Volume 11 | Issue 1 by The Heinz Journal

Editor-in-Chief

Luke D. Taylor

Managing Editor

Amy McCarty

Production Managers

Joe Pulickal Kgolane Thobejane Senior Editors

Alexander Mitchell Bryan Hong Maureen Washburn Matthew DiFiore Steven Davelport Junior Editors

Katy Corella Varshith Pane Anand Sarah Foster Nandini Suresh Kumar Rahul Ladhania Jeremy Osir Sindy Lopez Brittany Gernhard Dini Maghfirra Matthew Lim Forum Director

Kelson Hedderich

Radio Directors

Peter Komfolio Patty Stubel

Volume 11 | Issue 1 | Winter 2014 ARTICLES Bitcoin: Integrity, Availability and Confidentiality Attacks within the Current System Deana Shick

Factors Influencing Overeducation in the Tanzanian Labor Market: Policy Measures Dr. Pius Chaya & Dr. Martha Nhembo

Measuring the Federal Debt: The Cases for Converting to Accrual-Basis of Accounting Elliott Long

Cyber Warfare by Nation-States: What Defensive Hacking Strategies Can We Implement? Joel Lee

DIALOGUE Policy that Matters’ Radio Feature Discussion of Syrian Conflict Co-hosts: Sarah Foster Alex Mitchell

Heinz Voices’ Featured Column How Randomized Control Trials Can Help Solve Africa’s Poverty Trap Nathan Jayappa

The Heinz J ournal is the student-run publication of the H. J ohn Heinz III College, Carnegie Mellon University, dedicated to publishing works that link c ritical and theoretical analysis with polic y implementation.

The Heinz Journal 4800 Forbes Avenue Pittsburgh, PA 15213 http://journal.heinz.cmu.edu

We ac cept submissions from professionals, policy sc hool students, and members of the Pittsburgh c ommunity. E mail submissionas and questions to: heinz-journal@andrew.c mu.edu

CALL FOR SUBMISSIONS GUIDELINES:

ABOUT THJ:

Articles must contain graduate-level research. Submissions accepted from students of any discipline, alumni, and professionals. Co-authorship is welcomed and encouraged. MUST be in Chicago-style format. MUST include an abstract. MUST be in .doc file format. Articles selected based upon originality, relevance, and readability. Policy analysis pieces between 4,000-10,000 words in length are encouraged, but length is not a condition for selection.

THJ is a graduate student conceived and

For more guideline information, please visit our Submission Guidelines page at journal.heinz.cmu.edu The Heinz Journal (THJ) intends to

provide constructive feedback on both style and content to authors. Authors are expected to work with journal editors to edit, revise, add, or otherwise change the piece to improve quality as much as this schedule allows. The author must inform the editorial staff if any manuscript content has already been published or is under consideration for publication elsewhere.

run publication dedicated to publishing works that link theory and implementation. THJ seeks to publish articles relevant and meaningful to both policy professionals and students. THJ offers a unique opportunity to showcase the quality work products of talented scholars in diverse fields. After a selective review and editing process, pieces are published on the web at http:// journal.heinz.cmu.edu.

This is for a rolling submission. We are accepting submissions around the year. Please email your submission to TheHeinzJournal@gmail.com and indicate your affiliations or university.

The Heinz Journal H. John Heinz III College Carnegie Mellon University 5000 Forbes Avenue Pittsburgh, PA 15213

Greetings and welcome to the latest volume of The Heinz Journal (THJ). It is with great excitement that we present to you the fruits of our autumn labors. We trust that you will find it full of thought-provoking and stimulating content on many issues facing contemporary policymakers. Coming into the academic year, as we screen submissions for publication and prepare our final product, our organization is focused on three general qualities. First and foremost, we evaluate the overall quality of a submission. The other two important considerations are the articles’ relevance to current topics and trends, and our commitment to providing a publication that explores a variety of policy topics. Though this can be a difficult task, we are very pleased to be offering this issue because it has so satisfied all our priorities. With that, let me guide you through what is contained within Volume 11. On New Year’s Day of this year, many newspapers and magazines around the world began offering recaps and reflections on 2013’s most notable developments. Among this content are many curious musings about the ascent of the bitcoin. Likewise, you will begin your readings in this issue by deepening your understanding of the phenomenon in terms of its technical details. Writing from an information security policy perspective, Deana Shick makes plain the current security gaps in bitcoin exchange systems employed by bitcoin enthusiasts, followed by offering some specific recommendations to protect users.

FOREWORD

Our 11th volume also includes a healthy portion of articles pertaining to foreign and international concerns. For starters, Drs. Martha Nhembo and Pius Chaya of the Institute of Rural Development Planning in Dodoma, Tanzania report on the relationship between education levels and changing labor demands. Their contribution considers the problem of overeducation in the Tanzanian labor market, paying close attention to its accompanying characteristics within a variety of different contexts. The conclusions of this article are meant to make the case that the current market is suffering from a surplus of the overeducated, and provide support for policies that assist the unemployed in finding the right matches for their skills.

Finally, this volume offers a consideration of two domestic US concerns. Since the summer of 2010, Congress has been sharply divided over the issue of the federal budget and its debt. Breaking from the traditional talking points, Elliot Long discusses the size of the US debt in terms of the accounting method employed by the Treasury Department. Long makes the case that the current cash-basis accounting method does not offer the fullest and truest reporting of the size of the federal debt. He advocates for the adoption of an accrual-basis of accounting to incorporate known future expenses. We also have a contribution from Joel Lee on the issue of cyber warfare among nation states. Lee begins by claiming that, despite the increasing prevalence of a multitude of cyber threats, the US is sorely ill-prepared to defend itself. He supports this claim to begin, followed by an impressive and thoroughgoing suite of both policy recommendations and strategies for adoption in the US. Before you begin reading, let’s take a moment to recognize the great contributors to THJ’s success this past Fall 2013. From our entire organization, we are thankful for the Heinz College’s support of our work, especially as evidenced through the tireless work of Jackie Speedy, Sandy Harris, and Shawneil Capmbell – you all provide the space, resources, and security that we need. We are also extremely grateful for the long hours put into this publication by Joe Pulickal from the production team. A special thanks goes to our outgoing Managing Editor Amy McCarty – the editing process provides that position with a lot to oversee and we appreciate her leadership on this. Thanks also to our faculty advisor and trusty confidante, Dr. Silvia Borzutzky. Finally, of course, this entire project would not be remotely possible if it weren’t for the teams of committed editors who spent many hours scouring and improving the submitted articles. We hope that you find this edition insightful and interesting. Happy reading. Sincerely,

Luke D. Taylor Editor-in-Chief

THE HEINZ J OURNAL

BITCOIN INTEGRITY, AVAILABILITY AND CONFIDENTIALITY ATTACKS WITHIN THE CURRENT SYSTEM DEANA SHICK ABSTRACT Bitcoin is a relatively new term for those outside the IT community, and has large implications for the layman. It is a decentralized, virtual currency grounded in a cryptographic algorithm that is "mined"; for each solution to the algorithm, the user is awarded a virtual coin – a bona fide currency akin to the US Dollar or European Euro. This system relies on trusted peer-to-peer networks and basic cryptology to remain anonymous and secure. In all systems, there are inherent vulnerabilities and risks, and the proliferation of Bitcoin is no different. This paper discusses various types of malicious code. The first, Infostealer.Coinbit steals Bitcoin Wallets from unsuspecting users; the second, Trojan.Badminier and Trojan.DevilRobber, creates a mining botnet to extract more coins from the algorithm. To subdue the attacks upon the wallets and supply, the Bitcoin system must be more centralized in order to enforce practical security policies. Keywords: Information Security, Bitcoin, Mining, Cryptography, Availability, Confidentiality

INTRODUCTION

BITCOIN CRYPTOLOGY

Bitcoin does not represent anything “new” in our society. Human nature looks for an easy, effective way to save as much money as possible, and to achieve the maximum earning potential. Traditionally, this was accomplished by depositing a paycheck through a local bank, or buying a stock in a publicallytraded company. These transactions generally come with a direct cost to consumers in the form of an interest rate or banking fee. An alternative to the traditional system is the Bitcoin, a peer-topeer, crypto-currency that circumvents banks and allows savings and transactions between users. Real people invest in the Bitcoin system to buy and sell goods, which is said to be unobtrusive due to its decentralized nature, secure due to the encryption mechanisms in place, and a cheaper savings alternative due to limited transaction fees.

The Bitcoin relies on asymmetric cryptology to ensure the integrity of the coin itself. Asymmetric cryptology utilizes a keyset containing one public and one private key to encrypt or decrypt data; symmetric cryptology, on the other hand, only uses one key for encryption and decryption. The system relies on Secure Hashing Algorithm 256 bit (SHA256), for hashing power, and Elliptical Curve DSA to create digital signatures.1,2 The Bitcoin is comprised of a “block chain,” which is the transaction history of the coin itself. This block chain consists of many digital signatures to ensure verification purposes for each party. During the transaction, the first user digitally signs the coin’s hash with their private key.3 The second user, the one receiving the coin, verifies the signature with the first user’s public key. The block chain proves to the network that the transaction has transferred ownership to the second user.4 Additionally, this process ensures the integrity of the coin itself by verifying the hash, along with ensuring it came from the correct person. It provides a means of non-repudiation, and makes a transaction history of the coin. Without this block chain, users would be able to “double spend” as there would not be a record of ownership for the coin.5

However, the reason why malicious activity poses such a threat is that real people are investing their earned money into this system, and are relying on third-party clients to keep their investment safe. This system is much like the stock exchange: there is a tangible value connected to pieces of intangible goods that are bought and sold. Because this system is new, there are vulnerabilities that adversaries have exploited for their own financial gain. For this reason, this paper aims to discuss the integrity, availability, and confidentiality attacks upon Bitcoin wallets and exchanges, which may not make it such an ideal system to use. To acquire the best understanding of the Bitcoin, I downloaded the appropriate software, Bitcoin Qt, and utilized the Mt Gox Exchange.

journal.heinz.cmu.edu

The cryptographic principles behind the Bitcoin are sound; SHA256 has not been cracked, and the key distribution method does provide computational security. In this regard, the coin is safe, and would take a very long time to brute force. However, it is the means of storage in the digital wallets, and the network of the exchange that are prone to attack. Rather than an attack on the integrity of the coin itself, the harm manifests itself in the

Winter 2014

BITC OIN SE C URITY

integrity, availability, and confidentiality of the wallets and exchange.

capacity to meet needs, and service is completed in an acceptable period of time.8

MEANS OF TRANSFER

Importance of Confidentiality

There are two ways of transferring Bitcoins between users. The first is a wallet to wallet transfer while the other is through a Bitcoin trading exchange.

Sustaining confidentiality is a critical aspect to preserving information security. Confidentiality suggests that only authorized persons or systems can access protected data.9 Any data that is of value to a user or corporation can be considered confidential in nature. Personal identifiable information, proprietary information, or any files a user considers valuable must be protected. Once a machine has been infected with a worm, virus, or Trojan, this information is at risk. The wallets hold private keys along with the coins that are a symbol of monetary value.10 Additionally, Bitcoin exchanges house much personal information on their internal servers, which are a target of attack for those looking to steal sensitive information. 11

1. Wallet to Wallet Exchange: A user’s Bitcoins are stored in a digital wallet, which acts in the same way a traditional wallet would. It stores coins that are at rest, and allows a user to quickly access the currency. There are browser-based wallets, which allow a user to upload coins into a greater system, and local wallets, which install a program onto a local machine for transfers. I will focus on local wallets for the purposes of this discussion. The original and official wallet client, Bitcoin Qt, is the most popular, and what I used to conduct my own research. 6 I found that the wallet itself comes unencrypted, and saves files onto my machine. I opted into the encryption, which requires a password. At rest, the wallet is encrypted using AES-256.7 The wallet requires a user to have a premade PGP key pair already made, which is imported into the wallet. This is used for direct transfers between users. The wallet is saved as “wallet.dat” on the local host. 2. Trade over an Exchange: Exchanges are a popular means of buying and selling Bitcoins. These are third parties who have made a profit off of transaction fees between users. Many of those wanting to use this currency simply make a profile and log onto the exchange. Traditional currency is transferred into the exchange from bank accounts, which are translated into Bitcoin. A very popular exchange is Mt. Gox hosted out of Japan. http://www.mtgox.com. IMPORTANCE OF SECURITY The Role of data Integrity The issue of integrity is not in the coins themselves, but what they represent to the user. Each coin is worth a value paid in traditional currency. The wallets and exchanges that house Bitcoins need to keep this value safe. Those who make the software for the wallets or create the exchanges must assure their users’ money is safe, cannot be augmented by a third party, free of thieves, and accessible; if two Bitcoins are left in a wallet on a personal computer, the client expects these to be there the next day. Availability is Necessary for the System Major banks across the world assure their clients that any money invested, whether in a savings account, a checking account or as a Certificate of Deposit can be accessed by appropriate personnel. Because there is only a certain amount of tangible cash circulating at any given time, money is translated into a digital number and saved on databases internal to the bank. Availability is overlooked at times, and many do not understand the true impact of not being able to access data. Availability ensures that information is present in a useable form. It is the

journal.heinz.cmu.edu

ATTACK VECTORS OF THE BITCOIN Bitcoin Wallet Client Vulnerability and Trojan Horses Major problems within the Bitcoin community are inherent vulnerabilities in the Bitcoin clients, and the use of Trojan Horses to steal Bitcoin wallets. The first vulnerability, named CVE-2011-4447 by US-CERT (United States Computer Emergency Readiness Team) and NIST (National Institute of Standards and Technology),12 was a bug that left private keys unencrypted in the wallet.dat file.13 This vulnerability was easily exploitable by an adversary who could steal a users wallet full of Bitcoins by obtaining the private key of the key pair. An analogy of this is as follows: “I leave my car keys out, the car doors may be locked, but if you have the keys you can unlock it and steal the car.” This vulnerability is both an integrity and confidentiality issue in the system. The wallets are compromised, and adversaries could potentially have sensitive information about the user. Because of the ease and increasing popularity of Bitcoin transactions, it is not surprising that malicious code to steal coins exists. Symantec posted an alert on June 11, 2011 for a Trojan Horse that has serious implications for Bitcoin users. 14 Infostealer.Coinbit is a Trojan Horse that searches for a Bitcoin wallet on a machine, then uploads it to an attacker’s servers. 15 If the wallet in unencrypted, it is very easy for the adversary to steal the coins; on the other hand, if the wallet is encrypted, it makes it much more difficult, but not impossible. 16 Furthermore, once the wallet is uploaded to another server, a motivated adversary can exploit the CVE-2011-4447 vulnerability within the wallet client. Once the private key is obtained, the coins are gone. Additionally, once this malware infects a machine, other confidential information can be ex-filtrated. Like the first vulnerability, this Trojan poses a breach of integrity and confidentiality of the user. Managing the user experience is a problem for a decentralized system. There are many clients that claim to be secure, but if the user does not understand his or her implication in the system, or discounts various threats, the costs can be devastating. Bitcoin

Winter 2014

BITC OIN SE C URITY

Qt wallet comes unencrypted because users tend to forget passwords, and once the wallet is encrypted and the pass code forgotten, the money is essentially lost. Some users do not want to encrypt their wallets for this reason, but this carries incredible consequences.17 In 2011, the first Bitcoin “heist” happened to a user called “allinvain,” who was reportedly setting up a Bitcoin online auction site. He woke up one morning to 25,000 Bitcoins being stolen from his wallet, which accounted for $500,000 USD.18 Unlike monopoly money that does not carry any real value, these stolen Bitcoins have backing as a bona-fide currency. But here is no auditing system in place to get the coins back. In a traditional market, a person can call the police if their personal stash of money was stolen. There is no police system in place for Bitcoins, which increases the risk. Botnet Implications Botnets are a very popular means for adversaries to take down networks through the use of a Distributed Denial of Service (DDoS) Attack. A botnet is a series of infected computers that range from the hundreds into the thousands. These computers are infected with a particular type of malicious code, which varies depending on the use of the botnet. A malicious person could control the botnet to launch an attack. Depending on the attack, each individual infected machine in the botnet can perform a set of instructions, which could mean attacking a company server by clogging the bandwidth, or using the combined power to mine Bitcoins. Most users do not know that their computer is infected and is participating in one of these attacks. A DDoS causes a large availability attack on a system. Bitcoin mining is done by the use of super computers that crack an algorithm. These miners are rewarded with coins, which are then pushed into the system. These high processing machines are very expensive to run and maintain; for this reason, many botnets have been created to “mine” on a user’s computer ,without the knowledge of the users of the infected computers. The two most popular are the “Trojan.Badminer,”19 which infects Windows 7 and “DevilRobber,”20 which infects Mac OSX. Both hijack the machine, and allow remote command and control of the system while scanning for sensitive information like credit cards.21 Additionally, the botnet can perform a DDoS attack, and cause an availability attack on websites of the controller’s choosing. These botnets pose a confidentiality attack by stealing sensitive information and mining Bitcoins without the consent of the user. Additionally, it is estimated that there is an associated cost to the users due to botnets totaling $100,000, USD.22 Bitcoin Exchange Attacks Attacks are in no way isolated to user machines; the largest reprocutions on the Bitcoin system have come from attacks upon the Bitcoin Exchanges. Instead of a wallet-to-wallet money transfer, users can opt into a Bitcoin exchange, which facilitates the transfer of funds from traditional currencies into Bitcoins. Exchanges are able to earn profits due to the transaction fees, generally much less than banking fees, which are placed on each transaction. Although many exchanges are advertised as being

journal.heinz.cmu.edu

“safe,” historically this has not been true. Exchanges are a prime target for attackers because money is being centralized into one system. Instead of attacking individual wallets, which could range in value and location, the Bitcoin Exchanges have thousands of dollars moving every second. Additionally, users must register with the exchange, or even a third party, like www.dwolla.com23 and provide personal information, which includes names, addresses, phone number, bank account number, etc.24 Aside from being a place where people can swap currencies, the exchanges hold a lot of personal information, which can also be exploited. Http://www.mtgox.com/ is a commonly used exchange, boasting of trade in sixteen currencies worldwide and a “secure vault” for Bitcoins.25 In June 2011, a user was able to steal 25,000 Bitcoins with 400,000 reported as missing from the Mtgox exchange; the company cited that their “database of 61,020 entries” was stolen.26 The user plunged the 100,000 Bitcoins back into the market causing the currency to severely drop in price. The cause of the hack was due to “lax security practices such as failing to use the state of the art hashing methods to protect its database.”27 These attacks upon the Mtgox exchange highlight the need for effective information policy within the company including proper precautions to maintain confidentiality of the users, and the integrity of the user accounts. RECOMMENDATIONS MOVING FORWARD Fixes for Integrity, Availability and Confidentiality Attacks From my understanding of this issue, and working within the system to create my own wallet and invest in an actual exchange, there seems to be a large disconnect between the wallets and exchanges. The wallets do not work within an exchange and vice versa. Whether in the form of weak client software, malicious code, botnets, or poor practices, the integrity of the Bitcoin system is at stake. Theft is a very real problem that has dire consequences. If a person is trading coins in volume in order to maintain their livelihood, integrity and availability are top priorities. Due to the nature of the Bitcoin system, there is no auditing in place from a third party, and it is exponentially harder to track thieves than it would be in the traditional system. With an increased popularity there will be a likely increase of Trojans and viruses that will attempt to steal the Bitcoin. Additionally, with the stolen goods, there is an increased risk of stolen confidential information. If a user’s Bitcoins are stolen, then there is an availability issue of the Bitcoins not being there, and an integrity issue of the file being augmented or taken completely, which are monetarily important to the user. It is key to inform users of the Bitcoin the nature of malicious code and the risks implications of saving coins on a machine. Users must do their due diligence and keep themselves

Winter 2014

BITC OIN SE C URITY

protected. In particular, wallets must remain encrypted while at rest, and users must take responsibility and recall passwords and other means of accessing their data in a safe manner. The proliferation of best practices in regards to passwords and encryption would be of paramount importance for users in the Bitcoin community. If wallet is being stored on a local machine, the user must ensure that an anti-malware system is in place and kept up to date. Additionally, if malware is running on high ports, turn off unnecessary ports to protect sensitive data and investments. Botnets carry large impacts to companies who are affected by a DDoS; an infected user must understand their part in the greater whole, and implement an application level firewall to stop the proliferation of the Trojan along with an antimalware application running on the machine. For the Bitcoin, malicious code carries consequences both at an individual level and for the greater network; it is of utmost important to implement easy fixes. Unfortunately, these are not widely implemented for the Bitcoin due to a lack of education on security. Education is the only way users will know of their responsibilities and ways to protect their investment.

different in this respect, and it possesses the capacity for those to come together to make a standardizing procedure in which all users agree. I believe to hit critical mass, there must be an auditing body in place to ensure the Bitcoin remains safe, users remain confidential, and exchanges and wallets are available. As it stands, once coins are lost or stolen, they cannot be retrieved, which is a huge catalyst for the system. CONCLUSION Although the Bitcoin is still in its infancy, security concerns must be addressed now to streamline transactions down the road. Users must be insured that their investment is safe from thieves, miners, and others who intend to make harm. Education is a paramount step in making an overall better system that provides auditing and best practices. Crypto-currency is an interesting topic that has its place in both policy and technology, and offers a means beyond the banking system to make payments. Bitcoin may be a laughable idea in the future, or it could be the de facto standard for currency. Without these necessary fixes for security, the coin cannot proliferate to its highest potential.

