TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Computer Science Chair of Network Software

ITI70LT

Volunteers and Cyber Security: Options for Georgia

Master Thesis

Student: Mikheil Basilaia Student Code: 106936 IVCM

Supervisor: Rain Ottis, PhD Prof. Tanel Tammet

Tallinn, 2012

Declaration Hereby I declare that this Masters thesis, my investigation and achievement, submitted for the Masters degree at Tallinn University of Technology has not been submitted for any academic degree or examination at any other university. / Mikheil Basilaia /

(Signature and date)

Volunteers and Cyber Security: Options for Georgia

Master Thesis

Annotation
The thesis explores possibilities to develop defensive cyber capabilities of Georgia by finding practical ways to overcome the qualified manpower shortage in the cyber security sector. The work focuses on leveraging the volunteer option. The thesis brings relevant examples of potential solutions from Estonia (Cyber Defense Unit), the UK (Land Information Assurance Group LIAG; Warning, Advice and Reporting Point WARP), the USA (cyber units of Reserve Component of US armed forces), China (cyber militias), Russia (patriotic cyber volunteers) and also discusses possibilities which can arise from the Georgian environment. The thesis will not only discuss probable positive solutions, but also argue why some solutions will not work for Georgia. Potential solutions should be applicable to and implementable in Georgia taking into account its current IT environment, political, economic, social factors and resources that Georgia could realistically allocate for solutions in the coming years. Georgian example can also be useful for other small countries with limited financial and human resources. The sources of the thesis are research papers, books, (independent) experts from Estonia and Georgia, representatives of governmental agencies of Georgia, as well as supporting material from popular media. The thesis is written in English, consists of 72 pages, 6 chapters, 3 figures and 4 tables.

Vabatahtlikud ja kberjulgeolek: valikuvimalused Georgia jaoks

Magistrit

Annotatsioon
Kesolev magistrit uurib vimalusi tsta Georgia kberkaitse alast vimekust. Tpsemalt, t keskendub vabatahtlike kaasamisele, et vhendada kvalifitseeritud tju puudust kberkaitse sektoris. Magistrit toob potentsiaalsete lahendustena vlja asjakohased nited Eestist (Kaitseliidu Kberkaitse ksus), Suurbritanniast (Land Information Assurance Group LIAG; Warning, Advice and Reporting Point WARP), Ameerika hendriikidest (USA relvajudude reservvgede kberkaitse ksused), Hiinast (kberkaitsevgi) ja Venemaalt (patriootilised kbervabatahtlikud) ning htlasi arutleb lahenduste mber, mis vivad tekkida Georgia keskkonnas. T ei arutle ainult vimalike positiivsete lahenduste teemadel, vaid phjendab ka, miks osad lahendused Georgia jaoks eisobi. Toodud nidete phjal pakub t vlja Georgia olude jaoks kohandatud ja sobivad variandid, vttes arvesse riigi hetkelist infotehnoloogia keskkonda, poliitilisi, majanduslikke ja sotsiaalseid faktoreid ning ressursse, mida Georgia viks lhiaastatel reaalselt lahenduste tarbeks tsse rakendada. Georgia nide vib kasulik olla ka teistele piiratud eelarvete ja tjuga vikeriikidele. Antud diplomit allikmaterjalideks on uurimustd, raamatud, Eesti ja Georgia (iseseisvate) ekspertide arvamused, Georgia riiklike asutuste esindajate arvamused ning tugimaterjalid populaarmeediast. Magistrit on kirjutatud inglise keeles, sellel on 72 leheklge, kuus peatkki, kolm joonist ning neli tabelit.

List of Abbreviations
CDU CERT CERT-GE Cyber Defense Unit (Estonia) Computer Emergency Response Team CERT of GRENA (Georgia)

CERT.gov.ge National CERT of Georgia CII CRRC CVHQ DEA EDL ENISA GDP GNCC GRENA GFR GSAC ICT IDS IETF Critical Information Infrastructure Caucasus Research Resource Centers Central Volunteer Headquarters (UK) Data Exchange Agency (Georgia) Estonian Defense League European Network and Information Security Agency Gross Domestic Product Georgian National Communications Commission Georgian Research and Educational Networking Association Ground Forces Reserve (Georgia) (proposed) Georgian Security Analysis Center Information and Communications Technologies Intrusion Detection System Internet Engineering Task Force
5

IMF ISP IT LIAG LICSG LII MCP N/A NGO NSC OPSEC RC SWOT TDR UN WARP

International Monetary Fund Internet Service Provider Information Technology Land Information Assurance Group (UK) Land Information and Communications Services Group (UK) Legal Information Institute (Cornell University Law School) Microsoft Certified Professionals' Club Tbilisi Not Applicable Non-governmental Organization National Security Council of Georgia Operations Security Reserve Component of US armed forces Strengths, Weaknesses, Opportunities, Threats Territorial Defense Reserve (Georgia) (proposed) United Nations Warning, Advice and Reporting Point

Figures
Figure 1 Defacement of website of President of Georgia during cyber attacks of 2008 - - - - - 21 Figure 2 List of Georgian online targets during cyber attacks of 2008 - - - - - - - - - - - - - - - - - 34 Figure 3 A manual how to attack (ping flood) an online target - - - - - - - - - - - - - - - - - - - - - 35

Tables
Table 1 Summary of various cyber volunteer entities - - - - - - - - - - - - - - -- - - - - - - - - - - - - - 36 Table 2 SWOT matrix for a volunteer entity - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 46 Table 3 SWOT matrix for WARPs in Georgia - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - 49 Table 4 SWOT matrix for Reserve Cyber Units - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 52

Table of Contents
1 Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10 1.1 Problem Statement - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10 1.2 Related work - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 11 1.3 Thesis overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 11 1.4 Acknowledgements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 11 2 Overview of Georgian ICT sector and current Information Security Environment of Georgia - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 12 2.1 Economic indicators of Georgia - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 13 2.2 Information Security policy formation, legislative framework, main actors and information infrastructure - - - - - - - - - - - - - - - - - - - - - - - - - 14 2.2.1 2.2.2 2.2.3 2.2.4 Policy formation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 14

Legislative Framework - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 14 Main actors - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 16 Information infrastructure - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 16

2.3 Current cyber security capabilities of Georgia - - - - - - - - - - - - - - - - - - - - - - - 18 2.4 Directions for development and overview of problems - - - - - - - - - - - - - - - - - 20 2.4.1 2.4.2 2.4.3 Cyber attacks of 2008 and their impact - - - - - - - - - - - - - - - - - - - - - - 20 Obstacles in IT field - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 22 Volunteerism in Georgia - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 23 25

3 Cyber Volunteerism and Volunteer Cyber Forces - - - - - - - - - - - - - - - - - - - - - - - -

3.1 Volunteer cyber forces at national level - - - - - - - - - - - - - - - - - - - - - - - - - - - 25 3.1.1 3.1.2 Cyber Defense League (Estonia) - - - - - - - - - - - - - - - - - - - - - - - - - - - 26 LIAG, LICSG, 81st Signal Squadron (UK) - - - - - - - - - - - - - - - - - - - - - 27

3.1.3 Warning, Advice and Reporting Point (WARP) (UK) - - - - - - - - - - - - - 29

8

3.1.4

262nd Network Warfare Squadron and other examples from the USA - - - - 30

3.1.5 Cyber militias and patriotic volunteerism (China, India, Japan, Russia) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 32 4 Needs, Limitations, Building Blocks - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 38 5 Proposals and Analysis - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 43 5.1 A voluntary entity proposal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 44 5.2 A WARP Proposal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 47 5.3 Reserve Cyber Units - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 49 5.4 Recommendations for Georgia - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 53 6. Conclusion and Future Research - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 55 References - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 56

1 Introduction
1.1 Problem Statement Developed countries are widely dependant on information systems. Developing countries are catching up in that direction. With all its benefits, technological advancement also brings the need to address security issues. Time by time world gets rude awakenings. Georgia got its cold cyber shower in 2008. The cyber attacks during the Russia-Georgia war of 2008 showed Georgias weaknesses in cyberspace. Georgian information infrastructure was overwhelmed by attacks and both public and private sectors looked helpless. Georgia had to seek immediate help from abroad. Governmental online resources and information assets of private entities were found highly vulnerable and poorly defended. Attacks showed ultimate lack of cyber capabilities there were no entities either in public or in private sector able to defend critical information infrastructure or other information assets of the country. During the last four years Georgias capabilities have advanced. But there is still a long way to go. While upgrading technical cyber capabilities is one issue, available human and financial resources are another. The purpose of my work is to find solutions for the manpower issue, which are not financially demanding, are possible to implement immediately and of course, improve defensive cyber capabilities of Georgia. I consider current Georgian information security environment with its needs and resources and examine possibilities of establishing various entities based on volunteerism. In the frame of the thesis, volunteerism is defined as noncommercial, self-motivated work for shared goals, which in some circumstances can be financially compensated. Throughout the thesis I discuss volunteer cyber capabilities which exist throughout the world. They can be civilian or military, established as a result of a governmental or a private initiative. They will be considered for applicability to Georgia. I take out some of the elements and add new ones to these examples to make them appropriate for Georgias information security environment. Then I analyze possible solutions and according to their relevance, make recommendations to Georgia. My analysis employs a qualitative approach to examine proposed solutions. They are also discussed with SWOT method. The sources of the work are research papers, Estonian and
10

Georgian experts, representatives of the government of Georgia, articles and blog entries from authoritative newspapers, magazines and reviewers. 1.2 Related work Volunteerism in cyber space is not a new topic and there are quite a few academic works which consider various models and examples. But there are not similar riches on the issue of implementing volunteer solutions in Georgia. To be precise, there are none. The aim of my work in not a general discussion of volunteer cyber entities throughout the world, but finding practical solutions for Georgia to advance its defensive cyber capabilities. Ottis (2010) discusses the organization of employing amateur computer users to mount a cyber attack. The real-life example comes from cyber attacks on Georgia in 2008, which is thoroughly described by Grey Goose Project (2008), Tikk et al. (2008), Korns and Kastenberg (2009) and Rios (2009). Klimburg (2011a) and Krekel (2009) look at Chinese cyber capabilities and discuss Chinese cyber militias. A different approach is explained in the ENISA UK country report (2011), and Ellefsen and Van Solms (2010) who discuss the Warning, Advice and Reporting Point system (WARP) established in the UK. Along the key papers mentioned in this section, I consider various other academic works, researches and sources. 1.3 Thesis overview Chapter 2 of the work discusses current state of the Georgian ICT sector. It provides statistical data, economic indicators, and reviews current cyber capabilities and information infrastructure of Georgia, actors, policy and law issues of Georgian information security environment. Chapter 3 is concerned with existing volunteer cyber capability solutions. Examples are taken from various countries from Estonia, the USA, the UK, China, Russia, etc. Chapter 4 is concerned with existing foundations on which future volunteer entities of Georgia can be built. The main contribution of the thesis comes in Chapter 5, which outlines proposals, analyses them and recommends a course of action to Georgia. Conclusions are provided in Chapter 6. 1.4 Acknowledgements First of all, I want to thank Rain Ottis for his outstanding support, for his remarks, comments and insight. I would like to thank Tanel Tammet and Marko Kramees for their help. I am also grateful for my friends for their notes and observations.
11

2 Overview of ICT sector and current Information Security Environment of Georgia

Georgia declared independence from the Soviet Union in 1991. That was the new beginning for Georgia as well as for other 14 post-soviet states. The Internet had a slow start - severe economic and political problems were hindering the spread of new technologies throughout the country. For years, the Internet was luxury of a handful of people in the capital city of Tbilisi. Nowadays more than 1 million people use internet in Georgia, but it still remains inaccessible for a large fraction of population in the countryside. One of the first commercial ISPs in Georgia was Sanet, which showed up in 1993 [Caucasus Online, 2012a]. Another big ISP Caucasus Online entered the market in 1997 [Caucasus Online, 2012b]. However, the market potential remained largely unused until the 2000s. In 2000, Georgia had only 20,000 users online [Internet World Stats, 2010a], and with the population of 4.4 million, the penetration rate was 0.5%. For comparison, Estonia had 370,000 internet users at the same period [Internet World Stats, 2010b] - with the population of 1.3 million people, the penetration rate was about 30%. Currently, Georgia has 1.3 million users online [Internet World Stats, a], with the penetration rate of 29%. As of 2010, 150,000 users had broadband connection [Freedom House, 2011]. Georgian National Communications Commission (GNCC) provides data about the Internet usage based on digital technologies: for October of 2011, there were 115,000 fiber-optic, 200,000 DSL and 50,000 CDMA & EVDO users in Georgia. At the same time, Georgia had more than 3.7 million mobile phone and about 1.3 million fixed telephony users. In addition, there were 36 private radio stations and 52 private TV stations (14 cable and 12 satellite TV channels) [GNCC, 2012]. More than half of Georgian internet users access the Internet from their homes, 21% from their friends computer, 9% from workplace, 6% from mobile phones and another 6% from Internet cafes [Freedom House, 2011]. According to the countrywide study of Caucasus Research Resource Centers (CRRC), in 2010 18% of Georgians used the Internet everyday, 9% - at least once a week, 3% - once a month and 54% did not accessed the Internet at all [CRRC, 2011]. For April 1st of 2012 there were 22 ISPs on Georgian market. Silknet had around 45% of the market
12

share, Caucasus Online was second with 32% and Egrisi was third with 11%. From mobile operators, Magticom possesses 2.7% (5th place overall) of internet service market, Geocell 0.5% (9th) and Beeline 0.03% (18th) [Karchava, 2012]. The average internet connection speed in Georgia is 6.94 Mbps and with that score the country is on the 61th place in the world [Net Index, 2012]. For comparison, Estonia is on 28th place with 15.44 Mbps [Net Index, 2012]. The rapid development of IT sectors in the Baltic States served as an example for Georgia. Development of IT has a high position in internal political agenda and also receives a lot of attention from the Georgian media. Georgia is moving towards implementing e-government [Electronic Government Resources of Georgia, 2012]. For example, the digital ID card was introduced in 2011 [Civil Registry of Georgia, 2012], schools began to teach from the first class with laptops [Buki Project, 2012], since February 2012 it is possible to pass driving license practical tests in computerized environment (with sensors and software) without a human tester [Netgazeti, 2012]). In May 2012, The Society for Computer Knowledge Dissemination was established in Georgia [Ministry of Justice of Georgia, 2012]. The Society aims to bring IT knowledge to the regions of the country [Ministry of Justice of Georgia, 2012]. With the help of Estonian experts, educational institution for cyber security will be established in August, 2012 [Ministry of Education and Science of Georgia, 2012b]. 2.1 Economic indicators of Georgia According to IMF estimation, Nominal GDP of Georgia in 2011 was around 13 billion US dollars [IMF, 2012]. For comparison, Estonian GDP for the same period was more than 20 billion USD [IMF, 2012]. GDP of Georgia per capita was around 3,000 USD and the same indicator for Estonia was more than 15,000 USD [IMF, 2012]. National Statistics Office of Georgia estimated the share of communications sector in countrys GDP as 2.7% and financial services had share of 2.3% in 2011 [National Statistics Office of Georgia, 2012b]. Compared to 2010, share of communications sector increased by 8% and of financial services - by 24% [National Statistics Office of Georgia, 2012b]. Unfortunately the document does not provide any data concretely on IT sector [National Statistics Office of Georgia, 2012b].
13

