CCU goes to great lengths to avoid any associations that might bias its outlook.
It does not sell or promote any specific security products or commercial services. It does not provide information or aid to any companies without making that same information or aid available to the other American companies in the same industry.
The US-CCU is also aggressively neutral when it comes to ideology.
It believes that responsible and sensible cyber-security should be a priority for every political party and faction.
• Utterly Confidential
The reason the US-CCU was set up as an independent, non-governmental organization was so it could rigorously protect the proprietary information of private sector corporations.
This was necessary because corporations are extremely reluctant to reveal vulnerabilities to any government
entity that might retain the information indefinitely, share it at some point with prosecutors or
regulatory agencies, or release it under the Freedom of Information Act. By operating outside the
government and under stringent legal safeguards, the US-CCU is able to avoid these problems.
It insulates companies from the government. It maintains extremely strict confidentiality
and non-disclosure policies. It has special procedures for rapidly anonymizing information and securely
destroying source materials, keeping only what is necessary for auditing its work. It does not reveal the
identities of the corporations that help with its research, even when communicating with government
employees who have the highest level security clearances. The US-CCU also takes stringent security
precautions in all its more sensitive research. Care is taken, for example, to make sure that no single
staff member knows all of the things necessary for carrying out the more destructive sorts of cyber-attacks.
Critical information is physically divided among different staff members and distributed across different physical locations.
Government approved encryption and secure communications are used wherever appropriate.
• Real-world Oriented
The US-CCU is profoundly engaged with operational and business realities. It carries out nearly all of its research on-site and in-depth. It does not employ questionnaires or phone surveys. It conducts its interviews person-to-person, using flexible formats. In every industry, the US-CCU consults the actual users of the information systems—not
just the cyber-security personnel, but the managers, engineers, technicians, and office staff. It often gets engineers and managers
to “red-team” their own systems, exploring how they would go about attacking their organizations if they were a hostile group.
These field investigations are a key part of the US-CCU’s research contributions. In many industrial categories, the US-CCU is the
only organization that has had researchers actually out in the field, visiting critical infrastructure facilities. The US-CCU
constantly examines how systems are installed and configured in practice, not how they would be installed and configured in some optimum world.
It investigates how systems actually work, not how they are supposed to work in theory. Perhaps most important, the US-CCU looks constantly
at what the systems are supposed to accomplish and how they create value. This gives the US-CCU an unusually realistic picture of how businesses
function and of what security measures would be practical and cost-effective to implement. It also makes the US-CCU aware of the hidden costs of
government regulation.
• Interdisciplinary Expertise
In order to understand the role of cyber-security in business and operational contexts, the US-CCU makes use of a much wider range of expertise than has usually been employed in the security arena. The staff members and outside associates
contributing to US-CCU research include not only experts in cyber-security and physical security, but also experts in economics,
business, engineering, game theory, electronics, chemistry, government policy, anthropology, psychology, mathematics, and statistics.
In addition to people knowledgeable in these academic and practical disciplines, the US-CCU also enlists people who are deeply familiar with
individual critical infrastructure industries. This includes people who are familiar with the specific industrial and business processes
employed in these industries. Finally, and perhaps most significant, the US-CCU has recruited senior staff who have a gift for crossing disciplines.
These are people who not only have a solid background in science, engineering, and business, but who welcome the opportunity to trace processes and
interactions across a number of contrasting disciplines.
• Highly Influential
One of the reasons that many corporations are happy to cooperate with the US-CCU’s research is that it helps government policy makers to take better account of their concerns. The US-CCU provides regular briefings to the highest levels
of government concerned with cyber-security. It has been in frequent communication with senior officials at the Department of Defense,
the Department of Homeland Security, the Department of Commerce, the Department of Treasury, the Department of State, the Department of Energy,
the Federal Reserve Board, the national laboratories, and the intelligence community. US-CCU staff members have played leading roles in
the first two congressionally mandated cyber-security exercises, Livewire and Cyber Storm, in the
National Infrastructure Advisory Council (NIAC)
study groups that set Department of Homeland Security policy, in the
NTIA Economic Security Working Group, and in many other forums that shape
cyber-security policy. The US-CCU’s director has addressed the Committee on National Security Systems. The senior staff of the US-CCU are frequently
quoted by informed journalists and regularly cited by other cyber-security experts. Publications by US-CCU staff are required reading in the
cyber-security training programs of leading universities and of government institutes. The US-CCU is in regular communication with senior figures
in nearly all of the critical infrastructure industries. In all of these contexts, the results of the US-CCU research efforts are given considerable weight,
because of the US-CCU’s reputation for thorough and insightful work.