Creating a Centralized Network In the Bitcoin community, there is no central location constantly alerting users where the attacks are coming from and how they manifest. In order to provide best practices, Bitcoin users, in the form of individuals and those running exchanges, must come together to discuss the best ways to operate. The open source community does an excellent job of creating standards and testing them in order to make the best product possible; this must be translated into how to make the best system possible. I believe it would be supremely beneficial to have a committee of those in the system deciding best security practices, and auditing them across the board. This would ensure that exchanges remain safe, and could alert exchanges of possible threats. Perhaps the Bitcoin is not meant to be fully decentralized; but rather, have more centrality from those working from the bottom up instead of the top down. The Internet, in its infancy, was created by a small group of people who wanted to see information proliferate without censorship or boarders. Many standardizing organizations have come together to decide what is or is not proper for the Internet (WC3, IETF, etc.) Bitcoin is not

Deana Shick is a second year graduate student in the Information Security Policy and Management program at the Heinz College. Deana is a Research Assistant with the CERT Program at the Software Engineering Institute (SEI), and has worked closely with the Network Situational Awareness team since May 2013. Deana graduated a BA in International Relations and Political Science from Duquesne University in 2012. She will be working full-time with CERT upon graduation.

journal.heinz.cmu.edu

Winter 2014

BITC OIN SE C URITY

SOURCES 1) Edward Z. Yang, "The Cryptography of Bitcoin," Inside 206105 RSS, accessed November 25, 2012, http://blog.ezyang.com/2011/06/thecryptography-of-bitcoin/. 2) Ibid. 3) Ibid. 4) Moshe Babaioff, Shahar Dobzinski, Sigal Oren, and Aviv Zohar, "On Bitcoin and Red Balloons," Microsoft Research, Microsoft, last modified June 2012, http://research.microsoft.com/apps/pubs/? id=156072. 5) Satoshi Nakamoto, "Bitcoin: A Peer-to-Peer Electronic Cash System," last modified November 1, 2008, http://bitcoin.org/bitcoin.pdf. 6) "Bitcoin P2P Digital Currency," Bitcoin, accessed November 28, 2012, http://bitcoin.org/en/. 7) Edward Z. Yang, "The Cryptography of Bitcoin," Inside 206105 RSS, accessed November 25, 2012, http://blog.ezyang.com/2011/06/thecryptography-of-bitcoin/ 8) Cummings, Adam, and Michael Hanley. Intro to Information Security Policy Managment, Course 95752. Carnegie Mellon University, Heinz College, Pittsburgh, Pennsylvania. 27 Aug. 2012. Class Lecture. 9) Ibid. 10)Kyt Dotson, "Bitcoin Wallet Encryption Bug Discovered in Official Client," SiliconANGLE, accessed November 24, 2012, http:// siliconangle.com/blog/2011/11/14/bitcoin-walletencryption-bug-discovered-in-official-client/.

view/vuln/detail?vulnId=CVE-2011-4447. 13)Kyt Dotson, "Bitcoin Wallet Encryption Bug Discovered in Official Client," SiliconANGLE, accessed November 24, 2012, http:// siliconangle.com/blog/2011/11/14/bitcoin-walletencryption-bug-discovered-in-official-client/. 14)Stephen Doherty, "All Your Bitcoins Are Ours...," Endpoint, Cloud, Mobile & Virtual Security Solutions, Symmantic, accessed November 28, 2012, http:// www.symantec.com/connect/blogs/all-yourbitcoins-are-ours. 15)Stephen Doherty, "Infostealer.Coinbit," Infostealer.Coinbit, Symantec, accessed November 24, 2012, http://www.symantec.com/ security_response/writeup.jsp?docid=2011-061615 -3651-99.

21)Ibid. 22)Jason Mick, "Inside the Mega-Hack of Bitcoin: The Full Story," Daily Tech, last modified June 19, 2011, http://www.dailytech.com/ Inside+the+MegaHack+of+Bitcoin+the+Full+Sto ry/article21942.htm. 23)"No Cards, Just Cash," Dwolla, accessed 28 Nov. 2012, https://www.dwolla.com/. 24)"Start Using Bitcoin, Sign up Today," Mt.Gox, accessed November 28, 2012, https:// www.mtgox.com/signup/.

16)Jason Mick, "Inside the Mega-Hack of Bitcoin: The 25)"Mt.Gox - Bitcoin Exchange," Mt.Gox - Bitcoin Full Story," Daily Tech, last modified June 19, 2011, Exchange, accessed November 28, 2012, https:// http://www.dailytech.com/ www.mtgox.com/about-us. Inside+the+MegaHack+of+Bitcoin+the+Full+Sto ry/article21942.htm. 26)Jason Mick, "Inside the Mega-Hack of Bitcoin: The Full Story," Daily Tech, last modified June 19, 2011, 17)Gavin Anderson, "Why Aren't Bitcoin Wallets http://www.dailytech.com/ Encrypted?" Gavinthink, last modified June 24, Inside+the+MegaHack+of+Bitcoin+the+Full+Sto 2011, http://gavinthink.blogspot.com/2011/06/ ry/article21942.htm. why-arent-bitcoin-wallets-encrypted.html. 18)Keir Thomas, "World's First Virtual Heist? BitCoin 27)Ibid. User Loses $500,000," PCWorld, last modified June 15, 2011, http://www.pcworld.com/ article/230377/ worlds_first_virtual_heist_bitcoin_user_loses_5000 00.html.

19)"GPU Roaring? You May Be Infected With a Bitcoin Trojan Says Symantec," Daily Tech, last 11)Jason Mick, "Inside the Mega-Hack of Bitcoin: The modified August 17 2011, http:// Full Story," Daily Tech, last modified June 19, 2011, www.dailytech.com/ http://www.dailytech.com/ GPU+Roaring++You+May+Be+Infected+With+ Inside+the+MegaHack+of+Bitcoin+the+Full+Sto a+Bitcoin+Trojan+Says+Symantec/ ry/article21942.htm. article22474.htm. 12)"Vulnerability Survey for CVE-2011-4447," National Vulnerability Database (NVD), accessed November 28, 2012, http://web.nvd.nist.gov/

www.dailytech.com/ Devil+Robber+Trojan+Infects+Macs+Leeches+T heir+GPUs+for+Bitcoin+Profit/article23161.htm.

20)Jason Mick, ""Devil Robber" Trojan Infects Macs, Leeches Their GPUs for Bitcoin Profit," Daily Tech, last modified November 1, 2011, http://

journal.heinz.cmu.edu

Winter 2014

THE HEINZ J OURNAL

FACTORS INFLUENCING OVEREDUCATION IN THE TANZANIAN LABOR MARKET POLICY MEASURES DR. PIUS CHAYA & DR. MARTHA NHEMBO ABSTRACT The formal labour markets in the world face serious over-education. This paper thus provides evidence on the factors driving the existence of over-education in Tanzania, with reference to the formal sectors in Dodoma and Dar es Salaam regions. The study used multinomial logit model analysis and employed cross sectional and Worker Self Assessment (WSA) techniques. Interviews were conducted to collect data from 319 employees and SPSS-16 was used for data analysis. Results reveal that workers in the formal sector aged between 29 and 50 years and with access to transport were likely to be over educated (p<0.05). Similarly, workers in the private sector have more chance of being over educated (p<0.05). Workers in urban areas are likely to be over educated (p<0.05). Thus, harmonisation of labor policies should be given due weight and employers who violate the human resource practices should be dealt legally. Key words: over-education, under-education, labor policy, formal sector, logit model, Tanzania INTRODUCTION The aim of this paper is to provide evidence on the factors influencing the incidence of overeducation in the Tanzanian labor market. Thus, the problems of overeducation and undereducation, collectively referred to as either education mismatch or educationâ&#x20AC;&#x201C;job mismatch, are becoming policy issues in many labor markets around the world, and are influenced by multiple factors.1,2,3 Overeducation describes a situation in which a worker has a higher level of education level than his is required by his job,4,5 and the converse situation describes to undereducation.6,7 Thus, labor markets that have experienced overeducation and undereducation suffer from low worker morale, high probability to quit jobs, low capacity of workers to produce and deliver services and hence low contribution to economic growth.8 Countries are now experiencing overeducation and undereducation differently and thus the plethora of studies such as in Italia,9 Australia10 and EUs11 provides evidence of the problems. In addition, both overeducation and undereducation have been overwhelmingly studied from the angle of career mobility, educational returns and spatial mobility,12 and the inequality of the match between jobs and workers.13 There is evidence that overeducation and undereducation is due to mismatch between education levels and occupations 14,15. Furthermore, fiscal austerity and economic uncertainty have been found to be among the key determinants of mismatch between education and occupation.16 A p a r t from the aforementioned determinants, the issues of poorly designed labor and education policies and laws, as well as changes in technologies,17 have tended to make education mismatch more prominent.18 Similarly, inadequate data on education and

journal.heinz.cmu.edu

demand for various jobs is a problem in many labor markets. A good example of education mismatch is when a PhD recipient is employed in work more closely befitting an undergraduate.19 The factors for overeducation and undereducation are multiple and have economic implications. Studies on individual characteristics reveal that the incidence of overeducation is lower among females than it is among males due to their tendency to hesitate taking high-level positions in the labor market.20 In addition, overeducation among females tends to increase with the degree of remoteness of the local labor market.21 Linsley further contends that married women experience higher rates of undereducation and lower rates of overeducation. More importantly, married women are more susceptible to undereducation due to burdens of family care and reproductive roles. The incidence of overeducation tends to decrease by age while that of undereducation increases by age. Incidence of overeducation also has a direct, positive relationship with the number of children in a family. This implies that women who are old and who have more children are more likely to be over educated than young women with fewer children.22,23 Job characteristics are reported to influence overeducation and undereducation. Linsley24 studied overeducation in Australia and reported that nature of the sector (private or public) has no influence on education mismatch. According to the studies of Deville25 and Nordin26 et al in the private sector, workers are more likely to be over educated than workers with less experience. This is because employers provide extensive training in order to avoid having their workers become under educated.27,28 In most cases, poor career planning and training can increase the risk of overeducation.

Winter 2014

OVE RE DUC ATION IN TANZANIA

In Tanzania, the labor market is made up of more than 20.6 million people who are currently in the labor force.29 In addition, an average of 700,000 new entrants and re-entrants join the Tanzanian labor force every year including those in the informal sector.30 Therefore, more than 18.3 million people are estimated to be employed in a number of sectors including the informal sector.31 The current unemployment rate in Tanzania stands at 12.9 percent.32 The formal labor market of Tanzania has a private and public sector. It is also characterised by high wages, good working conditions, high job security, employment stability and opportunities for career advancement.33 Likewise, the formal sector of Tanzania consists of the following number of workers: about 344,839 persons are in central, local and regional governments; 78,270 are in the parastatal enterprises; and 682,118 are in the private sector. According to the 2005/06 Integrated Labor Force Survey (ILFS) of Tanzania, the Public Formal Sector (PFS) accounts for 2.7 percent of the total employed workers (i.e. 2.2 percent in central and local governments and 0.5 percent in the parastatals).34 Again, there are notable efforts made by the government of Tanzania and other stakeholders in improving the labor market and the economy at large. These efforts have been successful through reforms such as Investment Reform and Privatisation (1980s), Public Sector Reforms Program (PSRP, 1990s) and Civil Service Reforms Program–CSRP (1993).35 In addition, the National Employment Policy of 2008,36 the National Strategy for Growth and Reduction of Poverty (NSGRP II)37 and the Tanzania Long Term Plan (2010-2026)38 have measures to address overeducation and undereducation. That apart, the Tanzania Employment Law and Labor Relations Act of 2004 39 provides for legal and strategic advice in all areas of the employment and industrial relations in both private and public sectors across a broad scope of policy implementation. In addition, Tanzania, through the President’s Office, Planning Commission (PO-PC), is currently undertaking a study on skills development in Tanzania.40 Despite the indicated progress, the Tanzania labor market still faces a number of challenges including how to strike a balance between supply and demand for education levels. Thus, the key focus of this study is to determine whether incidences of overeducation is driven by individual factors (sex, age, marital status, and number of children), spatial factors (access to transport, location), education characteristics (actual levels of education, years on schooling) job requirements (tenure, chance to get job, information about jobs), and which policy solutions are best suited to address the incidence of overeducation. THEORETICAL FRAMEWORK This study has reviewed theories for building the research framework and constructed labor economics models. Some parameters from these theories have been adopted and others developed as to develop the conceptual framework and further enrich the theories. Human Capital Theory (HCT) The use of HCT in labor market analysis is common as it

journal.heinz.cmu.edu

analyzes how investment in education has effect on workers ability to produce.41 Since its postulation, it has been widely applied in the sense that workers with more education have a high chance of being skilled, and this observation is positively correlated with wage rate.42,43 In the same analysis, more years of schooling have a positive effect on earning potentials.44,45 However, the theory is not free from critiques since overeducation can sometimes lead to a worker earning less, and an under educated worker can earn job security at the expense of overall performance of the economy. In addition, a worker with overeducation might be placed in a job that he does not match well.46 Studies by Becker47 and Mincer48 argue that overeducation can be estimated through the equality between the return to years of schooling and return to years required for a job. Moreover49 in his study on the contribution of human capital investment in Nigeria, while supporting the human capital theory, found out that education has not had the positive impact on economic growth that was expected because educational capital has gone into privately remunerative but socially unproductive activities. Thus, this study uses the human capital theory (HCT) to understand how years of schooling and opportunity costs of going to school and not going to school have an effect on over and undereducation Career Mobility Theory (CMT) The CMT postulates how incidence of overeducation and undereducation among workers can be reduced through career mobility.50 The theory assumes that workers get in service training and hence they grow when they are working.51 In other words, either organizations or institutions where the worker is employed act as a center of excellence and a vehicle for increasing career mobility. Deville’s analysis suggests that education mismatch may be a result of having poor mobility in the labor market.52 Nordin et al suggests that both overeducation and undereducation are temporary phenomena, 53 since people get nurtured within the new positions as they progress in their careers. Therefore, this study has adopted the career mobility theory to analyze the way overeducation and undereducation is affected by the tenure of workers and the nature of labor markets (i.e. private or public; small or large) as well as the chance to secure jobs. Spatial Mobility Theory (SMT) Spatial mobility theory focuses on how workers are capable of moving from one labor market to another based on geographical location. Linsley54 found out that workers in local markets that are also far from urban markets (i.e. markets which are not organized such as those in the rural areas) have high chance of education mismatch. Frank55 and Büchel and van Ham56 contend that workers tend to face education mismatch since they are located in labor markets that do not guarantee a matching mechanism. Hofmeister57 argues that, in America, the problem of education mismatch has been aggravated by difficulties to move from home to working stations. He pointed out further that by 1990, American workers spent about 40 minutes travelling to and from work every day, which amounts to nearly a week of 24-hour days per year per worker, and this is a serious

