Search

Begin New Search Topic Cybersecurity Author James Andrew Lewis

1. Cyber War and Ukraine

Author:
James Andrew Lewis
Publication Date:
06-2022
Content Type:
Special Report
Institution:
Center for Strategic and International Studies (CSIS)
Abstract:
This is a preliminary review of cyber operations in the Ukraine conflict based on publicly available information. Ukraine was not the first “cyber war”—the term itself makes little sense—but it was the first major conflict involving large-scale cyber operations. The so-far inept Russian invasion, where cyber operations have provided little benefit, raises questions about the balance between defense and offense in cyberspace, the utility of offensive cyber operations, and the requirements for planning and coordination. Better-than-expected Ukrainian defenses seem to be one hallmark of this invasion and the primary reason why Russian cyber efforts have had limited effect. It is likely that Ukraine, forewarned by Russian cyber actions that began as early as 2014, was better prepared as a result. It was also assisted in its cyber defense by friendly countries and private actors with whom it had developed cooperative relationships before the conflict. This preparation allowed it to deflect many Russian offensive cyber operations, suggesting that a well-prepared and energetic defense can have the advantage over offense in cyberspace. Russia had previously used cyberattacks against Ukraine to destroy or damage infrastructure and data. It attempted to do so again in 2022. Based on publicly available information, Russia launched a broad cyber campaign shortly before the invasion (see the appendix for a list of known events). Some reporting showed a huge increase in exploits on the first day. The intent appears to have been to create disorder and overwhelm Ukrainian defenses. Russia sought to disrupt services and install destructive malware on Ukrainian networks included phishing, denial of service, and taking advantage of software vulnerabilities. One company identified eight different families of destructive software used by Russia in these attacks. The primary targets were Ukrainian government websites, energy and telecom service providers, financial institutions, and media outlets, but the cyberattacks encompassed most critical sectors. This was a wide-ranging attack using the full suite of Russian cyber capabilities to disrupt Ukraine, but it was not a success. Russia’s most significant cyber success so far was the disruption of the Viasat Inc’s KA-SAT satellite. This created significant damage that spread beyond Ukraine but ultimately did not provide military advantage to Russia. The attack may have been intended to be part of a larger, coordinated cyberattack that proved unsuccessful, or the Russians may not have expected the rapid restoration of service that was provided with outside assistance. The metric for Viasat and for other actions is not whether a cyberattack is effective in terms of network penetration or the disruption of services or data, but whether its effect helps achieve in this case, the occupation of Ukraine and the elimination of its elected government. By this metric, the Viasat attack was not a success.
Topic:
Security, Military Strategy, Cybersecurity, and Russia-Ukraine War
Political Geography:
Russia and Ukraine

2. A Shared Responsibility: Public-Private Cooperation for Cybersecurity

Author:
Eugenia Lostri, James Andrew Lewis, and Georgia Wood
Publication Date:
03-2022
Content Type:
Special Report
Institution:
Center for Strategic and International Studies (CSIS)
Abstract:
Cybersecurity is a priority for Congress and for the Biden administration as online crime and espionage reach unparalleled heights. To improve cybersecurity in federal agencies and in critical infrastructure, the administration has built a strong team, elevated the positions of White House officials dealing with the issue, and released a series of policy directives. In Congress, 157 pieces of legislation addressing cybersecurity were introduced during 2021, with proposals ranging from capacity building and workforce development to updating federal policy. Crime and espionage have made cybersecurity a national priority, and action on cybersecurity is more likely than ever in 2022. CSIS convened two private roundtables with senior government officials and senior information security executives from major enterprises in a range of U.S. industry sectors. The goals of the roundtables were to identify common challenges, discuss best practices, and outline avenues for cooperation.
Topic:
Security, Infrastructure, Governance, Cybersecurity, and Public-Private Partnership
Political Geography:
North America and United States of America