The US-CCU’s Analytic Method
The primary analytic method that the US-CCU employs is called Value Creation Analysis. This method was first pioneered and applied to information problems by the US-CCU’s director in the mid-1990s. It draws on his earlier work in culture-based economics, on Harborne Stuart and Adam Brandenburger's work in value-based business strategy, and, more broadly, on cooperative game theory. The value-based approach has been part of the business school curricula at Harvard, Columbia, Wharton, UCLA, Dartmouth, NYU, and other leading universities for a number of years. It resulted in breakthroughs in pricing theory and in other areas of business strategy. It is only recently, however, that this approach was developed into a theory of value destruction by the US-CCU’s director and applied to the analysis of cyber-attacks. As far as the staff of the US-CCU are aware, this value creation/value destruction model is currently the only method for evaluating the economic consequences of cyber-attacks that can stand up to critical scrutiny.
Corporate Cyber-Security Exercises
In addition to its research activities, the US-CCU regularly conducts cyber-security exercises for critical infrastructure corporations and other institutions. These exercises normally consist of four table-top sessions spread over one to two days.
The first exercise is focused on identifying the organization’s key critical information systems. These include not only (1) the systems that are most fundamental and widely used, but also (2) the systems that are key to value creation, and (3) the systems that have the potential to create the greatest liabilities, such as those that regulate dangerous processes. This exercise draws heavily on the Value Creation Analysis methods that are central to the US-CCU’s approach.
The second exercise explores the likely effects of the four basic categories of cyber-attacks identified by the US-CCU’s director. These four categories of cyber-attacks are those that: 1) interrupt business operations, 2) cause businesses to operate defectively, 3) discredit business operations, and 4) remove the information differentials that allow businesses to create value. It’s important during this exercise to put aside the question of whether a given attack seems feasible. The point is simply to get some idea of what would happen if these different types of attack were run for different lengths of time on the critical systems identified in the first exercise. This results in a preliminary “attacks-to-worry-about” list.
The third exercise assembles a well-motivated in-house “red team” and has them devise attacks on their own systems. This red team makes a special effort to see whether it can discover ways of accomplishing the items on the attacks-to-worry-about list. The methods discussed are not limited to those that would use the internet. The attack methods that the red team comes up with are then rated according to the levels of expertise they would require in order to succeed. This provides one indication of how likely the attacks discussed in the second exercise might be. In the course of these discussions, the red team will also usually identify new attack possibilities that weren’t spotted in the second exercise.
The fourth exercise brings in the financial and business operations people to help evaluate what these various cyber-attacks would cost the organization. The key to organizing and quantifying their observations is once again the Value Creation Analysis method. This results in a list of cyber-defense priorities that can be refined further, where necessary, using open source intelligence.
Altogether, this set of exercises has proved extremely useful to all participants. The exercises give corporations an easy, mutually productive way of helping the US-CCU with its research. They put corporations in touch with the latest security research, often identify places where security costs can actually be reduced, and provide persuasive ways of allocating and defending cyber-security budgets.
The US-CCU’s Role as a Trend-Setter
The US-CCU director, chief technology officer, and staff have been among the leaders in each of the changes in cyber-security focus over the last several years. They have helped to shift the focus from cyber-attacks that merely interrupt services to those that use false information to do active damage or destroy trust, from mass attack viruses and worms to attacks targeted at specific businesses and processes, from perimeter defense to internal monitoring and recovery, from cyber-vandalism and petty theft to large indirect-payoff cyber-crimes, and from cyber-security as a separate field to the integration of cyber and physical security. Almost every recent trend in cyber-attack strategies and technologies has been anticipated or identified in its earliest stages by US-CCU researchers.
Although US-CCU’s research lays out the possible consequences of cyber-attacks and the likely effects of counter-measures in some detail, it does not make specific recommendations about how to bring about the needed security reforms. Instead, the US-CCU attempts to identify the ways in which counter-measures need to take account of the special circumstances and business conditions in specific industries. Despite the urgency of this subject, it is not an area in which hasty or one-size-fits-all solutions are likely to be good solutions.
The US-CCU's International Outreach
International cooperation is essential if we are to have any chance of limiting the destruction that can be caused by cyber-attacks. Cyber-attacks can now be launched from virtually anywhere, and their targets can be virtually anywhere. Most of the
systems and software that are likely to be targeted or exploited by cyber-attacks are familiar
to engineers around the world. New strategies and techniques for carrying out cyber-attacks
could be developed in any country. In an age of global business, cyber-attacks on targets in
one country could seriously damage the economies of countries thousands of miles away. Cyber-security
concerns are as international as the internet itself.
