The U.S. Cyber Consequences Unit


One of the reasons that many corporations are happy to cooperate with the US-CCU’s research is that it helps government policy makers to take better account of their concerns. The US-CCU provides . . .

The US-CCU’s Analytic Method

The primary analytic method that the US-CCU employs is called Value Creation Analysis. This method was pioneered and applied to information problems by the US-CCU’s director in the mid-1990s. It draws on his earlier work in culture-based economics, on Harborne Stuart and Adam Brandenburger's work in value-based business strategy, and, more broadly, on cooperative game theory. The value-based approach has been part of the business school curricula at Harvard, Columbia, Wharton, UCLA, Dartmouth, NYU, and other leading universities for a number of years. It resulted in breakthroughs in pricing theory and in other areas of business strategy. It is only recently, however, that this approach was developed into a theory of value destruction by the US-CCU’s director and applied to the analysis of cyber-attacks. As far as the staff of the US-CCU are aware, this value creation/value destruction model is currently the only method for evaluating the economic consequences of cyber-attacks that can stand up to critical scrutiny.

Corporate Cyber-Security Exercises

In addition to its research activities, the US-CCU regularly conducts cyber-security exercises for critical infrastructure corporations and other institutions. These exercises normally consist of four table-top sessions . . .

The US-CCU’s Role as a Trend-Setter

The US-CCU director, chief technology officer, and staff have been among the leaders in each of the changes in cyber-security focus over the last several years. They have helped to shift the focus from cyber-attacks that merely interrupt services to those that use false information to do active damage or destroy trust, from mass attack viruses and worms to attacks targeted at specific businesses and processes, from perimeter defense to internal monitoring and recovery, from cyber-vandalism and petty theft to large indirect-payoff cyber-crimes, and from cyber-security as a separate field to the integration of cyber and physical security. Almost every recent trend in cyber-attack strategies and technologies has been anticipated or identified in its earliest stages by US-CCU researchers.

Although the US-CCU’s research lays out the possible consequences of cyber-attacks and the likely effects of counter-measures in some detail, it does not make specific recommendations about how to bring about the needed security reforms. Instead, the US-CCU attempts to identify the ways in which counter-measures need to take account of the special circumstances and business conditions in specific industries. Despite the urgency of this subject, it is not an area in which hasty or one-size-fits-all solutions are likely to be good solutions.

The US-CCU's International Outreach

International cooperation is essential if we are to have any chance of limiting the destruction that can be caused by cyber-attacks. Cyber-attacks can now be launched from virtually anywhere, and their targets . . .

The Urgency of This Cyber-Security Work

Based on the work the US-CCU has already done, it is evident that the potential economic and strategic consequences of cyber-attacks are very great. The US-CCU’s research has demonstrated that the numbers widely quoted for the costs of denial-of-service cyber-attacks lasting up to three days are actually wildly inflated. But the US-CCU’s findings show that other types of cyber-attacks are potentially much more destructive. Especially worrisome are the cyber-attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage. At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies. At a national level, attacks of this kind, directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars' worth of damage and to cause thousands of deaths.

Some of the attack scenarios that would produce the most devastating consequences are now being outlined on hacker websites and at hacker conventions. The overall patterns of cyber intrusion campaigns suggest that a number of potentially hostile groups and nation states are actively acquiring the capability to carry out such attacks. Meanwhile, the many ways in which criminal organizations could reap huge profits from highly destructive attacks are also now being widely discussed. This means that American corporations and American citizens need urgently to be informed, not just of their technical vulnerabilities, but of the economic and strategic consequences if those vulnerabilities are exploited. It is only by basing our cyber-defenses on a comprehensive assessment of cyber-attack consequences that we can make sure those defenses are sensible and adequate.


Original Page: http://www.usccu.us/
