New Cyber Agency: The Challenges AheadAssessing the Cyber Threat Intelligence Integration Center
President Obama has twice threatened to veto cyberthreat sharing legislation co-sponsored by House Homeland Security Committee Chairman Mike McCaul. So when the Texas Republican backs the Democratic president's plan to create the Cyber Threat Intelligence Integration Center, you've got to think it's a great idea.
And such a center might just be what's needed to battle the growing and more damaging cyber-attacks facing U.S. governments and businesses. But let's not get ahead of ourselves. Taking what could be a great concept and executing it won't be easy.
One of the big challenges with interagency intelligence sharing will be internal politics that come into play.
Lisa Monaco, assistant to the president for homeland security and counterterrorism, announced on Feb. 10 the formation of the Cyber Threat Intelligence Integration Center, known as CTIIC (pronounced see-tick), which is to cull cyberthreat information from a variety of sources within the government and business community and then produce timely intelligence about the latest threats and threat actors (see White House Creates Cybersecurity Agency).
"A lot of people are scratching their heads thinking, 'We don't already do this?'" says Ken Westin, a senior security analyst with compliance software and services provider Tripwire. Adds "Surviving Cyberwar" author Richard Stiennon, "Isn't this what U.S.-CERT was formed to do?"
CTIIC vs. NCCIC
CTIIC sounds much like other cyberthreat analysis centers the government operates. Take, for instance, the Department of Homeland Security's National Cybersecurity and Communications Integration Center. NCCIC (pronounced n-kick) is an around-the-clock cyber-situational awareness, incident response and management center that's at the nexus of cyber and communications integration for the federal government, intelligence community and law enforcement. The United States Computer Emergency Readiness Team, or U.S.-CERT, is part of NCCIC, as is the Industrial Control Systems CERT.
CTIIC, by comparison, will have less to do with situational awareness and focus on rapidly melding cyberthreat intelligence from various sources and then alerting the likes of NCCIC. Indeed, Monaco said the swift federal government response to the Sony breach sets the standard for how CTIIC should function. "Within 24 hours of learning about the Sony Pictures Entertainment attack, the U.S. government pushed out information and malware signatures to the private sector to update their cyberdefenses so they could take action," Monaco said.
Still, some of those who make their living in cybersecurity wonder if CTIIC could become another bureaucracy duking it out with other bureaucracies with similar goals and operations. "One of the big challenges with interagency intelligence sharing will be internal politics that come into play; there has been a history of this within these agencies, which has impacted the effectiveness of several cyber-defense programs," Westin says.
That's a theme picked up by Lance Cottrell, chief scientist at the cybersecurity company Ntrepid, who cautions the government must be careful in how it rolls out CTIIC. "When we see five different organizations with overlapping and conflicting responsibility for an issue, we often respond by saying that there should be one new organization which can take control and coordinate the others," Cottrell says. "The unfortunate reality is that you often then have six different organizations with overlapping and conflicting responsibilities. This new organization has quite a challenge before it."
Perhaps the makeup of the initial CTIIC staff of 50 will help ease any confusion. Although Monaco promised the new center won't cannibalize staff from companion offices, another senior administration official says CTIIC's initial employees will come from other agencies. That, in itself, could be good. Having analysts and other specialists working side-by-side in the new center could help build trust and collaboration among the other analysis centers.
Critics question if an initiative such as CTIIC can succeed. Still, it's worth trying. As Westin says, "The government has not had a solid record when it comes to developing large-scale distributed information systems, not to mention ensuring that those systems and data are secured. All skepticism aside, I think it is a step in the right direction and am optimistic that the agency will help make an impact on securing the nation's cyber infrastructure. It is a great idea long overdue, but the challenge will be in the implementation."