Budget of Georgia was 7 billion GEL (around 4.1 billion USD) for 2011 [Corso, 2010; Ministry of Finance of Georgia, 2012a]. Ministry of Defense got around 400 million USD [Ministry of Finance of Georgia, 2012b]. 2.2 Information security policy formation, legislative framework, main actors and information infrastructure 2.2.1 Policy formation National Security Council of Georgia (NSC) is the main advisory body to President of Georgia [NSC, 2012a]. One of the responsibilities of NSC is to define security policy of the country including information security and cyber security [NSC, 2012a]. It is the author of National Security Concept of Georgia [2011]; it took part in elaboration of Draft Law of Georgia on Information Security [NSC, 2012b]; and it is working on National Cyber Security Concept of the country too [NSC, 2012c]. GNCC and Ministry of Economy and Sustainable Development are also concerned with ICT policy formation. GNCC is a regulatory body for electronic communications field, its main responsibilities are creating fair environment in ICT sector and defending lawful interests of the users [GNCC, 2005]. There is the department of Communications, Informational Technologies and Innovation at the Ministry of Economy [Ministry of Economy and Sustainable Development, 2012]. Some of the responsibilities of the Department are defining and monitoring main directions for ICT development and elaboration of Georgian e-government concept [Ministry of Economy and Sustainable Development, 2012]. 2.2.2 Legislative framework Georgian information security legal environment is under development. Various laws are being under consideration in correspondence with European Union regulations and standards. Cyber security has its place in national conceptual and strategic documents of Georgia. The National Security Concept names strengthening cyber security as one of the 14 national interests of the country [National Security Concept of Georgia, 2011]. The Document for Threat Assessment of Georgia for 2010-2013 declares security of Georgian cyberspace of the same
14

importance as security of Land, Sea and Air spaces of the country [Threat Assessment for 20102013, 2010]. In addition, National Security Council is working on the national cyber security strategy of Georgia [NSC, 2012c]. Georgia is a signatory to Cybercrime Convention of Council of Europe, but has not yet ratified it [Council of Europe, 2012]. For the moment there is no statistical data available about cyber crime volume in the official crime statistics of Georgia [National Statistics Office of Georgia, 2012a]. There is the Law of Georgia on Digital Signature and Digital Document [2010]. In the beginning of 2012, Law of Georgia on Protection of Personal Data was enacted [2012]. Cyber crime and cyber terrorism were defined in Criminal Code of Georgia also in 2012 [Matsne, 2012; Criminal Code of Georgia, 2012], but the major legislative shifts are still to come. Law of Georgia on Information Security, which was drafted to parliament in February, 2012, will be a step ahead for development of Georgian information security environment [Draft of Law of Georgia on Information Security, 2012; NSC, 2012e]. The law will define Critical Information Infrastructure (CII) as entities and their activities which are vital for the security and economy of the country, for normal functioning of the government and the society of Georgia [Draft of Law of Georgia on Information Security, 2012, p. 2]. The list of the critical infrastructure will be compiled by the National Security Council of Georgia within 6 months after the enforcement of the Law on Information Security [Draft of Law of Georgia on Information Security, 2012]. The law also sets 3 levels of information classification (confidential, restricted, public) for critical infrastructure entities [Natroshvili, 2012], obliges the entities to introduce the position of Information Security Officer and to have personnel dedicated to information security [Draft of Law of Georgia on Information Security, 2012]. The law will grant rights to set countrywide information security standards to Data Exchange Agency (DEA) [Draft of Law of Georgia on Information Security, 2012].

15

2.2.3 Main Actors Data Exchange Agency (legal entity of Georgian Public Law, established under the auspices of Ministry of Justice [Ministry of Justice, 2010]) can be considered as a main executive body in information security and cyber security field in Georgia. At the same time it has limited power to influence policy formation. DEAs rights and responsibilities are outlined in the Law of Georgia on Creation of a Legal Entity of Public Law Data Exchange Agency [2009]. According to this legal document, DEA is responsible for supporting the development and coordinating united national policy for IT development, implementing the electronic governance system, elaborating information security policy standards and supporting its implementation, setting standards for data preservation and exchange [Law of Georgia on Creation of DEA, 2009]. DEA is supposed to play a more active role in Georgian information security environment after the Draft Law on Information Security will be adopted by the Georgian Parliament [Draft of Law of Georgia on Information Security, 2012]. National CERT of Georgia (CERT.gov.ge) is part of DEA [DEA, 2011a). Law on Information Security will widen its rights and responsibilities too [Draft of Law of Georgia on Information Security, 2012]. CERT.gov.ges main task will be defending critical information infrastructure of Georgia [Draft of Law of Georgia on Information Security, 2012]. There are some other entities, which play their role in Georgian information security environment and they will be discussed in the Section 2.3 concerning current cyber security capabilities of Georgia. 2.2.4 Information Infrastructure Currently one of the most influential public projects is implementation of electronic government [Electronic Government Resources of Georgia, 2012]. E-governance is one of the priorities of the government and the working processes of various ministries are being digitalized [Civil Service Bureau, 2012]. One of the main achievements of the e-governance reform is the adoption of the digital ID card. It was introduced in 2011 and can be considered as information infrastructure asset for the
16

country [Civil Registry, 2012]. Some of the functions of the digital ID card are identifying a person online, providing digital signature and facilitate the use of various services from online banking to public transport [Civil Registry, 2012]. First digital ID card was issued in August 2011 and as of February, 2012 Georgia had more than 160,000 digital ID card holders [Navigator, 2012a]. Georgian government announced the tender to create the Georgian Governmental Network (GGN) in 2007 [Magticom, 2008; Navigator, 2007]. The idea was to develop a network (based on VPN) which would cover the whole country and include governmental agencies and other public institutions to facilitate data exchange [Navigator, 2007]. Mobile communications company Magticom won the tender and by 2009 the GGN was created [Magticom, 2008; Navigator, 2007]. The communications infrastructure is centralized to Tbilisi. Georgian ISPs get the Internet connection from Turkey and Russia by land based cables and from Bulgaria via the fiber-optic cable under the Black Sea [GNCC, 2008]. The Black Sea fiber-optic cable is operated solely by one of the Georgian ISPs Caucasus Online [Liberali, 2011; Caucasus Online, 2012b]. From a countrywide perspective, dependency on Russian and Turkish upstream providers was reduced after the Black Sea fiber-optic cable become operational. The importance of having duplicating connections was well demonstrated in 2011, when an old Georgian woman, who was digging for scrap, accidentally cut the cable and left almost all of Armenia without Internet connection for several hours [Parfitt, 2011]. All major banks in Georgia offer online banking (internet banking) service to their customers. During cyber attacks of 2008 (which are discussed in more detail in Section 2.4.1), Georgian banks were not able to provide their online services for 10 days [Tikk, et al. 2008]. It should also be mentioned that banks do not provide their online banking statistics. For example, TBC Bank considers it confidential information [TBC].

17

2.3 Current cyber security capabilities of Georgia The cornerstone of Georgian cyber defense capabilities is DEA, which is part Ministry of Justice of Georgia (therefore it is a completely civilian entity). By legal status, DEA is a legal entity of public law [Law of Georgia on Creation of DEA, 2009]. It was established in 2010 [Ministry of Justice of Georgia, 2010]. DEA develops and maintains data exchange capacity between different governmental agencies and ensures information security of the critical information infrastructure [Law of Georgia on Creation of DEA, 2009]. From information security point of view, DEA is only concerned with public entities and critical information infrastructure [Draft of Law of Georgia on Information Security, 2012]. The legal basis for DEA as a main pillar of information security of Georgia is outlined in the Draft of Law of Georgia on Information Security [2012]. It will give DEA the responsibilities to set the information security standards and if needed, audit, test and monitor the information systems of critical infrastructure (upon their request and in correspondence of the standards set by DEA itself) [Draft of Law of Georgia on Information Security, 2012]. In case of cyber attack, DEA will be able mobilize all information security personnel who work in critical infrastructure entities [Draft of Law of Georgia on Information Security, 2012]. Arguably the main cyber capability asset of Georgia is the National CERT of Georgia CERT.gov.ge. It is created under the auspices of DEA and became operational about a year ago [DEA, 2011a]. Its main responsibility is reacting to cyber incidents [DEA, 2011a]. CERT.gov.ge is part of Trusted Introducer (European network of CERTs) and a member of International Telecommunication Unions (ITU) IMPACT agency formal cyber security executive arm of the United Nations [DEA, 2011b; Navigator, 2012]. The Law on Information Security will give CERT.gov.ge more rights and responsibilities - one of them will be responding to cyber attacks [Draft of Law of Georgia on Information Security, 2012]. CERT.gov.ge is supposed to be concerned, first of all, with critical information infrastructure of the country [Draft of Law of Georgia on Information Security, 2012]. During cyber attacks CERT.gov.ge will have the power to request any information from critical infrastructure entities about their attacked systems if this information is needed to repulse/stop the attack [Draft of Law of Georgia on Information Security, 2012].
18

According to the head of analytical department of National Security Council Lasha Darsalia Ministry of Internal Affairs of Georgia is developing some capabilities too, but their aim is to fight cyber crime [Darsalia, 2012]. From non-governmental capabilities CERT-GE can be distinguished. It was established in 2006 [Tabatadze, 2010]. CERT-GE is hosted by Georgian Research and Educational Networking Association (GRENA) [GRENA, 2012a]. It is part of Trusted Introducer [GRENA, 2012a]. CERT-GE offers various services to GRENAs customers: implementation and maintenance of Intrusion Detection Systems (IDS), incident coordination, vulnerability announcement, IP monitoring [GRENA, 2012a]. CERT-GE is oriented only on NGOs and commercial entities [GRENA, 2012b]. There are some think tanks working in the area of information security/cyber security. One of them is Information Security Studies and Analysis Center (ISSAC). It was established in 2010 and has some educational and certification programs in information security. It also offers information security consulting and software solutions to its customers [ISSAC, 2012]. Another think tank is Georgian Security Analysis Center (GSAC), which was established at another think tank - Georgian Foundation for Strategic and International Studies (GFSIS) [GSAC, 2012a]. GSAC is focused on research of current problems in information security and cyber security of Georgia. They have a cyber security awareness project [GSAC, 2012b]. Within the project, they try to raise various global or local cyber security issues via articles published online or in printed newspapers/magazines [GSAC, 2012b]. The Club of Microsoft Certified Professionals can be counted as cyber capability [MCP, 2012]. Another informal group is overclockers. They run website and forum and often meet to discuss various computer related issues [Overclockers, 2012]. The now-defunct site hacking.ge could be also considered as cyber capability. Its members ran popular forum topics about cyber defense issues (steps to enhance IT security, manuals for defense against various attacks, etc). The site was one of the early targets of August 2008 cyber attacks on Georgia [Tikk et al, 2008; Grey Goose, 2008].

19

2.4 Directions for development and overview of problems 2.4.1 Cyber attacks of 2008 and their impact The problems of Georgian cyberspace were brought to the surface during the war between Russia and Georgia in August, 2008. Conventional warfare was accompanied by cyber attacks on Georgian information infrastructure. On the other hand, Grey Goose project understood that cyber attacks on Georgian web resources began even earlier - in July [Tikk, et al., 2008; Grey Goose, 2008; Rios, 2009; Nazario and DiMino, 2008; Hollis, 2011]. During actual military confrontation various kinds of cyber attacks occurred more actively used methods were Distributed Denial of Service (DDoS) attacks with botnets and SQL injections [Tikk, et al., 2008; Rios, 2009; Danchev, 2008; Gray Goose, 2008]. Website of President of Georgia Mikheil Saakashvili was defaced and instead of original content a propaganda poster (Figure 1 [Tikk, et al., 2008]) was placed [Tikk, et al., 2008; Markoff, 2008]. Georgian fragile cyber capabilities were overstretched as they had to cope with various threats. Georgian side was dictated the terms of conflict and by having to respond to different attacks, their chances for success diminished [Rios, 2009; Grey Goose, 2008]. Georgian government had to move its web resources to other servers. Websites of President of Georgia and Ministry of Defense were moved to the servers of Tulip Systems to the USA [Korns and Kastenberg, 2009; Tikk, et al,. 2008]. Website of Ministry of Foreign Affairs was moved to Estonian servers [Tikk, et al., 2008], but to disseminate press releases and news updates the Ministry had to use Blogspot blogging service (website still available at http://georgiamfa.blogspot.com ) [Korns and Kastenberg, 2009; Tikk, et al., 2008]. Website of President of Poland (www.president.pl) helped Georgian government with posting news and press releases on their site [Tikk, et al., 2008]. Non-governmental sites (news portals, online forums, banks) were also targeted. News site Civil.ge moved to Blogspot [Tikk, et al., 2008]. National Bank of Georgia ordered private banks to stop providing their online services and they only resumed their operations in 10 days [Tikk, et al., 2008].

20

Georgia did not have national CERT in 2008. Its role was assumed by CERT-GE of GRENA [Tikk, et al., 2008]. Georgia needed help in forensics. Polish, French and Estonian CERTs assisted Georgia with their expertise [Tikk, et al., 2008]. Figure 1. Website of President of Georgia was defaced and propaganda poster uploaded.

