As a young intelligence officer, if you had told me an adversary could act anonymously and alone, easily acquire the most advanced weaponry, disrupt or take down almost any “connected” target globally, and our ability to prevent these attacks was systemically flawed – I would have been astonished. As always, all adversaries integrate intention, capability, and opportunity. With cyber warfare, a breadth of adversaries and individuals can bring to bear all three by continuously aiming at the U.S. and our Allies. They target our Fortune 1000, our “smart cities,” our software-enabled platforms and architectures, and our often-porous Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR). With Cyber, our adversaries have discovered the “perfect” form of warfare.
From the very beginning of the Department of the Navy’s IT-21 Afloat (the 1990s initiative to bring IT bandwidth, networks, and email communications to Naval Platforms), a majority of Naval Commanders made cyber defense all about IT technical controls, compliance, and audit vice a 360-warfare approach that includes a comprehensive Cyber Intelligence effort focused on actors, methods, and countermeasures. C4ISR is foundationally all about owning “theirs” and protecting and enabling “ours.” Without exquisite insight into adversary objectives, intentions, cyber capabilities, and options, we think one-dimensionally.
I am one of those who believe the Cyber Domain is a true extension of C4ISR. The Cyber Domain is the technical evolution of all sensors, datasets, communications, analytics, and how dots connect to provide and share Battlespace Awareness. But this new domain came with new tech, terms, capabilities, and a new generation of bad actors. And it morphed at the speed of software which is often calculated in minutes and seconds vice days, months, and years. So as Warfare Commanders needed to come to terms with the new Domain, so did the Intelligence Community (IC).
A group of us started the C4ISR & Information Operations (IO) Community of Interest (COI), consisting of over 400 intelligence analysts across the IC who joined virtually for the first time, leveraging a classified version of Net Meeting and the Joint Worldwide Intelligence Communications System (JWICS). We started in 1998-99 in partnership with SPACECOM J2 and Joint Task Force – Computer Network Defense (JTF-CND) J2 to lay out how our intelligence responsibilities were evolving as a result of computers riding networks. We would be the first COI to conduct an Acquisition Threat Assessment of a Naval IT Network and Program, the Navy-Marine Corps INTRANET (NMCI), as a major acquisition program, and the first to develop all-source intelligence support to Computer Network Defense. We knew this was not an IT or tech-only issue and that every cyber event started with a who, a why, and then a how. Ironically, very few saw it as a traditional all-source intelligence problem. Many Warfare Commanders wanted to relegate it solely to the Information Officers (i.e., N6s) and the Cryptologists.
Fast forward a decade to the advancement of cloud and wireless communications and devices. Ironically, many of the advancements in foundational Cyber Intelligence made in the late 1990s were either wiped away by the Global War on Terror (GWOT) or relegated to a corner in time. Only with the advent of the Comprehensive National Cyber Initiative (CNCI) in 2008-2013, led by then Director of National Intelligence (DNI) Mike McConnell and CNCI Director Melissa Hathaway, was the focus returned to Cyber operations, defense, exploitation, targeting, and all source intelligence. We all focused on what capabilities, skillsets, and resources were needed to make up for a lack of comprehensive and consistent focus on Cyber Intelligence across the IC for almost a decade.
As an Executive Director at Carnegie Mellon’s Software Engineering Institute in 2011, I had the opportunity to work with the first National Intelligence Manager (NIM) for Cyber, Rick Ledgett at the Office of the Director of National Intelligence (who continued to oversee the CNCI resources and programs), on the Cyber Intelligence Tradecraft Project. We knew we needed to continue fully leveraging CNCI and hone and standardize our Cyber Intelligence Lexicon, Analytic Framework, focus, and Mission Deliverables. This body of work eventually led to this mission statement for ODNI NIM Cyber and then the Cyber Threat Intelligence Center:
“Detect and understand cyber threats from state and non-state actors engaged in a malicious cyber activity to inform and enable national security decision making, cybersecurity, and the full range of response activities.”
