The U.S. Cyber
Consequences Unit (US-CCU) is an independent,
non-profit (501c3) research institute. It
provides assessments of the strategic and
economic consequences of possible cyber-attacks
and cyber-assisted physical attacks. It
also investigates the likelihood of such attacks
and examines the cost-effectiveness of possible
counter-measures.
Although the US-CCU
aims to provide credible estimates of the costs
of ordinary hacker mischief and white collar
crime, its primary concern is the sort of larger
scale attacks that could be mounted by criminal
organizations, terrorist groups, rogue
corporations, and nation states.
The reports and
briefings the US-CCU produces are supplied
directly to the government, to entire critical
infrastructure industries, and to the public.
The US-CCU does not do any private or commercial
work. The US-CCU’s products are all made
available for free. The only limitations
on their release are those due to security
considerations. The mission of the US-CCU
is to provide America and its allies with the
concepts and information necessary for making
sound security decisions in a world where our
physical well-being increasingly depends on
cyber-security.
Key Features of the US-CCU’s Research
• State-of-the-Art Analysis
The
US-CCU, since its inception, has been the leading
source of new concepts and information for
understanding the intersection of cyber, physical,
and economic security. Its
staff includes pioneering cyber-security
theorists and experts on key critical infrastructure
industries. The US-CCU’s director developed the
first cyber-security models to thoroughly integrate
business and economic concepts with security
concepts. Many of the categories and terms that he
introduced to understand cyber-attacks are now
becoming standard in the security field. Each of the
major shifts in cyber-security concerns over the
last few years was anticipated by US-CCU research.
Its investigations into the implications of
cyber-security in critical infrastructure industries
have regularly broken new ground. Its access to
industry data and facilities has been unprecedented.
Among the information tools that the US-CCU has
produced is a comprehensive Cyber-Security Check
List for identifying security vulnerabilities in
information systems. It is updated annually, has
been widely endorsed by cyber-security experts as
the best of its kind, and is now in use worldwide.
• Scrupulously Neutral
The US-CCU’s research results are generally
accepted as the most objective available. This
objectivity is vital to its work, because the
US-CCU regularly functions as a trusted
processing and consolidating information from
companies that are otherwise competitors. To
maintain its neutral status, the US-CCU goes to
great lengths to avoid any associations that
might bias its outlook. It accepts funding only
from the government, broad-based industry
associations, and the most ubiquitous
information technology corporations. It does not
accept funding from any individual corporations
that derive the greater portion of their profits
from security products or services. It does not
allow its senior personnel to have any business
involvements that might be accused of biasing
their investigations. The US-CCU’s research
results are supplied on an equal basis to all of
the relevant critical infrastructure companies.
No results are supplied to specific companies on
a preferential basis. The US-CCU is also
aggressively neutral when it comes to ideology.
It believes that responsible and sensible
cyber-security should be a priority for every
political party and faction.
• Utterly Confidential
The reason the US-CCU was set up as an independent,
non-governmental organization was
so it could rigorously
protect the proprietary information of
private sector corporations. This
was necessary because corporations are extremely
reluctant to reveal vulnerabilities to any
government entity that might retain the information
indefinitely, share it at some point with
prosecutors or regulatory agencies, or release it
under the Freedom of Information Act. By operating
outside the government and under stringent legal
safeguards, the US-CCU is able to avoid these
problems. It insulates companies from the
government. It maintains extremely strict
confidentiality and non-disclosure policies. It has
special procedures for rapidly anonymizing
information and securely destroying source
materials, keeping only what is necessary for
auditing its work. It does not reveal the identities
of the corporations that help with its research,
even when communicating with government employees
who have the highest level security clearances. The
US-CCU also takes stringent security precautions in
all its more sensitive research. Care is taken, for
example, to make sure that no single staff member
knows all of the things necessary for carrying out
the more destructive sorts of cyber-attacks.
Critical information is physically divided among
different staff members and distributed across
different physical locations. Government approved
encryption and secure communications are used
wherever appropriate.
• Real-world Oriented
The
US-CCU is profoundly engaged with operational and
business realities. It carries out nearly all of its
research on-site and in-depth. It does not employ
questionnaires or phone surveys. It conducts its
interviews person-to-person, using flexible formats.
In every industry, the US-CCU consults the actual
users of the information systems—not just the
cyber-security personnel, but the managers,
engineers, technicians, and office staff. It often
gets engineers and managers to “red-team” their own
systems, exploring how they would go about attacking
their organizations if they were a hostile group.