Some analysts suggest, that outsourcing of services was a good maneuver from Georgian side [Korns and Kastenberg, 2009], but one may argue that this was an act of desperation. First conclusion to be drawn from 2008 cyber attacks was the inability of the Georgian government to defend (at least in place, without outsourcing) its information infrastructure. At the same time, cyber attacks did not deteriorate only governmental resources, but also online communication capabilities. Korns and Kastenberg note, that Georgia was cyber-locked [2009; p. 1] the government and population of Georgia were not able to communicate online to each other and to the outside world [Tikk, et al., 2008; Grey Goose, 2008; Hollis, 2011; Downing, 2011]. Government was not able to spread its messages and the people of Georgia were left in
21

information vacuum [Tikk, et al., 2008]. Georgian cyberspace was frozen. Civil society and private sector did not have any reasonable response to cyber attacks. In response counterattacks or direct engagement are not meant, but rather finding ways to break the cyber deadlock. In addition to governmental cyber incapability, it can be concluded that private sector and Georgian society in general were not prepared for the scale of cyber aggression of 2008. The cyber attacks showed that Georgia not only needs developing cyber capabilities to defend its governmental resources and critical infrastructure, but private sector is also in need of cyber initiatives. Government can be a leader in developing information security environment in the country. But without cooperation and initiatives from private sector and civil society, Georgian cyber capability development will be full of obstacles. In the Western countries, major part of information infrastructure and moreover of critical information infrastructure falls on private sector, which underlines the importance of public-private partnership on one hand and the power of private sector on another. Cyber attacks of 2008, not surprisingly, had an impact on cyber security perception in the country. Cyber security rose upwards in the internal political agenda. It is named as one of the 14 national interests in the National Security Concept of Georgia [2011], when it was not mentioned in the document of 2005 at all [National Security Concept of Georgia, 2005]. DEA and National CERT (CERT.gov.ge) were established. IT as a field of study and research became one of the top priorities for Ministry of Education of Georgia alongside exact sciences and engineering [Ministry of Education and Science of Georgia, 2012a]. 2.4.2 Obstacles in IT Field Georgia is a developing country, which has to pay attention to a number of economic and social problems. For the moment, the biggest issue on the way of IT development is resources - both human and financial. As Khatuna Mshvidobadze, expert at local think tank GSAC notes, Georgia lacks both quality and quantity of personnel [2012]. After the collapse of the Soviet Union the education system of Georgia also collapsed. The reforms were taken only in 2000s. IT as a study and research field was practically non-existent several years ago in Georgia. To address the problem, Georgia decided to establish a school for cyber security with the help of Estonian
22

expertise [Ministry of Education and Science of Georgia, 2012b]. There are many IT certifications and private IT educational programs available in the country too. One of the solutions to fill the gap between available and needed human resources is volunteerism. Even countries which have much more human and financial resources use volunteers in cyber defense. Exploring volunteerism opportunities will allow Georgia to use its scarce human resources in a more efficient way. 2.4.3 Volunteerism in Georgia1 Volunteerism as self-motivated, non-compensated work is not widespread in Georgia. According to CRRC study, only 4.8% of population of Georgia did volunteer work in 2007 [CRRC, 2008]. In European Union about 90 million people do volunteer work annually [Abashidze and Abashishvili, 2012]. Volunteer inclusiveness of Europeans is average of 22% of the total population of age 15 and more [Abashidze and Abashishvili, 2012]. From 20% to 29% of population volunteer every year in Estonia [Abashidze and Abashishvili, 2012]. UN valued annual planet wide volunteer contribution as 10 billion USD in 2004 [United Nations Volunteers, 2004]. Weak volunteer culture in Georgia is sometimes explained by lack of incentives. Abashidze and Abashishvili note, that volunteerism is not popular in almost every former Warsaw pact country, moreover if it is a collective activity [2012]. Clearly, Soviet times influenced Georgian minds on volunteerism. In Soviet Union volunteer activities were part of communist ideology and in reality were obligatory and forced. This undermined not only the understanding of the term, but also the motivation of people to volunteer [Abashidze and Abashishvili, 2012]. Other than Soviet mentality, Georgian society does not have any objection to volunteerism. Foreign volunteers are welcomed in Georgia and local young people (mainly students) do not refuse opportunities to volunteer (sometimes mixed up with internship [Abashidze and Abashishvili, 2012]).

Please note that in this subchapter volunteerism is considered as self-motivated, non-compensated work.

23

Georgian labor code is flexible. Georgia does not have minimum salary and labor contract can be written as well as oral [Labor Code of Georgia, 2010]. The termination of labor contract is easy and more flexible than in European countries [Abashidze and Abashisvhili, 2012; Labor Code of Georgia, 2010]. In spite of the fact that volunteer and volunteerism are not defined in the labor code of Georgia, it hardly can be considered as an obstacle to volunteer work [Abashidze and Abashishvili, 2012].

24

3 Cyber Volunteerism and Volunteer Cyber Forces

Volunteer, non-profit activism was one of the major drives for the development of global cyberspace. In late 1980s Computer Emergency Response Team Coordination Center (CERTCC) was established at Carnegie Mellon University [Ferwerda, et al., 2010; Killcrece, 2006]. Its creation was motivated by the Morris worm and its responsibilities were to respond to emerging security threats in cyberspace [Killcrece, 2006]. It was volunteer, non-profit organization and for now it has transformed into a coordination point of national CERTs of various countries [Ferwerda, et al., 2010]. Actually there can be several CERTs in a country. Basis for CERT operations is volunteerism and it is non-profit in nature [Ferwerda, et al., 2010]. Internet Engineering Task Force (IETF) is another relevant example for the case. IETF is an open organization, which develops Internet standards and its members are volunteers [IETF, 2012]. As IETF members say, they reject kings, presidents and voting. And believe in rough consensus and running code (the phrase is attributed to American computer scientist David Clarke) [IETF, 2011; Borsook, 1995]. Another example of international cyber volunteerism is Grey Goose a non-profit project of independent cyber security experts, who were interested in 2008 cyber attacks on Georgia [Grey Goose, 2012]. The project researched the attacks and provided two reports about it [Grey Goose, 2012]. The thesis employs the findings of these reports. 3.1 Volunteer cyber forces at national level World gets more and more dependent on information systems and communications. Information security and cyber security are climbing up on the hierarchical tree of political agendas in lots of countries. Human resources are usually scarce in IT field; on the other hand government has to spend millions, sometimes billions of US dollars to implement effective cyber security measures and to boost cyber capabilities. The issue of volunteerism comes forward at this time and there are examples of incorporation of volunteers in cyber defense of several countries.
25

Volunteerism usually means self-motivated, uncompensated work. People volunteer to gain skills and experience or spend their free time doing activities they like. There can be various incentives set (in some circumstances including financial compensation) to attract volunteers. The following sections bring and discuss cyber volunteering examples from Estonia, the UK, the USA, China, Japan, India and Russia. These examples may be based on different understanding of volunteerism, but the differences will be explained in each occasion. 3.1.1 Cyber Defense Unit (Estonia) Estonia provides an example of cyber volunteerism with its Cyber Defense Unit (CDU) of Estonian Defense League (EDL). EDL is a voluntary paramilitary organization and is included in Defense Forces of Estonia [Kaitseliit, 2012d]. Any citizen of Estonia can apply to join EDL. People with IT education and experience can join CDU. The issue of establishing a volunteer cyber entity was raised after the cyber attacks on Estonia in 2007 [Kaitseliit, 2012b]. Creation of CDU was a bottom-up initiative - interested parties found each other and self-organized [Anon. A., 2012; Anon. B., 2012]. Estonian Ministry of Defense decided to make CDU the separate unit of EDL in 2011 [Estonian Ministry of Foreign Affairs, 2011; Gelzis, 2011; Estonian Ministry of Defence, 2011]. CDU aims to bring Estonian volunteer cyber security expertise together both from public and private sectors [e-Estonia, 2012]. Expertise scope of members of CDU spans from programming to information security management and law [e-Estonia, 2012]. Slogan of CDU is Defending Estonias high-tech way of life [Kaitseliit, 2012a]. Its missions include cooperation enhancement and knowledge sharing [Kaitseliit, 2012a]. CDU works in the direction of cyber security awareness rising, has various training programs for members and runs several projects [Kaitseliit, 2012a; Gelzis, 2011].

26

CDU has less than 100 members [Estonian Ministry of Foreign Affairs, 2011; Gelzis, 2011]. It has its own commander and employs military ranks [Gelzis, 2011]. CDU has two sub-units one is based in capital Tallinn and another - in Tartu, second largest city of Estonia [Gelzis, 2011]. In general, CDU members are not paid for their membership, but the CDU has several full-time employees who take care of the administrative details [Anon. A., 2012]. As for incentives, members are encouraged to participate in relevant events, conferences and fairs. Transportation, participation fee (if any) and daily allowance (in case an event is held abroad) are compensated [Anon. A., 2012]. CDU has its own infrastructure. Part of equipment was donated by members, another part by Estonian private companies [Anon. A., 2012; Anon, B, 2012]. This underlines the voluntary value of CDU and the willingness of its members to cooperate for a shared set of goals. 3.1.2 LIAG, LICSG, 81st Signal Squadron (UK) British and American military have advanced cyber capabilities, which include volunteer units. British Central Volunteer Headquarters Royal Signals (CVHQ) [British Army, 2012a] includes 3 volunteer units: Land Information Assurance Group (LIAG) [British Army, 2012b], Land Information and Communications Services Group (LICSG) [British Army 2012c] and 81st Signal Squadron [British Army, 2012d]. LIAG was established in 1999 and provides information assurance expertise to British Army, Air Force and Navy [British Army, 2012b]. LIAG can be called to any place of the world where British military forces conduct operations. Since 1999, LIAG gained working experience in Afghanistan, Iraq, Germany, Kosovo, etc [British Army, 2012b]. LICSG provides management and technical support capability to information infrastructure (including software and network infrastructure and the Internet technologies) of the British army (including Air Force and Navy) [British Army, 2012c]. As the name implies itself, its one of the main area of expertise is communications [British Army 2012c].
27

81st Signal Squadron does not have as much connection to cyber security as LIAG and LICSG. It provides fixed telecoms expertise to British Army. Its members are telecommunications engineers [British Army 2012d]. LIAG and LICSG members are highly qualified, trained IT professionals, who have served in different structures of British military [British Army, 2012b]. Usually they have civilian careers in British ICT sector [British Army, 2012b]. LIAG, LICSG and 81st Signal Squadron are part of British Territorial Army (TA) [British Army, 2012a]. TA is volunteer reserve force of the British Army [British Army, 2012f], but a member of LIAG/LICSG/81st Signal Squadron may also be a regular military serviceman [British Army, 2012b]. When on duty (training or actual military operation), the TA members are paid [British Army, 2012e]. At the same time, they can claim difference between their civilian wages and military allowance [Job Spectrum, 2012]. Therefore LIAG (as well as LICSG and 81st Signal Squadron) members are not volunteers in the strict understanding of the term (self-motivated, non-paid activists), but they fit in the volunteerism definition employed by the thesis for proposals to Georgia: noncommercial, self-motivated work for shared goals, which in some circumstances can be financially compensated. LIAG, LICSG and 81st Signal Squadron members are picked out carefully. For example, a candidate wishing to serve in LIAG should have information assurance qualification and at least 5 years of working experience [British Army, 2012b]. The units have regular meetings and trainings. Serving period is at least 19 days a year [British Army, 2012b]. Civilian careers of the members ensure that they are aware of the new developments in their respective fields. Their qualification suggests that these units may need only specific/focused training for relatively short period of time.

28

3.1.3 Warning, Advice and Reporting Point (WARP) (UK) UK contributes another example of cyber volunteerism with a Warning, Advice and Reporting Point (WARP) an establishment providing early warning, expert advice and incident reporting services to its members. A WARP is a community of 20 to 100 members. Potential members of a WARP are legal entities of both public and private law - local governments, educational or nonprofit entities, commercial companies, etc. [WARP, 2012c]. A WARP can be created by bottomup initiative, by its future members [WARP, 2012a]. The participation in a WARP is voluntary and they are non-profit in nature [WARP, 2012a; Harrison, 2009]. There can be a lot of WARPs in a country. WARPs functioning is based on trust of its participants they share their cyber incidents, IT security problems and other security-related information (anonymity can be ensured) [WARP, 2012a]. A WARP is built around an operator, who is not necessarily a person with IT background [WARP, 2012a]. The operator communicates with WARP members by (as usual) electronic means and shares relevant information (incident reports, threat warnings, advice to mitigate the results of potential/ongoing damages) among the parties. WARPs were introduced as cost-effective solution to mitigate risks from malicious hackers, organized crime, malware and other threats existent in the global cyberspace [WARP, 2012a; Harrison, 2009]. A WARP can be established taking into account administrative division of a country or can be created in a particular business sector. For instance, there is a WARP for North Western Region of the UK (NWWARP), Police WARP (PolWARP), WARP provided by Northumbria University for small and medium sized enterprises (NUWARP) [WARP, 2012c; ENISA, 2011]. There are WARPs for various kinds of communities (WARP for Radio Amateurs) and for international organizations too (IE1WARP for Irish small and medium sized enterprises) [WARP, 2012c; ENISA, 2011]. There are 20 active WARPs and 6 WARPs whose status is pending [WARP, 2012c].

29

The official website for WARP (www.warp.gov.uk) provides case studies, which illustrate how a WARP works and what can be its benefits in various circumstances [WARP, 2012b]. One of the case studies tells a story of a WARP, whose members used the same software to manage housing benefits. One of the workers at a WARP member entity updated software. But the patch caused the software to stop working, which actually resulted in Denial of Service. Other members of the WARP were immediately informed about the issue and the early warning avoided service hindrance at other member entities of the WARP [WARP, 2012b]. 3.1.4 262nd Network Warfare Squadron and other examples from the USA Alongside the UK, the USA possesses advanced military cyber capabilities. In addition to its regular active forces, volunteer cyber personnel and units can be seen in the Reserve Component (RC) of US armed forces. The RC includes Navy, Marine Corps, Army, and Air Force Reserve, as well as the Air and Army National Guard [LII, 2012a]. In spite of billions of financing and professional pool of manpower, US Department of Homeland Security and US Department of Defense have their limitations. Once active duty military personnel gain cyber expertise and security clearances, they often leave the military for high pay in the private sector. National Guard and Reserve cyber units often capture those that leave the military [Evans, 2012]. The RC adds valuable expertise to already existent capabilities and provides services to various military units [Homeland Security NewsWire, 2011; Francis, 2011]. Examples of American volunteer cyber forces include the 175th Network Warfare Squadron (Maryland Air National Guard, Ft. Meade, Maryland), the 166th Network Warfare Squadron (Delaware Air National Guard, Ft. Meade, Maryland), the 262nd Network Warfare Squadron (Washington Air National Guard, McChord AFB, Washington) and Virginia Army National Guard Data Processing Unit [Evans, 2012; Puryear, 2006; Campbell, 2011; Matthews, 2008; Virginia National Guard, 2011]. There can be found other cyber units at National Guard and Land, Air Force and Navy reserve structures [United States Navy, 2012; Matthews, 2008].