Winter 2014

OVE RE DUC ATION IN TANZANIA

problem of spatial mobility. Thus, this study intends to uncover how overeducation and undereducation vary with working location Job Signaling Theory (JST) This theory as postulated by Spence58 assumes that information asymmetry on the quality and ability of a worker compels an employer to have adverse selection. Linsley59 and Kucel and Vilalta-BufĂ60 point out that employers use the level of education of an employee as a signal of competence. This occurrence happens because of the difficulty of gauging worker competence and ability based upon a first encounter. This results in the employer adopting an adverse selection process. Dolton and Vignoles61 found that a person who has been over educated in one country in their last job and has decided to move to another country is likely to be over educated in the new country as well. This was proven in Australia where over educated, foreign migrants who went to work in Australia became over educated by about 45 percent.62 The focus of use of this theory is on whether using only the level of education suffices to justify the competence of workers and hence be a tool for eliminating mismatch in the labor market. Search Theory (ST) Desjardins and Rubenson63 employed the Search Theory (ST) in their study on the analysis of skills mismatch using direct measures of skills in OECD countries. They further pointed out that ST is relevant in the context of mismatch since it is used to understand how either imperfect or perfect information has influenced education mismatch. Thus the use of ST is common in particular when job-seeking workers have inaccurate or imperfect information about the positionâ&#x20AC;&#x2122;s required tasks or duties. As a result, they may accept a job offer in which the job tasks are not commensurate with their qualifications or skills. 64 This study acknowledges that the use of ST in the study of overeducation and undereducation is limited. Despite this limitation, the study employs this theory to better understand how information asymmetry is common in the graduate labor markets. Kalleberg used this theory in the context of employees, but this study will use this theory to ask respondents (workers) what were the barriers to getting jobs in light of the information asymmetry encountered while they were seeking jobs. METHODOLOGY Study Area, Sampling Procedures and Data collection methods The study was carried out in the Dar es Salaam and Dodoma regions of Tanzania and targeted workers from both the formal public and private sectors. The choice of the regions is based on the fact that Dar es Salaam leads Tanzania in its contribution of office workers to the labor market, accounting for 33.6 percent of all workers in the formal sector.65 The choice of Dodoma region was mainly due to its emphasis on government work, since it was promoted to a capital city and is a fast growing city with many offices relocating to its region from all over

journal.heinz.cmu.edu

Tanzania.66 The study also selected the formal sector as a reference sub sector. This was chosen because of its importance in growth through service delivery and job creation, the fact that there are limited studies on over and undereducation. The study used cross-sectional and case study approaches. The Workers Self Assessment (WSA) approach was employed as part of the job analysis to get data from workers, 67,68 since this is widely used and it is up-to-date.69 However, through this approach, workers can over or under estimate their status of education levels.70 The study employed a survey interview method to collect primary data on factors of incidence of overeducation and undereducation, including job characteristics, individual characteristics, job education requirements and spatial mobility characteristics. The data were collected using a structured questionnaire and were administered to workers at all levels. The study included all municipals from the Dar es Salaam region, namely Ilala, Temeke and Kinondoni. This method was employed to increase the chance of getting enough data from offices. On the other hand, four councils out of six were randomly selected from the Dodoma region. These include the Dodoma municipals, Bahi district, Chamwino district and Kondoa district. There were many workers in Dar es Salaam because the region has many offices. Workers from each of the sampled councils were selected as follows: Dodoma municipal (72), Kondoa (3), Bahi (31), Temeke (6), Kinondoni (152), Ilala (38) and Chamwino (17). The majority of the workers were from Kinondoni because this is a city with many private sector offices. There were few people from Kondoa due to poor response of workers, as well as poor communication where few questionnaires were returned. However, since the analysis could not determine the level of impact districts had on the data, its presence could not affect the analysis. The categorization of rural or urban were based on the location of labor market, such that markets which were located on the peripheral of the district were regarded to be of the same category as that district, rural based markets and vice versa. Thus, the sampling of offices was based on location and convenience. The first case was when many offices were located in the same locality (clustered). In such cases simple random sampling was used. (This was commonly employed for the case of urban areas like Dodoma municipal, Temeke, Kinondoni and Ilala councils.) The second case was where the offices were so scattered, thus the snowball sampling was used. In some areas, private organizations were fewer than public organizations. This disrupted the trend of selecting respondents since an extra public organization had to be added to the study to make up for the missing origination from the private sector. Thus, the choice of offices was based on whether or not an organization was public or private. The sampling for the offices was a bit tedious since in some cases office location was not clearly known, and one category of offices was located in the same place (either all private offices or all public offices). The study sampled organizations by skipping one interval, implying that when the first office was public, the second selection was supposed to be private. This was meant to ensure there was equal representation of both the public and private formal workers. The study thus employed the Multistage Cluster Sampling (MCS) method to

Winter 2014

OVE RE DUC ATION IN TANZANIA

sample workers. The choice of this method was made because of difficulties in getting the exact sampling frame of all workers in the formal sector, particularly in the Dar es Salaam and Dodoma regions. Schmidt71 and Kothari72 recommend an MCS method based on the fact that it increases validity of data. Using this sampling method, workers were sampled in clusters so as to get a rational composition of workers in terms of departments, sex and education levels. Thereafter, simple random sampling was used to get respondents. In addition, the sample size of the study was based on the theory of central limit of normal distribution curve.73,74 Thus, this study sampled 177 workers from the private sector and 142 from the public sector. The sampled respondents consisted of 201 male workers and 118 female workers. Sampling ensured that when the first respondent was male, the second selection was female. (This was possible with offices with high female representation.) Model Estimation The study employed the Multinomial Logit Model (MLM). This model was used to determine the incidence of overeducation and undereducation among workers. The model is in popular use by different scholars such as Linsley75 and Battu and Sloane.76 It is therefore capable of detecting the likelihood of mismatch due to having a dependent variable that is multi categorical and independent variables that are made up of dummy variables.

 INDCji = Individual characteristics for worker j with some other sub-characteristics i (sex, age, marital status, nationality, number of children)  SPATji = Spatial mobility characteristics for worker j with some other sub-characteristics i (access to transport, location (rural, urban).)  JOBRji = Job Requirements characteristics for worker j with some other sub-characteristics i ( private/public sector, time to secure job and chance to secure job, terms of employment, trade union, access to job information, contract, work experience.)  EDUCji = Education characteristics for worker j with some other sub-characteristics i (actual/required level, PhD, masters/PGD, degree, adv diploma, diploma, certificate, std 7).  β1 ----- β4 = coefficients of estimates  Єji = Random error term or disturbance term  Education Mismatch (EM) = 1 – Overeducation (OE) = 2 – Undereducation (UE) = 3 – Perfect Match (PME) The probability (Pr) that individual j is likely to fall into either overeducation, undereducation or perfect match education due to i characteristics. That is the probability that the worker is OE is the odd of the UE and is given as follows:

Assumptions of the MLM i.

The model assumes that the that influence the probability that a worker is over educated or under educated, and yet has a perfect match, obeys the Multinomial Logit Model (MLM) ii. The model assumes that the dependent variable of education mismatch (EM) is categorical and has more than two values iii. The dummy dependent variable for education mismatch is 1 when there is overeducation, 2 when there is undereducation, and 3 when there is a perfect match iv. The logistic distribution is wider with a higher standard deviation (i.e.1.81) and hence provide more accurate prediction of the problem in question v. The error term takes logistic distribution whose Probability Density Function (PDF) is approximately normal due to a large sample used in this study with standard deviation and mean, that is, ε ~N (0, σ2). vi. The explanatory variables (Xs) are vectors and categorical with dummy characteristics Estimation of the Model The incidence of EM for a worker “j” who can either be over educated, under educated or perfectly matched while behaving with i characteristics in the labor market can be estimated by using the probability multiple regression model as derived below: ..(1) where:

journal.heinz.cmu.edu

Where Prji = denotes as the probability of mismatch of an individual j due to influence of i characteristics. Thus, the Maximum Likelihood Estimation (MLE) for each parameter (B) of the model with respect to education mismatch when OE=1, UE=2 and PME=3 is given as follows:

Where L(B)= Likelihood of B and LogL(B) is the logarithmic livelihood of B. Data Analysis Prior to data analysis, the collected data were edited and coded and entered into the software called Statistical Package for Social Science (SPSS-15). The common problems of multicollinearity were critically examined. Diagnostic tests to detect the presence of the preceding problems were performed by using Multinomial Likelihood Estimation method and in most cases indicated the absence of serious multicollinearity. The goodness-of-fit of the multinomial logit model was measured by Chi square and Log-

Winter 2014

OVE RE DUC ATION IN TANZANIA

likelihood value as the basis of inference.77,78 Moreover, the following criteria were also employed to verify the goodness-offit of the model: (i) statistical tests of significance (p value), (ii) inspection of the signs of the estimated parameters to verify whether they agreed with expectations, (iii) values of the standard errors of the variables included in the model and, (iv) whether the empirical model was correctly predicted. On the basis of these criteria, the empirical models used in this study was thus checked for econometric errors and found to be free from such errors. The processed data were thereafter analysed using SPSS software. Hypothesis Testing The hypotheses were tested at 1%, 5% and 10% levels of significance (α) to increase the chance to capture all needful factors for the incidence of overeducation. These levels were appropriate to provide accurate confidence intervals in relation to prediction of the influence of explanatory variables such as individual job characteristics, education, and spatial characteristics on overeducation, undereducation, and perfect match as proposed by Sincich et al79 and Schmidt.80 The computed probability (p) values were compared thereafter with the alpha (µ). In addition, the coefficients of estimates from the models were used to interpret the findings based on their magnitudes and direction of effects. The acceptance of the alternate hypothesis was based on the fact that the p-value could be less than the level of significance (µ). Thus, the hypotheses tested in this study are as follows:

Hypothesis III Ho: Workers in the private sector had less overeducation and undereducation than those in sector Ha: Workers in the private sector had more overeducation and undereducation than those in sector

chance of the public chance of the public

Measurable variables Dependent variables: overeducation, undereducation and a perfect match Independent Variables: sector – private or public Decision Rule: Reject Ho: when p value (p) < α and use coefficients estimates from the regression model to analyze the magnitude of influence. Hypothesis IV Ho: More years in schooling cannot increase overeducation and undereducation among workers Ha: More years in schooling can increase overeducation and undereducation among workers Measurable variables Dependent variables: overeducation, undereducation and a perfect match Independent Variables: years in schooling-interval Decision Rule: Reject Ho: when p value (p) < α and use coefficients estimates from the regression model to analyze the magnitude of influence.

Hypothesis I Ho: Workers in urban areas were not likely to be more over educated or under educated than workers in rural areas. Ha: Workers in urban areas were likely to be more over educated or undereducation than workers in rural areas.

Hypothesis V Ho: More years of experience cannot increase overeducation and undereducation among workers Ha: More years of experience can increase overeducation and undereducation among workers

Measurable indicators Dependent variable: overeducation, undereducation and a perfect match Independent variable: Working place—rural or urban (dummy), Decision Rule: Reject Ho: when p value (p) <α and use coefficients estimates from the regression model to analyze the magnitude of influence.

Measurable variables Dependent variables: overeducation, undereducation and a perfect match Independent Variables: years of experience Decision Rule: Reject Ho: when p value (p) < α and use coefficients estimates from the regression model to analyze the magnitude of influence.

Hypothesis II Ho: Workers who had access to job information had a high chance of overeducation and undereducation Ha: Workers who had access to job information had a low chance of overeducation and undereducation

RESULTS AND DISCUSSION

Measurable variables Dependent variables: overeducation, undereducation and a perfect match Independent Variables: perfect information, imperfect information Decision Rule: Reject Ho: when p value (p) < α and use coefficients estimates from the regression model to analyze the magnitude of influence.

journal.heinz.cmu.edu

Influence of Individual Factors on OE and UE Table 1 presents findings on the influence of individual characteristics on overeducation (OE) and undereducation (UE). Four variables related to individual characteristics have been tested, namely sex, age, marital status and number of children. Influence of Sex on Overeducation and Undereducation The results suggest that being a male worker bears a significant negative (i.e. p = 0.01 and B = -2.098) influence on overeducation. However, the chance to experience overeducation had a tendency to decline significantly, making

Winter 2014

OVE RE DUC ATION IN TANZANIA

the worker less susceptible to the problem of overeducation (see Table 1). This shows that there is a change in relation to traditional perception on highly educated workers, and thus most of them now are becoming aggressive to secure jobs that match their levels. This in specific terms has helped to reduce their incidence of overeducation. These findings are also in contrast with Linsley’s findings in his study on overeducation in Australia,81 which reported that gender has no statistical influence on the incidence of both under and overeducation. Influence of Marital Status on overeducation and undereducation The results show that single workers have a higher chance (p=0.069 and B=1.954) of being over educated than their counterparts. This is believed to result from the increased likelihood of single workers to have fewer family ties and a greater desire for pursuing higher education without focusing on future employment prospects. If not well controlled and managed, these will end up creating a group of workers who exceed the education level required by an employer for a position, and are consequently over educated. Furthermore, in most cases, new entrants in the formal labor market are single graduates whose level of education requires higher salaries, although few of these graduates have the required level of education. This situation and the fact that there is a shortage of job opportunities make the job seekers vulnerable, thus, accepting any job regardless of the level of education, and, at times, making them over educated. In most cases, single youths have been facing overeducation since they cannot find other jobs that match their actual levels of education. Such workers tend to face vertical mismatch where the level of education of the worker is more than what is required, and in some cases, the type of education possessed by the worker is different from what is required by the job. These findings were different from the theory of overeducation by Frank82 which suggests that married women in small local labor markets are likely to be over educated since they could not find the right jobs that matched their level of education. Other studies such as by Linsley83 revealed that married workers were more likely to be under educated than single workers. Influence of Age on Overeducation and Undereducation Workers between 29 and 39 years of age were likely to be less under educated at p=0.051 and B= -2.809. Similarly, workers between the ages of 40 and 50 were also likely to be less under educated at p= 0.017 and B= -3.356 (see also Table 1). These findings imply that in such ages, most of the workers would have gained more experience by pursuing higher levels of education. With a shortage of jobs, age minimizes chances of being under educated. In addition, lack of jobs spurs the growth of education mismatch such that highly educated workers take posts which were previously occupied by less educated workers. In this case, a bumping effect is created and the problem of unemployment is exacerbated for under educated workers. Influence of Number of children on Overeducation and Undereducation This study has discovered that workers with between 0 and 5

journal.heinz.cmu.edu

children are disproportionately at risk (p=0.08 and B=2.783) of undereducation (see Table 1). This is “the more children a respondent has, the greater chance the respondent has of being under educated with respect to perfect match as a matter of opportunity costs, where parents spend more on their children’s education rather than maximizing their education utility. In addition, an increase in the incidence of undereducation among workers with many children also has different dimensions in regards to other financial obligations that are not tied to education. These include health as well as social and financial obligations. Influence of Spatial Mobility Characteristics on over and undereducation This study used the spatial mobility theory that was intended to find out the influence of access to transport and location of respondents on over or undereducation. The findings are presented in Table 2. Influence of Access to Transport on overeducation and undereducation The results in table 2 show that workers who had no access to transport services had a higher chance of being over educated (i.e. B=2.057; p= 0.004) at 5 percent level of significance. This means that lack of transport services influenced workers to find jobs in small markets and of which are near their places of living. As a result, workers with higher levels of education get employed in inferior jobs and since they have low bargaining power, they opt for such jobs to be able to earn a living. This has been common in Dar es Salaam city where transport services is a problem, such that workers with high levels of education decide to find jobs in the areas where they can minimize transport cost and save time regardless of whether or not the jobs match with their levels of education. These findings are in contrast to Linsley’s findings in Australia84 that access to transport does not have significant influence on education mismatch. On the other hand, the findings of the current study are similar to the findings by Battu and Sloane85 and Blazquez and Malo,86 which revealed that lack of transport facilities and ability to commute can force a worker to take any position so long as he earns a living; thus he becomes involuntarily subjected to overeducation. Influence of Location of the market on overeducation and undereducation The results in Table 2 show that working in urban areas is statistically significant and has a positive influence (i.e. B=5.054; p=0.0021) on overeducation at a 5 percent significance level. This is due to the fact that urban areas have the necessary working facilities for workers. This concentration of people in a single area has created pressure on workers for getting jobs in the urban areas due to stiff competition in the labor market. All these eventually compel job seekers to accept any job regardless of the post, wage and level of education. This coupled with the idling educated labor force make the employers change their taste and preferences with regard to recruiting workers and without taking into account the consequences of their decisions. This does not only increase the incidence of the overeducation

Winter 2014

OVE RE DUC ATION IN TANZANIA

problem, but it may also magnify the problem of unemployment in urban areas. However, the situation in rural and peri-urban areas is different. The analysis shows that workers in the rural areas have a high probability (i.e. B=4.114; p=0.064) of becoming under educated (see Table 2). Thus, lack of qualifications as well as having a high unemployment rate in the labor urban labor market compel job seekers, who have been neglected by the labor market in urban areas, to apply for positions located in rural areas. Thus, employers out of desperation, resulting from short supply of educated labor, decide to employ individuals regardless of their levels of education. In turn, the decision to employ less educated personnel has the effect on their ability to deliver services and the wage to be paid. These findings are in contrast with Linsley’s findings87 indicating no significant spatial influence of location on education mismatch. However, the findings of this study are supported by Blaquez and Malo,88 findings which show that spatial mobility in a particular location has a significant influence on education mismatch, despite the fact that Blaquez and Malo were not specific on which variables in terms of location were significant. Their conclusion on the spatial mobility theory was therefore weak. Influence of Job Characteristics on overeducation and undereducation This study further analysed the influence of job characteristics (i.e. sector of the economy, access to job advertisement, the chance of securing jobs, nature of contract, tenure and duration taken to secure current job) on overeducation and undereducation. The results are presented in Table 3 and its discussion follows below. Influence of sector of the economy on overeducation and undereducation This study also tested the hypothesis that workers in the private sector have a higher incidence of both undereducation and overeducation than workers in the public sector. The results in Table 3 show that employment in the private sector increases a worker’s chance (i.e. B=2.603; p= 0.018) of being over educated. The explanation for this result is that the private sector attracts more over educated workers than the public sector does since the motives for private sector is profit maximisation. In addition, the private sector believes in employing more educated workers who are efficient and can deliver services. In addition, the sector takes advantage of the competitive labor market with high unemployment rate to employ over educated workers in inferior jobs. Note that, even though they employ more educated workers, in some cases they don’t pay them the equivalent wage rate. Subsequently, this ends up creating a high turnover rate among workers and few opportunities for promotion. Influence of Job information and chance to secure job on overeducation and undereducation In addition, this study tested the hypothesis that in the context of job characteristics, lack of access to information about jobs has a positive significant influence on overeducation and

journal.heinz.cmu.edu

undereducation. The results in Table 3 reveal that high access to information on job availability had no statistical influence on the incidence of both overeducation and undereducation. Furthermore, results show that workers with a job seeking chance of between 41 and 60 percent had more chance to be over educated (i.e. B=-3.638; p=0.002). This implies that as the chances of securing a job fall to average, the greater the likelihood of getting a perfect match and the lesser the chance of overeducation. The chance of between 0-40 percent gives the worker the likelihood of becoming more under educated (i.e. B=2.1.4, p=0. 006); thus the lower the chance of securing jobs is associated with labor market imperfections, and this eventually forces workers to get into the job that does not match their education. Thus, employment mismatch is exacerbated by high levels of competition, corruption and nepotism in the labor market. Influence of Type of Contract on overeducation and undereducation Analysis of the influence of the type of contract on the likelihood of being over educated or under educated. Table 3 shows that workers who had contracts have a higher chance of being under educated (B=2.465; p=0.003). Having contracts makes workers to relax for further training, since contracts gives workers more security about their job, thus sometimes these contracts enable workers to neglect seeking higher levels of education. However, such workers are likely to be negatively affected by the changes in the world, in terms of emerging technology, increased production and shifts in management. Job Education Characteristics (JEC) and over and undereducation The study also examined the influence of education characteristics such as the actual level of education, tenure and years spent on schooling on education mismatch. The study uses human capital theory and schooling theory. The hypothesis tested includes whether more years of schooling can increase the chances of being over educated. Table 4 summarises the results from the analysis. Influence of Years of Schooling on overeducation and undereducation The schooling and human capital theory were tested to ascertain whether years spent in schooling have an influence on overeducation and undereducation. The results in Table 4 show that there is statistically significant positive relationship between the increase in years of schooling and overeducation. Among workers with a minimum of 11 years of schooling, the risk of overeducation was greatly increased. This is inconsistent with the human capital and schooling theory. The overeducation is thus due to an imperfect labor market, which is associated with high unemployment rate. Influence of Tenure on overeducation and undereducation The results in Table 4 show that workers with more experience have low chance of being under educated. This is because, when

Winter 2014

OVE RE DUC ATION IN TANZANIA

workers have accumulated years of experience, they are likely to be exposed to reasonable training opportunities, which in one way or the other have improved the quality of job and education matching. In turn, the more the worker is exposed to refresher courses while working, as proposed by career mobility theory, the more they reduce their risk factor for education mismatch. This supports career mobility theory, which says workers will decrease the degree of mismatch with increasing years of working. The findings of this study support what was observed by Linsley that education mismatches can be minimized by experience and training,89 which have a positive correlation with productivity and earnings. Nordin et al suggests further that both overeducation and undereducation are temporary phenomena, 90 since people are nurtured within their new positions as they progress in their careers, however, this might be a specific to some occupations only. Similarly, Korpi and TĂĽhlinâ&#x20AC;&#x2122;s findings91 match with the current findings that a person who is over educated may hold jobs offering extensive on the job-training or superior promotion prospects, which in turn minimize the effects and longevity of mismatch. Some subsequent longitudinal studies on the same theory have reached the same conclusion. 92 CONCLUSION AND RECOMMENDATIONS

terms and have contracts expressed no significant influence on both under and overeducation. Policy Recommendations This paper recommends that fresh graduates should be sensitized to the importance of being aggressive and prompt in finding jobs in any labor market and how to find jobs to avoid mismatch. In addition, job seekers need to develop a job seeking behaviour and be aggressive to search for information on jobs as well as register with job searching centres such as the Tanzania Employment Service Agency (TAESA) and other registered labor market associations. There is an urgent need to encourage and support training institutions and the National Bureau of Statistics (NBS) to carry out research on labor market regularly. Acknowledgment We thank the Higher Education Student Loan Board of Tanzania, University of Dodoma, Institute of Rural Development Planning for financial support. We thank also the University of Dodoma for hosting the PhD student. We thank the employers who allowed the data collection to take place in their offices.

