Scott Borg provides some answers to my questions about the US-CCU report

Last Updated on Monday, 24 August 2009 07:45 Written by Jeffreycarr Monday, 24 August 2009 07:45

After I wrote my post on the US-CCU report, I received a very nice e-mail from US-CCU C.E.O Scott Borg who patiently addressed a number of questions that I had raised.

Since then, Scott has given me permission to publish his e-mail in full, which is really the best way to share his position on these questions.

————————————————————————

Subject: US-CCU Georgia Research

From: Scott Borg

Date: 8/23/2009 6:21 AM

To: Jeffrey Carr

My apologies for being slow in responding to recent communications.  We have been receiving many hundreds of e-mails that deserve personal replies and simply do not have the staff required to answer them quickly.

We have been pointing out to everyone that many of the conclusions in our report on the campaign against Georgia are not new.  We have also been saying only nice things about the Grey Goose effort.  We thought the Grey Goose research was really excellent, and one of the effects of our research was to confirm many of the Grey Goose findings.  Since we didn’t use the Grey Goose work at any point as a source, this constitutes an independent confirmation, validating the Grey Goose methods and analysis.

One of the reasons we didn’t release a report on the Georgian conflict back in the fall was that, at that time, we would not have been able to add much to what the Grey Goose Project and others were already reporting.  Although we monitored the cyber campaign while it was being carried out, if it was only gradually that we were able to assemble the range and quantity of data necessary to produce a definitive analysis.  The other reason it took us a while to produce our analysis was that we had no funding for it and had to pay the costs out of our own pockets when we could afford it.  We thought it was our duty to report on this subject, however, because our connections with the events while they were underway gave us a unique vantage point.

We only discussed the cyber campaign against Estonia briefly in our conclusions and highlights document, because this particular report was focused on the cyber campaign against Georgia.  We have not neglected Estonia in our researches.  I have made three separate trips to Estonia, each a week long.  Two of these trips included public speeches announced on the internet.  I have also met with Estonian officials on four occasions when they were visiting America.  I have had numerous phone calls with Estonian officials and exchanged a couple of hundred e-mails with them.  I have personally interviewed the President of Estonia, the Permanent Deputy Minister of Defense for Estonia, Estonia’s national cyber security adviser, the head of Estonia’s CERT, the staff of Estonia’s CERT, the chief information security officers for the two major banks in Estonia, the officials dealing with cyber security issues in Estonia’s Ministry of Economics, the cyber security staff of the Estonian army, the Estonian cyber security researchers who studied the cyber campaign, and many of the Estonian business executives responsible for dealing with the effects of the campaign while it was in progress.  I now count many of these Estonians as personal friends.  Some of my interviews and discussions with them have gone on for many hours and, indeed, in some cases, for many days.  The only American cyber security expert I know of who has dedicated MORE time to Estonia is Kenneth Geers, who works in NATO’s Cooperative Cyber Defense Center in Estonia.

The US-CCU’s primary concern is the consequences of cyber attacks for the American economy and for American national security.  That is why this is the main thing I and my colleagues talk about at conventions and conferences.  The US-CCU investigates other issues and conflicts, because these affect the interests of America and its allies, and because the US-CCU has an international network that is possibly unique among American cyber security organizations.  The chief reason for this international network is that the US-CCU Cyber Security Check List is apparently being used in over eighty countries around the world.  People in over forty of these countries have been providing comments and advice on this check list, and this has led to many international dialogs.  A revised version of the check list, by the way, should be out later this year.

The US-CCU’s research is often highly sensitive, and it tends to be distributed to government officials and industry executives on a need-to-know basis.  The full length version of our report on the cyber campaign against Georgia will be available to people with the appropriate security clearances.  The access details are up to the government.  Since I choose to operate without a clearance, so that my own ability to communicate is not impeded, I myself will not be able to keep a copy of this report, even though I collected some of the information, discussed the work regularly while it was in progress, helped draft the actual report, and wrote the overview document.  It’s a shame that so much of the US-CCU’s work has to be so limited in circulation, but a significant portion of the information we routinely handle is genuinely dangerous.  We salute the ability of the Grey Goose Project to provide information on cyber conflicts that can be distributed publicly.  It is terribly important that the information on cyber security circulating in the media and over the internet be as accurate as possible.