30

The first two Network Warfare Squadrons in the Air National Guard conducting national missions include the 175th Network Warfare Squadron and the 166th Network Warfare Squadron [Evans, 2012]. They are part of U.S. Cyber Command and 24th Air Force [Evans, 2012]. Both units conduct Computer Network Operations, including Computer Network Defense and other related activities at the National Level [Evans, 2012; Matthews, 2008]. Many of their members come from civilian governmental agencies, government contractors, the academic community and other highly qualified personnel [Evans, 2012; Matthews, 2008] Another cyber unit is 262nd Network Warfare Unit which is tasked with finding vulnerabilities in Air Force (as the unit is part of Air Force) computer systems and provide OPSEC expertise to Air Force [Bergesen, 2004; Hemstreet, 2010]. The unit includes programming, network security and communications proficiency [Bergesen, 2004]. Virginia Army National Guard Data Processing Unit served in Iraq, Afghanistan and other countries as a mobile CERT providing technical expertise and threat analysis to the army [Virginia National Guard, 2011]. They also monitored official and unofficial army websites for OPSEC breaches [Newborn, 2006]. Usually members of National Guard/Reserve cyber units are IT professionals with respective experience and qualification. For example, 262nd Network Warfare Squadron is made up from employees of Microsoft, Cisco, Adobe and other leading corporations of IT sphere [Lasker, 2007]. Like their British counterparts, American National Guard/Reserve members are not volunteers in its strict sense. They are paid for their service in National Guard or in reserve forces [US Army National Guard, 2012; US Office of Personnel Management, 2012]. Concerning on duty/training period, National Guard and Reserve forces are based on formula one weekend per month and for two weeks a year. Reserve members are required to do at least 35 duty days annually [Evans, 2012; Military.com, 2012]. But serving can go on longer in case of needs defined by the US law [LII, 2012b].

31

Like in British LIAG, LICSG, 81st Signal Squadron case, civilian careers of the American cyber units members ensure that they stay tuned on advancements in their field of expertise. 3.1.5 Cyber militias and patriot volunteers (China, India, Japan, Russia) China, one of the busiest actors of global cyberspace, is rich with cyber capabilities. It reportedly has an (unofficial) group of 30,000 cyber agents [Klimburg, 2011a]. China utilizes its vast human resources to build diverse capabilities. It employs IT professionals both from private and public sectors (also from military) including academia and hi-tech savvy students [Klimburg, 2011a; Krekel, 2009; Carr, 2011; Wittman, 2011]. Chinese government has established cyber capabilities at both federal and local levels of government [Klimburg, 2011a; Krekel, 2009]. Militaries develop their own cyber forces. Government and military are focused on different tasks the former is more oriented on internal politics and censorship, the latter is engaged with attacking operations and tries to obtain military advantage in cyberspace [Carr, 2011]. Chinese cyber units (sometimes called information warfare units in academic works and media) are organized in local militias - usually province, municipality or county administrations/local governments have their own capabilities developed [Krekel, 2009]. They are established around local educational or research institution [Krekel, 2009; Klimburg, 2011]. That can be one reason why some attacks on American federal resources are traced back to universities or other public institutions in various towns throughout China. Concerning cyber militias, it is hard to speak about any kind of volunteerism. China is authoritarian state and its government coerces or co-opts (democratic states mostly convince) cyberspace actors to mobilize and use them [Klimburg, 2011b]. Chinese physically able men between 18 and 35 are supposed to be conscripted either for regular military service or reserve forces [Klimburg, 2011a]. But if a person is not conscripted because of any reason, he is supposed to enter in local militia service [Klimburg, 2011a]. If not conscription, appeal on patriotism can lure people into cyber hacktivism. Academic incentives can be set to incorporate students and they are believed to be actively involved in local cyber militias [Klimburg, 2011a; Krekel, 2009; Carr, 2011].
32

Comparing to American and British military volunteer cyber units, advantage of Chinese counterparts is in numbers. American and British units are comprised of IT professionals, when Chinese militias are more catch-all style entities. IT students, who are going to be drafted for any kind of cyber service, have training sessions for at least a month [Klimburg, 2011a]. Serving period may not be defined at all as cyber militias are of fluid structure; on the other hand, its members may be able to accomplish tasks from their own homes or educational institutions. Chinese cyber militias provide both offensive and defensive capabilities. But Chinese offensives are one of the favorite cyber topics for Western media and academia. Interestingly, McAfee supported report of Brussels based think-tank SDA (Security & Defence Agenda), estimates Chinas cyber-readiness as moderate against high expectations [Grauman, 2012; Lee, 2012; Miks, 2012; Phneah, 2012]. China lags behind the USA, the UK, Estonia and other European countries as well as Japan in cyber-readiness index [Grauman, 2012]. Other than institutionalized cyber units, China has a large pool of hacktivists, who may attack (local or international) targets identified by the government. In exchange, the government turns a blind eye to their (supposedly criminal) activities [Klimburg, 2011a]. Other Asian nations also have patriot hacker groups, for example India and Pakistan [Grey Goose, 2009; Carr, 2011; Dudney, 2011]. Chinese cyber militia model on one hand and their activity in cyberspace on another, serves as an example to other Asian nations. India and Japan are presumed to wish to incorporate their (patriot) hackers in institutionalized units [Segal, 2012]. According to Japanese expert Motohiro Tsuchiya, Japan, closely monitoring cyber capabilities of China, Russia and North Korea, needs cyber experts to boost its own cyber capabilities and feel secure in cyberspace [2012]. India, like China, has vast human resources. In 2010, Indian educational institutions were supposed to produce more than half million graduates and post-graduates with technical background [Times of India, 2010]. In order to enhance cyber capabilities of the country, Indian officials considered granting legislative protection to its cyber recruits [Times of India, 2010]. Besides human resources, India has another advantage American and European tech corporations (Microsoft, Intel, McAfee, etc.) have outsourced part of their services and

33

established Research and Development units there [Times of India, 2010; Hagerty, 2012; MSIDC, 2012]. Along with China and India, Russia provides a prominent example of volunteer, patriot hacktivists [Ottis, 2010; Nazario, 2009]. They do not have institutional organization and their activities are organized ad-hoc [Ottis, 2010]. Their skill levels vary greatly from amateurs/script kiddies to experienced IT professionals [Ottis, 2010]. Targets and manuals to attack are usually posted online. On Figure 2 [Tikk, et al., 2008] and Figure 3 [Gray Goose, 2008] are shown respectively Georgian online targets and manuals. They were hosted on various Russian-language websites and forums alongside vulnerability reports and different hacking tools during 2008 cyber attacks on Georgia [Tikk, et al., 2008; Grey Goose, 2008]. There are doubts but no proof that Russian hacktivists have affiliation to Russian government [Grey Goose, 2008; Grey Goose, 2009; Tikk, et al., 2008]. Figure 2. List of Georgian online targets during 2008 cyber attacks

34

Well-known deeds of Russian cyber volunteers include attacks on Estonia (2007), on Lithuania (2008) and on Georgia (2008) [Dudney, 2011]. In Estonian and Lithuanian cases, cyber attacks coincided with political complications between these countries and Russia. As for Georgia, cyber attacks accompanied conventional warfare between two states. Figure 3. A manual how to ping flood www.parliament.ge

Volunteer hacktivists, who are active in Asia as well as in Russia, can bring short term gains and temporarily increase nations cyber capabilities. It can also reserve some financial resources. But in the long term perspective the issue of controlling these hackers arises. It bears destabilizing power for relations between countries and political complications are already observable in Asia [Segal, 2012]. Playing difficult to attribute (which can be considered one of the advantages of patriotic hacktivism) card can have counterproductive effect. Table 1 briefly summarizes major aspects of various cyber volunteer forces and entities discussed above. There are other examples of cyber volunteerism throughout the world, but the thesis analysis is limited to these instances.

35

Table 1. Summary of various cyber volunteer entities Mission / Responsibilities

Cooperation enhancement between public and private sectors, knowledge sharing, awareness, member training Incident reporting, early warning, expert advice Providing Information Assurance, communications, fixed telecoms expertise to British Army, Air Force, Navy

Entity

Status

Membership

Serving/ Training Period

Depends on members

Cyber Defense Unit (Estonia)

Voluntary; Para-military Professionals2

WARP (UK) LIAG, LICSG, 81st Signal Squadron (UK)

Legal entity of public law (or a NGO) Military Reserve (Territorial Army)

Voluntary membership of entities of both public and private law Voluntary (Paid) Professionals. Picked up with careful examination of experience and skills

N/A

Serving at least 19 days a year

262nd Network Warfare Squadron (USA)

Voluntary (paid) Military (Air National Guard) Professionals from leading IT sector corporations Defense of military infrastructure, OPSEC

At least 35 duty days a year. Can be called on duty for various time spans At least 35 duty days a year. Can be called on duty for various time spans

Virginia Army National Guard Data Processing Unit (USA)

Military (Army National Guard)

Voluntary (paid) Professionals

Supporting various military structures as a mobile CERT

A Professional in the framework of the table means person with IT education and work experience in IT sector

36

175th Network Warfare Squadron and 166th Network Warfare Squadron (USA)

Voluntary (paid) Military (Air National Guard) Professionals from civilian governmental agencies, government contractors and academic community Computer network operation, computer network defense and other related activities at the National level

At least 35 duty days a year. Can be called on duty for various time spans Training for at least 4 weeks;

Local Militias (China)

Organized at province/muni cipality level around educational or research institutions

Voluntary (coercion from government, academic incentives for students); IT savvy students, professionals

Varies from internal political issues (censorship, monitoring) to attacking operations

Possibility to be involved in operations from home or educational institution

Patriot Hacktivists (proposed in India and Japan)

Informal entities / Institutionaliz ed units

Voluntary (incentives and coercion from government); Professionals Voluntary;

Attacking operations, response to attacks

N/A

Russian Cyber Volunteers

Any time; Attacking operations Online manuals

Informal entity

skill levels vary from amateurs to professionals

37

4 Needs, Limitations, Building Blocks

The following passage concerns the applicability of cyber volunteerism examples (discussed in the previous chapter) to Georgia. It reviews needs and limitations for potential solutions and looks at foundations on which the future cyber capabilities can be built, before proceeding to the analysis. At first, it has to be noted that Georgia should have in mind defensive side of cyber capabilities in development of any kind of cyber entity. This thesis explores possibilities to develop cyber capabilities with their institutional structure. Georgia does not need any entity tasked with conducting cyber attacks. If we take into account human and financial resources available to Georgia, need for offensive cyber security organization will be bleaker. Cyber attacks of 2008 showed failure of Georgian side in securing its own information infrastructure. First of all, security of critical information infrastructure and other information systems of the country should be addressed. There are already examples of volunteerism (as non-commercial, self-motivated activities) in the IT field in Georgia. Some interested persons run a website and work together when they have free time - testing computers and overclocking [Overclockers, 2012]. They test on their own hardware or share the price of it. Another community of IT people is MCP club of Microsoft Certified Professional [2012]. They run a blog-type website, organize events and share knowledge. There is a voluntary organization of persons interested in military affairs in Georgia too, although it has no affiliation to Ministry of Defense of Georgia. Its name is Aisi and it has about 100 members [2012]. It is more like a club of similar minded persons. Its members have a website and web-forum, they work to popularize (old) martial arts of Georgia, practice together in military tactics (they use Strike Ball equipment [Aisi, 2012]) and make trips throughout the country to various historic places just for their own interest. Also there is an organization Volunteer Information Center - which works to popularize volunteering culture in Georgia [VIC, 2012]. Examples of overclockers and MCP suggest that there will be interest towards a cyber volunteer entity, modeled on Estonian CDU. Lack of research of Georgian IT sector makes it hard to
38

predict potential expertise pool for Georgian volunteer organization. But in any case, its ultimate value should be creative thinking, promotion of innovative ideas and encouraging interests of its members. It should be distinguished by covering issues outside the attention of governmental agencies. Future volunteer organization should not be supposed to be the front line of information security or cyber security of Georgia and preferably should have responsibilities limited in scope to increase effectiveness. The entity should engage with non-critical infrastructure (as critical infrastructure protection is the responsibility of DEA and CERT.gov.ge). Potential activities of a cyber volunteer entity can cover cyber security awareness rising throughout the country (especially outside the capital city of Tbilisi), knowledge sharing, information exchange and cooperation enhancement within private sector or between public and private sectors. Unlike the Estonian counterpart, Georgian volunteer entity may not necessarily be military or paramilitary institution. One of the reasons is that Ministry of Defense of Georgia has other opportunities to develop cyber capabilities (which will be discussed in the coming passages). At the same time, at the head of military entities stand militaries not IT people, therefore the organization will be more military oriented (concerned with military needs) than answering the needs of (civilian) IT sector. On the other hand, any service related to military is associated to obligations, not volunteerism in Georgian society. Of course, it will only be good if an entity will not have any affiliation to political parties (or youth movements of any political party). Beside Estonian CDU, British WARPs are a credible option for Georgia. They offer insight how to respond to information sharing, incident reporting, expert advice and early warning issues. In Georgia, information sharing problem will be partly solved when the Law on Information Security of Georgia will be enforced. It will oblige critical information infrastructures to report incidents and share other relevant information with DEA and CERT.gov.ge [Draft of Law of Georgia on Information Security, 2012]. As there already is legislative basis for information sharing and incident reporting between DEA and critical infrastructure entities, they can institutionalize the process with the establishment of a WARP. Non-critical infrastructure institutions/private companies can be encouraged, but not obliged to establish WARPs of their own.
39

Unlike WARP and Estonian CDU, Russian example of patriotic cyber volunteers does not represent an acceptable solution for Georgia. First of all, Georgia does not seek offensive cyber capabilities. Secondly, employing patriotic hackers raises the issue of controlling them their actions are unpredictable [Ottis, 2009]. Often patriotic hackers are involved in cyber crime and a government has to cover their wrongdoings, which in turn may result in rise of cyber crime rates [Ottis, 2009]. Using patriotic hacktivists for political aims is a signal to society that cyber attacks are acceptable action; at the same time, it bears the potential to strain political relations with other countries [Ottis, 2009]. Georgia should wish to solve, not to create additional problems in its own cyberspace. Like Russian example of patriotic cyber volunteers, neither Chinese model of local militias is of much use for Georgia. Reasons are similar as in the case of Russian cyber volunteers: Chinese cyber militias are used either for cyber offensive operations or for controlling and monitoring internal cyberspace of the country this is not what Georgia needs. On the other hand, scope of Chinese cyber forces, their activities and goals (as well as funding and resources) are hardly attainable for small countries like Georgia. Issue of controlling vast cyber militias and covering their potential unlawful activities offers one more reason to disregard this suggestion. Georgia should take a closer look at British and American examples of cyber reserve forces as it has its own military reserve system. Potential difference in levels of human resources should be taken into account, but the reserve system offers a valuable opportunity to Georgia to develop and diversify its own (defensive) cyber capabilities. Georgian reserve military system was introduced in 2006, but the war between Russia and Georgia in 2008 proved it unsuccessful [Civil.ge, 2012]. The initial reserve system was modified several times. Currently, military reserve service is compulsory for physically able males between the ages of 27 and 40 [Law of Georgia on Military Reserve Service, 2012; Civil.ge, 2012]. A person aged at least 18 can volunteer for reserve service and there is no upper age limit for a volunteer [Civil.ge, 2012]. Reservists are called up once a year for at most 45 days [Law of Georgia on Military Reserve Service, 2012].
40