These field investigations are a key part of the
US-CCU’s research contributions. In many industrial
categories, the US-CCU is the only organization that
has had researchers actually out in the field,
visiting critical infrastructure facilities. The
US-CCU constantly examines how systems are installed
and configured in practice, not how they would be
installed and configured in some optimum world. It
investigates how systems actually work, not how they
are supposed to work in theory. Perhaps most
important, the US-CCU looks constantly at what the
systems are supposed to accomplish and how they
create value. This gives the US-CCU an unusually
realistic picture of how businesses function and of
what security measures would be practical and
cost-effective to implement. It also makes the
US-CCU aware of the hidden costs of government
regulation.
• Interdisciplinary Expertise
In order
to understand the role of cyber-security in business
and operational contexts, the US-CCU makes use of a
much wider range of expertise than
has usually been employed in
the security arena. The staff members and outside
associates contributing to US-CCU research include
not only experts in cyber-security and physical
security, but also experts in economics, business,
engineering, game theory, electronics, chemistry,
government policy, anthropology, psychology,
mathematics, and statistics. In addition to people
knowledgeable in these academic and practical
disciplines, the US-CCU also enlists people who are
deeply familiar with individual critical
infrastructure industries. This includes people who
are familiar with the specific industrial and
business processes employed in these industries.
Finally, and perhaps most significant, the US-CCU
has recruited senior staff who have a gift for
crossing disciplines. These are people who not only
have a solid background in science, engineering, and
business, but who welcome the opportunity to trace
processes and interactions across a number of
contrasting disciplines.
• Highly Influential
One of
the reasons that many corporations are happy to
cooperate with the US-CCU’s research is that it
helps government policy makers to take better
account of their concerns. The
US-CCU provides regular briefings to the highest
levels of government concerned with cyber-security.
It has been in frequent communication with senior
officials at the Department of Defense, the
Department of Homeland Security, the Department of
Commerce, the Department of Treasury, the Department
of State, the Department of Energy, the Federal
Reserve Board, the national laboratories, and the
intelligence community. US-CCU staff members have
played leading roles in the first two
congressionally mandated cyber-security exercises,
Livewire and Cyber Storm, in the
National Infrastructure Advisory Council (NIAC)
study groups that set Department of Homeland
Security policy, in the
NTIA Economic Security Working
Group, and in many other forums that
shape cyber-security policy. The US-CCU’s director
has addressed the Committee on National Security
Systems. The senior staff of the US-CCU are
frequently quoted by informed journalists and
regularly cited by other cyber-security experts.
Publications by US-CCU staff are required reading in
the cyber-security training programs of leading
universities and of government institutes. The
US-CCU is in regular communication with senior
figures in nearly all of the critical infrastructure
industries. In all of these contexts, the results of
the US-CCU research efforts are given considerable
weight, because of the US-CCU’s reputation for
thorough and insightful work.
The US-CCU’s Analytic Method
The primary
analytic method that the US-CCU employs is
called Value Creation Analysis. This method was
first pioneered and applied to information
problems by the US-CCU’s director in the
mid-1990s. It draws on his earlier work in
culture-based economics, on Harborne Stuart and
Adam Brandenburger's work in value-based business
strategy, and, more broadly, on cooperative game theory.
The value-based approach has been part of the
business school curricula at Harvard, Columbia,
Wharton, UCLA, Dartmouth, NYU, and other leading
universities for a number of years. It resulted
in breakthroughs in pricing theory and in other
areas of business strategy. It is only recently, however,
that this approach was developed into a theory
of value destruction by the US-CCU’s director
and applied to the analysis of cyber-attacks. As
far as the staff of the US-CCU are aware, this
value creation/value destruction model is
currently the only method for evaluating the
economic consequences of cyber-attacks that can
stand up to critical scrutiny.
Corporate Cyber-Security Exercises
In addition to its
research activities, the US-CCU regularly
conducts cyber-security exercises for critical
infrastructure corporations and other
institutions. These exercises normally consist
of four table-top sessions spread over one to
two days.
The first exercise
is focused on identifying the organization’s key
critical information systems. These include not
only (1) the systems that are most fundamental
and widely used, but also (2) the systems that
are key to value creation, and (3) the systems
that have the potential to create the greatest
liabilities, such as those that regulate
dangerous processes. This exercise draws heavily
on the Value Creation Analysis methods that are
central to the US-CCU’s approach.
