Cyberwar Threat Assessment Project: Background, Objectives, and Procedures

Dr. Sean Lawson
ITGC Research Group
University of Utah

"Whether greater cybersecurity requires a greater sacrifice of our digital freedoms is an important debate that we should be having, preferably with all the facts in front of us."
--Evgeny Morozov, "The 0s and 1s of Computer Warfare," The New York Times (16 June 2009); http://www.nytimes.com/2009/07/17/opinion/17ihtedmorozov.html?_r=1&ref=global
Background

The year 2009 has seen an increase in the number of reported incidents of "cyberattack" or "cyberwar." Many experts believe that cyberattacks, such as distributed denial of service (DDoS) and web defacement, will be a staple of all future global conflicts. As a result, the President has made cybersecurity a top priority for his new administration, while the military has created the first Cyber Command, which will have the job of carrying out offensive cyberattack missions. Nonetheless, many have raised both doubts about the seriousness of the supposed threat and concerns about what the U.S. military's embrace of offensive cyberwar will mean for international stability as well as for personal privacy on the Net.
Project Objectives

The overall objective of the Cyberwar Threat Assessment Project (CTAP) is to answer the question:

• Based on the reporting available to the citizen decision-maker, what level of threat does cyberattack/cyberwar pose to U.S. national security? [1]

The secondary goal of the CTAP is to answer the question:

• Of what quality and how reliable is currently available media reporting on the threat of cyberattack/cyberwar?

This project is an effort to address the challenge posed by Evgeny Morozov in the epigraph above. It is based on a number of starting assumptions:

• The average citizen is a decision-maker who must decide for him/herself whether or not cyberattack/cyberwar is a substantial enough threat to warrant the spending of time, money, and other resources by his/her elected officials.
• Effective decision-making requires the collection and analysis of quality intelligence.
• For the average citizen decision-maker, the main source of "facts" and intelligence is media reporting.

[1] The goal is not to make an absolute assessment of the threat of cyberattack/cyberwar. The goal is to make the best assessment possible based on the information available. One might also think of the project's main question as, "If all that we know about cyberattack/cyberwar were provided by media reports (which closely approximates what the average citizen has available), then what conclusions could we logically draw about 1) the threat of cyberattack/cyberwar and 2) the quality of media reporting?" For example, reaching the conclusion that cyberattack/cyberwar is not a serious threat to U.S. national security based on media reporting would not necessarily mean that cyberattack/cyberwar is not a threat. The analysis of other sources may lead to the opposite conclusion. Thus, while concluding that, based on media reporting, cyberattack/cyberwar is not a serious threat would not entirely rule out cyberattack/cyberwar as a potential threat, it would indicate that the average citizen decision-maker should be skeptical and/or that he/she needs more and better intelligence to make an informed decision.

Products and Procedures

Products

Each individual analyst (or group of analysts) will collect and analyze reporting related to an incident of cyberattack/cyberwar occurring over roughly the last two years, beginning with the cyberattacks upon Estonia in 2007 and continuing through the present. For each incident, the analyst(s) will address the following issues in a written Incident Assessment Report (IAR):

Overall Assessment and Key Judgments
Based on your research, what is your assessment of the seriousness of your incident, the quality of the reporting about it, etc.?

Geopolitical Context
What were the important geopolitical factors surrounding this event that might give us a clue as to the attacker's motivations and the reasons for the conflict? How does this incident fit into the larger pattern of world affairs immediately preceding and during the time of the attack?

Timeline of Events
What were the key events making up the incident under question?
Attacker
Who was the perpetrator of the attack? What were the attacker's motives?

Targets
What were the targets of the attack--e.g. specific websites, information systems, "critical infrastructures" like water or power systems, etc.?

Methods of Attack
What methods of attack were employed--e.g. denial of service, viruses, defacement, etc.?

Effects
What were the effects of the attack upon the target--e.g. websites went down, loss of Internet entirely, stolen information, physical damage/destruction, etc.?

Responses to Attack
How did the target of the attack respond? How did others in the international system respond to the incident?

Witnesses/Sources
Who are the "witnesses" of the incident cited in the media reports analyzed? What sources do the reports rely upon for their information--i.e. government officials or experts, academics, anonymous sources, experts from private industry, etc.?

Procedures

The CTAP will follow the procedures outlined below, each of which will have a corresponding work product.

Planning and Direction

During the Planning and Direction phase of the project, the entire team will work to identify and create a timeline of cyberattack/cyberwar incidents, occurring over the last two years, about which media reports will be collected and analyzed. Regardless of whether analysts ultimately work individually or in teams, during the first phase each individual analyst will use a combination of Google News and Lexis-Nexis to identify and create a timeline of incidents. Based on these timelines, we will create one master timeline that will be used to assign incidents to analysts.

Work Product: Timeline of cyberattack/cyberwar incidents occurring since the Estonia attack of 2007, with a brief (3 to 5 sentences) description of each incident.

Collection

During the Collection phase of the project, analysts will identify and gather reports related to the individual incidents to which they have been assigned.

Work Product: A list of reports collected; a description of the collection strategy--i.e. databases searched, search terms used, URLs to search results, and criteria for including/excluding reports (where appropriate, i.e. where there are a great number of reports for an incident); and a preliminary description of sources used in collected reports.

Processing

During the Processing phase of the project, analysts will extract from collected reports all information relevant to each of the issues to be addressed in the IAR--e.g. attacker, targets, effects, geopolitical context, etc.

Work Product: A sample of data segments, organized by issue area, each with attribution to the report from which it was extracted, based on initial processing of 3 to 5 collected reports.

Analysis

During the Analysis phase of the project, analysts will use the data extracted after processing all collected reports to provide a narrative description and assessment for each issue area covered in the IAR. For example, after extracting from all collected reports all relevant data that addresses the effects of the attack, that data will be used to 1) describe what is known about the effects of the attack and 2) provide an overall assessment of the damage caused. Similarly, for witnesses/sources, the analyst will describe the kinds of sources used by reports covering the incident being analyzed, as well as provide an assessment of the quality and reliability of those sources.

Work Product: Assessments/judgments for each issue area--e.g. attacker, targets, effects, geopolitical context, etc. (No more than 2 to 3 sentences for each issue.)
Dissemination

During the Dissemination phase of the project, analysts will share their findings with other analysts in preparation for making the overall assessment publicly available. Individual IARs will be used to produce an overall assessment that will be made publicly available on the ITGC Research Group website.

Work Products: 1) A final IAR document, including the overall assessment/judgments of the incident, specific assessments/judgments in each issue area, a narrative description in each issue area, all data segments for each issue area, and a list of reports collected and processed. 2) An oral briefing to the other analysts in the ITGC Research Group.