In April 2012, parliament of Georgia discussed new concept for military reserve service of Georgia [Tarkhnishvili, 2012]. The Concept of Defense Reserve System of Georgia (Project) outlines the principles for future military reserve of Georgia: it will be divided into two components: Ground Forces Reserve (GFR) and Territorial Defense Reserve (TDR) [2012; Tarkhnishvili, 2012; NSC, 2012e; Civil.ge, 2012]. GFR will be completed by former regular army servicemen on compulsory basis [NSC, 2012e]. There will be possibility to volunteer for GFR [Concept of Defense Reserve System of Georgia (Project), 2012]. It will be under the command of land forces of the Georgian army and will train with them [Concept of Defense Reserve System of Georgia (Project), 2012]. TDR will be based on territorial principle and will be completely voluntary. TDR will be trained by and will be under the command of National Guard Department of Georgia [Concept of Defense Reserve System of Georgia (Project), 2012; Tarkhnishvili, 2012; NSC, 2012e; Civil.ge, 2012]. The project of the concept does not say anything about serving period either in GFR or TDR; though there is no indication to think that current period of service (once a year for at most 45 days) will be changed (at least for GFR). It has to be noted, that the document does not mention information security or cyber security. Georgia can use its current military reserve system to form cyber defense units. On the other hand, proposed reserve concept neither excludes nor diminishes opportunities to develop cyber units. As the concept for future reserve system plans major changes, it will be better to model potential cyber units on future reserve system. In the proposed reserve system, destination for cyber reserve units should be GFR, not TDR. The latter will be created according to administrative division of Georgia [Concept of Defense Reserve System of Georgia (Project), 2012]. TDR subdivisions will be tied to districts of their origin. Their responsibility will be back up operations [Concept of Defense Reserve System of Georgia (Project), 2012]. GFR will be more close to the regular army. Besides training with land forces of the army, tasks of GFR will be supporting regular army units and if necessary replacing them during wartime [Concept of Defense Reserve System of Georgia (Project), 2012]. There are two possibilities to form cyber units both in current reserve system and in GFR: First option is to pick up draftees with IT background to form cyber units. Another option is to make room for volunteerism with announcing competition for cyber units. In the latter case, the
41

draftees will have a choice: to go to regular reserve units or apply for cyber units. Persons with IT education and experience will have an incentive to go for cyber units. With serving in units which are correspondent to their profession, they will get an opportunity to enlarge their knowledge and skills. Additional incentives, for instance, financial compensation during serving period, can be set to attract draftees to cyber units. Supposedly, draftees who will volunteer for cyber units will be more committed than persons who are picked up in a predefined manner. On the other hand, the financial compensation and opportunity for professional growth may attract volunteers to GFR people who do not have to serve in reserve system. Expertise of reserve cyber units should be differentiated. One unit can provide information assurance expertise to the army; another can be tasked with security of communications and military network infrastructure. Units should be formed according to available human resources. The further details about cyber reserve units and other potential solutions will be discussed in the next chapter.

42

5 Proposals and Analysis

The earlier chapters gave overview of Georgias current capabilities, existing problems and available human resources, discussed various examples of defensive cyber capability development and their limitations for Georgias case. Existing foundations for cyber capability development of Georgia were reviewed in the previous chapter. The coming part is the main contribution of the thesis. Taking into account the content of everything previously described in the thesis, I offer and analyze solutions for development of defensive cyber capabilities. After the analysis of the proposals I make recommendations for Georgia. Proposals are based on volunteerism. Resource scarcity for cyber defense is an issue worldwide. Thats why the question of volunteerism raises. It (as self-motivated, non-paid activity) was one of the driving forces of the Internet development in its early years. Nowadays volunteerism (which in concrete occasions can be financially motivated) represents a cost-effective way to fill the holes in cyber defense structure of a country. Georgia and small countries alike should seek to utilize their volunteer potential. Volunteerism, by its widespread understanding, means nonpaid self-motivated work. Though the proposals will imply volunteerism as noncommercial, selfmotivated work for shared goals, which in some circumstances can be financially compensated. Proposals will be analyzed with SWOT (Strengths, Weaknesses, Opportunities, Threats) method. SWOT is qualitative analysis method and as the name implies, helps understanding the advantages (strengths) and disadvantages (weaknesses) of a given choice (policy, business decision, practical solution to a problem, etc.), its potentials for future development (opportunities) and problems (threats) which may arise from them [Berry, 2012; University of Cambridge, 2012]. SWOT is interactive and dynamic it is designed for comparing different solutions, organizing and interpreting all strengths/weaknesses/opportunities/threats of the choices relatively to each other and drafting conclusions upon the comparison [Berry, 2012] [University of Cambridge, 2012]. SWOT matrices will be provided in the analysis.

43

5.1 A volunteer entity proposal My first proposal is to establish volunteer institution modeled on the Estonian CDU. The entity can be created as an extension of DEA or CERT.gov.ge. It can also be established at the Department of Communications, Information Technologies and Innovation at Ministry of Economy and Sustainable Development of Georgia. The department looks after the elaboration and implementation of Georgian e-Governance concept, determines and monitors directions of communications and ICT policies, develops strategy and priorities for communications and ICT networks and applications [Ministry of Economy and Sustainable Development of Georgia, 2012]. The department is not concerned first and foremost with information security and cyber security, but DEA is. So establishing a cyber volunteer entity under the auspices of DEA will be in correspondence with its activities. On the other hand, DEA and CERT.gov.ge will be preoccupied with critical information infrastructure after the enactment of the Law on Information Security and the volunteer entity can free them from other issues. The volunteer organization will be civilian. Its legal status can be defined as a legal entity of Georgian public law (which excludes an entity to be commercial/profit-oriented) [Parliament of Georgia, 1999]. Membership will be totally voluntary. Goals and responsibilities of the entity should be defined taking into account its expertise pool, financial resources and time its members can spare for its activities. Looking at the experience of international organization in IT field, which were created on voluntary basis (for instance, IETF), it would be better if future Georgian cyber volunteer entity will not have a single decision maker person or body. The entity is not meant to be large. It is possible to resolve issues (on activities, projects, directions to work at, etc.) with consensus. In this way, interests of the members will be paid attention and their ideas promoted. The idea behind the entity innovative and creative thinking should not be lost in bureaucratic procedures. The members of the organization are supposed to have IT background. It will be hard to establish regional units or representations because IT sector is concentrated to the capital city of Tbilisi. It is hard to predict whether human resources allow organizing the entity by subgroups based on expertise.
44

Supposedly the volunteer institution will get funding from parent (governmental) agency. At the same time, it can seek funding from (international) NGOs and other potential sources. A budget should be spent on infrastructure and projects, members should be encouraged to participate in relevant (international) events, conferences and fairs by financing participation fees and transportation. Members should not be paid for their membership. Georgian voluntary organization can cover matters of awareness raising, knowledge sharing, information sharing, and cooperation enhancement within private and between public and private sectors. These issues need to be addressed in Georgia. It can also try to eradicate lack of research in Georgian IT sector. In general, the volunteers should focus on areas beyond the reach of DEA, CERT.gov.ge or other governmental entities. The strength of volunteer entity will be its members whoever joins, will have commitment to shared goals. Inclusive character (consensual decision making is part of it) is one of the advantages of the organization. It can attract bright persons. Creative thinking is one of its potential merits. Areas not covered by relevant governmental agencies will be addressed. Establishment and maintenance of the organization needs relatively small amount of finances. Potential lack of (diverse) expertise will be one of the weaknesses - it is questionable whether the organization will be able to attract expertise pool with variety of skills. Part time nature of the organization can be a hindrance too. But this issue can be settled by the quantity (and quality) of members. Projects will have to be planned and implemented according to the time schedule of the participants. Scope of goals and activities should be limited to increase effectiveness. The organization will cover the issues beyond the attention of other actors of Georgian cyberspace. Voluntary organization can also provide possibility to its members to gain additional skills and experience, which will benefit IT sector overall. It can serve as a back-up to CERT.gov.ge in some circumstances (as CERT.gov.ge is supposed to be preoccupied with critical information infrastructure). Voluntary institution can also serve as a talent identification, recruiting and training pool. Theoretically, there can be some threats as well. The entity may not be able to cover every issue their members will raise. Some people can feel themselves as outsiders and lose interest to the
45

organization. High expectations towards the entity (it is not meant to be front line of cyber defense of Georgian cyberspace) can also prove wrong. Table 2 shows SWOT matrix of a cyber voluntary organization. Table 2. SWOT matrix for a volunteer entity Strengths needs relatively small amount of funds will cover issues beyond reach of other cyber entities motivated/committed members creative approach Threats management (hard to satisfy every members interests) high expectations may prove wrong Weaknesses diverse expertise not expected limited in scope of goals and activities dependent members on time schedule of

Opportunities covering issues beyond reach of other entities back-up for CERT.gov.ge Talent identification, recruiting and training

46

5.2 A WARP proposal My another suggestion is to establish WARPs modeled on British counterparts. WARPs will enhance issues of information sharing, incident reporting, expert advice and early warning of threats for their members. They will be designated to receive and analyze incident reports, get and disseminate information about (potential) threats, issue expert advice to members (members will be not persons but legal entities of public and private law). Several WARPs can be created based on geography and business sector. Cooperation and information sharing (at some degree, without abusing any WARP member in any sense) is possible not only within a WARP, but also among WARPs. Establishment of WARPs should boost cooperation among actors of Georgian cyberspace. Formation of a WARP needs legislative basis defining its rights and responsibilities, allocation of personnel (an operator) and finances, developing necessary infrastructure (defining means of communication, developing software if needed, etc.). WARPs legal status can be either legal entity of public law or non-profit NGO. Volunteerism in WARPs case concerns voluntary participation of entities into a WARP. Incentives for actors are clear: early warning, expert advice, information sharing. Incident reporting can be a hindrance because of (business) reputation reasons. Though WARP members may not know each other at all there is room for anonymity. Even if WARP members know which institutions are other members, anonymity can be still secured. WARP is formed around an operator (for other details of WARP activities, please refer to section 2.1.3), which communicates to members so a member can share incident report, but others will not know which one of them had this incident. In Georgia, one WARP should be formed for DEA and critical information infrastructure entities. The Law on Information Security will define critical information infrastructure. The list of CII will be compiled within 6 months after the adoption of the law. CII entities will share incident reports and other relevant information with DEA. The process can be institutionalized with a WARP. Though the WARP cannot be established until there is CII list, DEA should not wait for it as cyber threats will not consider waiting for the law enactment and other procedures.
47

DEA should consider forming a WARP involving (on voluntary basis) parties supposed to be in the CII list. One the one hand time can be saved and on the other hand (if needed) reorganizing a WARP will be easier than establishing a new one. Besides DEA-CII WARP, non-critical information infrastructure entities and private companies should form WARPs of their own. As information security of Georgian cyberspace is the main concern of DEA, it should encourage non-critical infrastructure institutions including governmental agencies (for instance, police or local administrations), public institutions (universities, libraries, etc.), non-governmental organizations and private companies (banks, insurance companies, etc.) to form WARPs for themselves. DEA can encourage them by raising awareness about a WARP model or providing necessary technical or administrative support for formation of WARPs. One of the strengths of a WARP is anonymity, which lays basis for safe incident reporting. Another is low costs of establishment and maintenance. It is also flexible can be formed taking into account geography or business sector. Georgia is a small country and anonymity part for WARP can be undermined. Because Georgian cyberspace is small and arguably not the hottest spot of global cyber net, there may not be a lot of activities for some of Georgian (mainly non-governmental) WARPs. They may lose their momentum. WARPs will support cooperation among Georgian cyberspace actors. It also provides a chance to cover non-critical information infrastructure. The above mentioned flexibility offers inclusiveness. Actors of a given business sector (for instance, media outlets) will be encouraged to join a WARP by the fact that its members will be only from this sector. Information leakage is a threat for reputation of any WARP. Incentives for potential members of a WARP can be a case. Georgian cyberspace actors should be persuaded that they can really benefit from WARP services. Table 3 briefs SWOT analysis for a WARP.

