The United States Cyber Consequences Unit


The U.S. Cyber Consequences Unit (US-CCU) is an independent, non-profit (501(c)(3)) research institute.  It provides assessments of the strategic and economic consequences of possible cyber-attacks and cyber-assisted physical attacks.  It also investigates the likelihood of such attacks and examines the cost-effectiveness of possible counter-measures.

Although the US-CCU aims to provide credible estimates of the costs of ordinary hacker mischief and white collar crime, its primary concern is the sort of larger scale attacks that could be mounted by criminal organizations, terrorist groups, rogue corporations, and nation states.

The reports and briefings the US-CCU produces are supplied directly to the government, to entire critical infrastructure industries, and to the public.  The US-CCU does not do any private or commercial work.  The US-CCU’s products are all made available for free.  The only limitations on their release are those due to security considerations.  The mission of the US-CCU is to provide America and its allies with the concepts and information necessary for making sound security decisions in a world where our physical well-being increasingly depends on cyber-security.

Key Features of the US-CCU’s Research

   • State-of-the-Art Analysis

The US-CCU, since its inception, has been the leading source of new concepts and information for understanding the intersection of cyber, physical, and economic security. Its staff includes pioneering cyber-security theorists and experts on key critical infrastructure industries. The US-CCU’s director developed the first cyber-security models to thoroughly integrate business and economic concepts with security concepts. Many of the categories and terms that he introduced to understand cyber-attacks are now becoming standard in the security field. Each of the major shifts in cyber-security concerns over the last few years was anticipated by US-CCU research. Its investigations into the implications of cyber-security in critical infrastructure industries have regularly broken new ground. Its access to industry data and facilities has been unprecedented. Among the information tools that the US-CCU has produced is a comprehensive Cyber-Security Check List for identifying security vulnerabilities in information systems. It is updated annually, has been widely endorsed by cyber-security experts as the best of its kind, and is now in use worldwide.

   • Scrupulously Neutral

The US-CCU’s research results are generally accepted as the most objective available. This objectivity is vital to its work, because the US-CCU regularly functions as a  trusted processing and consolidating information from companies that are otherwise competitors. To maintain its neutral status, the US-CCU goes to great lengths to avoid any associations that might bias its outlook. It accepts funding only from the government, broad-based industry associations, and the most ubiquitous information technology corporations. It does not accept funding from any individual corporations that derive the greater portion of their profits from security products or services. It does not allow its senior personnel to have any business involvements that might be accused of biasing their investigations. The US-CCU’s research results are supplied on an equal basis to all of the relevant critical infrastructure companies. No results are supplied to specific companies on a preferential basis. The US-CCU is also aggressively neutral when it comes to ideology. It believes that responsible and sensible cyber-security should be a priority for every political party and faction.

   • Utterly Confidential

The reason the US-CCU was set up as an independent, non-governmental organization was so it could rigorously protect the proprietary information of private sector corporations. This was necessary because corporations are extremely reluctant to reveal vulnerabilities to any government entity that might retain the information indefinitely, share it at some point with prosecutors or regulatory agencies, or release it under the Freedom of Information Act. By operating outside the government and under stringent legal safeguards, the US-CCU is able to avoid these problems. It insulates companies from the government. It maintains extremely strict confidentiality and non-disclosure policies. It has special procedures for rapidly anonymizing information and securely destroying source materials, keeping only what is necessary for auditing its work. It does not reveal the identities of the corporations that help with its research, even when communicating with government employees who have the highest level security clearances. The US-CCU also takes stringent security precautions in all its more sensitive research. Care is taken, for example, to make sure that no single staff member knows all of the things necessary for carrying out the more destructive sorts of cyber-attacks. Critical information is physically divided among different staff members and distributed across different physical locations. Government approved encryption and secure communications are used wherever appropriate.

