Cyber Intelligence: What Exactly Is It?

Moving to a More Proactive, Over-the-Horizon Awareness Posture
Giving impetus to the emerging field of cyber intelligence is a new report, Cyber Intelligence: Setting the Landscape for an Emerging Discipline, from the Intelligence and National Security Alliance, a not-for-profit, nonpartisan think tank that examines intelligence and national security policies and solutions.
What is cyber intelligence? "We are not quite ready to propose a definitive definition," answers Chuck Alsup, the alliance's vice president of policy. One of the major purposes of the paper is to provoke a discussion on the need for such a discipline, he says, adding:
"At this point, we are talking about threats that can originate anonymously within this cyber domain with potentially enormous consequences: physical destruction to economic chaos. The people who monitor and respond to these threats are a unique coalition of the willing from government, industry and academia, as well as foreign partners."
The consultancy Deloitte describes cyber intelligence as a vastly more sophisticated and complete set of threat management tactics than IT security alone, providing tools to move to a more proactive, over-the-horizon threat awareness posture.
Alsup says the genesis of the INSA paper is the question: "Do we need a new intelligence discipline to understand this unique new threat?" If so, that leads to other questions: How should this discipline be defined and bounded so that it is as inclusive as possible of all the appropriate players, yet also manageable, efficient and transparent?
Unlike the 17-agency U.S. intelligence community, easily identified by a list of acronyms such as FBI, CIA, DHS, DIA, NSA and so on, the cyber intel community is ad hoc and not formalized. It consists of telecommunications and Internet providers, computer emergency readiness teams and infosec providers that engage in a wide range of activities.
Much more than government and military information and systems is at stake. The INSA study contends that the vast majority of the dangerous activity occurs within the .com domain, as opposed to the .gov or .mil domains, and that more than 90 percent of the threat data and analytics are unclassified. Most of these threats are handled by network operations personnel, most of whom don't have the invaluable expertise and analytic aptitude of the U.S. intelligence community.
Another takeaway from the INSA study is that standard operating procedures put our IT at risk. Take, for instance, the common practice of using commodity software and hardware, a trend that makes economic sense, but could put our systems in jeopardy, as INSA points out:
"The attacker can experiment and perfect an attack on the same commodity infrastructure his victim is likely to have. Part of the cost of using a cookie-cutter computing platform has been to give attackers the blueprints to our infrastructure. These blueprints, combined with the complexity of the infrastructure that gives them a place to hide, are all they need. ... We have taken advantage of this economic leverage to such a degree that virtually everyone has a clone of everyone else's infrastructure."
Another vulnerability: our reliance on outsourcing, highly popular in government and the private sector. Although it is done mostly for market reasons (cost, expertise), it means potential adversaries could be handling the design, implementation and maintenance of critical IT systems. The report says:
"The present situation is as dangerous as if the United States decided to outsource the design of bridges, electrical grids and other physical infrastructure to the Soviet Union during the Cold War. In tandem with the outsourcing of IT development, the IT systems themselves are becoming increasingly complex. Increased system complexity means that there are more exploitable vulnerabilities that arise by accident and more opportunities to hide deliberately introduced vulnerabilities, while it becomes harder for the finite number of trusted experts to check systems for integrity."
INSA also cautions against replicating another Cold War product: an arms race, which even in the digital world would prove costly, ineffective and a never-ending struggle:
"We must avoid an offensive-defensive cyber arms race, which consumes extensive resources, yet fails to produce an enduring or definitive outcome. At best, adversaries struggle for strategic parity, with one ending up bankrupt and all having little to show for it. At worst, an adversary conceives of the problem from a different perspective - unbeknownst to us - and we are blindsided through technological surprise."
INSA concludes that the ability to define, explore and analyze cyber threats in a thoughtful, methodical manner at a reasonable level of classification is not yet well developed. But INSA sees an urgent need to better define and develop cyber intelligence as a new discipline:
"Such a discipline will also demand discussion of the unique training, education, skill sets and tradecraft that will be required to successfully conduct meaningful collection and analysis in the cyber domain. These and related topics, such as the role of cyber intelligence in other aspects of cyber operations and who is best suited to develop this discipline, will be the subject of further discussion."
Let the conversation begin.