48

Table 3. SWOT matrix for WARPs in Georgia Strengths anonymity low costs of maintenance flexibility Weaknesses small country anonymity can be breached Some WARPs may lose their

momentum Threats to cover non-critical information leakage incentives

Opportunities possibility

infrastructure entities enhance cooperation among various actors inclusiveness

5.3 Reserve Cyber Units My third suggestion will be forming cyber units within military reserve of Georgia. Military reserve system is the most valuable asset for cyber capability development. British LIAG, LICSG and 81st Signal Squadron should be the role models for potential cyber reserve units of Georgia. Both current military reserve system of Georgia and the concept for the future one are described in the previous chapter. Formation of cyber units can be initiated immediately, but structure of the future system should be taken into account. GFR will be completed with former military servicemen on compulsory basis. Among its draftees will be former conscripts. Currently minimal age for a potential reservist is set at 27, therefore candidates for cyber units probably
49

will have IT education and working experience (civilian career). Cyber unit members should be picked up by competition with careful examination of their experience and skills. Draftees will have incentives to apply for reserve cyber units, because they will get an opportunity to enlarge their professional knowledge. As draftees will have to serve as reservists anyway, there is high probability they prefer to be in cyber units rather than in regular units. Cyber alternative can be considered as principal stimulus. Financial compensation during serving period should also be considered. Serving period at reserve currently is at most 45 days a year. British LIAG members serve at least 19 days a year. From training point of view, serving period at Georgian reserve service looks promising. Reserve cyber units will not overlap with their activities with other proposed solutions (a cyber volunteer entity and WARPs). They will be engaged with military, while the voluntary organization and WARPs will operate in civilian sphere. The goals of reserve cyber units will be defense of military information infrastructure and providing specialized services to the armed forces of Georgia. There will be an opportunity to form various units (as available human resources allows) to diversify expertise (like in British CVHQ) one unit can provide information assurance to the army, another - security of communications and military networks, etc. Cyber units created in the framework of reserve military service preferably should stay within military domain. A potential law regulating their rights and responsibilities can give them a role in defense of civilian information infrastructure. But this is not usual practice worldwide. It is desirable that civilian information infrastructure is defended by civilian entities and military and civilian spheres are sharply distinguished from each other to avoid potential legal or political troubles. The rights and responsibilities of Georgian cyber reserve units will be defined in the law on military reserve service and they should be clearly distinguished from rights and responsibilities of CERT.gov.ge and other corresponding governmental (civilian) entities. Cyber units should not be used for countrywide Internet censorship (as it is in case of Chinese cyber militias) or other political purposes.
50

Cyber reserve units will be financed by government (they will get their share from overall reserve service budget). Funding will be needed for infrastructure (including training environment). Financial compensations for members of cyber units and for their companies (where they have civilian careers) should be defined. One of the strengths of cyber reserve units will be its members. They are supposed to have IT education and work experience. Serving period up to 45 days a year looks reliable for training. Possibility of division by expertise is another advantage. Currently military reserve system concerns all the able man of Georgia (with population of 4.5 million people) between the age of 27 and 40. In the future, GFR will include former military servicemen. In any case, there is high probability of availability of human resources. Though diversified and high quality expertise can be just hope. Lack of research of Georgian IT sector makes it impossible to predict the variety and level of expertise for cyber reserve units. GFR will train with land forces of Georgian army. This should help reserve cyber units for coordination and adaptation within overall military system of Georgian armed forces. As Georgian reserve military system is being reformed, it will be difficult to begin formation of cyber units immediately. On the other hand, achieving tangible results will need time anyway. Developing high quality cyber reserve units will take several years. Recruiting and organizing process will be prolonged and complicated, but this issue should be addressed from now with the conceptualization of cyber reserve units in future reserve system. In comparison with other proposals, maintenance of cyber reserve units will need more financial resources. Cyber reserve units will provide lots of opportunities to Georgia. First of all, it will enhance development of IT by supporting knowledge accumulation and expertise dissemination throughout the sector. It will also serve as an indicator of what kind of IT expertise is present in Georgia nowadays, what directions are problematic and need to be addressed. Cyber reserve units will give opportunities to its members too gaining experience and acquiring new skills. Recruitment and organization of cyber reserve units will be difficult. The process should be scrupulous and well-planned. Coordination and inclusion in overall military structure will be another issue. Development of proper training environment is also crucial.
51

Table 4 summarizes the SWOT analysis of cyber reserve solution. Table 4. SWOT matrix for Reserve Cyber Units Strengths serving period (up to 45 days) looks promising for training high probability of availability of human resources can be formed various units based on expertise fields GFR will train with land forces of Georgia it will help coordination and adaptation Opportunities supporting further development of Threats complicated recruitment and Weaknesses diverse/high questionable will need time to bring results more expensive than a cyber volunteer entity and WARPs Georgian military reserve system is being reformed level expertise

cyber capabilities overview of existing expertise in Georgia opportunity for members to gain

organization issues coordination and inclusion in military structure reserve cyber units need proper training environment

addition skills and experience

52

5.4 Recommendations for Georgia The aim of my work was to get over the deficit of human resources in Georgian IT sector and find ways to develop defensive cyber capabilities of the country. The solutions were supposed to be cost-effective and possible to implement immediately. I focused on options based on volunteerism. First I reviewed the needs, limitations and characteristics of Georgian information security environment along with existing foundations on which potential solutions could be built. Hoping to find an applicable solution for Georgia, I brought various examples from Estonia, the UK, the USA, China and Russia. After examination of the examples, formation and analysis of the proposals, I have come to the conclusion that the best option for Georgia is to pursue the implementation of three different solutions. First is the establishment of a volunteer organization modeled on Estonian CDU. Another solution is formation of the WARP for DEA and Georgia CII entities along with establishment of other WARPs organized according to geography and business sector. Third proposal is development of cyber units within the reserve military system of Georgia. These solutions do not compete, but supplement each other. A volunteer organization should be established under the auspices of DEA. It is cost-effective solution and can be implemented immediately. Its practical value will be covering issues beyond the reach of DEA and CERT.gov.ge cyber security awareness rising, cooperation enhancement between public and private sectors, knowledge sharing. On the other hand, it will spare DEA from some of its activities and in some circumstances can cover CERT.gov.ge. Its potential members are people with IT background both from public and private sectors. WARPs are another cost-effective solution. In spite of the fact that the Law of Georgia on Information Security is not adopted for the moment (therefore there is not any CII list yet), DEA should form a WARP to include itself and supposed CII institutions. First of all, this will save time. Secondly, if needed, modifying a WARP will be easier than establishing a new one. Besides DEA should promote WARPs in Georgia with awareness rising and if necessary, provide technical or administrative assistance to interested parties to form WARPs.
53

A WARP is operated by an operator (not necessarily with IT background) and its members are legal entities of both public and private law. A WARP cannot be competitor of the voluntary organization for human resources. WARPs missions are incident reporting, expert advice and early warning. Therefore its goals will not coincide with the objectives of the voluntary entity. If the voluntary organization and WARPs will cover civilian domain, my third proposal concerns military sphere. Reserve cyber units are more expensive solution in comparison with a volunteer organization and WARPs. Meanwhile because Georgian military reserve system is under reform, it will be difficult to immediately form cyber units within the reserve system. But what Georgia needs to do, is to include cyber units in the concept of the future reserve system and as soon as it will be conceptualized, take on the recruitment and organizational issues. The goals of reserve cyber units will be defense of military information infrastructure and providing specialized services to the armed forces of Georgia. So it will not duplicate mission areas of the voluntary organization and WARPs. Reserve cyber units will have their own human resource pool as they will be completed (by competition) by reserve service draftees. Reserve service will be obligatory for former military servicemen. Manpower pool for the volunteer entity will be larger, but there is possibility that some of its potential members may be drafted for the military reserve service. Though it should be noted that there are no obvious reasons why a person, if interested, cannot be a member of both reserve cyber units and the voluntary organization. To sum up, my recommendations to Georgia will be immediate establishment of a voluntary organization; formation of a WARP for DEA and CII entities; tasking DEA with the promotion of a WARP model; including cyber units in the concept of the future reserve system and after conceptualization, organizing recruitment and other logistic issues.

54

6 Conclusion and Future Research

Developing countries get more and more dependent on computer systems. On the other hand, IT advancement brings the security of the vital systems into focus. Governments have to spend time and money to address information security/cyber security issues. Cyber attacks of 2008 showed that Georgia lacked cyber capabilities and was unable to defend its information infrastructure. On the other hand, shortage of human resources in IT sector is an issue not only for Georgia, but for developed countries as well. My work aimed to overcome the manpower issue and to find cost-effective, immediately implementable solutions to develop defensive cyber capabilities of Georgia. Deficit of human and financial resources brings us to volunteerism. Since the first days of the Internet, volunteerism was one of the driving forces for its development. Volunteers are actively involved in cyber defense of Estonia, the UK, the USA and other countries. I explored these examples and analyzed them for applicability to Georgia. Then I constructed 3 proposals based on volunteerism (as noncommercial, self-motivated work for shared goals, which in some circumstances can be financially compensated) for Georgia. First solution was the establishment of a voluntary organization modeled on Estonian CDU. Another was formation of WARPs. And third proposal was developing cyber units within reserve military system of Georgia. All of them are affordable for Georgia and it is possible to begin the implementation of these solutions immediately. The solutions will not compete for human resources and will not duplicate the mission areas of each other. My ultimate conclusion is that volunteerism offers an opportunity to get over the manpower deficit and to find cost-effective ways for defensive cyber capability development. Volunteer option is significant for small countries like Georgia. Volunteerism for cyber security can be further explored. Further search for volunteer examples and analysis of the volunteer solutions in relation to other countries would be crucial for understanding of all potential gains volunteerism offers to cyber defense. The questions about potential legal and political setbacks should be considered. As the countries pay more attention to cyberspace, there will be more empirical data for analysis. Further research should also take into account international volunteer organizations in IT field.
55

References
Abashidze, A., Abashishvili, G. (2012). :

. [State Policy for Volunteerism: Georgian Law and World Practice]. [pdf] Georgian Business and Political Insight. Available at: http://bpi.ge/analytics/volunteerism-kvleva.pdf [Last accessed 2.04.2012]
Aisi. (2012). [About Us]. [online] Available at: http://www.aisiforce.org/word/ [Last Accessed 26.03.2012] Anonymous Source A. (2012). Member of Cyber Defense Unit of Estonia. Personal Communication. May, 2012. Anonymous Source B. (2012b). Member of Cyber Defense Unit of Estonia. Personal Communication, May, 2012. Bergesen, A. (2004). The Fight Goes Hi-Tech. Washington National Guard. [online] (April, 2004). Available at: http://washingtonguard.org/news/archive/fo-262_COC.shtml [Last accessed 26.04.2012] Berry, T. (2012). How to Perform SWOT Analysis. Bplans. [online] Available at: http://articles.bplans.com/business/how-to-perform-swot-analysis/116 [Last Accessed 2.05.2012] Brenner, S. W., Clarke, L. C. (2011). Conscription and Cyber Conflict: Legal Issues. In: C. Czossek, E. Tyugu, T. Wingfield, eds. (2010). 3rd International Conference on Cyber Conflict, 2011. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication. pp 1-12 Borsook, P. (1995). How anarchy works. Wired. [online] (October, 1995). Available at: http://www.wired.com/wired/archive/3.10/ietf.html [Last Accessed 21.04.2012] British Army. (2012a). CVHQ ( Royal Signals.) [online] http://www.army.mod.uk/signals/25296.aspx [Last Accessed 21.04.2012] British Army. (2012b). LIAG (V). [online] http://www.army.mod.uk/signals/25564.aspx [Last Accessed 21.04.2012] British Army. (2012c). LICSG(V). [online] http://www.army.mod.uk/signals/25563.aspx [Last Accessed 21.04.2012]
56

Available

at:

Available

at:

Available

at:

British Army. (2012d). 81 Sig Sqn (V). [online] http://www.army.mod.uk/signals/25570.aspx [Last Accessed 21.04.2012]

Available

at:

British Army. (2012e). Territorial Army Pay and Allowances. [online] Available at: http://www.army.mod.uk/join/20241.aspx [Last Accessed 21.04.2012] British Army. (2012f). Territorial and Reserve. [online] http://www.army.mod.uk/territorial/143.aspx [Last Accessed 21.04.2012] Buki Project. (2012). [About http://www.buki.ge/about.html [Last Accessed 27.03.2012] Project].[online] Available at:

Available

at:

Campbell, S. (2011). Data Processing Unit holds change of command ceremony. Virginia National Guard. [online] (April, 2011) Available at: [Last Accessed http://vko.va.ngb.army.mil/virginiaguard/news/aug11/DPUcommand.html 25.03.2012] Carr, J. (2011). Inside Cyber Warfare. 2nd ed. Sebastopol: OReilly Media Caucasus Online. (2012a). [History of the Company]. [online] Available at: http://dsl.online.ge/index.php?page=13&lang=geo [Last Accessed 26.03.2012] Caucasus Online. (2012b). [About Us]. http://www.co.ge/Page.aspx?id=53 [Last Accessed 26.03.2012] [online] Available at:

Civil.ge. (2012). Concept of New Reserve Forces Discussed. [online] Available at: http://civil.ge/eng/article.php?id=24706 [Last Accessed 10.05.2012] Civil Registry of Georgia. (2012). ID Card. [online] Available http://www.cra.gov.ge/index.php?sec_id=2&lang_id=ENG [Last Accessed 26.03.2012] Civil Service Bureau of Georgia. (2012). E-Governance. http://www.csb.gov.ge/en/e-governance [Last Accessed 28.03.2012] [online] Available at:

at:

Corso, M. (2010). Georgia: 2011 Budget Is Big on Bucks, Small on Public Details. Eurasianet. [online] (December, 2010) Available at: http://www.eurasianet.org/node/62604 [Last Accessed 28.03.2012]

57

Council of Europe. (2012). Convention on Cybercrime. Status as of: 8/5/12. [online] Available at: http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&CL=ENG [Last Accessed 28.03.2012]

() [Concept of Defense Reserve System of Georgia (Project)]. (2012). [pdf] Available at: http://www.civil.ge/files/files/2012/ReserveForces-draft.pdf [Last Accessed 11.05.2012] [Criminal Code of Georgia]. (2012). Codex Legislative Acts of Georgia. [doc] Available at: http://laws.codexserver.com/226.DOC [Last Accessed 21.04.2012]
CRRC (Caucasus Research Resource Centers). (2008). Comparing civic participation: Caucasus Data 2007. Social Science in the Caucasus [blog] (October, 2008). Available at: http://crrccaucasus.blogspot.com/2008/10/comparing-civic-participation-caucasus.html [Last Accessed 2.04.2012] CRRC (Caucasus Research Resource Centers). (2011). E-transparency in Georgia: A key to faith in Democracy?. Social Science in the Caucasus [blog] (March, 2011). Available at: http://crrccaucasus.blogspot.com/2011/03/e-transparency-in-georgia-key-to-faith.html [Last Accessed 2.04.2012] Danchev. D. (2008). Coordinated Russia vs Georgia cyber attack in progress. ZDNet. [online] (August, 2008). Available at: http://www.zdnet.com/blog/security/coordinated-russia-vs-georgiacyber-attack-in-progress/1670 [Last Accessed 19.04.2012] Darsalia, L. (2012). [Interview by e-mail] (Personal communication. February 7, 2012.) DEA (Data Exchange Agency). (2011). CERT.gov.ge CERT- Trusted Introducer [CERT.gov.ge becomes a member of Trusted Introducer European CERT community]. [online] Available at: http://dea.gov.ge/?action=news&news_id=7&lang=geo [Last Accessed 28.03.2012] DEA (Data Exchange Agency). (2012). [About Us]. [online] Available at: http://dea.gov.ge/?action=page&p_id=5&lang=geo [Last Accessed 28.03.2012] Dogrul, M., Aslan, A., Celik, E. (2011). Developing an International Cooperation on Cyber Defense and Deterrence against Cyber Terrorism. In: C. Czossek, E. Tyugu, T. Wingfield, eds.
58

(2010). 3rd International Conference on Cyber Conflict, 2011. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication. pp 29-44. Downing, E. (2011). Cyber Security A new national programme. [pdf] Parliament of the United Kingdom. Available at: http://www.parliament.uk/briefing-papers/SN05832.pdf [Last Accessed 29.03.2012]