Scott Borg
Director and Chief Economist
U.S. Cyber Consequences Unit
www.usccu.us

The US-CCU issues a report on a one year old cyber war because …

Last Updated on Sunday, 23 August 2009 07:37 Written by Jeffreycarr Friday, 21 August 2009 01:53

This week saw a lot of media attention focusing on the release of a report by the US Cyber Consequences Unit (US-CCU) on the cyber component of the 5 day war between Russia and Georgia in August, 2008.

Naturally, I immediately emailed Scott Borg, the CEO of US-CCU and requested a copy of the full report. I was really interested in what Scott and John Bumgarner, the report’s principal researcher, could possibly have been working on that would take an entire year to investigate. The Project Grey Goose Phase I report took us six weeks to research, write, and publish, and we were just a dozen volunteers working part-time using donated tools. US-CCU is affiliated with a major university, has a dozen or more employees, income (according to an old DnB report), and they needed a year?

Combine that with the fact that they don’t seem to want to communicate with the people whose work they apparently used in the preparation of their own report (I wasn’t the only researcher whose emails went unanswered by Scott and John), and I decided to do some digging into the provenance of this organization that no one had ever heard of.

The US-CCU.US domain was registered in 2005 by Scott Borg, the CEO. It’s business category is Educational Research. It’s only products appear to be the US-CCU Cyber Security Check List 2006 and the US-CCU Cyber Security Check List 2007.

Surely, the outfit that has dedicated 12 months to the RU/Georgia cyber conflict would have been all over Estonia in 2007, right?

Wrong. There’s absolutely no evidence that the US Cyber Consequences Unit dedicated any time at all to Estonia, even though it’s a landmark event in cyber warfare. In fact, both Borg and Bumgarner spoke at the GovSec, U.S. Law and Ready Conference and Exposition on May 22, 2008 (a few weeks past the one year anniversay of the Estonian attack) and focused their talk almost exclusively on warning attendees about a cyber doomsday scenario for the U.S. Borg said, “We are talking about consequences that are only exceeded by the use of nuclear weapons”.

This, in fact, is the drum that Scott Borg has been beating for some time and continues to evangelize even in 2009 while he was apparently co-authoring this mysterious year-long investigation into Russia-Georgia 2008.

Here is the presentation deck he used at NDU this past January. Page 3 of his deck begins “The sheer scale of economic damage that could be done by cyber attacks on critical infrastructure industries is not being taken seriously enough.”

Borg is an accomplished economist who, according to his bio, “was one of the principal developers of Value Creation Analysis, a set of business strategy models for understanding how much value can be created by various types and components of value chains” so perhaps that explains his focus on the economic implications of a Cyber Armageddon.

I did obtain a copy of the public version of their report and failed to read anything new; certainly nothing that would justify such a long development cycle. I did note, however, a surprising lack of awareness of Russian cyber strategies and a pretty hefty dose of hype regarding the role of Russian organized crime in the attacks.

UPDATE: (23 AUG 09): I just received a personal email from Scott Borg in which he expressed his regret for running behind on answering the many hundreds of emails that he has received since the US-CCU announcement was made. He also expressed his admiration for the work of Project Grey Goose, and wrote that the US-CCU findings were the result of research that did not include PGG research material, so the US-SSC report findings acted as independent corroboration of our report, which was nice to hear.

Unfortunately, without reading their research findings, which according to Scott is only going to cleared government employees who have a need to know, I have no way of confirming what the US-CCU found nor the process they used that would help explain the year-long effort. Nevertheless, Scott seems like a good guy and I wish him and his organization well.