The second exercise
explores the likely effects of the four basic
categories of cyber-attacks identified by the
US-CCU’s director. These four categories of
cyber-attacks are those that: 1) interrupt
business operations, 2) cause businesses to
operate defectively, 3) discredit business
operations, and 4) remove the information
differentials that allow businesses to create
value. It’s important during this exercise to
put aside the question of whether a given attack
seems feasible. The point is simply to get some
idea of what would happen if these different
types of attack were run for different lengths
of time on the critical systems identified in
the first exercise. This results in a
preliminary “attacks-to-worry-about” list.
The third exercise
assembles a well-motivated in-house “red team”
and has them devise attacks on their own
systems. This red team makes a special effort to
see whether it can discover ways of
accomplishing the items on the
attacks-to-worry-about list. The methods
discussed are not limited to those that would
use the internet. The attack methods that the
red team comes up with are then rated according
to the levels of expertise they would require in
order to succeed. This provides one indication
of how likely the attacks discussed in the
second exercise might be. In the course of these
discussions, the red team will also usually
identify new attack possibilities that weren’t
spotted in the second exercise.
The fourth exercise brings in the financial and
business operations people to help evaluate what
these various cyber-attacks would cost the
organization. The key to organizing and
quantifying their observations is once again the
Value Creation Analysis method. This results in
a list of cyber-defense priorities that can be
refined further, where necessary, using open
source intelligence.
Altogether, this
set of exercises has proved extremely useful to
all participants. The exercises give
corporations an easy, mutually productive way of
helping the US-CCU with its research. They put
corporations in touch with the latest security
research, often identify places where security
costs can actually be reduced, and provide a
persuasive way of allocating and defending
cyber-security budgets.
The US-CCU’s Role as a Trend-Setter
The US-CCU director, chief technology officer,
and staff have been among the leaders in each of
the changes in cyber-security focus over the
last several years. They have helped to
shift the focus from cyber-attacks that merely
interrupt services to those that use false
information to do active damage or destroy
trust, from mass attack viruses and worms to
attacks targeted at specific businesses and
processes, from perimeter defense to internal
monitoring and recovery, from cyber-vandalism
and petty theft to large indirect-payoff
cyber-crimes, and from cyber-security as a
separate field to the integration of cyber and
physical security. Almost every recent
trend in cyber-attack strategies and
technologies has been anticipated or identified
in its earliest stages by US-CCU researchers.
Although US-CCU’s
research lays out the possible consequences of
cyber-attacks and the likely effects of
counter-measures in some detail, it does not
make specific recommendations about how to bring
about the needed security reforms.
Instead, the US-CCU attempts to identify the
ways in which counter-measures need to take
account of the special circumstances and
business conditions in specific industries.
Despite the urgency of this subject, it is not
an area in which hasty or one-size-fits-all
solutions are likely to be good solutions.
The US-CCU's International Outreach
International cooperation
is essential if we are to have any chance of
limiting the destruction that can be caused by
cyber-attacks. Cyber-attacks can now
be launched from virtually
anywhere, and their targets
can be virtually anywhere. Most of the systems
and software that are likely to be targeted or
exploited by cyber-attacks are familiar to
engineers around the world. New strategies and
techniques for carrying out cyber-attacks could
be developed in any country. In an age of global
business, cyber-attacks on targets in one
country could seriously damage the economies of
countries thousands of miles away.
Cyber-security concerns are as international as
the internet itself.
To deal with these matters,
the US-CCU tries to stay in regular
communication with leading cyber-security
experts in every part of the world. It exchanges
information on new cyber-attack trends and new
counter-measures with organizations in many
different countries. It makes the US-CCU
Cyber-Security Check List available in other
languages. When it revises the check list, it
takes account of advice from cyber-security
professionals in every part of the world. It
trades briefings on the latest cyber-security
concepts with select groups of security thinkers
from many countries with shared economic and
political interests. To help improve the
cyber-security of America and its allies, the
US-CCU believes it is essential to be engaged
with cyber-security world-wide.
The Urgency of This Cyber-Security Work
Based on the work the
US-CCU has already done, it is evident that the
potential economic and strategic consequences of
cyber-attacks are very great. The US-CCU’s
research has demonstrated that the numbers
widely quoted for the costs of denial-of-service
cyber-attacks lasting up to three days are
actually wildly inflated. But the US-CCU’s
findings show that other types of cyber-attacks
are potentially much more destructive.
Especially worrisome are the cyber-attacks that
would hijack systems with false information in
order to discredit the systems or do lasting
physical damage. At a corporate level,
attacks of this kind have the potential to
create liabilities and losses large enough to
bankrupt most companies. At a national
level, attacks of this kind, directed at
critical infrastructure industries, have the
potential to cause hundreds of billions of
dollars worth of damage and to cause thousands
of deaths.