[Draft of Law of Georgia on Information Security] (2012). Registration Number #073/550; 03.02.2012. [docx] Available at: http://netgazeti.ge/attachment/101/%E1%83%99%E1%83%90%E1%83%9C%E1%83%9D%E1 %83%9C%E1%83%9E%E1%83%A0%E1%83%9D%E1%83%94%E1%83%A5%E1%83%A2 %E1%83%98%20%E1%83%98%E1%83%9C%E1%83%A4%E1%83%9D%E1%83%A0%E1 %83%9B%E1%83%90%E1%83%AA%E1%83%98%E1%83%A3%E1%83%9A%E1%83%98 %20%E1%83%A3%E1%83%A1%E1%83%90%E1%83%A4%E1%83%A0%E1%83%97%E1 %83%AE%E1%83%9D%E1%83%94%E1%83%91%E1%83%98%E1%83%A1%20%E1%83% A8%E1%83%94%E1%83%A1%E1%83%90%E1%83%AE%E1%83%94%E1%83%91.docx?g _download=1 [Last Accessed 8.05.2012]
Dudney, R. S. (2011). Rise of the Cyber Militias. Air Force Magazine. [pdf] Available at: http://www.airforcemagazine.com/MagazineArchive/Pages/2011/February%202011/0211cyber.aspx [Last Accessed 8.05.2012] e-Estonia. (2012). Cyber Security. [online] Available at: http://e-estonia.com/e-estonia/digitalsociety/cyber-security [Last Accessed 22.04.2012] Electronic Government Resources of Georgia. (2012). Home Page. [online] Available at: http://www.e-government.ge/index.php?lang=4 [Last Accessed 26.03.2012] Ellefsen, I. Von Solms, S. (2010). The Community-Oriented Computer Security, Advisory and Warning Team. IST-Africa 2010 Conference Proceedings. [pdf] University of Johannesburg. Available at: http://ujdigispace.uj.ac.za/bitstream/handle/10210/3543/ISTAfrica_Paper_ref_42_doc_3347.pdf? sequence=1 [Last Accessed 22.04.2012] ENISA (European Network and Information Security Agency). (2011). United Kingdom Country Report. [pdf] ENISA. Available at: http://www.enisa.europa.eu/act/sr/files/countryreports/UK.pdf [Last Accessed 22.04.2012]
59

Estonian Ministry of Defense. (2011). Government formed Cyber Defense Unit of the Defense League. [online] Available at: http://www.kmin.ee/en/government-formed-cyber-defence-unitof-the-defence-league [Last Accessed 22.04.2012] Estonian Ministry of Foreign Affairs. (2011). Around 150 experts associated with Estonias Cyber Defense League. [online] Available at: http://www.vm.ee/?q=en/node/12674 [Last Accessed 22.04.2012] Colonel Timothy J. Evans, Commander of 175th Network Warfare Squadron, USAF. (2012). Comments sent via personal e-mail to the supervisor. May, 2012 Ferwerda, J., Choucri, N., Madnick, S. (2010). Institutional Foundations for Cyber Security: Current Responses and New Challenges. [pdf] Massachusetts Institute of Technology. Available at: http://web.mit.edu/ecir/pdf/madnick-2010-03.pdf [Last Accessed 27.03.2012] Francis, M. (2011) Wash. state military units prepare for cyber war. Komonews. [online] (December, 2011). Available at: http://www.komonews.com/news/tech/Wash-state-militaryunits-prepare-for-cyber-war-135410163.html [Last Accessed 27.03.2012] Freedom House. (2011). Freedom on the Net 2011 Report on Georgia. [pdf] Freedom House. Available at: [Last http://www.freedomhouse.org/sites/default/files/inline_images/Georgia_FOTN2011.pdf Accessed 27.03.2012] Geers, K. (2011). Strategic Cyber Security. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication, 2011 Gelzis, G. (2011). Estonian voluntary cyber-soldiers integrated into national guard. Deutsche Welle. [online] (April, 2011]. Available at: http://www.dw.de/dw/article/0,,14968102,00.html [Last Accessed 22.04.2012] Giles, K. (2011). Information Troops A Russian Cyber Command? In: C. Czossek, E. Tyugu, T. Wingfield, eds. (2010). 3rd International Conference on Cyber Conflict, 2011. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication. pp 45-60

[About Georgian National Communications Commission]. [online] Available at: http://www.gncc.ge/index.php?lang_id=GEO&sec_id=3051 [Last Accessed 28.03.2012]
GNCC (Georgian National Communications Commission). (2005).
60

GNCC (Georgian National Communications Commission). (2008). [The Internet]. [online] Available at: http://www.gncc.ge/index.php?lang_id=GEO&sec_id=5704&info_id=6429 [Last Accessed 15.05.2012] GNCC (Georgian National Communications Commission). (2012). [Statistics]. [online] Available at: http://www.gncc.ge/index.php?lang_id=GEO&sec_id=5706 [Last Accessed 28.03.2012] Grauman, B. (2012). Cyber-security: The vexed question of global rules. An independent report on cyber-preparedness around the world. Security & Defense Agenda with support of McAfee. [pdf] McAfee. Available at: http://www.mcafee.com/us/resources/reports/rp-sda-cybersecurity.pdf?cid=WBB048 [Last Accessed 28.04.2012] GRENA (Georgian Research and Educational Networking Association). (2012a). Services CERT. [online] Available at: http://grena.ge/eng/services/cert [Last Accessed 27.03.2012] GRENA (Georgian Research and Educational Networking Association). (2012b). Main page. [online]. Available at: http://grena.ge/eng/main [Last Accessed 15.05.2012] Grey Goose Project. (2008). Phase I Report. [online] Available at: http://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report [Last Accessed 19.04.2012] Grey Goose Project. (2009). Phase II Report. [online] Available at: http://www.scribd.com/doc/13442963/Project-Grey-Goose-Phase-II-Report [Last Accessed 19.04.2012] Grey Goose Project. (2012). Grey Goose page. Palantir Technologies. [online]. Available at: http://palantir.com/government/cyber/greygoose [Last Accessed 15.05.2012] GSAC (Georgian Security Analysis Center). (2012a). About Us. [online] Available at: http://www.gfsis.org/index.php/activities/projects/view/84 [Last Accessed 27.03.2012] GSAC (Georgian Security Analysis Center). (2012b). Cyber Awareness Project. [online] Available at: http://www.gfsis.org/index.php/activities/projects/view/84/page/165 [Last Accessed 27.03.2012]
61

Hagerty, J. R. (2012). U.S. Loses High-Tech Jobs as R&D Shifts Towards Asia. The Wall Street Journal. [online] (January, 2012). Available at: http://online.wsj.com/article/SB10001424052970204468004577167003809336394.html [Last Accessed 28.04.2012] Hare, F. (2010). The Cyber Threat to National Security: Why Cant We Agree? In: C. Czossek, K. Podins, eds. Conference on Cyber Conflict - Proceedings 2010. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication, 2010. pp. 211-226. Harrison, J. (2009). Trusted Information Sharing. ENISA-FORTH Summer School on Network and Information Security, 14-18 September, 2009, Crete, Greece. [pdf] ENISA, FORTH. Available at: http://www.nis-summer-school.eu/nis09/presentations/05-Harrison.pdf [Last Accessed 22.04.2012] Hemstreet, T. (2010). Hi-Tech line of Defense. Northwest Military Community. [online] (January, 2010). Avaiable at: http://www.northwestmilitary.com/news/focus/2010/01/High-techline-of-defense/ [Last Accessed 26.04.2012] Hollis, D. (2011). Cyberwar Case Study: Georgia 2008. [pdf] Small Wars Journal. Available at: http://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf [Last Accessed 19.04.2012] Homeland Security NewsWire. (2011). National Guardsmen, the new front line in cybersecurity. [online] Available at: http://www.homelandsecuritynewswire.com/dr20111219-nationalguardsmen-the-new-front-line-in-cybersecurity [Last Accessed 27.03.2012] IETF (Internet Engineering Task Force). (2011). The Tao of IETF: A Novice's Guide to the Internet Engineering Task Force. [onlinr] Available at: http://www.ietf.org/tao.html [Last Accessed 21.04.2012] IETF (Internet Engineering Task Force). (2012). Mission Statement. [online] Available at: http://www.ietf.org/about/mission.html [Last Accessed 15.05.2012] IMF (International Monetary Fund). (2012). Report on Selected Countries and Subjects. [online] Available at: http://www.imf.org/external/pubs/ft/weo/2011/01/weodata/weorept.aspx?pr.x=52&pr.y=7&sy=2 009&ey=2016&scsm=1&ssd=1&sort=country&ds=.&br=1&c=939%2C915&s=NGDPD%2CN GDPDPC&grp=0&a= [Last Accessed 28.03.2012]

62

Internet World Stats. (2010a). Georgia. [online] http://www.internetworldstats.com/asia/ge.htm [Last Accessed 23.03.2012] Internet World Stats. (2010b). Estonia. [online] http://www.internetworldstats.com/eu/ee.htm [Last Accessed 27.03.2012]

Available

at:

Available

at:

ISSAC (Information Security Studies and Analysis Center). (2012). Mission. [online] Available at: http://issac.ge/us/about-us/mission [Last Accessed 27.03.2012] Joubert, V. (2010). Getting the Essence of Cyberspace; A Theoretical Framework to Face Cyber Issues. In: C. Czossek, K. Podins, eds. Conference on Cyber Conflict - Proceedings 2010. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication, 2010. pp. 111128. Job Spectrum. (2012). British Reserve Life changing part time service. [online] Available at: http://www.jobspectrum.org/unemployed/next-job/british-reserve-life-changing-part-timeservice.html [Last Accessed 26.04.2012] Justice Ministry of Georgia. (2010). Presentation of Data Exchange Agency. [online] Available at: http://www.justice.gov.ge/index.php?lang_id=ENG&sec_id=23&info_id=2160 [Last Accessed 27.03.2012] Kaitseliit. (2012a). Kberkaitse ksus [Cyber Defense Unit]. [online] Available at: http://uusweb.kaitseliit.ee/et/kuberkaitse-uksus [Last Accessed 22.04.2012] Kaitseliit. (2012b). Kberkaitse ksuse loomise ajalugu [History of Cyber Defense Unit]. [online] Available at: http://uusweb.kaitseliit.ee/et/kkl-loomise-ajalugu [Last Accessed 22.04.2012] Kaitseliit. (2012c). Kberkaitse ksuse peamised lesanded [Tasks of Cyber Defense Unit]. [online] Available at: http://uusweb.kaitseliit.ee/et/kkl-peamised-ulesanded [Last Accessed 22.04.2012] Kaitseliit. (2012d). Kaitseliit [About Estonian Defense League]. [online] Available at: http://uusweb.kaitseliit.ee/et/kl [Last Accessed 22.04.2012] Karchava, T. (2012). Caucasus Online Lost 3.82 of Market Share Last Year. Georgian Business and Political Insight. [online] Available at:

63

http://www.bpi.ge/index.php?option=com_content&view=article&id=2877%3A------382-&catid=921%3A2011-11-06-16-36-05&lang=ka [Last Accessed 2.04.2012] Killcrece, G. (2006). CERT/CC Overview and CSIRT Development Team Activities. [pdf] Available at: http://www.enisa.europa.eu/activities/cert/events/files/ENISA_An_overview_of_CERTCC_Killcreece.pdf [Last Accessed 15.05.2012] Klimburg, A. (2011a). Mobilising Cyber Power. Survival, vol. 53, no. 1, February-March 2011, 41-60. [pdf] The Austrian Institute for International Affairs (OIIP). Available at: http://www.oiip.ac.at/fileadmin/Unterlagen/Dateien/Publikationen/Klimburg_Author_Proof.pdf [Last Accessed 27.03.2012] Klimburg, A. (2011b). The Whole of Nation in Cyberpower. Georgetown Journal of International Affairs, Special Issue 2011 , International Engagement on Cyber: Establishing International Norms and Improved Cybersecurity, 2011, gj12409. [pdf] The Austrian Institute for International Affairs (OIIP). Available at: http://www.oiip.ac.at/fileadmin/Unterlagen/Dateien/News/The_Whole_of_Nation_in_Cyberpow er_AK.pdf [Last Accessed 25.03.2012] Korns, S. W., Kastenberg, J. E. (2009). Georgias Cyber Left Hook. [pdf] US Army War College. available at: http://www.carlisle.army.mil/usawc/parameters/Articles/08winter/korns.pdf [Last Accessed 27.03.2012] Krekel, B. (2009). Capability of Peoples Republic of China to Conduct Cyber Warfare and Computer Network Exploitation. Prepared for The U.S.-China Economic and Security Review Commission. Northrop Grumman. [pdf] U.S.-China Economic and Security Review Commission. Available at: http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Appr oved%20Report_16Oct2009.pdf [Last Accessed 28.04.2012]

[Labor Code of Georgia]. (2010). Matsne (Database of legal documents of Georgia). [online] Available at: https://www.matsne.gov.ge/index.php?option=com_ldmssearch&view=docView&id=1155567 [Last Accessed 28.03.2012]

64

Lasker, J. (2007). Air Force Draws Weekend Cyberwarriors From Microsoft, Cisco. Wired. [online] (July, 2007). Available at: http://www.wired.com/politics/security/news/2007/08/262nd [Last Accessed 27.03.2012]

[Law of Georgia on Creation of a Legal Entity of Public Law Data Exchange Agency]. (2009.) DEA. [pdf] Available at: http://dea.gov.ge/download.php?id=1&file=monacemta+gacvlis+saaagento_geo.pdf [Last Accessed 28.03.2012] [Law of Georgia on Digital Signature and Digital Document]. (2010). Matsne (Database of legal documents of Georgia). [online]. Available at: https://matsne.gov.ge/index.php?option=com_ldmssearch&view=docView&id=20866 [Last Accessed 28.03.2012] [Law of Georgia on Protection of Personal Data]. (2012). Codex Legislative Acts of Georgia. [online] Available at: http://laws.codexserver.com/5183.DOC [Last Accessed 15.05.2012]
Law of Georgian on Military Reserve Service. (2010). National Guard Department of Georgia. [online] Available at: http://guard.mod.gov.ge/index.php?page=4&lang=1# [Last Accessed 27.03.2012] Lee, D. (2012). Israel tops cyber-readiness poll but China lags behind. BBC [online] (January, 2012). Available at: http://www.bbc.com/news/technology-16787509 [Last Accessed 28.04.2012] LII (Legal Information Institute), Cornell University Law School. (2012a). Reserve Components Named. [online] Available at: http://www.law.cornell.edu/uscode/text/10/10101 [Last Accessed 28.04.2012] LII (Legal Information Institute), Cornell University Law School. (2012b). National Guard in Federal Service: Period of Service; Apportionment. [online] Available at: http://www.law.cornell.edu/uscode/text/10/12407 [Last Accessed 26.04.2012] Liberali. (2011). NET [Internet Bliss]. http://liberali.ge/internetareba [Last Accessed 28.03.2012]
65

[online]

Available

at:

Liles, S. (2010). Cyber warfare: As a form of low-intensity conflict and insurgency. In: C. Czossek, K. Podins, eds. Conference on Cyber Conflict - Proceedings 2010. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication, 2010. pp. 47-58. Lorents, P., Ottis, R., Rikk, R. (2009). Cyber Society and Cooperative Cyber Defence. Lecture Notes in Computer Science, 2009, Volume 5623/2009, 180-186 Magticom. (2008). The first phase of implementation of the integrated Georgian Governmental [online] Available at: Network has been completed. [Last Accessed http://www.magticom.ge/index.php?section=27&lang=eng&info_id=315 27.03.2012] Markoff, J. (2008). Before the Gunfire, Cyberattacks. The New York Times. [online] (August, 2013). Available at: http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=1 [Last Accessed 19.04.2012] Matsne (Database of legal documents of Georgia). (2012).

