The US-CCU has issued a superb report on its year long analysis of the 2008 Russian Cyber Campaign against Georgia that accompanied their kinetic military assault into Ossetia. The full report has a great deal of detail on IP addresses and other essentially proprietary information, and therefore has not yet been released to the public.
They have offered a very good nine page summary that hits all the key issues, but without the detailed technical analysis of the attack methods and scripts. Everyone will be clamoring for the full report soon, as this analysis has relevance to everyone hooked up to the Internet. John Bumgarner, US-CCU’s CTO and Director of Research makes the point that this is not just a new way to wage war, but one that allows for a larger audience to be targeted. The analysis in the summary sticks to broad bush level, but none the less is filled with excellent insights. Anyone in this business, in government, or in business would do well to read the nine pages and work to understand the implications.
The cyber part of the Russia operation appears to have been executed solely by non-government civilians he calls “foot soldiers in the cyber conflict.” This is not to say that the “power that be” were not involved. Bumgarner does comment that the civilians were fed the time table, the targets, and the tools to make their efforts as effective as possible. He also notes that these civilian recruits were surprisingly easy to muster together, and, more importantly, that their tools they were given were clearly developed long before the actual attacks.
Several things stand out to me after reading this report. One is that cyber attacks are now becoming the simple equivalent of kinetic artillery preparation or preparatory airstrikes. Though it is unlikely that anyone will refrain from using this very inexpensive methodology in future conflicts. The second is that the “world” has not yet figured out how to react to this sort of action, and therefore has done nothing when it occurs. Bumgarner makes this point for Estonia (2007), Georgia (2008), Lithuania (2008), and Kazakhstan (2009). If civilians execute it, and those provoking the action cover their tracks, they can expect little international response. The final point was the prominent role of organized criminal elements in the effort. These cyber “ronin” are out there for the hiring, and we have no assurance that they work for anything other than profit. That puts their capabilities within reach of elements besides nation states. These lessons will not be lost on future enemies, but will be studied and absorbed by all.
The report summary goes on the call for international entities to monitor the cyber realm in order to give warning of coming attacks, and to provide advice and direct assistance to those counties which may be attacked. The US-CCU is 100% on the mark here. However, if we in the US are not adequately organized, how can we effectively push the international community to do so?
The Obama Administration must take heed of this report, and speed up its efforts to organize our Cyber Defense efforts. Clearly our peer competitors and enemies are moving ahead. Why are we dawdling?
The US-CCU and John Bumgarner in particular has done us all a great service. Their analysis is practical, measured, and useful. It now remains to be seen if the US Government will utilize it, or put it on the shelf with all the other “warnings” we have been given of late.