   • Real-world Oriented

The US-CCU is profoundly engaged with operational and business realities. It carries out nearly all of its research on-site and in-depth. It does not employ questionnaires or phone surveys. It conducts its interviews person-to-person, using flexible formats. In every industry, the US-CCU consults the actual users of the information systems—not just the cyber-security personnel, but the managers, engineers, technicians, and office staff. It often gets engineers and managers to “red-team” their own systems, exploring how they would go about attacking their organizations if they were a hostile group. These field investigations are a key part of the US-CCU’s research contributions. In many industrial categories, the US-CCU is the only organization that has had researchers actually out in the field, visiting critical infrastructure facilities. The US-CCU constantly examines how systems are installed and configured in practice, not how they would be installed and configured in some optimum world. It investigates how systems actually work, not how they are supposed to work in theory. Perhaps most important, the US-CCU looks constantly at what the systems are supposed to accomplish and how they create value. This gives the US-CCU an unusually realistic picture of how businesses function and of what security measures would be practical and cost-effective to implement. It also makes the US-CCU aware of the hidden costs of government regulation.

   • Interdisciplinary Expertise

In order to understand the role of cyber-security in business and operational contexts, the US-CCU makes use of a much wider range of expertise than has usually been employed in the security arena. The staff members and outside associates contributing to US-CCU research include not only experts in cyber-security and physical security, but also experts in economics, business, engineering, game theory, electronics, chemistry, government policy, anthropology, psychology, mathematics, and statistics. In addition to people knowledgeable in these academic and practical disciplines, the US-CCU also enlists people who are deeply familiar with individual critical infrastructure industries. This includes people who are familiar with the specific industrial and business processes employed in these industries. Finally, and perhaps most significant, the US-CCU has recruited senior staff who have a gift for crossing disciplines. These are people who not only have a solid background in science, engineering, and business, but who welcome the opportunity to trace processes and interactions across a number of contrasting disciplines.

   • Highly Influential

One of the reasons that many corporations are happy to cooperate with the US-CCU’s research is that it helps government policy makers to take better account of their concerns. The US-CCU provides regular briefings to the highest levels of government concerned with cyber-security. It has been in frequent communication with senior officials at the Department of Defense, the Department of Homeland Security, the Department of Commerce, the Department of Treasury, the Department of State, the Department of Energy, the Federal Reserve Board, the national laboratories, and the intelligence community. US-CCU staff members have played leading roles in the first two congressionally mandated cyber-security exercises, Livewire and Cyber Storm, in the National Infrastructure Advisory Council (NIAC) study groups that set Department of Homeland Security policy, in the NTIA Economic Security Working Group, and in many other forums that shape cyber-security policy. The US-CCU’s director has addressed the Committee on National Security Systems. The senior staff of the US-CCU are frequently quoted by informed journalists and regularly cited by other cyber-security experts. Publications by US-CCU staff are required reading in the cyber-security training programs of leading universities and of government institutes. The US-CCU is in regular communication with senior figures in nearly all of the critical infrastructure industries. In all of these contexts, the results of the US-CCU research efforts are given considerable weight, because of the US-CCU’s reputation for thorough and insightful work.

The US-CCU’s Analytic Method

The primary analytic method that the US-CCU employs is called Value Creation Analysis. This method was first pioneered and applied to information problems by the US-CCU’s director in the mid-1990s. It draws on his earlier work in culture-based economics, on Harborne Stuart and Adam Brandenburger's work in value-based business strategy, and, more broadly, on cooperative game theory. The value-based approach has been part of the business school curricula at Harvard, Columbia, Wharton, UCLA, Dartmouth, NYU, and other leading universities for a number of years. It resulted in breakthroughs in pricing theory and in other areas of business strategy. It is only recently, however, that this approach was developed into a theory of value destruction by the US-CCU’s director and applied to the analysis of cyber-attacks. As far as the staff of the US-CCU are aware, this value creation/value destruction model is currently the only method for evaluating the economic consequences of cyber-attacks that can stand up to critical scrutiny.

Corporate Cyber-Security Exercises

In addition to its research activities, the US-CCU regularly conducts cyber-security exercises for critical infrastructure corporations and other institutions. These exercises normally consist of four table-top sessions spread over one to two days.

The first exercise is focused on identifying the organization’s key critical information systems.  These include not only (1) the systems that are most fundamental and widely used, but also (2) the systems that are key to value creation, and (3) the systems that have the potential to create the greatest liabilities, such as those that regulate dangerous processes. This exercise draws heavily on the Value Creation Analysis methods that are central to the US-CCU’s approach.