[Criminal Code of Georgia [online] Available at: amendments of 2012]. https://matsne.gov.ge/index.php?option=com_ldmssearch&view=docView&id=1611391 [Last Accessed 28.03.2012]
Matthews, W. (2008). US Military is increasingly turning to the Guard to protect critical networks and computer systems. [pdf] The National Guard Association of the United States. Available at: http://www.ngaus.org/ngaus/files/ccLibraryFiles/Filename/000000004212/cyber0908.pdf [Last Accessed 26.04.2012] MCP (Microsoft Certified Professionals Club). (2012). Home page. [online] Available at: www.mcp.community.ge/ [Last Accessed 28.03.2012] Military.com. (2012). Joining the Army National Guard. [online] Available at: http://www.military.com/join-armed-forces/join-army-national-guard-enlist.html [Last Accessed 26.04.2012] Miks, J. (2012). Israel, China and Cyber Security. The Diplomat. [online] Available at: http://the-diplomat.com/the-editor/2012/02/02/israel-china-and-cyber-security/ [Last Accessed 28.04.2012]

66

Ministry of Economy and Sustainable Development of Georgia. (2012). Department of Communications, Informational Technologies and Innovation. [online] Available at: http://economy.ge/?category=20&lang=eng [Last Accessed 22.04.2012] Ministry of Education and Science of Georgia. (2012a). MA Programs Abroad. [online] Available at: http://mes.gov.ge/content.php?id=667&lang=eng [Last Accessed 19.04.2012] Ministry of Education and Science of Georgia. (2012b). A School of Cyber Security will be launched in Georgia. [online] Available at: http://mes.gov.ge/content.php?id=3940&lang=eng [Last Accessed 19.04.2012] Ministry of Finances of Georgia. (2012a).

[Assignments of Budget of Georgia]. http://www.mof.ge/Budget [Last Accessed 28.03.2012]

[online]

Available

at:

Ministry of Finances of Georgia. (2012b). 2011

[State Budget of Georgia for 2011 Fiscal Year]. [xls] Available at: http://www.mof.ge/common/get_doc.aspx?id=8661 [Last Accessed 28.03.2012]
Ministry of Justice of Georgia. (2010). Presentation of data Exchange Agency. [online] Available at: http://www.justice.gov.ge/index.php?lang_id=ENG&sec_id=23&info_id=2160 [Last Accessed 19.04.2012] Ministry of Justice of Georgia. (2012).

[The Society for Computer Knowledge Dissemination was established]. [online] Available at: http://justice.gov.ge/index.php?lang_id=GEO&sec_id=23&info_id=4390 [Last Accessed 15.05.2012]
Mshvidzobadze, K. (2012). [Interview by Facebook] (Personal Communication. February 26, 2012) MSIDC (Microsoft India Development Center). (2012). Home page. [online] Available at: http://www.microsoft.com/en-in/msidc/default.aspx [Last Accessed 28.04.2012]

[National Security Concept of Georgia]. (2005). Matsne (Database of legal documents of Georgia). [online] Available at:
67

https://www.matsne.gov.ge/index.php?option=com_ldmssearch&view=docView&id=43156 [Last Accessed 15.05.2012] National Security Concept of Georgia (2011). [pdf] Available at: http://www.nsc.gov.ge/files/files/National%20Security%20Concept.pdf [Last Accessed 27.03.2012] National Statistics Office of Georgia (2012a). Criminal Justice Statistics. [online] Available at: http://www.geostat.ge/index.php?action=page&p_id=602&lang=eng [Last Accessed 27.03.2012] National Statistics Office of Georgia (2012b). 2011 [GDP of Georgia in 2011]. [pdf] Available at: http://geostat.ge/cms/site_images/_files/georgian/nad/GDP_2011__press-release__Geo1.pdf [Last Accessed 27.03.2012] Natroshvili, Nino. (2012). . [Does security mean restraints]. Liberali. [online] (April, 2012) Available at: http://liberali.ge/statia/ninonatroshvili/nishnavs [Last Accessed 2.05.2012] Navigator. (2007). [Magticom will create Georgian Governmental Network]. [online] Available at: http://navigator.biometrics.ge/index.php?lang_id=GEO&sec_id=27&info_id=2095 [Last Accessed 15.05.2012] Navigator. (2012a). ID [Demand on Digital ID card raises]. [online] Available at: http://www.navigator.ge/ArticleView.aspx?Id=1359 [Last Accessed 28.03.2012]

[Georgian cyber security field lacks human resources] [online] Available at: http://www.navigator.ge/ArticleView.aspx?Id=1083 [Last Accessed 28.03.2012]
Navigator. (2012b). Nazario, J. (2009). Politically Motivated Denial of Service Attacks. [pdf] NATO Cooperative Cyber Defence Center of Excellence. Available at: http://www.ccdcoe.org/publications/virtualbattlefield/12_NAZARIO%20Politically%20Motivate d%20DDoS.pdf [Last Accessed 19.04.2012]

68

Nazario, J. DiMino, A. (2008). An In-Depth Look at the Georgia-Russia Cyber Conflict of 2008. [pdf] Shadowserver Foundation. Available at: http://www.shadowserver.org/wiki/uploads/Shadowserver/BTF8_RU_GE_DDOS.pdf [Last Accessed 19.04.2012] Netgazeti. (2012). [Driving license tests without human testers]. [online] Available at: http://netgazeti.ge/GE/93/News/8307/.htm [Last Accessed 27.03.2012] Net Index by Ookla. (2012). Household Download Index. [online] Available at: http://www.netindex.com/download/allcountries/ [Last Accessed 1.05.2012] Newborn, P. (2006) Virginia National Guard eyes Web sites, blogs. The Official Homepage of the United States Army. [online] (October, 2006). Available at: [Last http://www.army.mil/article/315/Virginia_National_Guard_eyes_Web_sites__blogs/ Accessed 27.03.2012] NSC (National Security Council of Georgia). (2012a). Mission. [online] Available at: http://www.nsc.gov.ge/eng/Mission.php [Last Accessed 27.03.2012] NSC (National Security Council of Georgia). (2012b). Draft Information Security Law to Be Discussed in Parliament. [online] Available at: http://www.nsc.gov.ge/eng/news.php?id=6163 [Last Accessed 27.03.2012] NSC (National Security Council of Georgia). (2012c). Cyber Security. [online] Available at: http://www.nsc.gov.ge/eng/Cybersecurity.php [Last Accessed 27.03.2012] NSC (National Security Council of Georgia). (2012d). Public discussion of the draft Concept on Georgias Defense Reserve System Continues. [online] Available at: http://nsc.gov.ge/eng/news.php?id=6181 [Last Accessed 10.05.2012] Nye, J. S. (2010). Cyber Power. [pdf] Belfer Center for for Science and International Affairs, John F. Kennedy School of Government, Harvard University. Available at: http://belfercenter.ksg.harvard.edu/files/cyber-power.pdf [Last Accessed 27.03.2012] Ottis, R. (2009). Theoretical Model for Creating a Nation-State Level Offensive Cyber Capability. In H. Santos, ed. 8th European Conference on Information Warfare and Security. Academic Publishing Limited, pp. 177-182.
69

Ottis, R. (2010). From Pitchforks to Laptops: Volunteers in Cyber Conflicts. In: C. Czossek, K. Podins, eds. Conference on Cyber Conflict - Proceedings 2010. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication, 2010. pp. 97-110. Ottis, R, Lorents, P. (2010). Cyberspace: Definition and Implications. [pdf] NATO Cooperative Cyber Defence Center of Excellence. Available at: http://www.ccdcoe.org/articles/2010/Ottis_Lorents_CyberspaceDefinition.pdf [Last Accessed 29.03.2012] Overclockers. (2012). Home Page. [online] Available at: www.overcklockers.ge [Last Accessed 27.03.2012] Parfitt, T. (2011). Georgian woman cuts off web access to whole of Armenia. The Guardian. [online] (April, 2011). Available at: http://www.guardian.co.uk/world/2011/apr/06/georgianwoman-cuts-web-access [Last Accessed 27.03.2012] Parliament of Georgia. (1999). [On Legal Entity of Public Law]. [online] Available at: http://www.parliament.ge/index.php?kan_det=det&kan_id=198&lang_id=GEO&sec_id=69 [Last Accessed 2.05.2012] Phneah, E. (2012). China, India lag in cyber-readiness. ZDNet. [online] (January, 2012). Available at: http://www.zdnetasia.com/china-india-lag-in-cyber-readiness-62303654.htm [Last Accessed 28.04.2012] Puryear, C. (2009) Virginia Guard network defenders welcomed home. Virginia National Guard. [online] (August, 2011). Available at: http://vko.va.ngb.army.mil/VirginiaGuard/news/aug2009/DPUhomecoming.html [Last Accessed 25.03.2012] Rios, B. K. (2009). Sun Tzu was a Hacker: An Examination of the Tactics and Operations from a Real World Cyber Attack. [pdf] NATO Cooperative Cyber Defence Center of Excellence. Available at: http://www.ccdcoe.org/publications/virtualbattlefield/10_RIOS_Sun_Tzu_was_a_hacker.pdf [Last Accessed 28.03.2012] Segal, A. (2012) Beware the Patriotic Geek: The Risk of Cyber Militias in Asia. Council on Foreign Relations, Asia Unbound blog [blog] (February, 2012).
70

http://blogs.cfr.org/asia/2012/02/22/beware-the-patriotic-geek-the-risk-of-cyber-militias-inasia/?cid=oth_partner_site-atlantic [Last Accessed 27.03.2012] Starr, S., Kuehl, D., Pudas, T. (2010). Perspectives on Bulding a Cyber Force Structure. In: C. Czossek, K. Podins, eds. Conference on Cyber Conflict - Proceedings 2010. Tallinn: NATO Cooperative Cyber Defence Center of Excellence Publication, 2010. pp. 163-182 Tabatadze, D. (2010). GRENA CERT Activities during Cyber Attacks against Georgia. Electronic Governmental Resources [online] Available at: http://www.egovernment.ge/uploads/library/1.%20GRENA%20CERT%20presentation%20at%20GITI.pdf [Last Accessed 28.03.2012] Tarkhnishvili, Nino. (2012). [Parliament Discussed Concept of Reserve System]. Radio Free Europe/Radio Libertys Georgian Service. [online] Available at: http://www.radiotavisupleba.ge/content/article/24563094.html [Last Accessed 10.05.2012] TBC Bank. Public Relations Office. (2012). [e-mail] Personal Communication. March 3, 2012 Threat Assessment for 2010-2013. (2010). National Security Council of Georgia (NSC). [pdf] Available at: http://nsc.gov.ge/files/files/legislations/policy/threatassessment2010_2013.pdf [Last Accessed 15.05.2012] Tikk, et al. (2008). Cyber Attacks Against Georgia: Legal Lessons Identified. NATO Unclassified Document. [pdf] US Army War College. Available at: http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf [Last Accessed 19.04.2012] Times of India. (2010). Desi hackers join Indian cyber army!. [online] (August, 2010) Available at: http://articles.timesofindia.indiatimes.com/2010-08-05/job-trends/28309456_1_indian-cyberarmy-hackers-computer-systems [Last Accessed 28.04.2012] Tsuchiya, M. (2012). Patriotic Geeks Wanted to Counter a Cyber Militia. The Association of Japanese Institute of Strategic Studies. [online] (February, 2012). Available at: http://www.jiia.or.jp/en_commentary/201202/17-1.html [Last Accessed 27.04.2012] United Nations Volunteers. (2004). Volunteering for development. [online] (October, 2007). Available at: http://www.unv.org/en/news-resources/archive/unv-news/unv-news-october2004/doc/volunteering-for-development.html [Last Accessed 2.04.2012]
71

University of Cambridge. Institute of Manufacturing. (2012). SWOT (Strengths, Weaknesses, Opportunities, Threats). [online] Available at: http://www.ifm.eng.cam.ac.uk/dstools/paradigm/swot.html [Last Accessed 2.05.2012] US Army National Guard. (2012). Guard Pay. [online] Available at: http://www.nationalguard.com/benefits/guard-pay?icid=meganav_benefits-guard-pay_20110720 [Last Accessed 26.04.2012] US Navy (Official website). (2011). Navy Reserve U.S. 10th Fleet Holds Change of Command Ceremony. [online] Available at: http://www.navy.mil/search/display.asp?story_id=64276 [Last Accessed 28.03.2012] US Office of Personnel Management. (2012). Reservist Differential. [online] Available at: http://www.opm.gov/reservist/summary/ [Last Accessed 26.04.2012] VIC (Volunteer Information Center). (2012). Home page. [online] Available at: http://volunteering.ge/index.php?option=com_content&view=frontpage&Itemid=1&lang=en [Last Accessed 14.05.2012] Virginia National Guard. (2011). Virginia Guard Mobilization Overview. [online] (June, 2011). http://vko.va.ngb.army.mil/VirginiaGuard/media/MOBoverview.html [Last Accessed 25.03.2012] WARP (Warning, Advice and Reporting Point). (2012a). WARP Background. [online] Available at: http://www.warp.gov.uk/background.html [Last Accessed 25.03.2012] WARP (Warning, Advice and Reporting Point). (2012b). Case Studies. [online] Available at: http://www.warp.gov.uk/case-studies.html [Last Accessed 25.03.2012] WARP (Warning, Advice and Reporting Point). (2012c). Directory of WARPs. [online] Available at: http://www.warp.gov.uk/directory.html [Last Accessed 25.03.2012] Washington Air National Guard. (2012). 194th Regional Support Wing. [online] Available at: http://washingtonairguard.org/194rsw/ [Last Accessed 25.03.2012] Wittman, George H. (2011). Chinas Cyber Militia. The American Spectator. [online] Available at: http://spectator.org/archives/2011/10/21/chinas-cyber-militia [Last Accessed 15.05.2012]

72