The US-CCU issues a report on a one year old cyber war because …
Last Updated on Sunday, 23 August 2009 07:37 Written by Jeffreycarr Friday, 21 August 2009 01:53
This week saw a lot of media attention focusing on the release of a report by the US Cyber Consequences Unit (US-CCU) on the cyber component of the 5-day war between Russia and Georgia in August 2008.
Naturally, I immediately emailed Scott Borg, the CEO of US-CCU and requested a copy of the full report. I was really interested in what Scott and John Bumgarner, the report’s principal researcher, could possibly have been working on that would take an entire year to investigate. The Project Grey Goose Phase I report took us six weeks to research, write, and publish, and we were just a dozen volunteers working part-time using donated tools. US-CCU is affiliated with a major university, has a dozen or more employees, income (according to an old DnB report), and they needed a year?
Combine that with the fact that they don’t seem to want to communicate with the people whose work they apparently used in the preparation of their own report (I wasn’t the only researcher whose emails went unanswered by Scott and John), and I decided to do some digging into the provenance of this organization that no one had ever heard of.
The US-CCU.US domain was registered in 2005 by Scott Borg, the CEO. Its business category is Educational Research. Its only products appear to be the US-CCU Cyber Security Check List 2006 and the US-CCU Cyber Security Check List 2007.
Surely, the outfit that has dedicated 12 months to the RU/Georgia cyber conflict would have been all over Estonia in 2007, right?
Wrong. There’s absolutely no evidence that the US Cyber Consequences Unit dedicated any time at all to Estonia, even though it’s a landmark event in cyber warfare. In fact, both Borg and Bumgarner spoke at the GovSec, U.S. Law and Ready Conference and Exposition on May 22, 2008 (a few weeks past the one year anniversary of the Estonian attack) and focused their talk almost exclusively on warning attendees about a cyber doomsday scenario for the U.S. Borg said, “We are talking about consequences that are only exceeded by the use of nuclear weapons”.
This, in fact, is the drum that Scott Borg has been beating for some time and continues to evangelize even in 2009 while he was apparently co-authoring this mysterious year-long investigation into Russia-Georgia 2008.
Here is the presentation deck he used at NDU this past January. Page 3 of his deck begins “The sheer scale of economic damage that could be done by cyber attacks on critical infrastructure industries is not being taken seriously enough.”
Borg is an accomplished economist who, according to his bio, “was one of the principal developers of Value Creation Analysis, a set of business strategy models for understanding how much value can be created by various types and components of value chains” so perhaps that explains his focus on the economic implications of a Cyber Armageddon.
I did obtain a copy of the public version of their report and failed to read anything new; certainly nothing that would justify such a long development cycle. I did note, however, a surprising lack of awareness of Russian cyber strategies and a pretty hefty dose of hype regarding the role of Russian organized crime in the attacks.
UPDATE: (23 AUG 09): I just received a personal email from Scott Borg in which he expressed his regret for running behind on answering the many hundreds of emails that he has received since the US-CCU announcement was made. He also expressed his admiration for the work of Project Grey Goose, and wrote that the US-CCU findings were the result of research that did not include PGG research material, so the US-CCU report findings acted as independent corroboration of our report, which was nice to hear.
Unfortunately, without reading their research findings, which according to Scott is only going to cleared government employees who have a need to know, I have no way of confirming what the US-CCU found nor the process they used that would help explain the year-long effort. Nevertheless, Scott seems like a good guy and I wish him and his organization well.
The Friday Brief
Last Updated on Friday, 22 May 2009 08:18 Written by admin Friday, 22 May 2009 08:18
It’s been a while since I did one of these but I hope to get back into the habit starting today.
- This is a surprisingly detailed description of an offensive cyber weapon under development.
- I’m astounded that this is what passes for sound research, particularly when it’s presented before the U.S.-China Economic and Security Review Commission.
- US Marshals Service, FBI, and other agencies shut down their network to stop the spread of the Neeris worm. Much worse than that is the finding that the US Marshals hadn’t updated their AV software in 3 years!
- Microsoft loses its second patent infringement case in as many months.
- Remember Gia Krialashvili from my Loot a Burning House post? He was one of the ringleaders of an attempted coup against the President of Georgia. Georgian police just killed him in a shoot-out.
- Michael Brown (aka Doin’ a heck of a job, Brownie), former disgraced head of FEMA, is attempting to reinvent himself as a (drumroll) cyber security expert. OMFG.
Enjoy the weekend, everyone.
Loot a Burning House: A Lesson for Georgia from Russia via China
Last Updated on Wednesday, 20 May 2009 07:33 Written by admin Wednesday, 20 May 2009 07:33
Stratagem #5: Chèn huǒ dǎ jié (Loot a Burning House)
“When a country is beset by internal conflicts, when disease and famine ravage the population, when corruption and crime are rampant, then it will be unable to deal with an outside threat. This is the time to attack.” (The 36 Stratagems)
The Russian Federation just released its National Security Strategy until 2020 document via its Security Council Web site. In it is a very clear tenet which emphasizes the importance of creating “high tech and multi-function border complexes, especially on the borders of the Republic of Kazakhstan, Ukraine, Georgia, and the Azerbaijani Republic”.
“High tech and multi-function” sounds like code for forward operation centers to me, but it gets much, much better than that.
Change has been slow to come in that part of the world and conditions in Georgia, in particular, continue to make it ripe for an internal coup, even after this last failed attempt by Giya Gvaladze, Koba Kobaladze and Giya Karkarashvili. According to the Moscow Times, Gvaladze was the former head of Georgia’s Delta Special Forces unit and reported the shaky state of Saakashvili’s regime to Moscow. Although the coup attempt failed, Moscow has not failed to take notice of the tottering structure that continues to be the Georgian government.
Tbilisi cannot reasonably expect the EU to do much to intercept Russia’s plans either. The EU has not welcomed any of the breakaway states into its sphere of influence and protection for fear of alienating Russia. The global economic crisis has wiped away much of the enthusiasm of European banks operating in the area; most notably in the Ukraine.
NATO membership is still nothing more than a glimmer in Georgia and the Ukraine’s eye, while the Organization for Security and Cooperation in Europe (OSCE) has suspended negotiations on the continuation of its presence in Georgia thanks to a blocking move by Russia.
The Russian army has taken up positions on Georgia’s border with South Ossetia and Abkhazia with military hardware that isn’t typically seen in border operation deployments according to Denis Corboy, former European Commission ambassador to Georgia.
In my opinion, this is not a question of whether Dmitry Medvedev and Vladimir Putin will loot Georgia’s burning house. It’s just a question of when.