Some of the attack
scenarios that would produce the most
devastating consequences are now being outlined
on hacker websites and at hacker conventions.
The overall patterns of cyber intrusion
campaigns suggest that a number of potentially
hostile groups and nation states are actively
acquiring the capability to carry out such
attacks. Meanwhile, the many ways in which
criminal organizations could reap huge profits
from highly destructive attacks are also now
being widely discussed. This means that
American corporations and American citizens need
urgently to be informed, not just of their
technical vulnerabilities, but of the economic
and strategic consequences if those
vulnerabilities are exploited. It is only
by basing our cyber-defenses on a comprehensive
assessment of cyber-attack consequences that we
can make sure those defenses are sensible and
adequate.
Senior Personnel
Scott Borg
Director and Chief Economist (CEO)
Scott Borg originated many of the concepts and categories
currently being used to understand the strategic and economic
implications of cyber-attacks. He founded the US-CCU at the
request of senior government officials, who wanted an
independent, economically-oriented source of cyber-security
research. He has lectured at Harvard, Yale, Columbia, London,
and other leading universities.
Warren Axelrod
Research Director for Financial Services
Warren Axelrod is one of the leading authorities on the cyber-security of financial
institutions. He helped create some of the financial industry practices that are now
standard. In addition to his CISSP and other cyber-security qualifications, he has a Ph.D.
in economics from Cornell and degrees in engineering and statistics from the University of Glasgow.
John Bumgarner
Research Director for Security Technology (CTO)
John Bumgarner is a celebrated “über-hacker” with 18 years of
service in Special Operations and intelligence. His private
sector certifications include CISSP, GIAC (Gold), and dual
Master's degrees in Information Systems Management and Security
Management.

Joel Gordes
Research Director for Electrical Power
Joel Gordes has been a recognized expert on energy policies and
electrical utilities for nearly thirty years, winning respect
from all parties. His interest in security issues dates from his
military days, when, after graduating from the U.S. Air Force
Academy, he flew over 130 combat missions, receiving the
Distinguished Flying Cross and the Air Medal with eight oak leaf
clusters.

Paul Thompson
Research Director for Manufacturing Supply Chains
Paul Thompson is an expert on cognitive hacking and text mining.
He has served on the computer science faculties of Dartmouth
College, the University of Minnesota, and George Mason
University. His Ph.D. is from the University of California at
Berkeley.

Charles Wheeler
Research Director for East Asian Partnerships
Charles Wheeler is an expert on the international activities of East
Asian businesses and on their historical roots. He has served on the
faculty of the University of California at Irvine. His doctorate in
Southeast Asian history is from Yale, and his undergraduate studies in
Chinese were at the University of Washington.
Senior Research Fellows
Harborne Stuart
Consulting Director for Analytic Methods
Gus Stuart is responsible for several of the key concepts in game-theory-based
business strategy, including the rigorous formulation of Added Value. He has a
doctorate in decision science, an MS in engineering sciences, and a BA in
mathematics, all from Harvard. He is currently an Associate Professor in the
Business School of Columbia University.
David Rice
Consulting Director for Policy Reform
Dave Rice is one of the key figures shaping the current discussions of public policies involving cyber security.
His book Geekonomics is central to these discussions. A graduate of the Naval Postgraduate School and the U.S. Naval Academy,
with a CISSP certification, he also teaches technical courses for the SANS Institute.
Senior Research Associates
April Andrews
Consulting Financial Analyst
April Andrews is a Certified Financial Analyst (CFA) who
specializes in matters related to information technology. Her
MBA is from Duke University, and her undergraduate education was
at Amherst College.
Steffani Burd
Steffani Burd is a statistician specializing in homeland
security and cyber-security. She received her Ph.D. from
Columbia University and her undergraduate education at the
University of Chicago.
William Gravell
Consulting Defense Strategist
Bill Gravell is a leading authority on cyber security in military contexts.
As the first Chief of the Joint Staff Information Warfare Division, he created and
led the Pentagon’s entire Joint Staff Information Assurance effort. A retired Navy Captain,
he has a diploma in Russian studies and is a graduate of the U.S. Naval Academy.
Ardith Spence
Consulting Research Economist
Ardith Spence is an economist with special expertise in resource
management, energy, and air transport. She has served on the
faculties of Smith College and the Brookings Institution. She
received her Ph.D. from the University of Chicago and her
undergraduate education at Carleton College.