The second exercise explores the likely effects of the four basic categories of cyber-attacks identified by the US-CCU’s director. These four categories of cyber-attacks are those that: 1) interrupt business operations, 2) cause businesses to operate defectively, 3) discredit business operations, and 4) remove the information differentials that allow businesses to create value. It’s important during this exercise to put aside the question of whether a given attack seems feasible. The point is simply to get some idea of what would happen if these different types of attack were run for different lengths of time on the critical systems identified in the first exercise.  This results in a preliminary “attacks-to-worry-about” list.

The third exercise assembles a well-motivated in-house “red team” and has them devise attacks on their own systems. This red team makes a special effort to see whether it can discover ways of accomplishing the items on the attacks-to-worry-about list. The methods discussed are not limited to those that would use the internet. The attack methods that the red team comes up with are then rated according to the levels of expertise they would require in order to succeed. This provides one indication of how likely the attacks discussed in the second exercise might be. In the course of these discussions, the red team will also usually identify new attack possibilities that weren’t spotted in the second exercise.

The fourth exercise brings in the financial and business operations people to help evaluate what these various cyber-attacks would cost the organization. The key to organizing and quantifying their observations is once again the Value Creation Analysis method. This results in a list of cyber-defense priorities that can be refined further, where necessary, using open source intelligence.

Altogether, this set of exercises has proved extremely useful to all participants. The exercises give corporations an easy, mutually productive way of helping the US-CCU with its research. They put corporations in touch with the latest security research, often identify places where security costs can actually be reduced, and provide persuasive ways of allocating and defending cyber-security budgets.

The US-CCU’s Role as a Trend-Setter

The US-CCU director, chief technology officer, and staff have been among the leaders in each of the changes in cyber-security focus over the last several years.  They have helped to shift the focus from cyber-attacks that merely interrupt services to those that use false information to do active damage or destroy trust, from mass attack viruses and worms to attacks targeted at specific businesses and processes, from perimeter defense to internal monitoring and recovery, from cyber-vandalism and petty theft to large indirect-payoff cyber-crimes, and from cyber-security as a separate field to the integration of cyber and physical security.  Almost every recent trend in cyber-attack strategies and technologies has been anticipated or identified in its earliest stages by US-CCU researchers.

Although US-CCU’s research lays out the possible consequences of cyber-attacks and the likely effects of counter-measures in some detail, it does not make specific recommendations about how to bring about the needed security reforms.  Instead, the US-CCU attempts to identify the ways in which counter-measures need to take account of the special circumstances and business conditions in specific industries.  Despite the urgency of this subject, it is not an area in which hasty or one-size-fits-all solutions are likely to be good solutions.

The US-CCU's International Outreach

International cooperation is essential if we are to have any chance of limiting the destruction that can be caused by cyber-attacks. Cyber-attacks can now be launched from virtually anywhere, and their targets can be virtually anywhere. Most of the systems and software that are likely to be targeted or exploited by cyber-attacks are familiar to engineers around the world. New strategies and techniques for carrying out cyber-attacks could be developed in any country. In an age of global business, cyber-attacks on targets in one country could seriously damage the economies of countries thousands of miles away. Cyber-security concerns are as international as the internet itself.

To deal with these matters, the US-CCU tries to stay in regular communication with leading cyber-security experts in every part of the world. It exchanges information on new cyber-attack trends and new counter-measures with organizations in many different countries. It makes the US-CCU Cyber-Security Check List available in other languages. When it revises the check list, it takes account of advice from cyber-security professionals in every part of the world. It trades briefings on the latest cyber-security concepts with select groups of security thinkers from many countries with shared economic and political interests. To help improve the cyber-security of America and its allies, the US-CCU believes it is essential to be engaged with cyber-security world-wide.

The Urgency of This Cyber-Security Work

Based on the work the US-CCU has already done, it is evident that the potential economic and strategic consequences of cyber-attacks are very great.  The US-CCU’s research has demonstrated that the numbers widely quoted for the costs of denial-of-service cyber-attacks lasting up to three days are actually wildly inflated.  But the US-CCU’s findings show that other types of cyber-attacks are potentially much more destructive.  Especially worrisome are the cyber-attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage.  At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies.  At a national level, attacks of this kind, directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars worth of damage and to cause thousands of deaths.