Conclusion Overeducation in the Tanzanian formal labor market is a common problem. In terms of marital status, single workers have a higher chance of being over educated than their counterparts. Workers in the formal sector with age between 29 and 50 years and who had access to transport services were likely to be over educated. Similarly, workers in the private sector had more chance of being over educated. Lack of access to information on jobs provided no influence on overeducation. Working in urban areas has significant influence on overeducation. Workers who are employed based on permanent

Dr. Pius Chaya is a lecturer of Economics and Public Policy at the Institute of Rural Development Planning (IRDP) in Tanzania. His areas of research include labour markets, welfare economics, general public policy, and public finance.

Dr. Martha Nhembo is a lecturer and Coordinator of Postgraduate Diploma Studies at the Institute of Rural Development Planning - Dodoma. Her areas of interest include public sector management and development, and the linkages of demography to labour markets, gender, and employment mechanisms.

journal.heinz.cmu.edu

Winter 2014

OVE RE DUC ATION IN TANZANIA

SOURCES 1) Kenneth J. Arrow and William M. Capron, “Dynamic Shortages and Price Rises: the Engineer Scientific Case,” Quarterly Journal of Economics 73, no. 2 (1959): 292-308. 2) Ingrid Linsley, Overeducation in the Australia Labor Market: Its Incidence and Effects (Melbourne: University of Melbourne, Australia, 2005).

tion in Sweden, 1974 – 2000,” Working Paper 10/2007 (Stockholm: Swedish Institute for Social Research, 2006). 20) Linsley, “Overeducation in the Australian Labour Market.” 21) Ibid.

3) Giorgio Di Pietro and Peter Urwin, “Education and 22) Bárcena-Martín, Budría and Moro-Egido, “Skill Skills Mismatch in the Italian Graduate Labor Mismatches and Wages.” Market,” Applied Economics 38, no. 1 (2006): 79-93. 23) Robert H. Frank, “Why Women Earn Less: The 4) Elena Bárcena-Martín, Santiago Budría and Ana Theory and Estimation of Differential OverqualiIsabel Moro-Egido, “Skill Mismatches and Wages fication,” American Economic Review 68, no. 3 among European University Graduates,” Working (1978): 360-373. Paper 33673 (MPRA, 2011). 24) Linsley, “Overeducation in the Australian Labour 5) Ingrid Linsley, “Overeducation in the Australian Market.” Labour Market: its Incidence and Effects,” Department of Economics Working Paper Series 939 25) H. Deville, “Unemployment in Brussels: Between (University of Melbourne, 2005). Skills Mismatch and Job Competition,” Brussels Studies 14 (2008). 6) Ibid. 26) Martin Nordin, Inga Persson, and Dan-Olof 7) European Centre for the Development of VocaRooth, “Education-Occupation Mismatch: Is tional Training (CEDEFOP), Skills Supply and there an Income Penalty?” Discussion Paper Demand in Europe Medium-term Forecast up to 2020 No.3806 (IZA, 2008). (Luxembourg: Publications Office of the European), 2010. 27) Deville, “Unemployment in Brussels."

122. 42) Olivier Jean Blanchard, Macroeconomics, 4th ed (Upper Saddle River, NJ: Prentice Hall, 2006). 43) George J. Borjas, Labor Economics, 2nd ed (New York City, NY: McGraw-Hill Education, 2006). 44) Ibid. 45) E. Walterskitchen, “The Relationship Between Growth, Employment and Unemployment in the EU,” Austrian Institute of Economic Research Workshop in Barcelona, September 16-18, 1999. 46) Linsley, “Overeducation in the Australian Labour Market.” 47) Gary S. Becker, Human Capital: a Theoretical and Empirical Analysis with Special Reference to Education (New York: National Bureau of Economic Research, 1964). 48) Jacob Mincer, Schooling, Experience and Earnings (New York: Columbia University Press, 1974). 49) David Umoru and Olohitare P. Odjegba, “Human Capital Development and the Nigerian Economy: A Dynamic Specification,” Developing Country Studies 3, No. 12 (2013).

8) Linsley, “Overeducation in the Australian Labour Market.”

28) Nordin, Persson and Rooth, “EducationOccupation Mismatch.”

50) Linsley, “Overeducation in the Australian Labour Market.”

9) Di Pietro and Urwin, “Education and Skills Mismatch.”

29) United Republic of Tanzania (URT), Integrated Labor Force Survey 2005/2006 (Dar es Salaam: NBS, 2006).

51) Ibid.

30) Ibid.

53) Nordin, Persson and Rooth, “EducationOccupation Mismatch.”

10)Linsley, “Overeducation in the Australian Labour Market.” 11)CEDEFOP, Skills Supply and Demand.

31) Ibid.

12)Viktor Andreas Venhorst, Jouke Van Dijk, and Leo 32) United Republic of Tanzania (URT), Employment Van Wissen, “Do the Best Graduates Leave the and Earning Survey (Dar es Salaam: NBS, 2012). Peripheral Areas in The Netherlands?” Journal of Economic and Social Geography 101, no. 5 (2010). 33) URT, Integrated Labor Force Survey. 13) Linsley, “Overeducation in the Australian Labour Market.”

34) Ibid.

35) 14) Peter John Dolton and Anna Vignoles, “The Incidence and the Effects of Overeducation in the UK Graduate Labor Market,” Economics of Education Review 19, no. 2 (2000): 179. 36)

LO/FTF Council, Profile of the Labour Market and Trade Unions in Tanzania. Project No. 036/002/01 (Copenhagen: LO/FTF, 2003). URT, National Employment Policy (Dar es Salaam: NBS, 2008).

15) Ying Chu Ng, “Overeducation and Undereducation and their Effects on Earnings: Evidence from 37) URT, Tanzania Long Term Plan Perspective (2010Hong Kong 1986-1996,” Pacific Economic Review 6, 2025) (Dar es Salaam: NBS, 2010). no. 3 (2001): 401-418. 38) Ibid. 16) CEDEFOP, Skills Supply and Demand. 39) URT, Tanzania Employment Law and Labor Relations 17) Ibid. Act of 2004. 18) Jack Keating, Matching Supply and Demand for Skills, International Perspectives (Adelaide: National Centre for Vocational Education Research (NCVER) ), 2008.

40) URT, President’s Office Planning Commission. The Study on Skills Development to Facilitate Tanzania Becoming a Strong Competitive Economy by 2025 (Dar es Salaam: NBS, 2012).

19) Tomas Korpi and Michael Tåhlin, “Educational 41) Nachum Sicherman, “Overeducation in the Labor Mismatch, Wages, and Wage Growth: OvereducaMarket,” Journal of Labor Economics 9 (1991): 101-

journal.heinz.cmu.edu

Winter 2014

52) Deville, “Unemployment in Brussels.”

54) Linsley, “Overeducation in the Australian Labour Market.” 55) Frank, “Why Women Earn Less.” 56) Felix Büchel and Maarten van Ham, “Overeducation, Regional Labor Markets, and Spatial Flexibility,” Journal of Urban Economics 53 (2003): 482-493. 57) Heather Hofmeister, “Literature on Job Mobility in the United States,” Chapter 9 in “State-of-theArt of Mobility Research,” Job Mobilities Working Paper No. 06-01 (European Commission, 2006). 58) Michael Spence, “Job Market Signalling,” Quarterly Journal of Economics (1973): 355-374. 59) Linsley, “Overeducation in the Australian Labour Market.” 60) Aleksander Kucel and Montserrat Vilalta-Bufí, Graduate Job Satisfaction: Comparing Spain, the Netherlands and Norway (Barcelona: Universitat Pompeu Fabra, 2011). 61) Dolton and Vignoles, “Overeducation in the UK Graduate Labor Market.”

OVE RE DUC ATION IN TANZANIA

62) Linsley, “Overeducation in the Australian Labour Market.”

72) C. R. Kothari, Research Methodology, Methods and 83) Linsley, “Overeducation in the Australian LaTechniques (Wishwa Prakashan: New Delhi, 2007). bour Market.”

63) Richard Desjardins and Kjell Rubenson, “An Analysis of Skill Mismatch Using Direct Measures of Skills,” Education Working Paper No. 63 (OECD, 2011).

73) Ibid.

64) Arne L. Kalleberg, The Mismatched Worker (New York: Norton, 2006). 65) URT, Employment and Earning Survey. 66) Ibid. 67) Linsley, “Overeducation in the Australian Labour Market.” 68) Sicherman, “Overeducation in the labor market.” 69) John Robst, “Career mobility, Job Match, and Overeducation,” Eastern Economic Journal (1995): 539-550. 70) Joop Hartog, “Overeducation and Earnings: Where are we, where should we go?” Economics of Education Review (2002): 131-147. 71) S. J. Schmidt, Econometrics (New York: McGrawHill, 2007).

84) Linsley, “Overeducation in the Australian Labour Market.”

74) Schmidt, Econometrics. 75) Linsley, “Overeducation in the Australian Labour Market.” 76) Harminder Battu and Peter James Sloane, “How well can we measure graduate over-education and its effects?’” National Institute Economic Review 171 no. 1 (2000): 82-93. 77) Ibid.

85) Battu and Sloane, “How well can we measure graduate over-education?” 86) Maite Blazquez and Miguel A. Malo, “Educational Mismatch and Labor Mobility of People with Disabilities: The Spanish Case,” Revista de Econo Economía Laboral 2 (2005): 31-55. 87) Linsley, “Overeducation in the Australian Labour Market.”

78) Terry Sincich, P. George Benson and James T. McClave, Statistics for Business and Economics (Upper Saddle River: Pearson Prentice Hall, 2005).

88) Blazquez and Malo, “The Spanish Case.”

79) Ibid.

90) Nordin, Persson and Rooth, “EducationOccupation Mismatch.”

80) Schmidt, Econometrics. 81) Linsley, “Overeducation in the Australian Labour Market.” 82) Frank, “Why Women Earn Less.”

journal.heinz.cmu.edu

Winter 2014

89) Linsley, “Overeducation in the Australian Labour Market.”

91) Korpi and Tåhlin, “Overeducation in Sweden.” 92) Robst, “Career Mobility, Job Match, and Overeducation.”

OVE RE DUC ATION IN TANZANIA

APPENDIX TABLE 1. Influence of individual factors on over and undereducation: MLM.

VARIABLES

COEFFICIENT (B)

STANDARD ERROR

P-VALUE

-1.540

12,909.140

1.000

-2.098

0.820

0.010**

18-28years

-1.640

1.784

0.358

29-39 years

-0.933

1.530

0.542

40-50 years

0.283

1.579

0.858

1.954

1.073

0.069*

0.583

1.925

0.762

8.321

3.658

0.023

-0.435

0.523

0.406

18-28years

-2.456

1.528

0.108

29-39 years

-2.809

1.436

0.051**

40-50 years

-3.356

1.412

0.017**

-0.388

0.580

0.504

2.783

1.589

0.080*

Overeducation Intercept Individual Characteristics Sex Male Age

Marital Single Number of Children 0-5 years Undereducation Intercept Sex Male Age

Marital Single Number of Children 0-5 years MLM summary -2log likelihood value

520

Pearson Chi Square

241.442

Constant

278

Observation â&#x20AC;&#x201C;N

299

Reference Category

PME

journal.heinz.cmu.edu

Winter 2014

OVE RE DUC ATION IN TANZANIA

TABLE 2. Influence of SMCs on overeducation and undereducation: MLM.

VARIABLES

COEFFICIENT (B)

STANDARD ERROR

P-VALUE

-1.540

12,909

1.000

Rural

1.914

3.005

0.524

Urban

5.054

2.182

0.021**

2.057

0.723

0.004**

8.321

3.658

0.023

Rural

4.114

2.222

0.064**

Urban

0.403

1.395

0.773

0.584

0.418

0.163

Overeducation Intercept Spatial Characteristics Location

Access to Transport Inability to move Undereducation Intercept Location

Access to Transport Inability to commute MLM summary

-2log likelihood value

520

Pearson Chi Square

241.442

Constant

278

Observation â&#x20AC;&#x201C;N

299

Reference Category

PME

journal.heinz.cmu.edu

Winter 2014

TABLE 3. Influence of job characteristics on over and undereducation: MLM. VARIABLES

COEFFICIENT (B)

STANDARD ERROR

P-VALUE

-1.540

12,909

1.000

2.603

1.100

0.018**

Available by > than 50%

-1.642

1.287

0.202

Available by less than 50%

-0.054

0.749

0.942

0-20%

-1.002

0.849

0.238

21-40%

-19.784

0.886

0.982

41-60%

-3.638

1.197

0.002**

61-80%

-1.654

1.080

0.126

1.893

1.184

0.110

Less than a year

-1.110

2.022

0.583

1-2 years

-3.418

2.271

0.132

8.321

3.658

0.023

-0.092

0.502

0.855

Very available

0.963

0.802

0.230

Available

0.273

0.421

0.516

0-20%

1.321

0.780

0.090*

21-40%

2.886

0.976

0.003**

41-60%

0.796

0.973

0.413

61-80%

0.351

0.931

0.706

2.465

0.836

0.003**

Less than a year

-2.063

2.454

0.400

1-2 years

-0.976

2.481

0.694

Overeducation Intercept Sector Private Job information

Job Chance

Status of Contract Yes Time to get job

Undereducation Intercept Sector Private Job information

Job Chance

Status of Contract Yes Time to get job

MLM summary -2log likelihood value

520

Pearson Chi Square

241.442

Constant

278

Observation -N

299

Reference Category

PME

Significant at *p<0.1, **p<0.05, ***p<0.01

journal.heinz.cmu.edu

Winter 2014

OVE RE DUC ATION IN TANZANIA

TABLE 4. Influence of JECs on overeducation and undereducation: MLM. Variables

p-value

Coefficient (B)

Std. Error

-1.540

12,909

1.000

Masters

-0.305

1.004

1.000

First degree

-5.040

1.001

1.000

Diploma

-5.915

1.003

1.000

Certificate

-25.050

1.002

0.998

7-8 years

5.454

3.327

0.101

12-14 years

9.037

3.435

0.009**

15-17 years

5.857

3.063

0.056*

18-20 years

6.360

3.198

0.047**

Less than a year

0.336

2.983

0.910

1-5 years

1.197

2.839

0.673

6-10 years

2.043

2.810

0.467

11-15 years

-0.989

3.191

0.757

16-20 years

-0.296

2.887

0.918

8.321

3.658

0.023

Masters

-19.975

1.416

0.000**

First degree

-20.784

1.411

0.000**

Diploma

-19.333

1.251

0.000**

7-8 years

2.632

2.222

0.236

12-14 years

3.351

2.106

0.111

15-17 years

4.498

2.143

0.036**

18-20 years

2.080

2.102

0.322

Overeducation Intercept Actual education

Years on schooling

Tenure

Undereducation Intercept Actual Education

Schooling years

Tenure < one year

6.406

1.917

0.001**

1-5 years

4.508

1.674

0.007**

6-10 years

4.292

1.700

0.012**

11-15 years

5.674

1.839

0.002**

16-20 years

3.946

1.934

0.041**

MLM summary -2log likelihood value

520

Pearson Chi Square

241.442

Constant

278

Observation -N

299

Reference Category

PME

Significant at *p<0.1, **p<0.05, ***p<0.01

journal.heinz.cmu.edu

Winter 2014

THE HEINZ J OURNAL

MEASURING THE FEDERAL DEBT THE CASES FOR CONVERTING TO AN ACCRUAL BASIS OF ACCOUNTING ELLIOTT LONG ABSTRACT There is growing consensus that the United States federal government has accumulated dangerous levels of debt in recent years. However, cash-basis methods currently used by the federal government to measure its indebtedness offer an inadequate lens through which to view the magnitude and severity of the debt levels. The methods that are currently used to measure government accounting are reviewed, and it is explained why these methods are ambiguous and why a clear debt measurement is needed. A case is made for converting federal debt measurement to an accrual-basis of accounting, and the substantial roadblocks that exist in making such a change are examined.

INTRODUCTION Never in the history of the nation has the United States (US) held more debt than it does today. Thomas L. Hungerford, a Specialist in Public Finance at the Congressional Research Service (CRS), notices that, “Several policy makers and analysts have voiced concern over federal budget deficits and growing federal debt.”1 And for good reason: the federal government currently holds $17.1 trillion in nominal gross debt. 2 Reducing the federal government’s debt is of vital importance to the broader US economy. Brian W. Cashell, a Specialist in Macroeconomic Policy at CRS, believes that “The relationship between the growth rate of the federal debt and the overall rate of economic growth is critical to economic stability.” 3 However, cash-basis methods currently used by the federal government to measure its indebtedness give unclear answers, differing by 31 percent and leaving one uncertain of the federal government’s financial state. Converting to an accrual-basis of accounting could better serve the economy by “requir(ing) the actual unfunded liabilities of the federal government to be counted.”4 The alarming and brutally honest result of the new measurement would cause Americans to match the level of government services they receive to the level they pay for. After reviewing several types of debt measurement that are currently used, the conclusion is clear that an accrual-basis of accounting is the most accurate measurement for national debt. While implementing a new measurement for national debt would be a challenge, the benefits include increased certainty and the ability to pay for future expenses as well as an informed public.

journal.heinz.cmu.edu

CASH-BASIS METHODS CURRENTLY USED BY THE FEDERAL GOVERNMENT Currently, for purposes of the federal budget, debt is primarily measured on a cash-basis, which “records revenues when cash is received, and expenses when it is paid.”5 That is, balances equal received receipts minus paid expenses. While the federal government keeps records of several cash-basis methods, it undoubtedly lends the most merit to debt held by the public and gross debt.6 Debt Held by the Public One way that the federal government currently measures its debt is by the amount of debt held by the public. Debt held by the public can be defined as the amount of “federal debt held by all investors outside the federal government, including individuals, corporations, state or local governments, the Federal Reserve banking system, and foreign governments.”7 For example, this includes Treasury bills, notes, and bonds commonly held by Americans. Many argue that the method should be given primary consideration since it alone yields an accurate measure of creditors’ willingness to lend to the federal government. 8 Gross Debt Alternatively, another way that the federal government currently measures its indebtedness is through gross debt. Gross debt “is composed of both debt held by the public plus debt held by government accounts”9 and is “the total amount of outstanding federal debt, whether issued by the Treasury or other agencies and held by the public or federal government accounts.” 10 That is, it includes both debt held by the public and securities held by government trust funds, revolving funds, and special funds. The

Winter 2014

FE DE RAL DE BT

most common accounts are retirement, highway, and unemployment trust funds. Others believe that this method should be given the most consideration since it provides the broadest measurement in terms of accounts that are included.