To deal with these matters, the US-CCU tries to stay in regular communication with
leading cyber-security experts in every part of the world. It exchanges information on new cyber-attack
trends and new counter-measures with organizations in many different countries. It makes the US-CCU Cyber-Security
Check List available in other languages. When it revises the check list, it takes account of advice from cyber-security
professionals in every part of the world. It trades briefings on the latest cyber-security concepts with
select groups of security thinkers from many countries with shared economic and political interests. To help
improve the cyber-security of America and its allies, the US-CCU believes it is essential to be engaged with
cyber-security world-wide.
The Urgency of This Cyber-Security Work
Based on the work the US-CCU has already done, it is evident that the potential economic and strategic consequences of cyber-attacks are very great. The US-CCU’s research has demonstrated that the numbers widely quoted for the costs of denial-of-service cyber-attacks lasting up to three days are actually wildly inflated. But the US-CCU’s findings show that other types of cyber-attacks are potentially much more destructive. Especially worrisome are the cyber-attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage. At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies. At a national level, attacks of this kind, directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars worth of damage and to cause thousands of deaths.
Some of the attack scenarios that would produce the most devastating consequences are now being outlined on hacker websites and at hacker conventions. The overall patterns of cyber intrusion campaigns suggest that a number of potentially hostile groups and nation states are actively acquiring the capability to carry out such attacks. Meanwhile, the many ways in which criminal organizations could reap huge profits from highly destructive attacks are also now being widely discussed. This means that American corporations and American citizens need urgently to be informed, not just of their technical vulnerabilities, but of the economic and strategic consequences if those vulnerabilities are exploited. It is only by basing our cyber-defenses on a comprehensive assessment of cyber-attack consequences that we can make sure those defenses are sensible and adequate.
Scott Borg
Director and Chief Economist (CEO)
Scott Borg originated many of the concepts and categories currently being used to understand the strategic and economic implications of cyber-attacks. He founded the US-CCU at the request of senior government officials, who wanted an independent, economically-oriented source of cyber-security research. He has lectured at Harvard, Yale, Columbia, London, and other leading universities.
Warren Axelrod
Research Director for Financial Services
Warren Axelrod is one of the leading authorities on the cyber-security of financial institutions. He helped create some of the financial industry practices that are now standard. In addition to his CISSP and other cyber-security qualifications, he has a Ph.D. in economics from Cornell and degrees in engineering and statistics from the University of Glasgow.
John Bumgarner
Research Director for Security Technology (CTO)
John Bumgarner is a celebrated “über-hacker” with 18 years of service in Special Operations and intelligence. His private sector certifications include CISSP, GIAC (Gold), and dual Master's degrees in Information Systems Management and Security Management.

Joel Gordes
Research Director for Electrical Power
Joel Gordes has been a recognized expert on energy policies and electrical utilities for nearly thirty years, winning respect from all parties. His interest in security issues dates from his military days, when, after graduating from the U.S. Air Force Academy, he flew over 130 combat missions, receiving the Distinguished Flying Cross and the Air Medal with eight oak leaf clusters.
Paul Thompson
Research Director for Manufacturing Supply Chains
Paul Thompson is an expert on cognitive hacking and text mining. He has served on the computer science faculties of Dartmouth College, the University of Minnesota, and George Mason University. His Ph.D. is from the University of California at Berkeley.
Charles Wheeler
Research Director for East Asian Partnerships
Charles Wheeler is an expert on the international activities of East Asian businesses and on their historical roots. He has served on the faculty of the University of California at Irvine. His doctorate in Southeast Asian history is from Yale, and his undergraduate studies in Chinese were at the University of Washington.
Senior Research Fellows
Harborne Stuart
Consulting Director for Analytic Methods
Gus Stuart is responsible for several of the key concepts in game-theory-based business strategy, including the rigorous formulation of Added Value. He has a doctorate in decision science, an MS in engineering sciences, and a BA in mathematics, all from Harvard. He is currently an Associate Professor in the Business School of Columbia University.
Senior Research Associates
April Andrews
Consulting Financial Analyst
April Andrews is a Certified Financial Analyst (CFA) who specializes in matters related to information technology. Her MBA is from Duke University, and her undergraduate education was at Amherst College.
Steffani Burd
Steffani Burd is a statistician specializing in homeland security and cyber-security. She received her Ph.D. from Columbia University and her undergraduate education at the University of Chicago.
Ardith Spence
Consulting Research Economist
Ardith Spence is an economist with special expertise in resource management, energy, and air transport. She has served on the faculties of Smith College and the Brookings Institution. She received her Ph.D. from the University of Chicago and her undergraduate education at Carleton College.