
Cyberwar Threat Assessment Project:

Background, Objectives, and Procedures

Dr. Sean Lawson


ITGC Research Group
University of Utah

"Whether greater cybersecurity requires a greater sacrifice of our digital freedoms is an
important debate that we should be having, preferably with all the facts in front of us."

--Evgeny Morozov, "The 0s and 1s of Computer Warfare," The New York Times (16 June 2009);
http://www.nytimes.com/2009/07/17/opinion/17iht-edmorozov.html?_r=1&ref=global

Background

The year 2009 has seen an increase in the number of reported incidents of "cyberattack" or
"cyberwar." Many experts believe that cyberattacks, such as distributed denial of service
(DDoS) and web defacement, will be a staple of all future global conflicts. As a result, the
President has made cybersecurity a top priority for his new administration, while the
military has created the first Cyber Command, which will have the job of carrying out
offensive cyberattack missions. Nonetheless, many have raised doubts about the
seriousness of the supposed threat, as well as concerns about what the U.S. military's
embrace of offensive cyberwar will mean for both international stability and personal
privacy on the Net.

Project Objectives

The overall objective of the Cyberwar Threat Assessment Project (CTAP) is to answer the
question:

• Based on the reporting available to the citizen decision-maker, what level
of threat does cyberattack/cyberwar pose to U.S. national security? [1]

The secondary goal of the CTAP is to answer the question:

• Of what quality and how reliable is currently available media reporting on
the threat of cyberattack/cyberwar?

This project is an effort to address the challenge posed by Evgeny Morozov in the epigraph
above. It is based on a number of starting assumptions:

• The average citizen is a decision-maker who must decide for him/herself whether or
not cyberattack/cyberwar is something that is a substantial enough threat to
warrant the spending of time, money, and other resources by his/her elected
officials.
• Effective decision-making requires the collection and analysis of quality intelligence.
• For the average citizen decision-maker, the main source of "facts" and intelligence
comes from media reporting.

Products and Procedures

Products

Each individual analyst (or group of analysts) will collect and analyze reporting related to an
incident of cyberattack/cyberwar occurring over roughly the last two years, beginning with
the cyberattacks upon Estonia in 2007 and continuing through the present. For each
incident, the analyst(s) will address the following issues in a written Incident Assessment
Report (IAR):

Overall Assessment and Key Judgments

Based on your research, what is your assessment of the seriousness of your incident, the
quality of the reporting about it, etc.?

Geopolitical Context

What were the important geopolitical factors surrounding this event that might give us a
clue as to the attacker's motivations and the reasons for the conflict? How does this
incident fit into the larger pattern of world affairs immediately preceding and during the
time of the attack?

Timeline of Events

What were the key events making up the incident under question?

1. The goal is not to make an absolute assessment of the threat of cyberattack/cyberwar.
The goal is to make the best assessment possible based on the information available. One
might also think of the project's main question as, "If all that we know about cyberattack/
cyberwar were provided by media reports (which closely approximates what the average
citizen has available), then what conclusions could we logically draw about 1) the threat of
cyberattack/cyberwar and 2) the quality of media reporting?" For example, reaching the
conclusion that cyberattack/cyberwar is not a serious threat to U.S. national security based
on media reporting would not necessarily mean that cyberattack/cyberwar is not a threat.
The analysis of other sources may lead to the opposite conclusion. Thus, while concluding
that, based on media reporting, cyberattack/cyberwar is not a serious threat would not
entirely rule out cyberattack/cyberwar as a potential threat, it would indicate that the
average citizen decision-maker should be skeptical and/or that he/she needs more and
better intelligence to make an informed decision.

Attacker

Who was the perpetrator of the attack? What were the attacker's motives?

Targets

What were the targets of the attack--e.g. specific websites, information systems, "critical
infrastructures" like water or power systems, etc.?

Methods of Attack

What methods of attack were employed--e.g. denial of service, viruses, defacement, etc.?

Effects

What were the effects of the attack upon the target--e.g. websites went down, loss of
Internet entirely, stolen information, physical damage/destruction, etc.?

Responses to Attack

How did the target of the attack respond? How did others in the international system
respond to the incident?

Witnesses/Sources

Who are the "witnesses" of the incident cited in the media reports analyzed? What sources
do the reports rely upon for their information--i.e. government officials or experts,
academics, anonymous sources, experts from private industry, etc.?

Procedures

The CTAP will follow the procedures outlined below, each of which will have a corresponding
work product.

Planning and Direction

During the Planning and Direction phase of the project, the entire team will work to identify
and create a timeline of cyberattack/cyberwar incidents, occurring over the last two years,
about which media reports will be collected and analyzed. Regardless of whether analysts
ultimately work individually or in teams, during the first phase, each individual analyst will
use a combination of Google News and Lexis-Nexis to identify and create a timeline of
incidents. Based on these timelines, we will create one master timeline that will be used to
assign incidents to analysts.

Work Product: Timeline of cyberattack/cyberwar incidents occurring since the Estonia attack
of 2007 with a brief (3 to 5 sentences) description of each incident.

Collection

During the Collection phase of the project, analysts will identify and gather reports related
to the individual incidents to which they have been assigned.

Work Product: A list of reports collected, description of collection strategy--i.e. databases
searched, search terms used, URLs to search results, criteria for including/excluding reports
(where appropriate, i.e. where there are a great number of reports for an incident), and a
preliminary description of sources used in collected reports.

Processing

During the Processing phase of the project, analysts will extract from collected reports all
information relevant to each of the issues to be addressed in the IAR--e.g. attacker, targets,
effects, geopolitical context, etc.

Work Product: A sample of data segments, organized by issue area, and each with
attribution to the report from which it was extracted, based on initial processing of 3 to 5
collected reports.

Analysis

During the Analysis phase of the project, analysts will use data extracted after processing all
collected reports to provide a narrative description and assessment for each issue area
covered in the IAR. For example, after extracting all relevant data from all collected reports
that addresses the effects of the attack, that data will be used to 1) describe what is known
about the effects of the attack and 2) provide an overall assessment of the damage caused.
Similarly, for witnesses/sources, the analyst will describe the kinds of sources used by
reports covering the incident being analyzed, as well as provide an assessment of the
quality and reliability of those sources.

Work Product: Assessments/judgments for each issue area--e.g. attacker, targets, effects,
geopolitical context, etc. (No more than 2 to 3 sentences for each issue.)

Dissemination

During the Dissemination phase of the project, analysts will share their findings with other
analysts in preparation for making the overall assessment publicly available. Individual
IARs will be used to produce an overall assessment that will be made publicly available on
the ITGC Research Group website.

Work Products: 1) A final IAR document, including overall assessment/judgments of the
incident, specific assessment/judgments in each issue area, narrative description in each
issue area, all data segments for each issue area, and a list of reports collected and
processed. 2) An oral briefing to the other analysts in the ITGC Research Group.
