An Intelligence Community Perspective on Trends in Cyber Threats and Cyber Intelligence

Published: December 14, 2022

Federal Market Analysis | Cybersecurity | Intelligence | ODNI

Blurring lines between cybersecurity and national security, increasing use of non-U.S. technologies in enterprise infrastructure, and no clear playbook for responding to “gray-area” activity are fueling Intelligence Community (IC) cybersecurity efforts.

I recently spent time listening to two current podcasts with IC cybersecurity experts regarding the evolving cyber landscape. In late November, Justin Doubleday of the Inside the IC Podcast interviewed Jim Richberg, the former National Intelligence Manager for Cybersecurity. And last week, Kate Macri with Government CIO Media interviewed Laura Galante, ODNI Director of the Cyber Threat Intelligence Integration Center.

Similar themes emanated from both podcasts: cyber threats and threat intelligence are changing, collaboration is imperative to combatting cyber threats, lines are blurring between cybersecurity and national security, and cybersecurity is no longer just an IT problem.

Richberg explained the difference between cyber threat intelligence in the IC and that of the private sector, and its evolution over the last decade. The IC uses cyber intelligence for three purposes: to inform and enable decision-making, to enable cybersecurity, and to enable the full range of responses. The private sector focuses mainly on using cyber intelligence to enable cybersecurity. Richberg went on to explain that cyber intelligence exists at three levels - tactical, operational, and strategic. The tactical level is all done by machines now. “We’re 15 years past where humans conduct this type of work,” according to Richberg. Ninety-nine percent is now automated.

Richberg said that the government does tactical cybersecurity to protect critical infrastructure and government networks, but it also does a great deal in operational and strategic areas. According to Richberg, “The real Holy Grail is if you get a piece of strategic information that is about a coming threat and is credible. Then you can put shields up.” Additionally, the government cares a lot more about attribution than the private sector. The private sector is concerned about enabling cybersecurity to protect customers. “By and large they don't care who's doing it or trying to do it.” The government has a higher interest in “who is doing it that is distinct from ‘what are they doing.’”

Galante spoke about the blurring lines between cybersecurity and national security and how it is no longer just an IT problem. It was only 10-12 years ago, “when we talked about cybersecurity it had to do with information security and IT threats. It was an IT problem. Now it's how is the Chinese military going after the intellectual property of a company.” Today the government, the IC, the private sector, partners, and allies must continually evaluate whether they have the right visibility, organizational mechanisms, and resources to develop a collective defense picture given the level of threat that cyber adversaries can pose.

According to Galante, national security is about defining how you look at threats, building defensive measures, and developing appropriate ways to handle them. “We've been doing that for some time now, but it’s been a build. And adversaries aren't waiting around while the U.S. government builds up the right apparatus to handle cyber threats.” Adversaries have gotten more sophisticated and are now using the domain for existential threats around critical infrastructure and influence operations. Cybersecurity has gone from an IT issue to a national security issue in a very short span of time, said Galante.

One change Richberg noted in the evolution of hacking by cyber criminals is the desire for large data sets. As big data analytics have evolved, big data sets have become an attractive target to adversaries. In some cases, they are using these data sets for influence operations, such as Russian troll farms spinning up both Black Lives Matter and Blue Lives Matter messaging. Richberg said big data analytics now allow fomenting on both sides with informed messaging and targeted audiences.

Galante spoke about two big-picture trends and challenges facing the ODNI with regard to cybersecurity and national security intelligence: the change in the globe’s dependency on U.S. technology, and how to respond to cyber actions below the threshold identified for responding with force.

Galante said countries are moving beyond U.S. technology as the basis for their interaction with the internet. In the past, the U.S. was the dominant maker and supplier of IT. Now, technology from other countries is frequently becoming enterprise IT or social media platforms. This changes the IC’s and the broader cybersecurity community’s understanding of the threat surface.

Another challenge faced by the IC involves “nation-states using cyber operations to conduct their affairs - political, espionage, or military – which are frequently falling below the threshold that you would identify for responding with force. Falling short of war-like action.” Galante called this a “gray area.” She said, “Collectively countries need to think, how do you respond, what do you do? It’s not as clear as in the kinetic space, the real-world space where a missile would have gone over the border and hit another country. We have response mechanisms for that.” She said that in the cyber domain it is frequently a much grayer area. She cited an example from the summer, regarding the Iranian state attack on Albania's networks. They were able to attribute the attack to Iran in September. “What does collective defense look like when an adversary has taken down an alliance member's network? In this case Albania. What's the appropriate response? How do you communicate, ‘that's unacceptable'? NATO members won't permit this.”

A key to protecting cyberspace cited by both Richberg and Galante is collaboration with the private sector, allied nations, other federal agencies, and other government entities. Galante stated that “one difficulty in this domain is there is no one entity that owns the domain (government, private, etc.).” She went on to say that collaboration and information sharing are a necessity. “The more victims of cyber-attacks will come forward and share information about the forensics of the attack they had. That is very useful from an intelligence standpoint,” she said. Galante admitted that the reporting landscape is a bit complicated at the moment. Currently, there is no one-stop shop where victims should report. She noted that CISA is in its rule-making period, which will give clarity on how incidents are reported to CISA pursuant to the legislation that passed this spring. Until then, there are multiple doors for reporting, though coordination among federal agencies has improved over the last few years.

Richberg said that the private sector is eager for information from the government regarding cyber threats; however, the problem is the volume of information the IC has. They can’t disseminate it all. It needs to be prioritized. He said that information sharing between the private sector and the government is essential in recognizing broader threats and cross-cutting activity. “The IC is not an expert about how private networks, private infrastructure works, the dependencies, etc. You need the people who own and operate those to say we’ve noticed something.” But Richberg said this requires an element of trust. Additionally, the private sector also sees a lot that the government doesn't see, according to Richberg. “We need to be able to put together government and private data and use AI on it. Some is classified, some is not, but all of that relies on trust. We want to get away from being reactive,” said Richberg.