3. The Cybersecurity Workforce Gap

Author:
James Andrew Lewis and William Crumpler
Publication Date:
01-2019
Content Type:
Working Paper
Institution:
Center for Strategic and International Studies (CSIS)
Abstract:
As cyber threats continue to grow in sophistication, organizations face a persistent challenge in recruiting skilled cybersecurity professionals capable of protecting their systems against the threat of malicious actors. With cybercriminals now responsible for billions in losses per year and state-sponsored hacking groups posing an ever-greater threat, the need for individuals capable of securing networks against attackers has never been greater. However, education and training institutions in the United States have so far found it difficult to keep pace with the growing need for cyber talent. This paper highlights the gaps that exist in the nation’s current cybersecurity education and training landscape and identifies several examples of successful programs that hold promise as models for addressing the skills gap. It then highlights recommendations for policymakers, educators, and employers. A recent CSIS survey of IT decisionmakers across eight countries found that 82 percent of employers report a shortage of cybersecurity skills, and 71 percent believe this talent gap causes direct and measurable damage to their organizations.1 According to CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), the United States faced a shortfall of almost 314,000 cybersecurity professionals as of January 2019.2 To put this in context, the country’s total employed cybersecurity workforce is just 716,000. According to data derived from job postings, the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015.3 By 2022, the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions.4 Workforce shortages exist for almost every position within cybersecurity, but the most acute needs are for highly-skilled technical staff. In 2010, the CSIS report A Human Capital Crisis in Cybersecurity found that the United States “not only [has] a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”5 At the time, interviews indicated that the United States only had about 1,000 security specialists with skills and abilities to take on these roles, compared to a need for 10,000 to 30,000 personnel. In the nine years since that report, these challenges have persisted. In 2016, CSIS found that IT professionals still considered technical skills like intrusion detection, secure software development, and attack mitigation to be the most difficult to find skills among cybersecurity operators.6 A 2018 survey of California businesses revealed that a lack of required technology skills was one of the greatest challenges facing organizations when hiring cybersecurity candidates.7 These challenges were particularly acute for mission critical job roles, with over a third of organizations reporting a lack of technology skills in candidates for vulnerability assessment analyst positions and half of employers reporting deficiencies for cyber defense infrastructure support candidates. Employers today are in critical need for more cybersecurity professionals, but they do not want more compliance officers or cybersecurity policy planners. What organizations are truly desperate for are graduates who can design secure systems, create new tools for defense, and hunt down hidden vulnerabilities in software and networks.8
Topic:
Security, Science and Technology, Cybersecurity, and Information Technology
Political Geography:
Global Focus

4. Rethinking Cybersecurity Strategy, Mass Effect, and States

Author:
James Andrew Lewis
Publication Date:
01-2018
Content Type:
Working Paper
Institution:
Center for Strategic and International Studies (CSIS)
Abstract:
Despite all the attention, cyberspace is far from secure. Why this is so reflects conceptual weaknesses as much as imperfect technologies. Two questions highlight shortcomings in the discussion of cybersecurity. The first is why, after more than two decades, we have not seen anything like a cyber Pearl Harbor, cyber 9/11, or cyber catastrophe, despite constant warnings. The second is why, despite the increasing quantity of recommendations, there has been so little improvement, even when these recommendations are implemented. These questions share an answer: the concepts underlying cybersecurity are an aggregation of ideas conceived in a different time, based on millennial expectations about governance and international security. Similarly, the internet of the 1990s has become “cyber,” a portmanteau term that encompassed the broad range of global economic, political, and military activities transformed by the revolution created by digital technologies. If our perceptions of the nature of cybersecurity are skewed, so are our defenses. This report examines the accuracy of our perceptions of cybersecurity. It attempts to embed the problem of cyber attack (not crime or espionage) in the context of larger strategic calculations and effects. It argues that policies and perceptions of cybersecurity are determined by factors external to cyberspace, such as political trends affecting relations among states, by thinking on the role of government, and by public attitudes toward risk. We can begin to approach the problem of cybersecurity by defining attack. While public usage calls every malicious action in cyberspace an attack, it is more accurate to define attacks as those actions using cyber techniques or tools for violence or coercion to achieve political effect. This places espionage and crime in a separate discussion (while noting that some states use crime for political ends and rampant espionage creates a deep sense of concern among states). Cyber attack does not threaten crippling surprise or existential risk. This means that the incentives for improvement that might motivate governments and companies are, in fact, much smaller than we assume. Nor is cyber attack random and unpredictable. It reflects national policies for coercion and crime. Grounding policy in a more objective appreciation of risk and intent is a first step toward better security.
Topic:
Science and Technology, Governance, Cybersecurity, and Digital Economy
Political Geography:
Global Focus