US GDP in 2012 equal to $15.7 trillion (World Bank 2011) 15 the Federal debt-to-GDP ratio amounts to 78 percent. Yet, with gross debt currently at $17.1 trillion,16 the debt-to-GDP ratio quickly increases to 109 percent.

THE AMBIGUITY OF CASH-BASIS METHODS

WHY A CLEAR DEBT MEASUREMENT IS NEEDED

While both gross debt and debt held by the public presents valid reasons for its use, neither method yields clear results when measuring the Federal debt. For example, federal gross debt currently stands at $16.4 trillion. However, Jane R. Christensen writes in The National Debt: A Primer that, “The dollar amount of the debt, however large it may seem to be, is not a good measure of the burden it places on the economy.” Rather, “the importance of the debt can only be measured to (its) overall size.”11 The most common method by which this is done is comparing it to Gross Domestic Product (GDP),12 or “The total income earned domestically.”13 Debt held by the public currently rests at $12.2 trillion for fiscal year 2012.14 By this method, with

The ambiguous results of cash-basis methods currently used by the federal government to measure its indebtedness render the methods useless in service to the broader US economy. As shown in Figure 1, Reinhart and Rogoff recently warned that, historically, around 90 percent debt-to-GDP ratios high interest rates and inflation begin to increase the cost of servicing the debt and force painful fiscal adjustment in the form of tax hikes and spending cuts or even default.17 Under cash-basis methods, one wouldn’t know whether the federal government was in need of financial reform. Thus, the federal government could miss the opportunity to

Figure 1. Federal Government Debt, Growth, and Inflation.

journal.heinz.cmu.edu

Winter 2014

FE DE RAL DE BT

relay critical signals of its seriousness to fulfill its obligations and hinder the economy from functioning at optimum capacity. 18 As a result, many support the adoption of an alternative. THE C ASE FOR C ONVE RTING TO AN AC C RUALBASIS OF AC C OUNTING The economy would be better served if the federal government converted to an accrual-basis of accounting. As Hiroyuki Kohyama and Allison Quick of Harvard Law School explain, an accrual-basis of accounting would record “revenues when they are earned, and expenses whey they are incurred.” 19 That is, balances would equal earned revenues minus obligated expenses rather than received revenues minus paid expenses as measured in the cash-basis method. For example, if a contract were completed, the federal government would record revenue or

expenses then – not when payment is received or given out. The accrual-basis would “provide more accurate and complete information about receivables and refunds legally receivable and payable.”20 Switching to an accrual-basis of accounting would include future costs in today’s budget. For example, “The shortfall between the income and expenditures of current and past participants in Social Security is $17.5 trillion in present value terms, according to the Social Security trustees. For Medicare Part A, the shortfall is $6.9 trillion in present value terms. For Medicare Part B, the shortfall is $10.6 trillion in present value terms.” 21 A more detailed description of annual deficits in terms of GDP is shown in Figure 2 (Department of the Treasury). Those in favor of the method believe it would increase the ability to plan for these future expenses.

Figure 2. Historical and Current Policy Projections for the Composition of Non-Interest Spending. Additionally, proponents argue that including these costs among others in today’s budget would cause Americans to match the level of government services they receive to the level they pay for.22 They believe it would cause a host of events to unravel as a result of the fiscal imbalance being seared into the minds of taxpayers who would subsequently increase political pressure on policymakers to address it.23

journal.heinz.cmu.edu

By this method, with federal debt topping an estimated $75 trillion,24 the debt-to-GDP ratio would explode to 513 percent. The alarming result would forever sever the historic distortion that Americans have in terms of the level of government they demand and the level they pay for, sparking them to apply pressure on elected officials to address the level of debt, who would subsequently have to prioritize the nation’s fiscal values or

Winter 2014

FE DE RAL DE BT

risk being replaced by someone else. Only when Americans pay for the level of government services they receive can they relay vital signs of their seriousness to fulfill their obligations to the markets and help the economy to function at its full capacity. THE PROSPE C T OF RE FORM While switching to an accrual-basis of accounting may hold the antidote to the US fiscal imbalance, the public remains largely unaware of the method. Lynch, Labonte, and Levit believe “it may, however, provide greater understanding of long-term challenges and greater incentives for Congress and the President to pursue and adhere to specific long-term debt reduction goals.”25 In other words, if cash-basis methods did not obscure the size of long-term fiscal deficits, there would be more public support and thus public pressure on policymakers to present a solution. The lack of public support can be characterized as a principalagent problem. A principal-agent problem exists “whenever one individual depends on the actions of another.” 26 Principal-agent problems represent a contract under which a principal delegates discretion to an agent to perform a task on their behalf. However, a problem usually arises because the agent has a propensity to maximize its own interests. In this case, the constituent acts as the principal while the policymaker acts as the agent.27 As such, making the switch to an accrual-basis of accounting is tantamount to asking policymakers to subject themselves to harsh political pressure that, in turn, is likely to inflict fiscal cuts and decrease the supply of funds deliverable to their constituency that they can claim credit for. The problem can often be exacerbated by asymmetrical information. That is, “although the agent has full knowledge of

its actions, the principal is not always in a position to observe, and hence control, the actions of the agent.” As a result, since very few constituents are knowledgeable about methods of accounting currently used by the federal government and the available alternatives, the policymaker can likely continue to operate in the status-quo if they ignore the lack of information. Several steps can be taken to increase awareness of accrual-based accounting methods. For example, if an accrual-basis budget window were included in the federal budget, the method could gain support. Additionally, accrual-based accounting methods could gain prominence if the President were to cite the method since he possesses the bully pulpit. C ONC LUSION The federal government has undoubtedly accumulated unprecedented amounts of debt. However, the cash-basis methods currently used to measure US indebtedness offer an inadequate lens through which to view the severity of the problem. As of right now, federal government balances equal receipts received minus expenses paid. It would be better served by adopting an accrual-basis of accounting, when balances equal earned revenues minus obligated expenses. Enacting this change would require elected officials to subject themselves to harsh political pressure that is otherwise easily avoidable, but moving to an accrual-basis would increase certainty in the economy and the ability to pay for future expenses. Finally, accrual-basis accounting may convince Americans to match the level of government services they receive to the level they pay for

Elliott Long graduated from Trachtenberg School of Public Policy and Public Administration at George Washington University in May 2013 with a Master of Public Administration in budget and tax policy. Additionally, he holds a Bachelor of Arts in political science from Florida Gulf Coast University.

journal.heinz.cmu.edu

Winter 2014

FE DE RAL DE BT

SOURCES 1)

Thomas L. Hungerford, Redistribution Effects of Federal Taxes and Selected Tax Provisions, (Washington: Congressional Research Service, 2011).

10)

Ibid.

11)

Jane R. Christensen, The National Debt: A Primer, (New York: Nova Science Publishers, 2004).

"The Debt to the Penny and Who Holds It," TreasuryDirect, accessed November 10, 2013. http://www.treasurydirect.gov/NP/debt/ current.

12)

Federal Debt: Answers to Frequently Asked Questions, (Washington, D.C.: Office, 1996).

13) 14)

Brian W. Cashell, The Federal Government Debt: Its Size and Eonomic Significance, (Washington: Congressional Research Service, 2006).

Mike Sylvester, "National Debt Officially Exceeds 14 Trillion for the First Time," Fort Wayne Politics, January 4, 2011, accessed February 05, 2013, http://fortwaynepolitics.com/2011/01/ national-debt-officially-exceeds-14-trillion-forthe-first-time

15)

Financial Accounting, April 1996, accessed February 5, 2013, http://www.fasab.gov/pdffiles/ sffas-7.pdf. 21)

Gregory N. Mankiw, Macroeconomics, (New York: Worth Publishers, 2000).

Megan S. Lynch, Marc Labonte, and Mindy R. Levit, “Adopting a Long-Term Budget Focus: Challenges and Proposal,” (Washington: Congressional Research Service, 2011).

22)

Department of the Treasury, A Citizen's Guide to the Fiscal Year 2011 Financial Report of the United States Government, accessed February 5, 2013, http://www.fms.treas.gov/frsummary/ frsummary2011.pdf.

Howell E. Jackson, "Accounting for Social Security and Its Reform," Harvard Journal on Legislation, 2004, 1-125, accessed February 5, 2013, http://papers.ssrn.com/sol3/papers.cfm? abstract_id=458921.

23)

Howell E. Jackson, "Accounting for Social Security and Its Reform," Harvard Journal on Legislation, 2004, 1-125, accessed February 5, 2013, http://papers.ssrn.com/sol3/papers.cfm? abstract_id=458921.

24)

Andrew Biggs, "What’s the Best Way to Measure the National Debt?," May 28, 2010, accessed February 05, 2013, http://www.aei-ideas.org/20 -10/05/what’s-the-best-way-to-measure-thenational-debt/.

25)

Megan S. Lynch, Marc Labonte, and Mindy R. Levit, Adopting a Long-Term Budget Focus: Challenges and Proposal, (Washington: Congressional Research Service, 2011).

"GDP (current US$)." Data. Accessed November 10, 2013, http://data.worldbank.org/ indicator/NY.GDP.MKTP.CD.

David Burd and Takeshi Fujitani, FASAB & 16) The Financial Statements of the United States: Comparing Budget Aggregates to Financial Statements, Issue 17) brief, May 3, 2005, accessed February 5, 2013, http://www.law.harvard.edu/faculty/hjackson/ FASAB_13.pdf.

Ibid.

Federal Debt: Answers to Frequently Asked Questions, (Washington, D.C.: Office, 1996).

18)

Ibid.

D. A. Austin, Long-Term Measures of Fiscal Imbalance, (Washington: Congressional Research Service, 2006).

Andrew Biggs, "What’s the Best Way to Measure the National Debt?," May 28, 2010, accessed February 05, 2013, http://www.aei-ideas.org/20 -10/05/what’s-the-best-way-to-measure-thenational-debt/.

19)

Hiroyuki Kohyama and Allison Quick, Accrual 26) Accounting in Federal Budgeting: Retirement Benefits for Government Workers, Issue brief, May 1, 2006, accessed February 5, 2013, http:// 27) www.law.harvard.edu/faculty/hjackson/ RetirementBenefits_25.pdf.

Federal Debt: Answers to Frequently Asked Questions, (Washington, D.C.: Office, 1996).

20)

Carmen M. Reinhart and Kenneth S. Rogoff, Growth in a Time of Debt, Working paper (Cambridge: National Bureau of Economic Research, 2010).

Stephen P. Riley, The Politics of Global Debt, (New York, NY: St. Martin's Press, 1993). Ibid.

Federal Accounting Standards Advisory Board, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and

journal.heinz.cmu.edu

Winter 2014

THE HEINZ J OURNAL

CYBER WARFARE BY NATION-STATES WHAT DEFENSIVE HACKING STRATEGIES CAN WE IMPLEMENT? JOEL LEE

ABSTRACT Cyber warfare is used by nation-states as a means of attack, but the United States is inadequately prepared. Currently, there are no US policies to deal with a large-scale cyber attack. Thus, it is imperative that we implement adequate defenses to deal with any potential attacks on our systems. In this paper, we will examine defensive hacking strategies that can be implemented to deal with this threat. We will start by examining notable cyber warfare incidents suspected to have occurred with the help of nation-states. We will then examine the network structures that the US should adopt to ensure network security from such attacks. Next we will consider how the US can build a team to defend against potential attacks. After this, we will consider how penetration testing can be used to evaluate our network security. This is followed by the recommendation of a strategy to protect the US against cyber warfare. It concludes with a discussion on how to identify attacks and handle incidents. Overall, this paper provides a broad overview on cyber warfare by nation-states and suggests defensive hacking strategies that the US can use to defend itself.

INTRODUCTION According to The Economist, cyberspace has emerged as the fifth domain of warfare, after land, sea, air, and space. On June 23, 2009, the Secretary of Defense directed the US Strategic Command to set up the United States Cyber Command (USCYBERCOM), which achieved Full Operating Capability on October 31, 2010.1 President Barack Obama declared that the US’s IT infrastructure is a critical national asset and appointed Howard Schmidt, former head of security for Microsoft, as the cyber security coordinator for the White House in December 2009.2,3 In December 2011, the conference report on the National Defense Authorization Act for Fiscal Year 2012 mentions that “Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests.”4 Clearly, cyberspace has become a new battleground arena and the US has certainly not been impervious to this fact. The threat of cyber warfare by nation-states is very real. The cyber attacks that targeted Estonia in 2007 and Georgia in 2008 were thought to have been directed by the Kremlin, though they were traced to Russian cyber-criminals.5 In 2011, the US government considered launching cyber attacks on Libya’s airdefense systems before deciding to resort to air strikes on Muammar Gadaffi’s forces. The plan was ultimately shelved.6 Nonetheless, it provides a good indication of how a future cyber war may unfold. Cyber warfare is the perfect strategy for

journal.heinz.cmu.edu

countries that do not have the means and the resources to physically attack the United States. As mentioned by William Lynn, the former US Deputy Secretary of Defense, a hostile country could recruit hackers to bring down US financial systems, communications, and infrastructure at a much lower cost than building jet fighters. As such, “many militaries are developing offensive cyber capabilities.” Some might even be able to disrupt parts of the cyber infrastructure in the US 7 In an interview with CBS, former US Secretary of Defense, Leon Panetta, mentioned that cyber warfare has been “one of his biggest worries,” because it has the potential to bring down the power grid and paralyze the financial system.8 Due to the threat of cyber warfare and the damage that it could potentially cause, the US has taken steps to prepare for it. The US has been quietly working to find weaknesses in the data systems of its enemies and to equip itself with capabilities to exploit those weaknesses. The US Cyber Command has been creating defenses to protect against attacks. These defenses protect critical military and civilian infrastructure such as telecommunications, power systems, and utilities.9 President Obama, in June 2011, signed executive orders that describe the extent to which the US military can launch cyber attacks against its enemies. According to the executive orders, some of the approved activities include infecting an enemy’s computer with a virus, which would bring down the target’s defense network or electrical grid. The order also stated that the US could defend itself by blocking cyber attacks and that it could also carry out offensive attacks on servers in another country.10

Winter 2014

C YBE R WARFARE

However, the US needs to study the impact of cyber warfare. Currently, there are no existing policies to determine the appropriate response to a large-scale attack on US civilian or military networks. As such, countries adversarial to the US might exploit this gray area to create delays in decision making in the US chain of command.11 Also, the US military faces the possibility of not being able to meet its cyber defense needs should there be “an extra $500 billion in defense cuts.”12 By nature, cyber attacks are instantaneous. Once an enemy finds vulnerabilities in the US cyber defenses, it takes milliseconds for the enemy to exploit them.13 This paper will study the defensive hacking strategies that nation -states carry out in the face of cyber warfare. For the purposes of this paper, cyber warfare refers not just to an attack on a country’s critical infrastructure. It could also be an attack on a large company for purposes of advancing the attacker’s knowledge or influence. We will start this paper by examining notable cyber warfare incidents that have occurred in recent years. Second, we will examine the network structure that the US should adopt to properly secure its networks. Afterwards, we will examine how the US can build a defensive team to defend against potential attackers. Next up, will be a discussion of penetration testing and how it is important to evaluate our network security, as well as an in-depth discussion of strategy. Finally, the paper will conclude with suggestions on how to identify attacks and handle incidents. BACKGROUND AND RELATED WORK Cyber warfare is defined as “the use of computers and other devices to attack an enemy’s information systems.”14 Cyber warfare can cause essential services, official websites, financial systems, and critical infrastructure to be disabled. Furthermore, it can steal or change classified data.15 Jeffery Carr, author of Inside Cyber Warfare, claims that because most military forces are network-centric, any country can carry out a cyber war against another country.16 Cyber warfare is still a relatively new concept. The amount of academic literature on this topic is relatively limited, though it has been gaining popularity. Chris Bronk, a senior fellow in cyberspace geopolitics at the University of Toronto, writes that digital forms of information stored on networked computers have created new policy issues. He argues that leaders in the United States must look at public and private partnerships as a necessary component to engage the problem successfully. 17 Networked information systems do not work by having a statecentric approach. 18 Instead, responsibility must be taken across all parts of the network, with all individuals and machines held responsible for its security.19 Sanjay Goel, an Associate Professor in the Information Technology Management Department at the University of Albany, argues that cyber warfare has become a potent weapon in espionage, propaganda, and political conflicts.20 Increasingly, it is being used for offensive capabilities as part of the national strategy of many countries, including China, Russia, and the US Nation-states make use of cyber warfare to weaken enemy nation-states and

journal.heinz.cmu.edu

thus provide the attacker with a wartime advantage.21 Cyber warfare can be used for several purposes. These include espionage and reconnaissance, propaganda, and social warfare, as well as disablement of government web infrastructure.22 In Cyber Warfare and Cyber Terrorism, Lech J. Janczewski and Andrew M. Colarik write that cyber attacks usually follow the same pattern as traditional crime. The first phase of the attack would be to conduct reconnaissance of the intended victim by observing the target’s normal operations to collect useful information. The second phase would be penetration of the system. The third phase would be to identify and expand internal capabilities by reviewing resources and increasing access to higher value resources in the system. The fourth phase is where the attacker does harm or obtains selected data from the system. The last phase can involve the removal of evidence by covering the attacker’s electronic trail or by deleting log files. 23 Ian M. Chapman, Sylvain P. Leblanc, and Andrew Partington argue that the increasing level of reliance on computer technology means that military organizations are increasingly at risk of falling victim to a cyber attack. It is important for military organizations to examine the potential effects of attacks through simulation, support training, and experimentation.24 Compared to the above papers, the scope of this paper is different as it examines the topic of cyber warfare by considering the defensive hacking strategies that the US can implement. ACTUAL CYBER WARFARE INCIDENTS Before analyzing the defensive hacking strategies that can be used by nation-states in the face of cyber warfare, it would be useful to examine cyber warfare incidents that have occurred over the past few years. This section will describe some of the more notable ones that have garnered significant attention from the public. While one cannot say with absolute certainty that the incidents below were linked to a nation-state, there is adequate evidence that suggests that states were involved. Compromise of Gmail Accounts On June 2011, Google announced that hackers in China managed to obtain access to hundreds of Gmail accounts, “including those of senior US government officials, military personnel, Chinese political activists, and journalists.”25 Officials from several Asian countries (mainly South Korea) were also targeted.26 The attackers used stolen passwords to change the forwarding and delegating settings in Gmail, which forward messages automatically and allow other users to access their accounts. Gmail notified victims as well as government officials about the attack. These affected Gmail users were victims of a phishing attack, which tricked users into providing their username and password to attackers on the false premise that their accounts would be secured.27 It was not until a year had passed after these attacks that it was discovered that China had carried them out. Previously, there had been more sophisticated assaults on Gmail accounts from China in late 2009 and early 2010.28 Google’s allegations that Chinese hackers were involved in this incident were met with denials from Chinese government officials, which caused the US to ask Beijing to conduct further investigations.29,30