Building upon an earlier version of this mission, we worked on the development of the following foundational building blocks:
The Lexicon: https://www.dni.gov/files/ODNI/documents/features/Cyber_Threat_Framework_Lexicon.pdf
The Cyber Threat Framework: https://www.dni.gov/files/ODNI/documents/features/A_Common_Cyber_Threat_Framework_Overview.pdf
The Cyber Threat Intelligence Integration Center: https://www.dni.gov/index.php/features/241-about/organization/cyber-threat-intelligence-integration-center?start=6
So why is Cyber Intelligence still so hard for people to wrap their heads around? First, the dynamics of the cyber landscape involve speed, reach, and impact while crosscutting all other military missions, society as a whole, and the global economy. The cyber landscape has blurred lines of responsibility and accountability across the Department of Defense, the Federal Government, and industry. To complicate matters, industry develops, owns, and operates most of the world’s IT and communications infrastructure, systems, and services.
Fallacies also remain within Cyber as a whole and Cyber Intelligence in particular. One is that only Computer Scientists, Engineers, and Software Developers are needed to understand and address the questions and issues and provide a way ahead. Cyber Operations, Intelligence, and Innovation require multidisciplinary skills across a breadth of fields of study and professions. Another is that the virtual (online) world is somehow separate from the physical world, as opposed to being both parallel and intertwined, with each of us and all organizations having both a physical and a “Cyber Footprint” – enriching and yet complicating data collection, analysis, and reporting of “the ground truth.”
Another fallacy is that Cyber Intelligence is the realm of governments, when in fact Cyber Threat Intelligence, focused on making networks, datasets, and devices resilient, is the realm of industry and society as a whole. To that end, as the Cyber Council Chair of the non-profit professional association the Intelligence and National Security Alliance (INSA), INSA and I established the Cyber Intelligence Task Force, comprised of cyber leaders from government, industry, and academia, to write and publish some of the first unclassified White Papers on Cyber Intelligence – four in total from 2011 to 2015:
https://www.insaonline.org/cyber-intelligence-setting-the-landscape-for-an-emerging-discipline/
https://www.oodaloop.com/wp-content/uploads/2013/09/Operational-Levels-of-Cyber-Intelligence.pdf
Cybersecurity Vs. Cyber Intelligence
Cybersecurity is often conflated with Cyber Intelligence, but is defined as “the state of being protected against the criminal or unauthorized use of electronic data, and/or the measures taken to achieve this.” Because Cyber Intelligence as a discipline lagged over a decade behind Cybersecurity, billions have been spent on malware detection. Historically, there has been negligible government and industry investment in determining the intention and the actor behind a cyber event. True attribution of cyber criminals and adversaries remains rare. This means that being preventative or predictive, or providing Cyber Indications and Warnings, is equally rare.
With the advent of globally, publicly available network (www) and dark net datasets and Artificial Intelligence (AI) threat, risk, vulnerability, and maturity-based analytics, commercial Cyber Intelligence capabilities, teams, and services have grown dramatically over the past decade. The commercial realm regularly outpaces the U.S. Department of Defense and Intelligence Community's global open monitoring and analytics. Industry now has sophisticated cyber intelligence reporting of current events, methods, trends, and actors, providing a new situational awareness, indications, and warning capability globally by Sector, Region, Sub-Sector, and Size/Type. This remains an arena where Private–Public Partnerships focused on Cyber Intelligence innovation and analytics can break major cybercriminal and State Actor campaigns at speed and scale.
One Private Sector exemplar of this across commercial competitors is the Cyber Threat Alliance (CTA) (https://cyberthreatalliance.org/), now a non-profit made up of Palo Alto Networks, Cisco, Intel, Fortinet, and more. These companies mutually decided they would team on and share at network speed Cyber Threat Intelligence (the field of Cyber Intelligence focused on defense) and bake all they learn back into their product lines. In this manner, security for these companies’ respective product lines and customers is no longer seen as a competitive advantage; vice that, they are teaming to meet CTA’s mission “to improve the overall cybersecurity of the global digital ecosystem.”
As with any other warfare domain, it all starts with an adversary and that adversary’s capabilities and intentions. Identifying and “chasing” the malware is only one piece of the Cyber Intelligence puzzle. And because Cyberwarfare capabilities impact, cut across, or enhance all warfare domains, understanding and fully leveraging foundational Cyber Intelligence Tradecraft is critical to all intelligence professionals today and into the future.