Some of the attack scenarios that would produce the most devastating consequences are now being outlined on hacker websites and at hacker conventions.  The overall patterns of cyber intrusion campaigns suggest that a number of potentially hostile groups and nation states are actively acquiring the capability to carry out such attacks.  Meanwhile, the many ways in which criminal organizations could reap huge profits from highly destructive attacks are also now being widely discussed.  This means that American corporations and American citizens need urgently to be informed, not just of their technical vulnerabilities, but of the economic and strategic consequences if those vulnerabilities are exploited.  It is only by basing our cyber-defenses on a comprehensive assessment of cyber-attack consequences that we can make sure those defenses are sensible and adequate.

Senior Personnel

Scott Borg

Director and Chief Economist (CEO)

Scott Borg originated many of the concepts and categories currently being used to understand the strategic and economic implications of cyber-attacks. He founded the US-CCU at the request of senior government officials, who wanted an independent, economically-oriented source of cyber-security research. He has lectured at Harvard, Yale, Columbia, London, and other leading universities.

Warren Axelrod

Research Director for Financial Services

Warren Axelrod is one of the leading authorities on the cyber-security of financial institutions. He helped create some of the financial industry practices that are now standard. In addition to his CISSP and other cyber-security qualifications, he has a Ph.D. in economics from Cornell and degrees in engineering and statistics from the University of Glasgow.

John Bumgarner

Research Director for Security Technology (CTO)

John Bumgarner is a celebrated “über-hacker” with 18 years of service in Special Operations and intelligence. His private sector certifications include CISSP, GIAC (Gold), and dual Master's degrees in Information Systems Management and Security Management.

Joel Gordes

Research Director for Electrical Power

Joel Gordes has been a recognized expert on energy policies and electrical utilities for nearly thirty years, winning respect from all parties. His interest in security issues dates from his military days, when, after graduating from the U.S. Air Force Academy, he flew over 130 combat missions, receiving the Distinguished Flying Cross and the Air Medal with eight oak leaf clusters.

Paul Thompson

Research Director for Manufacturing Supply Chains

Paul Thompson is an expert on cognitive hacking and text mining. He has served on the computer science faculties of Dartmouth College, the University of Minnesota, and George Mason University. His Ph.D. is from the University of California at Berkeley.

Charles Wheeler

Research Director for East Asian Partnerships

Charles Wheeler is an expert on the international activities of East Asian businesses and on their historical roots. He has served on the faculty of the University of California at Irvine. His doctorate in Southeast Asian history is from Yale, and his undergraduate studies in Chinese were at the University of Washington.

Senior Research Fellows

Harborne Stuart

Consulting Director for Analytic Methods

Gus Stuart is responsible for several of the key concepts in game-theory-based business strategy, including the rigorous formulation of Added Value. He has a doctorate in decision science, an MS in engineering sciences, and a BA in mathematics, all from Harvard. He is currently an Associate Professor in the Business School of Columbia University.

David Rice

Consulting Director for Policy Reform

Dave Rice is one of the key figures shaping the current discussions of public policies involving cyber security. His book Geekonomics is central to these discussions. A graduate of the Naval Postgraduate School and the U.S. Naval Academy, with a CISSP certification, he also teaches technical courses for the SANS Institute.

Senior Research Associates

April Andrews

Consulting Financial Analyst

April Andrews is a Certified Financial Analyst (CFA) who specializes in matters related to information technology. Her MBA is from Duke University, and her undergraduate education was at Amherst College.

Steffani Burd

Consulting Statistician

Steffani Burd is a statistician specializing in homeland security and cyber-security. She received her Ph.D. from Columbia University and her undergraduate education at the University of Chicago.

William Gravell

Consulting Defense Strategist

Bill Gravell is a leading authority on cyber security in military contexts. As the first Chief of the Joint Staff Information Warfare Division, he created and led the Pentagon’s entire Joint Staff Information Assurance effort. A retired Navy Captain, he has a diploma in Russian studies and is a graduate of the U.S. Naval Academy.

Ardith Spence

Consulting Research Economist

Ardith Spence is an economist with special expertise in resource management, energy, and air transport. She has served on the faculties of Smith College and the Brookings Institution. She received her Ph.D. from the University of Chicago and her undergraduate education at Carleton College.

  Copyright © 2004-2009 U.S. Cyber Consequences Unit. All Rights Reserved.