Winter 2014

C YBE R WARFARE

Lockheed Martin Cyber Attack A major online attack took place in early May 2011 against the networks of Lockheed Martin, which is the largest defense contractor in the US Lockheed Martin said that the attack was “significant and tedious” but that the company detected the attack almost immediately and took actions to protect its systems and data, which did not compromise company or employee data.31 Even then, it was considered a serious incident since Lockheed Martin, as the largest defense contractor in the US, possesses data critical to the country’s safety and security. Lockheed Martin produces equipment from Trident missiles to F-22 fighter planes; the information it possesses would definitely be of value to hostile countries. Hackers exploited the VPN access system of Lockheed Martin as they were able to generate the factory encoded random keys used by some of Lockheed’s SecurID hardware tokens supplied by RSA, a company that supplies hardware tokens used for 2-factor authentication.32 This was possible due to RSA being hit by a cyber attack in March 2011, where hackers obtained information specific to RSA’s SecurID two-factor authentication system.33 China is the main suspect in the sophisticated attack on Lockheed Martin, which has been categorized as an Advanced Persistent Threat (APT) type of attack.34 An APT is an attack mechanism in which an attacker gains unauthorized access to the network and stays there for a period of time to steal data rather than to cause harm to the organization. It is usually targeted towards organizations that have highly sensitive information that is valuable to the attacker. Cyber Attack on US in 2008 The Pentagon announced in August 2010 that a foreign spy agency had carried out a cyber attack on US military computer systems in 2008. The attack was caused by an infected thumb drive inserted into a US military laptop at a Middle East base. This caused malicious computer code to be uploaded to the Central Command network. The code spread to both classified and unclassified systems without detection. This was the most significant breach of US military systems.35 The rogue program infected military computers for 14 months before it was discovered and eradicated. While details of the severity of the incident and the data that was lost was not made public, the attack was severe enough that it caused the military’s information defenses to reorganize and create a new Cyber Command unit.36 Cyber War on Georgia in 2008 After Russian troops crossed into South Ossetia, there was an attack against Georgian infrastructure and its key government websites. Multiple government websites were inaccessible for hours and even the President was unable to be contacted by CNN for an interview due to an attack against the VOIP phone system in Georgia.37 Websites were unavailable over the weekend when the Russian troops crossed over, which Georgia claimed was due to a Russian denial of service attack. 38 Among the websites attacked were the Ministry of Foreign Affairs, Ministry of Defense, online English language newspapers, and

journal.heinz.cmu.edu

the personal website of the Georgian President.39 This attack is interesting since it combined a physical attack with a cyber attack thus making it harder for the victim to respond. Stuxnet Stuxnet was described as the worm that started a new era of global cyberwar. The Stuxnet worm was much more complex and sophisticated than anything that was seen before.40 It was designed to look for Siemens machines that have a particular configuration with a specific Programmable Logic Controller (PLC) device. It then injects a code into the system to launch an attack. Once Stuxnet finds its target, it makes changes to a particular piece of Siemens code called Operational Block 35. This particular Siemens component is responsible for monitoring critical factory operations. By changing Operational Block 35, the worm could cause the refinery’s centrifuge to malfunction.41 Stuxnet was programmed to collect information every time a customer was infected. This information was then sent to two websites in Malaysia and Denmark. Both websites had been registered using a stolen credit card.42 The creator of Stuxnet went to great lengths to carry out the attack. Stuxnet made use of four previously unknown zero-day attacks and used compromised digital certificates from JMicron Technology and Realtek Semiconductor.43 Moreover, Stuxnet went through a sequence of checks to make sure that it had the right target before releasing the payload. Stuxnet was searching for a specific factory floor, type, and configuration of equipment found only in Iranian components. Also, it was searching for variable speed motors used to control spinning centrifuges, which are a critical piece of equipment in the enrichment of uranium. 44 It does its damage by making rapid changes to the rotational speed of the motors causing them to go up and down. Such rapid changes can cause the centrifuges to blow apart, a problem that Iran has experienced while running its centrifuges. Iran has since removed many centrifuges from active service, with reports stating that the Stuxnet virus might have caused Iran to decommission 1,000 centrifuges at its uranium enrichment facility. 45,46 It is suspected that Stuxnet was developed under a joint effort between the US and Israel.47 NETWORK STRUCTURE The cyber warfare incidents above illustrate that cyber warfare has been a real and persistent threat to countries. It has the potential to cause great harm to society. As such, it is imperative that countries build a secure and resilient network structure in order to mitigate risks and prevent their networks from being compromised. Firstly, countries must prioritize what they must defend based on their mission and assets. This is done through an assessment of their critical infrastructure to determine which of them must be defended. Some examples would be nuclear weapons systems, nuclear reactor systems, electrical grid systems, telecommunication systems, and military and government systems. Also, an assessment of resource limitations must be

Winter 2014

C YBE R WARFARE

made. For example, personnel limitations need to be taken into consideration. Knowing the number of people working to secure IT systems would help achieve this. Other limitations are the costs as well as the amount of information available on critical IT systems. In terms of network structure, there should be a firewall between the corporate network and the external network. Ingress and egress filtering should be carried out on the firewall. Ingress filtering restricts traffic entering the headquarters while egress filtering restricts traffic leaving the headquarters. Firewalls should monitor traffic at the host layer as well as the application layer, so as to better detect a compromised machine. The firewall should consist of a packet filter, connection filter, and stateful filter to control traffic going in and coming out of the network. The packet filter controls access to the network by analyzing incoming and outgoing packets and then deciding whether or not to let them pass by using the source and destination IP address.48 The connection filter can be used to “deny access at the network level.”49 Stateful filter allows for filtering decisions to be made by looking at the entire session rather than just the individual packet.50 On the corporate network itself, the infrastructure should be carved out into different defensive zones. The most critical systems should be carved out and security boundaries should be put up around them to limit access. Ideally, the critical system should be air-gapped, meaning that it would be on its own separate network away from the other non-critical systems. However, that might not be possible as that system might need to be on the same network for communication purposes. If the networks need to be connected, there would be another firewall to filter traffic to and from the subset of the network handling the critical systems. This firewall would be an application proxy, which is an application program that sets up a firewall system between two different networks. A client program that wants to communicate with the server inside the network has to first connect to the proxy in order to access the destination service. The proxy serves as an intermediary between the client and the destination, which allows individual computers on the network to be hidden behind the firewall. The proxy makes all packet forwarding decisions since all communication has to be done through the proxy server thus making this a highly secure method of protection.51 There has been a drive towards networked industrial control systems, since this would allow geographically distributed assets to be integrated through centralized control, allowing for remote monitoring, debugging, and maintenance of substations that are located in remote locations. There is a need for the headquarters to have immediate access to current operational data.52 However, this means that security has to take on a more integral role as critical systems become more networked. Critical networks that provide functions such as industrial control systems should be air-gapped from the corporate network or the public network. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) must be deployed in the secure network hosting the critical systems to detect any signs of malicious activity.53

journal.heinz.cmu.edu

BUILDING A DEFENSIVE TEAM The defensive skill set required has increased significantly over the years, as IT systems become more prevalent in our everyday life. Cyber warfare has become an increasingly important issue. China has been testing cyber attack capabilities and has confirmed the existence of a blue team to protect the People’s Liberation Army against outside attacks.54,55 USCYBERCOM was set up to plan, coordinate, integrate, synchronize, and direct activities to operate and defend the Department of Defense information networks.56 It has two goals: First, it seeks to “protect US and allied freedom of action in cyberspace.” Second, it seeks to “deny freedom of action in cyberspace for our adversaries.”57 The National Cybersecurity & Communications Integration Center (NCCIC), which is part of the Department of Homeland Security (DHS) works with private, public, and international entities to secure cyberspace and the United States’ cyber assets.58 While the USCYBERCOM has been responsible for coordinating the military systems, it is important that the NCCIC coordinate with the private sector in securing the United States’ cyber assets because the private sector operates many critical assets in the US, such as the electrical grid, banking, and telecommunications services.59 The organization in charge of maintaining critical systems should have a defensive team in place. The defensive team should be highly trained specialists and consist of an intelligence analyst, a technologist, a detective, and an attacker. It should have regular exercises with other organizations, in order to assess their weak points and sources of vulnerabilities. There should also be intrusion response teams with the expertise to handle and respond quickly to any incidents that might occur. These intrusion response teams should have relationships with other response teams so that their united expertise can be tapped into. Moreover, there should be an analysis team that understands the network thoroughly. The analysis team should be familiar with security and availability issues and understand how the network supports the needs of the organization. Also, the team should not just be proficient in networking, protocols, ports, and applications, but also have skills like team building and communications skills. These skills are essential to convince the management to adopt recommendations made by the analysis team. PENETRATION TESTING Penetration testing should be carried out to simulate an attack on networks. This should be done to identify vulnerabilities and take steps to fix them. It should be done for critical systems, in particular, as those systems would be targeted by attackers. In penetration testing, there is a need for the defender to have the mindset of an attacker. First, the defender should start with a reconnaissance stage in order to find the network, locate key hosts, conduct profiling, and find points of access and vulnerabilities to exploit. Once a vulnerability is found, an exploit can be created to gain access or elevate privileges. A communication channel should be set up for information to be

Winter 2014

C YBE R WARFARE

transferred so that the attacker would know whether or not the attack is successful. In practice, it will take multiple tries before an attack can succeed. Once the attack succeeds, a command server should be set up to direct actions of the hack. The command server would allow the attacker to monitor, modify, or cease the attack. After the attack is carried out, the attacker might proceed to corrupt or reconfigure the compromised server. In the midst of this, there must also be some unused capacity in order to respond to defenses or detection put up by the defender. The purpose of using penetration testing is to identify weaknesses in the system, to assess the performance of our security team, and to communicate the risk. This provides a measurable evaluation of security readiness to top management. The penetration test has to be carried out within a specified scenario appropriate to the objectives of the test. Moreover, it is important that there are clear guidelines that stipulate what the penetration test can or cannot do. “It is known that the US Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business.”60 While penetration testing on privately owned infrastructures is needed to ensure the security of critical assets in the United States, it is important that a formal agreement is drawn up specifying what would be done. This could mitigate the risk of any legal complications. The constraints of the penetration testing should be identified and discussed in the agreement. Also, the liabilities of the penetration test must be considered. The result of the penetration test could be leaked to the public and cause public embarrassment to the company that was tested. There is the risk that penetration testing might cause personnel to be distracted should a real attack happen at the same time, therefore steps should be taken to mitigate that possibility. STRATEGY When engaging in cyber warfare, it is important for a good strategy to be adopted. The strategy should involve deception. To quote Sun Tzu’s The Art of War, “All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”61 As defenders, we want to find ways to fool attackers. This way they will underestimate us and become arrogant. Like Sun Tzu wrote: “If your opponent is of choleric temper, seek to irritate him. Pretend to be weak, [so] that he may grow arrogant.” 62 The enemy can be deceived on the intent, extent, objects and success of attack and the value and depth of defense. It is important never to divulge actual information about the security mechanisms that the United States has adopted to protect its critical infrastructure. We must always act as if we are unprepared for a cyber attack, but we should have adequate resources to defend our systems. Network Issues It is important that critical infrastructures do not get displayed

journal.heinz.cmu.edu

to casual scanners or even to dedicated attackers. While critical systems in the United States are air-gapped from the internet, that alone is not sufficient. Stuxnet is an example of an attack on an air-gapped system. Stuxnet directs malware to enter an airgapped system with a removable drive. Policy makers need to know that even air-gapped networks can be breached.63 The pathways into critical infrastructure and information flows from air-gapped public networks should also be examined. If there are modes to gain access, such as plugging in a thumb drive, it must be examined whether users can transfer data between the two networks without any authorization. Failure to implement might lead to misuse by users, such as a user who wishes to charge his/her portable media device by plugging it into a computer on an air-gapped network. Unfortunately, the computer could have launched the auto run program on the portable device. The device could contain malware, which would penetrate and spread onto the air-gapped network. Hence, there must be policies that stipulate that personal devices should not be plugged into the air-gapped system. If files need to be transferred from the public network to the air-gapped network, an official removable drive should be used and the user should have the necessary approval. Defensive vs. Offensive Strategies It must be determined whether a defensive or an offensive strategy should be adopted. As Sun Tzu wrote: “Security against defeat implies defensive tactics; [the] ability to defeat the enemy means taking the offensive.”64 The Defense Bill passed in the United States in December 2011 stated that the Department of Defense can carry out offensive cyber attacks to defend US interests and its allies.65 Whether to adopt an offensive or defensive strategy is subjective. The National Security Agency and Cyber Command director General Keith Alexander said in October 2011 that there are advantages in conducting an offensive attack and that the government can in some cases go after botnets or other malicious attackers.66 However, there are also disadvantages. Preemptive strikes could attack the wrong target. Also, there are increased monitoring costs involved to prove that a preemptive attack is warranted. The strategy chosen should be decided within the context of the threat and with much deliberation with senior officials. Defensive Strategies In terms of defensive strategies, the key is to deceive the attacker and direct the attacker towards a non-critical target. Organizations with critical infrastructure should hide its nature. The footprints of critical assets should be minimized so that it is built into the proxies. There should be Tarpit software that sits outside the border router in order to monitor and slow down incoming streams. Honeypots, which act as fake servers or services in order to trick the enemy should also be employed. If the enemy does not fall for the deception trick, efforts should be made to frustrate the enemy. One way is to contaminate the information flow received by the enemy. Alarms should be created by wrapping the attack vectors with identification information so that the system administrator could be alerted. IDS should watch incoming traffic and outgoing traffic. For

Winter 2014

C YBE R WARFARE

example, a short 30-40 bytes every five seconds on telnet could be a sign that password attacks are taking place. If the enemy manages to intrude into the system, we would want to resist the enemy by making its progress on the network as difficult as possible. For example, we could have additional security requirements to access critical IT systems by making the enemy go through an additional layer of defenses. We can secure vulnerability points by identifying potential areas that can be exploited by an attacker. A very important component to resisting the enemy could be to adopt layered security. Layered security is to use a series of different defenses to cover each other’s gaps in protective capabilities. It uses multiple types of security measures that protect against different areas of attack. Examples of layered security systems could be “firewalls, intrusion detection systems, malware scanners, integrity auditing procedures, and local storage encryption tools.” 67 Adopting a layered security mechanism would mean that an enemy would have to penetrate through multiple layers before having access into the system. There is also a need to have significant amounts of monitoring on the critical systems in order to look for traffic trends and patterns of malicious activity. It is important to audit whatever the enemy did because it provides a record to review it and better defend our networks in the future. In resisting the enemy, it is important to assess the factors that can block resistance, such as the lack of skilled personnel, prohibitive costs, or coalitions in the organization. These factors should be employed when planning the defensive strategy. Furthermore, if the enemy manages to attack the system, the goal is to recognize the enemy, so we want to investigate intrusions from the system logs or any other alert files to provide us with a basis for who the enemy might be. We also want to monitor users and applications for any signs of unusual activity. Moreover, system configuration audits should be examined to find clues about the enemy. There are many factors that prevent the enemy from being recognized. For example, there are probably many different system logs and hence it might be hard to assemble traces of activity across a wide variety of networks. There could be manpower related issues, due to a shortage or overload of administrators. Alternatively, the administrator could be ignorant of a certain system or platform, which could cause them to miss critical pieces of information. OFFENSIVE STRATEGIES The attacker might attack with different mechanisms to harness network resources or run botnets onto the systems. For offensive strategies, it is important to apply various technologies to thwart the attacker. Firstly, it is important to attack with the correct position. As Sun Tzu wrote: “The skillful fighter puts himself into a position which makes defeat impossible, and does not miss the moment for defeating the enemy.”68 It is important to attack a network’s high point rather than the network’s low point. A network’s high point could be the main point of entry or exit, which allows the attacker to have a better view of the traffic coming and going. Secondly, it is important to have the correct visibility. We want to look at sites with more activity because those sites provide data from a broader spectrum of

journal.heinz.cmu.edu

traffic. This would allow us to determine who was responsible for an attack. An example of this in the Stuxnet incident was that Symantec contacted the DNS providers for the two domains that hosted the command and control servers and persuaded them to redirect them into a sinkhole. This allowed Symantec to get reports from machines as it was infected by Stuxnet, and obtain first-hand information about the spread of the malware.69 It is also important to consider the resources that we have by deciding how we want to carry out our network attack. We should decide whether to attack immediately or in phases. For instance, we could do a stepped attack by penetrating one area and then compromise the next, which is similar to the Stuxnet attack. Alternatively, we could do a massed attack in which we compromise all of the intermediate nodes in order to simultaneously attack an entity. Or we could carry out a masked attack, which hits all the launch points simultaneously to sow confusion. It is important to consider the occupation of the network. An analysis needs to be done on which nodes are key to the enemy’s victory. Since the enemy does not want to be identified for participating in the attack, they could leave as soon as they know that they are being pursued. For example, in the attack on the United States’ military systems, the attackers ceased as soon as they knew that their attack was discovered, which is why the attackers were never identified. 70 Lastly, it is important to adopt a risk avoidance strategy. The attack might not have been as severe, due to outside factors that lessened the attack and hence we must have mechanisms to deal with that. Also, contingencies must be planned for dealing with real-world events. Exercises ought to be conducted periodically in order to evaluate our level of preparedness. These exercises would be conducted on the different critical assets in the country and would evaluate the strength of the public-private partnerships in protecting the network. There would be a red team of attackers, a blue team of defenders, and a white team acting as exercise. USCYBERCOM and NCCIC would conduct the exercise and coordinate with public and private companies to secure our nation’s critical infrastructure. IDENTIFYING ATTACKS AND HANDLING INCIDENTS In order to identify attackers, leading questions should be asked. Questions should focus on whether there was a real break-in, whether any damage was done, whether the incident should be publicized, or whether it can happen again. In reality, there are no easy answers to these questions. RSA announced in March 2011 that it had suffered from an APT attack.71 They wrote that “the information extracted does not enable a successful direct attack on any of our RSA SecurID customers.” 72 Unfortunately, this was not the case because information hackers obtained from this attack allowed them to carry out an attack on Lockheed Martin’s systems, as described in section 3.2. RSA chose to believe that the attack would not happen again and decided not to carry out significant measures to stop another attack. It was only after the attack on Lockheed Martin that RSA decided to replace all SecurID tokens for customers that are

Winter 2014

C YBE R WARFARE

concerned that their network data could be compromised. 73 The Lockheed Martin attack could have been prevented if RSA had evaluated that there could be a repeated attack and replaced all of the SecurID tokens as soon as they knew that there was a successful compromise of SecurID information.

compromised system should be forced to create new passwords to prevent the attacker from having any backdoor access. Depending on the severity of the attack, it might be better to wipe off the system and start fresh in order to reduce the risk of a hidden backdoor to the system.

It is important that we document as much evidence as possible. For example, we want to collect printouts and backup media so that we can support our documentation. Also, we want to get legal assistance early to assist with any legal issues. There could be minute changes in the system that signifies that an intrusion has taken place. For instance, there could suddenly be a longer response time, a higher network load, or users suddenly sending problem reports. This happened in the case of Stuxnet, which was discovered after a customer in Iran reported the random blue screen of death and computer reboots. 74 The attack needs to be handled properly. It is important to identify and understand the problem to contain the damage. Then, a proper diagnosis must be done prior to restoring the system. Patches must be installed so that the attack would not happen again. Finally, the data can be restored from backups in order to get the system up and running again.

After the damage has been dealt with, we can then resume the service with caution. First, the system should be patched. If it is a zero-day attack, a patch would not exist. In this case, the software manufacturer involved should be notified of the attack. We should get advice from the software manufacturer on the configurations that need to be amended to prevent a repeat of the incident. Also, we should carry out our own independent tasks to ensure that a similar attack is not possible. NCCIC can then follow up with the software manufacturer to ensure that a patch is released as soon as possible to fix the exploit. Further monitoring must be done to ensure that the attacker does not attack the system again. Afterwards, the system can be evaluated for damage or any compromises of sensitive information. Depending on the severity level of the attack, there might be a need to alert authorities up the chain of command. If other parties were compromised as part of the attack, it must be decided whether they should be notified. We should also decide whether the other systemâ&#x20AC;&#x2122;s administrators who handle critical systems should be notified so that they can defend against a similar style of attack. Depending on the severity of the attack the public might be notified about it. If that is so, issues like when to notify the public or the level of detail for the disclosures should be considered. Once the case is completely evaluated, we want to mete out disciplinary measures to employees who were responsible, particularly if there was an insider that was involved.

There is also the issue of how to deal with intruders. The options available include ignoring, communicating, tracing and identifying, or breaking the intruderâ&#x20AC;&#x2122;s connection. Each of these options must be evaluated in the context of the attack. It is also important to consider whether a public announcement of the attack should be made. The United States has repeatedly accused Russia and China of cyber attacks on the United States, though it cannot confirm who is behind the attacks. Chinaâ&#x20AC;&#x2122;s response called the accusation baseless. While it is not part of US policy to engage in economic espionage, it is not known if the United States has carried out cyber attacks on Russia and China in retaliation. China has said that it was also a victim of cyber attacks.75 Russia has accused Western intelligence agencies of using cyber attacks.76 If there is an attack on critical assets in the US, it is important for authorities to be alerted as soon as possible. Stiff penalties should be meted out if the incidents are not alerted to authorities. A report should be prepared to describe a high-level description of the incident with an excerpt of the log and host information on the attacker. Open-source information from Wikipedia, DNS lookup, and websites like robtex.com or ip2location.com can provide routing and location information to supplement the report. After authorities are notified, experts from the NCCIC should be called to conduct a security assessment of the situation. NCCIC will find attack evidence through missing log files, unexplained error messages, connections from or to unfamiliar sites, any hidden directories, etc. The integrity of files could be checked by examining user files, boot files, library files, configuration files, and binaries to check for any unusual changes. Next, the damage caused by the attack must be dealt with by deleting any unauthorized accounts, restoring files or device protections, and removing any files or directories that have been added by the attacker. System configuration files should be restored to their original settings to prevent any tampering by the attacker. All existing users on the

journal.heinz.cmu.edu

CONCLUSION Cyber warfare conducted by nation-states has become an issue worthy of discussion. Actual cyber warfare incidents, such as the attack on Lockheed Martin or the Stuxnet malware have provided clear indications that it was carried out with the support of a nation-state. This has raised the ante in terms of cyber security from the days where script kidders were considered to be a serious threat. In particular, the Stuxnet malware incident shows that the sophistication and precision of attacks have increased, thus bringing cyber warfare to a whole new level. It is important that we implement adequate defenses to thwart attacks to our system. In order to do so, we must implement the right strategies for defensive hacking. We must create a network structure that will properly secure our critical assets. We should have a defensive team to deal with threats, conduct regular penetration testing, and adopt defensive and offensive strategies to identify attacks and handle incidents. 77 Governments in other countries are actively researching, and already possess advanced skills and tools in cyber warfare mitigation and offense. It is important to enable the United States to be well protected in the cyber arena as well.

Winter 2014

C YBE R WARFARE

Joel Lee is an IT security policy and technology consultant and a 2013 graduate of the MSc in Information Security Policy and Management program from the Heinz College at Carnegie Mellon University.

SOURCES 1)

“US Cyber Command,” United States Strategic Command, last modified August 2013, http:// www.stratcom.mil/factsheets/ Cyber_Command/.

“War in the fifth domain.” Economist.com, last modified July 1, 2010 http:// www.economist.com/node/16478792.

Macon Phillips, “Introducing the New Cybersecurity Coordinator,” The White House, last modified December 22, 2009, http:// www.whitehouse.gov/blog/2009/12/22/ introducing-new-cybersecurity-coordinator.

“National Defense Authorization Act for Fiscal Year 2012,” H.R. 1540, 112th Cong. § 1021 (2011).

“Cyber weapons are like the Ferrari you keep in the garage' says US official after decision NOT to use hack attacks in Libya,” Daily Mail, last modified October 18, 2011, http:// www.dailymail.co.uk/sciencetech/article2050521/U-S-considered-cyber-warfare-attackplan-Libya.html. Mark Thompson, “US Cyberwar Strategy: The Pentagon Plans to Attack,” Time.com, last modified February 2, 2010, http://www.time.com/ time/nation/article/0,8599,1957679,00.html.

Scott Pelley, “Panetta: Cyber warfare could paralyze US,” CBSNews.com, last modified January 5, 2012, http://www.cbsnews.com/830118563_162-57353420/panetta-cyber-warfarecould-paralyze-u.s/.

10)

11)

12)

13)

14)

“Cyberwar – The threat from the internet.” Economist.com, last modified July 1, 2010, http:// www.economist.com/node/16481504. 15)

report,” Agence France-Presse, last modified March 25) 8, 2012, http://www.rawstory.com/ rs/2012/03/08/china-cyber-warfare-skills-a-risk -to-u-s-military-report/.

Rash, W. “The United States' Role in Preparing for Cyberwar.,” TechSecurityToday, last modified December 22, 2012, https://web.archive.org/ web/20120116042418/http:// www.techsecuritytoday.com/index.php/ourcontributors/wayne-rash/entry/the-unitedstates-role-in-preparing-for-cyberwar. Fahmida Y. Rashid, “US Military Expanding Arsenal of Cyber-Warfare Capabilities,” EWeek.com, last modified June 23, 2011, http:// www.eweek.com/c/a/Security/US-MilitaryExpanding-Arsenal-of-CyberWarfareCapabilities-389786/. “China cyber warfare skills a risk to US military:

Andrea Shalal-Esa, “Pentagon sees progress, challenges in cyber warfare,” Reuters.com, last modified April 17, 2012, http:// www.reuters.com/article/2012/04/17/net-ususa-pentagon-cyberidUSBRE83G0VP20120417. Mark Thompson, “US Cyberwar Strategy: The Pentagon Plans to Attack,” Time.com, last modified February 2, 2010, http://www.time.com/ time/nation/article/0,8599,1957679,00.html.

26)

“Gmail Accounts Compromised by Chinese Hackers, Google Says,” FoxNews.com, last modified June 1, 2011, http://www.foxnews.com/ scitech/2011/06/01/gmail-compromisedchinese-hackers-google-says/.

27)

Cecelia Kang, “Google: Hundreds of Gmail accounts hacked, including some senior US government officials,” WashingtonPost.com, last modified June 1, 2011, http:// www.washingtonpost.com/blogs/post-tech/ post/google-hundreds-of-gmail-accountshacked-including-some-senior-us-governmentofficials/2011/06/01/AGgASgGH_blog.html.

28)

“Gmail Accounts Compromised by Chinese Hackers, Google Says,” FoxNews.com, last modified June 1, 2011, http://www.foxnews.com/ scitech/2011/06/01/gmail-compromisedchinese-hackers-google-says/.

29)

Cecelia Kang and Ellen Nakashima, “China rejects Google allegation of massive hacking breach as ‘fabrication’,” WashingtonPost.com, last modified June 2, 2011, http:// www.washingtonpost.com/business/chinarejects-google-allegation-of-massive-hackingbreach-as-fabrication/2011/06/02/ AGMdsEHH_story.html.

30)

“China targeted White House with Gmail hacking - as Hillary Clinton calls threat 'very serious',” Daily Mail, last modified June 3, 2011, http://www.dailymail.co.uk/news/article1394036/China-targeted-White-House-Gmailhacking-Hillary-Clinton-calls-threatserious.html.

“Cyberwarfare definition,” Dictionary.com, last modified 2005, http:// dictionary.reference.com/browse/cyberwarfare. “Cyberwarfare definition,” Techtarget.com, last modified May 2010, http:// searchsecurity.techtarget.com/definition/ cyberwarfare.

16)

Jeffery Carr, Inside Cyber Warfare: Mapping the Cyber Underworld (Sebastopol, California: O’Reilly Media, 2009).

17)

Chris Bronk, “Hacking the Nation-State: Security, Information Technology and Policies of Assurance,” Information Security Journal: A Global Perspective 17, no. 3 (2011): 132-142.

18)

Ibid.

19)

Ibid.

20)

Sanjay Goel, “Cyberwarfare - Connecting the Dots in Cyber Intelligence,” Communications of the ACM 54, no. 8 (2011): 132-140.

21)

Ibid.

22)

Ibid.

23)

Lech J. Janczewski, and Andrew M. Colarik, 31) Cyber Warfare and Cyber Terrorism (Hershey, Pennsylvania: IGI Global, 2007).

24)

Ian M. Chapman, Sylvain P. Leblanc, and Andrew Partington, "Taxonomy of cyber attacks and simulation of their effects," In Proceedings of 32) the 2011 Military Modeling & Simulation Symposium, pp. 73-80. Society for Computer Simulation 33) International, 2011.

journal.heinz.cmu.edu

Winter 2014

Mathew J. Schwartz, “Lockheed Martin Suffers Massive Cyberattack,” InformationWeek.com, last modified May 31, 2011, http:// www.informationweek.com/news/government/ security/229700151. Ibid. Chloe Albanesius, “RSA Hit By Hackers, SecurID Possibly at Risk,” PCMag.com, last modified March 18, 2011, http://www.pcmag.com/

C YBE R WARFARE

article2/0,2817,2382197,00.asp. 34)

35)

36)

37)

38)

39)

40)

41)

42)

43)

44)

45)

Kevin L. Jackson, “China Linked to Lockheed Martin Cyber Attack,” Forbes.com, last modified June 8, 2011, http://www.forbes.com/sites/ kevinjackson/2011/06/08/china-linked-tolockheed-martin-cyber-attack/. Phil Stewart, “Spies behind 2008 cyber attack, US official says,” Reuters.com, last modified August 26, 2010, http://www.reuters.com/ article/2010/08/26/us-usa-cyber-attackidUSTRE67P00X20100826.

NewYorkTimes.com, last modified November 18, 2010, http://www.nytimes.com/2010/11/19/ world/middleeast/19stuxnet.html? pagewanted=all. 46)

47)

Aharon Etengoff, “US DoD confirms 2008 cyber-attack,” TGDaily.com, last modified August 25, 2010, http://www.tgdaily.com/securityfeatures/51250-us-dod-confirms-2008-cyberattack. 48) Kevin Coleman, “Cyber War 2.0 — Russia v. Georgia,” DefenseTech.org, last modified August 13, 2008, http://defensetech.org/2008/08/13/ cyber-war-2-0-russia-v-georgia/. Tom Espiner, “Georgia accuses Russia of coordinated cyberattack,” CNet.com, last modified August 11, 2008, http://news.cnet.com/83011009_3-10014150-83.html. Thais Portilho-Shrimpton, “Battle for South Ossetia fought in cyberspace,” The Independent, last modified August 17, 2008, http:// www.independent.co.uk/news/world/europe/ battle-for-south-ossetia-fought-in-cyberspace899772.html.

49)

50)

51)

Steve Croft, “Stuxnet: Computer worm opens new era of warfare,” CBSNews.com, last modified 52) March 4, 2012, http://www.cbsnews.com/2102 -18560_162-57390124.html? tag=contentMain;contentBody. Robert McMillan, “Was Stuxnet Built to Attack Iran's Nuclear Program?,” PCWorld.com, last modified September 21, 2010, http:// www.pcworld.com/businesscenter/ article/205827/ was_stuxnet_built_to_attack_irans_nuclear_pro gram.html. Steve Croft, “Stuxnet: Computer worm opens new era of warfare,” CBSNews.com, last modified March 4, 2012, http://www.cbsnews.com/2102 -18560_162-57390124.html? tag=contentMain;contentBody. Robert McMillan, “Was Stuxnet Built to Attack Iran's Nuclear Program?,” PCWorld.com, last modified September 21, 2010, http:// www.pcworld.com/businesscenter/ article/205827/ was_stuxnet_built_to_attack_irans_nuclear_pro gram.html.

Yaakov Katz, “Stuxnet may have destroyed 1,000 centrifuges at Natanz,” The Jerusalem Post, last modified December 24, 2010, http:// www.jpost.com/Defense/Article.aspx? id=200843. William J. Broad, John Markoff and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” NewYorkTimes.com, last modified January 15, 2011, http:// www.nytimes.com/2011/01/16/world/ middleeast/16stuxnet.html?pagewanted=all. “Packet filtering,” Webopedia.com, date accessed May 9, 2012, http://www.webopedia.com/ TERM/P/packet_filtering.html. “Using Network Connection Filters,” Oracle, date accessed May 9, 2012, http:// docs.oracle.com/cd/E12840_01/wls/docs103/ security/con_filtr.html. “Stateful filter rules,” IBM, date accessed May 9, 2012, http://publib.boulder.ibm.com/ infocenter/pseries/v5r3/index.jsp?topic=/ com.ibm.aix.security/doc/security/ intrusion_stateful_filter_rules.htm. “Application Gateway,” Webopedia.com, date accessed May 9, 2012, http:// www.webopedia.com/TERM/A/ application_gateway.html.

59)

“The Comprehensive National Cybersecurity Initiative,” The White House, last modified 2010, http://www.whitehouse.gov/cybersecurity/ comprehensive-national-cybersecurity-initiative.

60)

Ibid.

61)

Sun Tzu, “The Art of War”, date accessed May 9, 2012, http://classics.mit.edu/Tzu/artwar.html

62)

Ibid.

63)

Irving Lachow, “The Stuxnet Enigma: Implications for the Future of Cybersecurity,” Georgetown Journal of International Affairs, Winter (2011): 118-126.

64)

Sun Tzu, “The Art of War”, date accessed May 9, 2012, http://classics.mit.edu/Tzu/artwar.html

65)

J. Nick Hoover, “Defense Bill Approves Offensive Cyber Warfare,” InformationWeek.com, last modified January 5, 2012, http:// www.informationweek.com/news/government/ security/232301351.

66)

Ibid.

67)

Chad Perrin, “Understanding layered security and defense in depth,” TechRepublic.com, last modified December 18, 2008, http:// www.techrepublic.com/blog/security/ understanding-layered-security-and-defense-indepth/703.

“Architecture for Secure SCADA and Distributed Control System Networks,” Juniper Networks, 68) last modified July 2010, http:// www.juniper.net/us/en/local/pdf/ whitepapers/2000276-en.pdf. 69)

53)

Ibid.

54)

Ellen Nakashima, “China testing cyber-attack capabilities, report says,” WashingtonPost.com, last modified March 8, 2012, http:// www.washingtonpost.com/world/nationalsecurity/china-testing-cyber-attack-capabilitiesreport-says/2012/03/07/ gIQAcJwDyR_story.html.

55)

“China Confirms Existence of Elite CyberWarfare Outfit the 'Blue Army',” FoxNews.com, last modified May 26, 2011, http:// www.foxnews.com/scitech/2011/05/26/chinaconfirms-existence-blue-army-elite-cyberwarfare-outfit/.

56)

“US Cyber Command,” United States Strategic Command, last modified August 2013, http:// www.stratcom.mil/factsheets/ Cyber_Command/.

Steve Croft, “Stuxnet: Computer worm opens new era of warfare,” CBSNews.com, last modified 57) March 4, 2012, http://www.cbsnews.com/2102 -18560_162-57390124.html? tag=contentMain;contentBody . 58) William J. Broad and David E. Sanger, “Worm Was Perfect for Sabotaging Centrifuges,”

2012, http://www.dhs.gov/about-nationalcybersecurity-communications-integrationcenter

Keith B. Alexander, “Building a New Command in Cyberspace,” Strategic Studies Quarterly 5 no. 2 (2011): 3-12. Department of Homeland Security. (2010). “About the National Cybersecurity and Communications Integration Center”, date accessed May 9,

journal.heinz.cmu.edu

Winter 2014

Sun Tzu, “The Art of War”, date accessed May 9, 2012, http://classics.mit.edu/Tzu/artwar.html Kim Zetter, “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History,” Wired.com, last modified July 11, 2011, http://www.wired.com/threatlevel/2011/07/ how-digital-detectives-deciphered-stuxnet/all/1.

70)

Phil Stewart, “Spies behind 2008 cyber attack, US official says,” Reuters.com, last modified August 26, 2010, http://www.reuters.com/ article/2010/08/26/us-usa-cyber-attackidUSTRE67P00X20100826.

71)

John Markoff, “SecurID Company Suffers a Breach of Data Security,” NewYorkTimes.com, last modified March 17, 2011, http:// www.nytimes.com/2011/03/18/ technology/18secure.html?_r=1.

72)

Art Coviello, “Open Letter to RSA Customers.” Sec.gov, date accessed May 9, 2012, http:// www.sec.gov/Archives/edgar/ data/790070/000119312511070159/ dex991.htm.

73)

Lance Whitney, “RSA to replace SecurID tokens following breaches,” CNet.com, last modified June 7, 2011, http://news.cnet.com/83011009_3-20069632-83/rsa-to-replace-securidtokens-following-breaches/.

74)

Eugene Kaspersky, “The Man Who Found

C YBE R WARFARE

Stuxnet – Sergey Ulasen in the Spotlight,” Nota Bene: Notes, Comments, and Buzz From Eugene Kapersky – Official Blog, last modified November 2, 2011, http:// eugene.kaspersky.com/2011/11/02/the-manwho-found-stuxnet-sergey-ulasen-in-thespotlight/. 75)

“US accuses China and Russia of repeated cyber spying,” The Telegraph, last modified November 4, 2011, http://www.telegraph.co.uk/ technology/news/8868802/US-accuses-China-

and-Russia-of-repeated-cyber-spying.html. 76)

Bill Gertz, “Russian Intelligence Director Accused West of Cyber Attacks as NATO Conducts Cyber Attack Exercise,” The Washington Free Beacon, last modified March 30, 2012, http://freebeacon.com/transmit-thisinformation-to-your-hackers/.

77)

Paul Cichonski, Tom Millar, Tim Grance, and Karen Scarfone, “Computer Security Incident Handling Guide,” NIST Special Publication 800

journal.heinz.cmu.edu

Winter 2014

-61, last modified August, 2012, http:// csrc.nist.gov/publications/nistpubs/80061rev2/SP800-61rev2.pdf

THE HEINZ J OURNAL

DIALOGUE POLICY THAT MATTERS’ RADIO FEATURE

DISCUSSION OF SYRIAN CONFLICT ALEX MITCHELL & SARAH FOSTER

Our weekly public affairs radio show Policy that Matters recently hosted a conversation on the civil war in Syria. Co-hosts Alex Mitchell and Sarah Foster worked together with their ideas and reflections to create a 30-minute program packed full of great content. We have Sarah Foster: Good Afternoon Pittsburgh, I am Sarah Foster here with my fellow Carnegie Mellon University student, Alex Mitchell. We will be hosting this week’s Policy that matters, a biweekly talk show were Carnegie Mellon University Public Policy students discuss the current policy issues of today. Today we will be discussing Syria. We will be talking about the current situation and the debatable issues regarding the countries future

process of taking weapons out of Syria, how transparent they will be during that process, how effective they will be, how cooperative Syria will be as we proceed, and how we look to diminish the human cost that is continuing to evolve. It should be noted that chemical weapons aren’t the only issue. In fact, they constitute less than 1% of the total death toll in Syria. SF: Yes, definitely. We need to look at how are we going to make sure Syria’s chemical weapons stockpile is truly eliminated. We know the deadline is set for 2014, so we already know that this timeline is very extended. Nothing is going to happen in the immediate term; all the while a civil war is still at its height.

First, I would like to provide a brief summary of Syria’s current situation. Syria’s civil war started two years ago, beginning among the turbulent Arab spring. Syria’s president Bashar al-Assad refuses to give up power, so the war rages on while over 100,000 people have been killed. A recent controversy involved Assad’s use of chemical weapons on the Syrian people. The Obama Administration has put the death toll for this chemical attack at around 1,429 people including at least 426 children. The Administration has signaled that it has a pro-intervention stance, meaning they are willing to conduct air strikes against the Syrian regime. Recent congressional proceedings, however, cast doubts on the prospects of Congress’s approval. At around this time, Al Gore suggested a way in which the US would not have to go in to Syria would be if somehow the international community could eliminate its entire chemical weapons stock hold to avoid the possibility of future use. Russia, one of Syria’s allies, jumped and said lets work with Syria; let us get them to get rid of their chemical weapon supply.

AM: There might be some utility in going back and questioning the why it is that our response must be intervention and the line in the sand is use of chemical weapons. For example, the wide proliferation of chemical weapons throughout the world is well known. Additionally, despite the presence of international agreements condemning the use of chemical weapons, Syria is not a signatory of any such treaty. So a large portion of the critique of the Administration’s approach has centered on how truly philanthropic their position on the matter actually is, especially in light of the fact that it would address a relatively small part of the issue. Furthermore, why is our corpus of international treaty really failing us here? Why is it instructing us to address specifically those lives that are lost by chemical weapons versus those lives lost by any other means? Moreover, there are treaties that address these issues such as the International Covenant on Civil and Political Rights (ICCPR) and the Universal Declaration of Human Rights (UDHR), as well as a number of others, number of others all of which specifically emanate from different conflicts in history. Alex Mitchell: And that’s really been the grand irony in the sense Even still, we don’t see any of these being called upon. that it’s been a great leverage point for us to just jump off when we look at Russia. When we look at Russia we talk about a coun- SF: And at the same time, the United States has been consistently try that is less transparent than your typical Westernized, industrial extending aid throughout this conflict. We have taken a stand as nation. We tend to look at Russia disparagingly, and it’s really being a pro-rebel, in my opinion. I find this to be the case because them who attempted to take the reins in de-weaponing Syria, at we are offering not only aid to the displaced and effected, but we least of their chemical weapons stock. The question at this point is are also giving weapons to forces opposing Assad. Now this is why and why now, and for what are their motivations? So as we incredibly controversial because, on the rebel side of this civil war, are addressing the policy, and as we are looking to see what it is in there are fractions of Al-Qaeda, some of which pose a threat to fact the best course of intervention is at this point, we are address- the US. So by giving weapons to the rebel forces, there exists the ing whether other forms of intervention should supplement it. All possibility that these weapons will fall into the hands of terrorists. eyes are on Russia now to see how they are going to expose the

journal.heinz.cmu.edu

Winter 2014

DIALOGUE

AM: That’s a great point Sarah, and I think that this takes us also in the general topic of war because we are not just seeing deaths, we are not just seeing atrocities, we are also seeing violence against vulnerable populations. For example, there has been an increase in the instances of rape, especially amongst women refugees. It’s not that these are uncommon, so much as the fact that our focus on this 100,000 figure is really only a portion of what’s been going on. SF: There are as many as 2 million refugees now, right? AM: Yes, at this point you have 4.2 million internally displaced, and with the population somewhere just over 22-24 million, 25% is a large proportion. Those are just the folks who are officially recognized as displaced, but there are also affects on surrounding nations as well. What is happening among the Syrian people is have destabilizing effects throughout the immediate region within countries such as Jordan and Lebanon. The regional impacts of the civil war are also the central reason for Russia’s recent foray into the matter. SF: The thing that interests me the most is the apprehension of the American people. I think the polls show a modest majority of the American public respond in opposition to intervention. What’s most interesting to me about this is the fact that it may signify a shift from a country largely willing to intervene in the world, to one fatigued by war and conflict and focused more on our own glaring domestic struggles. It seems many are thinking we’ve had boots on the ground in the region for a decade, the troops have been returning for the past 4 years, and now you want to send them to Syria?

weapons is drawing the attention away from the rebels need for weapons. This causes me to want to go back to the previous point that you made, which was that weapons do not have to be the answer. There are other ways to resolve the divisions, which is why I am pleased by the recent developments in Russia’s move to work with the US to rid the Syrian government of its access to chemical weapons. AM: And I like the idea of involving Syria to the greatest extent possible. Of course, in working with Syria’s leadership, it must be noted that we’re dealing with a strong autocratic government. We also need to keep in mind that the various rebel groups opposed to the current regime are not necessarily interested in replacing the Assad government with the kind of free-market democratic system that our bias causes us to believe every divided society desperately needs. This may indeed be what Syria ultimately needs to reconstruct their government, but the instability coming out of the Arab spring period should inform our activities. What you saw in Egypt, for example, was the emergence of a new constitutional democracy that led to continual discord as opposed to a strong unity. SF: I think that, along with that point, we have to recall that not everyone on the rebel side is pro-democratic. We have two sides fighting against each other, and neither truly reflects the American political, social, and economic values you are speaking of.

AM: The goal for us should be to find out what Syria needs from us, and at this point there is no one to ask. This lack of relationship is the bigger problem. Furthermore, even if we were to ask, the biggest problem is that there is no clear majority when you have a scattering of rebel group organizations. So in terms of any AM: And a huge part of that is a lack of education, in my opinion. kind of intervention, the prospects of success are dubious and the I’ve spoken with our colleagues at CMU and a remarkable number strategies for success are unclear. are intelligent on the topic. Yet there are still many with limited knowledge of the conflict. There is definitely a pronounced skew The next face of intervention should really look into assisting the in the way we have addressed the issue with our tendency towards people who are displaced. What you will see over time is what has anti-Russian sentiments. This has a measured amount of relevance been observed in Rwanda, the Democratic Republic of Congo, given our relationship to Russia in the past. and Sudan. There are scores of struggling people, an entire generation of Syrians who don’t have a place to go home, don’t have a Nevertheless, when we speak about intervention alternatives, we place to educate themselves, don’t have access to proper have to recognize that these take a long time to develop. They also healthcare. These people will be affected until the cessation of the don’t get addressed in the media very much. Instead, we mostly conflict. So I would advocate a threefold approach: dismantling hear about intervention as an all or a nothing game. It’s usually the chemical weapons stockpile, assist in the process of finding a let’s either going in guns blazing or let’s do nothing. By creating resolution to the conflict, and support refugees. this false dichotomy that I believe relates to our paternalistic impulse and is informed by our capitalist, imperialist tendencies. This SF: Right, because that is going to be so spread out over time, its distracts from the fact that there are other alternatives available to difficult to see where this goes and its potential for success. us that we may not be capitalizing upon. The idea of taking chemical weapons out of Syria might be a great starting point, but that’s So do you believe that the US should have intervened militarily at not a true resolution of the initial conflict. Ridding them of their any point thus far? Alternatively, do you find this new route in chemical stockpile will protect many, but it will not end the contandem with Russia a viable path you can support? flict, which will continue on to perpetuity until there can be found a resolution among the deeply divided Syrian people. AM: One thing that worries me regarding military intervention is that the troops would be deployed on the ground. I was glad SF: Right, and when that resolution will be found is a question no when it was clear that any intervention would not have meant one can answer at this point. The opposition was disappointed by physical deployments. However, I am also wary of the drawbacks President Obama’s decision to call off the threatened military of using drones and air strikes because of the human disconnect strikes because they feel that all this attention on the chemical from these forms and how difficult it is to avoid civilian casualties.

journal.heinz.cmu.edu

Winter 2014

DIALOGUE

Given that the intervention was, from day one, supposedly about humanitarian assistance, there would be a grand and tragic irony in intervention while death tolls rise from the use of drones. Given our continued international relations difficulties in the region, this would only serve to complicate matters.

of reconciliation problems in former conflict zones. They have also had great struggles in these regions in the establishment of truth commissions. These issues persist because, despite the success of the US-NATO intervention, there is a severe lack of community cohesion and the fiber that binds the community is gone. Current discussions of intervention are not also incorporating this element.

SF: We actually have a caller on the line. Welcome to the show. Caller: I’m calling because I am interested in the part of your conversation concerning international cooperation. I think it’s great that the US is working more collaboratively with other international actors. I am curious what your analysis tells you about the international community’s view of how the US has been handling the situation. SF: I think there is an overall perception from the international community that the US frequently oversteps important sovereign boundaries. We have a reputation of always intervening, always meddling in other countries’ business. The fact that the US is taking a step back and not only working with another country but working with another country that we have a disagreement with is a potentially positive development. The outcome of this partnership between the US and Russia could have positive long-term impacts on how interventions into similar conflicts are addressed.

SF: Right, and you brought up an important point about the internally displaced, which is an often-overlooked issue. Many just don’t have a home there. AM: They don’t, and even if they have a physical home, they do not have a sense of security. Within their homes and country they do not have a real domestic and legal presence that they have enjoyed for a period of time before the war even if they were an autocratic government. There is no doubt that communities have been destroyed from within just from the fractioning off of society into different support groups. I think the best work that the international community can do is to work with those refugees.

There are many necessary forms of support that we don’t consider. For instance, post-traumatic therapy can be an essential part of recoveries. Truth commissions are a hallmark as well. Even the exhausting work of reuniting families and communities, parents to children, former neighbors to neighbors, can promote the healing Caller: Right, and how does this change our position in the world of social ties. Again, these are often overlooked but are the kinds as we were supporting rebels but at the same time we are now of long-term policies we should also be considering. standing with Russian interests to stop chemical weapons? How does change our position in the overall matter? SF: But how long can we expect to be seeing this conflict play before these long-term concerns become immediate ones? SF: The US certainly maintains a pro-rebel stance. It was very recent that the Administration started offering military aid to the AM: The average civil war lasts 7 years, according to Paul Collier. rebels, this being just prior to the agreement with Russia. So I and it becomes a civil war when there are at least a 1,000 Civilian think that the US will continue to have a stake in the outcome of casualties. At this point we have at least two years of war roughly the Syrian civil war, and it will be interesting to see how its stance and hence we can expect an average of five more years. will evolve if the civil war starts to tilt in the favor of Assad. SF: And there have been 100,000 casualties so far. AM: I think our concern should be less about our stake and more about what is at stake for the Syrian people. There must be some- AM: And that’s a real problem. There are a lot of ideas about how thing in the middle of this debate over whether we have responsi- to rebuild post-conflict. There are a lot of ideas on how to interbility to solve the conflict where we can simply focus on the vene in different meaningful ways. But there isn’t much on how to needs. If we ever are to be called upon to assist the country in any end a conflict without strict military action. societal reforms, there should be a unified force of the international community instead of just us. There is a cultural bias in a SF: Right, and on the issue of refugees, there are some countries US-only approach. receiving them. For example, Germany is sheltering 5,000 Syrians and is urging other European nations to do the same. So one If there is any involvement in Syria, the efforts should be focused thing the US can consider, in addition to humanitarian aid and its on avoiding the descents into chaos seen in Sudan, Rwanda, and interest in addressing Syria’s chemical weapons, is helping with the Bosnia. refugee problem. Helping build and preserve this culture and keep the people from fractioning even more is an important effort. Going deeper, our involvement should consider the post-conflict effects on the country. For example, Bosnia is still countering a lot

Policy that Matters airs every Thursday at 5:00 PM and our hosts welcome any listener to join in the conversation by calling 412-621-WRCT.

journal.heinz.cmu.edu

Winter 2014

journal.heinz.cmu.edu

Winter 2014

THE HEINZ J OURNAL

DIALOGUE HEINZ VOICES’ FEATURED COLUMN

HOW RANDOMIZED CONTROL TRIALS CAN HELP SOLVE AFRICA’S POVERTY TRAP NATHAN JAYAPPA

Understanding how individuals create wealth in developing markets is essential for innovating market-based solutions to reduce poverty. Most economists agree that income earned today greatly influences income earnings tomorrow. If one is able to invest today, his or her earnings should be higher in the future. However, what if one earns so little that savings is not an option, thereby making the earning potential of tomorrow less than today? This is called a poverty trap, and Abijit Banerjee, an MIT economist, defines this occurrence as being “whenever the scope for growing income or wealth at a very fast rate is limited for those who have too little to invest, but expands dramatically for those who can invest a bit more.” The poverty trap can be visualized in this graph featured in the book Poor Economics.

CREDIT: E Duflo, AV Barnejee | SOURCE: Poor Economics

Taking a look at the illustration on S & L Curves, the linear line on both graphs equates to income today being equal to income tomorrow. That is, a direct correlation exists between earning wages from a job today and the potential for earning additional income tomorrow through savings. In a poverty trap scenario, an S-shaped curve represents the function of income as it relates to time. If an individual’s income falls below this linear line, income regression is the result. This is because the income today is less than that of tomorrow, meaning the individual will never be able to reach the point where income today exceeds income tomorrow. This area is defined as a “poverty trap zone,” and individuals who have an income within this zone are trapped indefinitely with negative savings potential. An individual living

journal.heinz.cmu.edu

in this area has a significantly lower potential of a decent standard of living than those living to the left of this intersection. If income falls to the right of the intersection of these lines, then income tomorrow is significantly higher than income today. Without a poverty trap, as indicated in the “Inverted L-Shaped Curve” graph, income potential is always higher tomorrow than it is today. In this scenario, individuals are always given the opportunity to make more money tomorrow than they do today. The potential for relatively more income is significantly more at lower income levels, thereby increasing savings potential and subsequent standards of living. Both of these income theories are supported by leading economists throughout the world, with divergent solutions on how to address extreme poverty in Africa . Jeffery Sachs, economist and Director of the Earth Institute at Columbia University, believes that sub-Saharan Africa has been the region most prone to getting stuck in a poverty trap. According to Sachs’ paper, “Ending Africa’s Poverty Trap,” there are several reasons why sub-Saharan Africa has suffered very slow growth in productivity which leaves the poor remaining impoverished. Burdensomely high transport costs and small market size, low-productivity agriculture, a very high disease burden, adverse geopolitics, and a very slow diffusion of technology are all attendant economic stressors. His solution to eliminating this trap is through an injection of grant-based aid in the public sector as a tool to augment national savings. This eliminates aid being used strictly for consumption purposes, and places the responsibility on governments to be efficient in determining the best methods of disbursal. Furthermore, Sachs believes that aid needs to be aligned with the ambitious 2015 Millennium Development Goals(MDGs). However, aligning aid programs to the MDGs has many pitfalls, as governments in sub -Saharan Africa are some of the least effective in the world. Furthermore, the MDGs have not influenced African countries to take action, as its universal goals are often times too broad to eradicate poverty on the individual country level. NYU economist William Easterly takes a critical stance on the reliance of grant-based aid to solve Africa’s poverty trap in a

Winter 2014

DIALOGUE

piece for the Brookings Institution entitled â&#x20AC;&#x153;Can the West Save Africa?â&#x20AC;? In his paper, Easterly argues that aid needs to shift away from a comprehensive approach to solving poverty. He sees efforts such as those seen in the MDGs and international aid campaigns springing from an ill-informed view of Africa as a unified problem with simple solutions. Despite great efforts from outside actors for unified action, sub-Saharan Africa has mostly failed at achieving the MDGs, with many instances of countries regressing in recent years. Additionally, outside financial assistance has resulted in tepid progress. U.S. development assistance to sub-Saharan Africa from USAID quadrupled from $1.94 billion in 2002 to $7.08 billion in 2012, with little economic progress resulting from increased funds. In response to disappointing outcomes and stubborn economic issues, Easterly and Banerjee advocate for the use of Randomized Control Trials (RCTs) to evaluate the most effective deployments of international aid. RCTs allow researchers to understand what works in aid by testing multiple theories before full deployment. Countries, cultures, and socioeconomic factors affect the success of aid, and organizations such as MITâ&#x20AC;&#x2122;s J-PAL and the Innovation for Poverty Action can use empirical evidence to measure the effectiveness of particular poverty relief projects. RCTs are conducted much like pharmaceutical trials, where one group is given a remedy (treatment) while the other group is not (control). The benefit of these tests is that it can quantify long-term results of projects and determine the most effective means to achieving specific outcomes. For example, if Kenya were to set a goal to reduce malaria-related deaths, there are multiple projects to help produce this outcome. Aid organizations can either distribute bed nets for free or they can charge a small fee. Alternatively, they can

allocate funds towards subsidizing malaria treatment and education. Discovering the best solution takes behavioral economic evidence to assess which strategy is sustainable in the long-term. Individual charitable contributions can often times be plagued with the same bureaucratic chaos and reliance on ineffective systems as international aid programs. In 2008, a few Harvard and MIT graduate students decided to use RCTs to determine the most effective way to help the poor in Kenya. Their discovery is counterintuitive to most charitable organizations, groups who typically believe that the best ways to alleviate the poverty trap is through providing the poor with agriculture assistances, education, or healthcare. The graduate students discovered that giving money directly to the poor is a significantly more effective means to reducing long-term poverty than typical charities. The success of this method is seen in GiveDirectly, rated as one of themost effectivecharities in the world. The poor understand their needs and a direct, one-time injection of cash to help them escape the poverty trap. Randomized Control Trials are only one of many solutions to help sub-Saharan Africa reduce extreme poverty. With an increasing amount of international aid flowing into its countries, organizations need to look beyond MDGs as a proxy to achieve outcomes. A long-term, sustainable poverty reduction endeavor of any country needs to come from sound policies and adoption by its citizens. International assistance can help to counteract poverty trap around the world. However, sustainable economic growth ultimately resides in the private sector. Grant-based aid evaluated through RCTs should be the first step in helping the poorest of the poor in our world.

Nathan Jayappa works for The Grassroots Business Fund as a BizCorps Associate. He assists the impact investing fund in deal sourcing and delivery of Business Advisory Services through conducting due diligence, financial modeling, assessing social returns, and strategic planning. Nathan graduated in 2013 with both an MBA from the Tepper School of Business and an MSPPM from the Heinz College at Carnegie Mellon University. He currently resides in Nairobi

journal.heinz.cmu.edu

Winter 2014

Policy. Research. Practice 41

journal.heinz.cmu.edu

Winter 2014